On 31 May 2022, the Italian Parliament approved Law 62/2022, also known as the Sunshine Act, which entered into force on 26 June 2022. The new rules will become fully operational once the Ministry of Health sets up the public database where companies will have to disclose their data. In practice, this means the new
On April 24, 2018, Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA) introduced the Social Media Privacy and Consumer Rights Act of 2018. The bill aims to protect consumers’ online data by increasing the transparency of data collection and tracking practices, and requiring companies to notify consumers of a privacy violation within 72 hours.
“Our bill gives consumers more control over their private data, requires user agreements to be written in plain English and requires companies to notify users of privacy violations,” Senator Kennedy explained. “These are just simple steps that online platforms should have implemented in the first place.”
Other features of the legislation include providing consumers a right of access to see what information about them has been collected and used, allowing consumers to opt out of data collection and tracking, and requiring online platforms to have a privacy program in place. Senator Klobuchar explained that “[c]onsumers should have the right to control their personal data and that means allowing them to opt out of having their data collected and tracked and alerting them within 72 hours when a privacy violation occurs and their personal information may be compromised.” …
Continue Reading Senators Klobuchar and Kennedy Introduce Privacy Legislation
Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers. The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve Resilience (“Cyber AIR”) Act were each introduced but not enacted in a previous session of Congress. In a joint press release, the Senators noted that the legislation was designed to “implement and improve cybersecurity standards for cars and aircraft.”
The SPY Car Act
The SPY Car Act would require cars manufactured for sale in the U.S. to comply with “reasonable measures to protect against hacking attacks,” including measures to isolate critical software systems from non-critical systems, evaluate security vulnerabilities, and “immediately detect, report, and stop attempts to intercept driving data or control the vehicle.” It would also require “driving data” collected by cars to be “reasonably secured to prevent unauthorized access,” including while such data is in transit to other locations or subsequently stored elsewhere. Violations of these cybersecurity requirements are subject to civil penalties of up to $5,000 per violation.
Continue Reading Senators Reintroduce Cybersecurity Legislation for Cars and Planes
On September 16, 2016, the Federal Trade Commission (“FTC”) hosted a workshop on the factors that may contribute to the effect disclosures have on consumer behavior. The workshop, “Putting Disclosures to the Test,” included speakers from a wide range of disciplines and industries, who remarked on aspects of disclosure such as consumer cognition, recognition, and comprehension, methodologies for measuring disclosure effectiveness, the impact of disclosures on consumer decision-making, and disclosure design.
In her introductory remarks, Lorrie Cranor, Chief Technologist at the FTC, described how research from other fields can inform the study of privacy disclosures. Edith Ramirez, Chairwoman of the FTC, then opened the workshop with remarks on issues that are important to the FTC. The FTC’s primary task, she stated, is to ensure consumers have access to truthful and accurate information, to enable them to make decisions in the marketplace. Its focus, with respect to disclosure of information, is on the effect of disclosure on consumer welfare. The FTC considers some disclosures necessary to prevent deception in advertising, to communicate the risks of products, or to communicate choices consumers may have. With respect to privacy, the FTC encourages companies to disclose their data practices, so consumers have greater control over how their data is used. It requires disclosures to be clear and conspicuous, so consumers can understand them and make informed decisions.
Continue Reading FTC Hosts “Putting Disclosures to the Test” Workshop
By Ani Gevorkian
Under the Gramm-Leach-Bliley Act (GLBA), a financial institution generally must send annual privacy notices to customers that describe whether and how the financial institution shares their nonpublic personal information. An institution that shares this information with unaffiliated third parties generally must notify customers of their right to opt out of the sharing and provide instructions on how to do so.
Under the new rule, a financial institution may meet GLBA requirements by posting privacy notices online instead of distributing an annual paper copy, as long as the institution adheres to certain requirements. For instance, the institution may not share data in ways that trigger customers’ opt-out rights. It must also continue to send notices through existing delivery methods if the policies’ terms change or if a customer with limited internet access requests by phone to receive a notice.
