On March 2, 2020, Reed Smith and the International Association of Privacy Professionals (IAPP) presented a panel discussion on 2020 privacy laws and trends featuring Attorney General Christopher Carr of Georgia; Linda Holleran Kopp of the Bureau of Consumer Protection, Division of Privacy and Identity Protection of the Federal Trade Commission (FTC); and Oriana Senatore, Senior Vice President of Policy & Research at the U.S. Chamber Institute for Legal Reform (ILR).

A clear theme from the discussion was that federal legislation is the best path for privacy reform in the United States.  The current “patchwork quilt” of federal and state data privacy laws and enforcement by the FTC (and other agencies) as well as by states – now complicated exponentially by enforcement actions by cities and counties and the presence of private rights of action increasingly proposed for state privacy legislation – is not the way to best balance privacy consumer protection and business compliance.  Indeed, the evolving privacy landscape is now approaching a “crazy quilt patchwork.”
Continue Reading Georgia AG, FTC and US Chamber Institute for Legal Reform discuss “crazy quilt patchwork” of privacy laws in the US

On January 6, 2020, the Director of the Federal Trade Commission’s (FTC’s) Bureau of Consumer Protection, Andrew Smith, published a blog post highlighting recent changes to the Commission’s enforcement orders relating to data security. Industry leaders, law practitioners, Congress, and even the courts have been critical of aspects of the Commission’s data security orders.  In the post, titled New and improved FTC data security orders: Better guidance for companies, better protection for consumers, Smith acknowledges that, upon arriving at the FTC, strengthening the FTC’s orders in data security matters was among Chairman Joseph J. Simons and his first priorities.  Smith’s blog post is a useful roadmap to help understand the practices the Commission requires of companies under its orders.  Lawyers often look to these orders to distill advice for clients in a challenging area where the public shaming of companies after data security incidents is rampant.

The FTC began working towards specific improved data security orders in 2019, and Smith cites seven different 2019 data security orders in an effort to lay out some of these improvements.  The improvements, he notes, resulted in part from a December 2018 FTC hearing addressing areas of improvement for data security orders, as well as a 2018 Eleventh Circuit Court of Appeals decision.

As a result, Smith highlights three major changes that “improve data security practices and provide greater deterrence” for companies and enhance enforceability.  These changes fall into the following three categories:

(1) The orders are more specific.

(2) The orders increase third-party assessor accountability.

(3) The orders elevate data security considerations to the C-Suite and Board level via executive certifications modeled after similar certifications in securities and other laws.

Continue Reading New key features of FTC data security orders highlighted by Consumer Protection Bureau Director

The Federal Trade Commission’s (FTC) recent $5 billion settlement with Facebook is unprecedented in multiple respects:

  • The $5 billion penalty represents the largest privacy and data security settlement in history – it is almost 20 times larger than the recent Equifax Inc. settlement and dwarfs recent EU data protection enforcement actions.
  • As part of the settlement, new corporate governance measures relating to privacy and data security will be required, including an independent committee of the board of directors, with specific nomination requirements and subject matter coverage. This will place pressure on many boards and organizations to freshly examine information governance risk.
  • The settlement also requires executive certifications, which, if modeled by other companies, will trigger dramatic changes in accountability as executives turn to rely on experts, internal compliance teams, audit and related expertise for assurance and attestation in order to avoid civil and criminal penalties and derivative litigation.

The signaling effect of the settlement to the broader business community intended by the primary privacy regulator in the United States cannot be overstated. Similar enforcement actions, such as individual prosecutions in Europe under the EU Data Protection Directive, triggered immediate response and attention from corporations just as the emergence of breach notification laws resulted in massive new investments in information security programs in the United States.

Continue Reading $5 billion Federal Trade Commission settlement with Facebook represents largest privacy enforcement penalty ever

The Federal Trade Commission (FTC) announced a joint state-and-federal initiative, “Operation Call It Quits,” which targets illegal telemarketing practices that violate the FTC’s Telemarketing Sales Rule (TSR).

The TSR, which applies to interstate telephonic marketing communications intended to “induce the purchase of goods or services or a charitable contribution,” makes it illegal to engage in “abusive” acts and practices like failing to transmit caller identification information, calling telephone numbers listed on the National Do Not Call Registry, and using certain types of prerecorded messages or “robocalls.” The TSR also makes it illegal to engage in “deceptive” acts and practices while on a telemarketing call, like processing billing information without authorization, failing to fully disclose certain information before a customer consents to pay for goods or services, and misrepresenting material details of a sale. As part of this latest sweep of TSR enforcement, the FTC announced four newly filed actions:

  • In the first action, the FTC filed suit in the U.S. District Court for the Middle District of Florida against corporate and individual defendants alleged to have made illegal robocalls to “financially distressed consumers” with offers of “bogus credit card interest rate reduction services.”
  • In the second action, the FTC filed suit in the U.S. District Court for the Central District of California against individual and corporate defendants accused of using illegal robocalls to sell “fraudulent money-making opportunities.”
  • The third action, filed on the FTC’s behalf by the U.S. Department of Justice (DOJ) in the Middle District of Florida, targeted the “informational technology (IT) guy” alleged to have developed and operated computer-based “autodialer” technology used to make millions of illegal robocalls.
  • The fourth action, filed by the DOJ on the FTC’s behalf in the U.S. District Court for the Central District of California, alleges that a business and its individual owners sought to develop marketing leads for home solar energy companies by making millions of illegal robocalls and engaging in other abusive practices, including making more than 1,000 calls to a single telephone number in one year.


