FTC Staff Report on ISP Privacy Practices Paves the Way for an FTC Privacy Rulemaking in the New Year

Share

Following up on a mandatory 2019 request for information issued by the Federal Trade Commission (FTC) to the largest Internet Service Providers (ISPs) in the United States, the FTC staff in late October issued a Report titled – A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers. Among the agency staff’s general findings on ISP data collection and use practices, the most striking perhaps is the apparent degree of integration among ISPs and advertisers with respect to their data collection and use practices. The report also highlights the tools ISPs offer to customers to either manage or control many types of ISP data collection and use.

The information presented in the Report is aggregated and de-identified and has been supplemented with information gathered from follow-up FTC staff questions and meetings with the ISPs that were the subjects of the FTC information request. The Report’s summary of information on real-world ISP data practices could prove useful as Congress wrestles with the potential for federal privacy legislation and states review the need for legislation.

Continue reading “FTC Staff Report on ISP Privacy Practices Paves the Way for an FTC Privacy Rulemaking in the New Year”

Zombie PHR Breach Rule Rises From the Dead

Share

If an entity that offers a personal health record identifies a breach of information in that record, it is required to provide notice to each impacted individual and to the FTC within 60 calendar days of discovery.

Yesterday, the FTC issued a policy statement announcing a new interpretation of the FTC’s 10-year-old “Personal Health Record Breach Notification Rule.” As the FTC acknowledges, this rule has never been enforced by the FTC. The FTC’s announcement indicates its intention to begin enforcing this rule, which allows the FTC to assess penalties of $43,792 per day of violation.

Continue reading “Zombie PHR Breach Rule Rises From the Dead”

TikTok Facing Billion-Pound Legal Challenge in Children’s Data Privacy Lawsuit

Share

TikTok is facing a potential legal claim in the U.K. brought by the former Children’s Commissioner for England, Anne Longfield, on behalf of millions of children in the U.K. and EEA who have used the social media app. Claimants in the action could be entitled to over $1 billion pounds in damages.

This action follows fines issued by the U.S. Federal Trade Commission in 2019 and the Korea Communications Commission in South Korea in 2020 for mishandling children’s data. TikTok has also previously been investigated by the U.K.’s Information Commissioner’s Office, which ordered TikTok in 2019 to delete data associated with a linked app and set up an age verification system for that function.

Continue reading “TikTok Facing Billion-Pound Legal Challenge in Children’s Data Privacy Lawsuit”

FTC Settlement with Zoom Concerning Alleged Data-Security Lapses

Share

On November 9, 2020, the United States Federal Trade Commission (FTC) announced that it had entered into a consent agreement, subject to final approval, with videoconferencing company Zoom Video Communications, Inc. (Zoom). The consent agreement settles allegations that Zoom engaged in a series of deceptive and unfair practices that undermined the security of its users. The Commission voted 3–2 to accept the settlement, with Commissioners Chopra and Slaughter voting no and issuing dissenting statements asserting that the FTC’s action did not go far enough.

While the FTC generally does not identify what triggers a law enforcement action, there have been many news articles and a number of class actions filed in connection with Zoom’s data-security practices over the past six months that likely led to this action.

Continue reading “FTC Settlement with Zoom Concerning Alleged Data-Security Lapses”

FTC Opinion Holds False Express Privacy Claims are Material

Share

The Federal Trade Commission’s Opinion finding that Cambridge Analytica engaged in deceptive practices to harvest personal information closes another chapter in the Commission’s actions against Cambridge Analytica and its former chief executive and app developer. The opinion is noteworthy for two reasons. First, the procedural posture of this matter is unique because Cambridge Analytica failed to appear or to answer the complaint. This allowed the Commission under its Rules of Practice to find the facts to be as alleged in the complaint and to enter a final decision. Second, the Commission’s opinion holds that a false express privacy claim is material and thus violates Section 5 of the FTC Act.

Continue reading “FTC Opinion Holds False Express Privacy Claims are Material”

FTC Litigation with D-Link Ends with Comprehensive Settlement

Share

In 2017, the FTC filed a complaint against D-Link Systems, Inc. (D-Link) alleging that the Taiwan-based computer networking equipment manufacturer had taken inadequate security measures which left its wireless routers and Internet-connected cameras vulnerable to hackers. In early July, D-Link agreed to a settlement that includes a requirement that it implement a comprehensive software security program, and obtain biennial, independent third-party assessments of its software security program for 10 years.

Continue reading “FTC Litigation with D-Link Ends with Comprehensive Settlement”