Continue Reading CFPB Finalizes Rule to Allow Online Privacy Disclosures from Financial Institutions
Continuing our coverage of the flurry of bills signed into law by California Governor Jerry Brown last week, we turn now to AB 1710, an amendment to California’s data breach legislation. The data breach amendment makes three notable changes to existing laws regarding personal information privacy:
1. Requires Companies that Maintain Personal Information to Implement and Maintain Reasonable Security Procedures and Practices.
California’s existing data breach law requires companies that own or license personal information to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . .” Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.
AB 1710 extends this requirement to companies that merely “maintain” personal information about Californians. The bill defines “maintained” information in the negative, as information that a business does not own or license.
For purposes of implementing and maintaining reasonable security procedures and practices, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code. Cal. Civ. Code § 1798.81.5(d)(1).
Continue Reading California Amends Data Breach Legislation
Today, the Federal Trade Commission (“FTC”) issued a staff report examining the consumer-protection implications of popular shopping apps. These services are intended to ease and enhance the shopping experience by allowing consumers to, for example, compare prices in-store across retailers, collect and redeem deals, or pay for purchases while shopping in brick-and-mortar stores. The FTC…
Recent discoveries of data security breaches have raised a perennial question for public companies: are public companies required by law or practice to provide material updates to their investors when bad things happen? The answer can be quite surprising.
Disclosure at the Time of the Event
As a threshold matter, federal securities law does not explicitly impose an affirmative duty on issuers to disclose data security breaches or failed attempts to breach a company’s data security. There is no specific line item in any SEC disclosure document, rule or regulation that specifically requires such disclosures. In this regard, federal securities law does not require the disclosure of this, or other information, solely because it might be “material.” Instead, the determination of whether material information is required to be disclosed depends on whether such information is required to be disclosed in the applicable form, or is necessary to make other statements made not misleading.
For example, Form 8-K, the form that is generally used to provide markets and investors with current information, is only required to be filed when one of the specific items included in the form is triggered. These include things such as entry into or termination of material contracts, the acquisition or disposition of a material business or a material amount of assets, the appointment or termination of executive officers or directors, and similar occurrences. Any event that does not involve one of the enumerated triggers may be reported under Item 8.01 as an “Other Event” or under Item 7.01 as “Regulation FD Disclosure,” which is intended to allow companies to comply with Regulation FD, which generally requires that companies publicly disclose information that they intend to disclose privately to investors or others. Form 8-K does not include a specific line item relating to data security breaches or similar events – even if such events are material.…
In a closing letter declining to bring enforcement action against shoemaker Cole Haan, FTC staff stated that it believes “Pins” on Pinterest featuring a company’s products can constitute an endorsement of those products, and that if the pins are incentivized by the opportunity to win a significant prize in a contest, contestants should be instructed to label their pins appropriately.
The closing letter follows an investigation into whether Cole Haan violated Section 5 of the Federal Trade Commission Act in connection with its “Wandering Sole” Pinterest Contest. Section 5 of the FTC Act protects consumers from “unfair or deceptive acts or practices.” Pursuant to its Section 5 authority, the FTC requires disclosure when there exists a connection between a product endorser and the seller of the advertised product that might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience).
For a chance to win a $1,000 shopping spree, Wandering Sole contestants were instructed to create Pinterest boards that included five re-pins of shoe images from Cole Haan’s Wandering Sole Pinterest Board. According to the FTC, these re-pinned images featuring Cole Haan shoes constituted product endorsements that were “incentivized by the opportunity to win” a shopping spree, therefore creating a material connection requiring disclosure. The contest rules directed contestants to caption each pin with “#WanderingSole,” but the FTC determined that the hashtag was not adequate in communicating the material connection — i.e., financial incentive — between Cole Haan and its contestants. The FTC concluded that “entry into a contest to receive a significant prize in exchange for endorsing a product through social media constitutes a material connection that would not reasonably be expected by viewers of the endorsement.”…
Yesterday, the FTC held a public workshop titled “In Short: Advertising & Privacy Disclosures in a Digital World.” The workshop explored whether and how the FTC should revise its 2000 guidance concerning advertising and privacy disclosures in the new era of online and mobile technology.
This post will highlight the morning workshop sessions on usability research, cross-platform advertising disclosures, and social media advertising disclosures. A second post will recap the afternoon’s discussions on mobile advertising and privacy disclosures.…