The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent under the General Data Protection Regulation (“GDPR”).  We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think will be of interest to clients and other readers of InsidePrivacy.  The draft guidance is open for consultation until 23 January 2018.

Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment.  In advance of the workshop, the FTC and Department of Education are soliciting comments on several key questions regarding COPPA and FERPA compliance for educational technology providers.  This is a valuable opportunity for Ed Tech providers to provide feedback to both agencies on the practical application of COPPA and FERPA in this arena.

A European Parliament policy department has released a report, entitled Big Data and Smart Devices and Their Impact on Privacy, that criticizes the lack of focus on privacy and data protection in the European Commission’s “Digital Single Market” policy agenda, noting a “conflicting” intersection between the Commission’s Digital Single Market objectives and the EU’s efforts, now in their hopefully final stages, to reform the EU’s general legislation around the protection of personal information.

State legislators have recently passed a number of bills that impose new data security and privacy requirements on companies nationwide. The laws include new data breach notification requirements, marketing restrictions, and data destruction rules. Below is an overview of the new laws and amendments that will go into effect on January 1, 2015.

The Federal Trade Commission (“FTC”) announced on Thursday, September 4 that Google has agreed to settle charges and refund no less than $19 million to consumers whose children were allegedly deceived into making mobile purchases through the Android app store.

Google offers thousands of apps for free or a specific dollar amount through its Google Play Store, which is preloaded on Android mobile devices.  In many children’s game apps, after installation, children may purchase virtual items within an app — “in-app charges.”

The staff of the Federal Trade Commission (“FTC”) has released updated guidance on how the Children’s Online Privacy Protection Act (“COPPA”) and its implementing regulations apply to schools and educational online services through revisions to the Frequently Asked Questions (“FAQs”) that are published on the FTC website.  For a comparison between the old and new school FAQs, please click here.  The FAQs constitute informal guidance, but they are useful for understanding how FTC staff interprets COPPA’s application in different contexts.  Here is a brief summary:

  • The revised FAQs do not change the circumstances under which schools can provide verifiable parental consent on behalf of parents, that is, when an operator collects personal information from students “for the use and benefit of the school, and for no other commercial purposes.”  Examples of prohibited commercial purposes include online behavioral advertising and “building user profiles for commercial purposes not related to the provision of the online service” to the school.
  • While the prior FAQs noted that, in such circumstances, operators should provide schools with robust notice about their data collection, use, and sharing practices, the revised FAQs suggest that these disclosures should track the direct notice requirements outlined in the COPPA Rule.  In COPPA FAQ M.1, FTC staff explains that “the operator must provide the school with all the required notices.”


The Center for Digital Democracy (“CDD”) recently filed requests for investigation with the Federal Trade Commission (“FTC”) claiming that Marvel Entertainment and Sanrio Digital failed to comply with the Children’s Online Privacy Protection Act’s (“COPPA”) notice and consent requirements. 

  • Marvel.  The Marvel filing alleges that Marvelkids.com is a child-directed website that collects personal information,

The Federal Trade Commission (“FTC”) recently approved a new method of verifiable parental consent — knowledge-based authentication (“KBA”) — as consistent with the requirements of the Children’s Online Privacy Protection Act (“COPPA”).  COPPA generally requires operators of websites or online services that are directed to children under 13 or that have actual knowledge that they

The California legislature has enacted a flurry of privacy-related laws over the past few months.  Still more bills are pending.  This post provides a brief overview of new privacy laws enacted in California in 2013, including measures that will become effective on January 1, 2014.  For a more detailed look at some of these key laws, please see our recent client alert

  • A.B. 370 “Do-Not-Track” Amendment to California Online Privacy Protection Act (effective Jan. 1, 2014).  The California Online Privacy Protection Act (“CalOPPA”) requires that operators of commercial websites and online services that collect personal information conspicuously post a privacy policy disclosing certain information.  This amendment requires operators to further disclose (1) how they respond to “do-not-track” signals or “other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information,” and (2) whether they allow other parties to collect personally identifiable information when a consumer uses the operator’s service.  An operator may satisfy the first disclosure requirement by providing in its privacy policy a conspicuous link to a description of a program or protocol that offers consumers a choice regarding the collection of their personally identifiable information.
  • S.B. 46 Amendment to California’s Security Breach Notification Law (effective Jan. 1, 2014).  California’s existing breach notification law requires an entity to notify consumers following discovery of a data breach involving the unauthorized acquisition of “personal information.”  The law defines “personal information” as an individual’s first name or initial and last name in combination with one or more sensitive data elements, such as Social Security number, financial account number, or medical information.  This amendment expands the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer that would permit access to an online account,” regardless of whether name and/or other sensitive data elements are breached.


Last Friday the California Senate unanimously passed legislation titled, “Privacy Rights for California Minors in the Digital World,” which prohibits certain types of marketing to minors (defined as a natural person under the age of 18 residing in California) and allows minors to delete materials they have posted online.  The bill, which already cleared the California Assembly, now has been sent to Governor Jerry Brown for approval.  If signed into law, the legislation would be effective beginning January 1, 2015. 

The bill, S.B. 365, which was introduced by Senator Darrell Steinberg, adds two new sections to the California Business & Professions Code.

Section 22580 would:

  • Prohibit an operator of a website, online service or application, or mobile application that is directed to minors from marketing or advertising on the service or application certain enumerated products or services that minors cannot otherwise legally purchase or use.  While some of these products and services may be obvious—e.g., alcohol, firearms, tobacco, and obscene materials—others—e.g., tanning and etching cream that is capable of defacing property—may be less so.  
  • Prohibit an operator of a website, online service or application, or mobile application from marketing or advertising the enumerated products or services where the operator has actual knowledge a minor is using its service or application, if the marketing or advertising is directed to that minor based on information specific to the minor such as profile, activity, address, or location, but excluding IP addresses and product identification numbers.  The operator shall be deemed in compliance with this provision if it takes reasonable actions in good faith designed to avoid marketing or advertising under these circumstances.
  • Prohibit an operator of a website, online service or application, or mobile application that is directed to minors or who has actual knowledge that a minor is using its service or application from knowingly using, disclosing, or compiling the personal information of a minor (or allowing a third party to do so) with actual knowledge that such activity is for purposes of marketing or advertising the enumerated products or services to that minor. 
  • These prohibitions do not apply, however, to the incidental placement of products or services embedded in content, if the content is not distributed by or at the direction of the operator primarily for the purposes of marketing and advertising the enumerated products or services.
  • Additionally, “marketing or advertising” is defined to require an “exchange for monetary compensation” in order “to make a communication to one or more individuals, or to arrange for the dissemination to the public of a communication, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service.”  Thus, social media content or applications that only promote an enumerated product or service without paid placement would not fall within the scope of the bill. 

