Federal Trade Commission

Last week, the FTC announced its release of a staff report discussing key topics from the April 29, 2021 workshop addressing dark patterns. The report states that the FTC will take action when companies employ dark patterns that violate existing laws, including the FTC Act, ROSCA, the TSR, TILA, CAN-SPAM, COPPA, ECOA, or other statutes and regulations enforced by the FTC. The report highlights examples of cases in which the FTC used its authority under these laws and regulations to bring enforcement actions against companies that allegedly used dark patterns. Accordingly, the report builds upon the FTC’s historical approach of using its existing authority to bring enforcement actions in this context.

Continue Reading New FTC Report on Dark Patterns

Today, the Federal Trade Commission (FTC) announced that it anticipates proposing a privacy rulemaking this month, with comments closing in August.  This announcement follows the agency’s statement in December that it planned to begin a rulemaking to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” 

Last week, Senators Richard Blumenthal (D-CT) and Marsha Blackburn (R-TN) introduced the bipartisan Kids Online Safety Act (“KOSA”), which would impose new safeguards, tools, and transparency requirements for minors online.  The bill applies to entities that are a “commercial software application or electronic service that connects to the internet and that is used, or is

2021 was another busy year for data privacy regulatory enforcement and litigation. With some distance to reflect on last year, we have prepared this post identifying and describing important trends from 2021 that can help provide insight into what to expect in the data privacy landscape in 2022.

Data Privacy Regulatory Enforcement Trends

Federal Trade Commission (FTC) and state enforcement action in 2021 centered on several key areas, including protecting children.

An FTC enforcement action last year alleged that the maker of an online coloring book application violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information about children who used the app without notifying their parents and obtaining their consent.  The allegations note that the app included a “Kids” category that was targeted to children.  The FTC further claimed that the app’s social media features collected personal information from users and that some parents, lacking knowledge of these features, may have inadvertently permitted their young children to use the app.
Continue Reading 2021 Trends in Privacy Regulatory Enforcement and Litigation

In a new post on the Covington Digital Health blog, our colleagues discuss recently announced Federal Trade Commission (“FTC”) guidance meant to help companies determine their obligations under the Health Breach Notification Rule (the “Rule”).  The guidance follows the FTC’s September 2021 Policy Statement, which expanded the Rule’s application to the developers of health

On January 4, 2022, the Federal Trade Commission published a warning to companies and their vendors to take reasonable steps to remediate the Log4j vulnerability (CVE-2021-44228).  The FTC provided a list of recommended remedial actions for companies using the Log4j software.  The FTC’s warning references obligations under the FTC Act and Gramm Leach Bliley Act (“GLBA”) to take reasonable action to remediate vulnerabilities, and hints at potential inquiries and enforcement actions against companies and vendors that fail to do so.  As the FTC notes in its warning, the “FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
Continue Reading FTC Warns Companies to Remediate the Log4j Vulnerability and Hints at Potential Enforcement Actions

On September 29, 2021, the Senate Committee on Commerce, Science, and Transportation held a hearing entitled “Protecting Consumer Privacy.”  The hearing centered on strengthening consumer privacy rights, including by increasing the FTC’s resources and creating a comprehensive federal privacy law.

To explore these issues, the Committee invited David Vladeck, Professor and Faculty Director of the Center on Privacy and Technology at Georgetown Law and former Director of the FTC Bureau of Consumer Protection; Morgan Reed, President of The App Association; Maureen Ohlhausen, Partner and Section Chair (Antitrust & Competition Law) at Baker Botts and former Acting Chairman of the FTC; and Ashkan Soltani, Independent Researcher and Technologist and former Chief Technologist of the FTC.
Continue Reading Consumer Privacy Hearing Focuses on Expanding FTC Resources, Creating Federal Privacy Law

On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  Third-party service providers also are required to notify covered vendors of any breach.
Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices

Yesterday, Rep. Kathy Castor (D-FL) introduced an updated version of the “Protecting the Information of our Vulnerable Children and Youth Act” (Kids PRIVCY Act), which would make broad changes the Children’s Online Privacy Protection Act (COPPA).  Rep. Castor introduced a similar bill in early 2020, but it stalled alongside other proposals to overhaul the federal children’s privacy law last year.
Continue Reading Rep. Castor Reintroduces Bill to Rewrite the Children’s Online Privacy Protection Act

To add to the growing list of federal privacy frameworks introduced this year, Senator Amy Klobuchar (D-MN) has re-introduced the bipartisan Social Media Privacy Protection and Consumer Rights Act of 2021 (S. 1667).  Senator Klobuchar introduced the bill originally in 2018 and 2019, although it did not advance to committee in either instance.  Senators Kennedy (R-LA), Burr (R-NC), and Manchin (D-WV) have co-sponsored the bill.

Key provisions in this bill include:
Continue Reading New Privacy Bill Provides Opt-Out Rights and New Data Security Requirements