Continue Reading FTC and state law enforcement officials step up efforts against illegal telemarketing

The Federal Trade Commission’s (FTC) recently announced settlement with background check provider SecurTest, Inc. shows the agency remains vigilant regarding businesses’ claims that they comply with the EU-U.S. Privacy Shield Framework (Privacy Shield). Privacy Shield provides U.S. businesses with a legally recognized mechanism for receiving personal data in the United States from the EU. In its complaint against SecurTest, the FTC alleges that for several months SecurTest falsely claimed on its website that it complied with Privacy Shield when in fact it had not self-certified its Privacy Shield compliance with the U.S. Department of Commerce. The terms of the FTC’s decision and order prohibit SecurTest from misrepresenting its Privacy Shield compliance status and require it to submit to compliance monitoring and recordkeeping requirements.

Along with announcing its settlement with SecurTest, the FTC noted that, rather than beginning enforcement proceedings, it has issued a number of warning letters to businesses over similar alleged inaccurate statements about compliance with cross-border privacy and data security transfer programs like Privacy Shield:

Continue Reading FTC settlement and warning letters over cross-border personal data transfers

They are the stars of the young generation, brand ambassadors for organizations and leaders on social media: influencers. With their strong presence on social media channels such as Facebook, Instagram or Twitter, influencers have a power that pays off. Thousands of users follow the day-to-day posts of their role models. Influencers are becoming increasingly important

On April 10, U.S. lawmakers introduced the Algorithmic Accountability Act (the AAA). The AAA empowers the Federal Trade Commission (FTC) to promulgate regulations requiring covered entities to conduct impact assessments of algorithmic “automated decision systems” (including machine learning and artificial intelligence) to evaluate their “accuracy, fairness, bias, discrimination, privacy and security.” The bill is evocative

On February 26, 2019, the Federal Trade Commission’s (FTC) Bureau of Competition announced a new Technology Task Force, which will monitor anticompetitive conduct in U.S. technology markets “to ensure consumers benefit from free and fair competition.” With the consumer protection agency already a chief arbiter of privacy enforcement in the tech sector, the new task force increases the likelihood that the continued convergence between competition and consumer protection policy, which began in earnest at the dawn of the current century, may be gaining momentum.

German approach. The announcement comes just a few weeks after Germany’s antitrust regulator used its competition authority to enforce principles of data privacy and processing. On February 7, 2019, the Bundeskartellamt issued a decision against Facebook, ruling that the practice of combining user personal data from different sources by a dominant market participant violated EU data protection law. This was a noteworthy decision from a competition authority being influenced by and seeking to enforce the General Data Protection Regulation, which would otherwise be enforced by data protection authorities. The decision is not yet final, but if upheld it could have the notable impact of limiting the data footprint used to inform advertising, and may influence regulators’ willingness to use competition law to buttress limitations placed on the flexibility of data collectors and processors. Please see our previous client alert on the Facebook ruling. If this approach informs the FTC’s position on competition and privacy enforcement, it could extend a trend of regulators outside the data protection sphere using broader authority as a bridge to enforce privacy issues against companies they view to have a dominant market position.

Continue Reading In privacy we (anti)trust: Regulators worldwide consider competition law as tool for consumer protection

Companies that employ algorithms, machine learning and artificial intelligence (AI) in their day-to-day business may face increased attention from federal antitrust and consumer protection regulators in the future. On November 13–14,  the Federal Trade Commission (FTC) addressed this topic in their hearings on “Competition and Consumer Protection in the 21st Century.” The panelists, an assembly

On Thursday, September 27, the Federal Trade Commission (FTC) announced settlements with four companies, IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc., following allegations that the companies falsely claimed to be certified under the EU-U.S. Privacy Shield.

Specifically, the FTC alleged that IDmission, LLC misrepresented participation in the program by claiming certification on its website despite never completing the steps necessary to participate following the company’s October 2017 application. On the other hand, mResource LLC, SmartStart Employment Screening, Inc., and VenPath, Inc. each successfully obtained Privacy Shield certification in 2016 but failed to properly renew expired certifications. Therefore, the FTC alleged the three companies misrepresented that they were current participants in the program.

Further, the FTC alleged that SmartStart Employment Screening, Inc. and VenPath, Inc. additionally misrepresented that they adhere to the Privacy Shield Principles by failing to withdraw or affirm the commitment to protect personal information acquired during participation in the program. The Privacy Shield Principles require that if a company ceases to participate, the company must affirm to the U.S. Department of Commerce that it will continue to apply the Privacy Shield Principles to such personal information.

Continue Reading FTC continues aggressive enforcement of Privacy Shield