The Federal Trade Commission (FTC) will be holding a series of hearings this fall on “Competition and Consumer Protection in the 21st Century,” with the goal of reflecting on the agency’s powers, and state attorneys general (AGs) want to make sure their voices are heard.

A bipartisan group of 29 state AGs filed comments with the FTC on August 20, 2018, asking it to consider their unique viewpoints and expertise as state regulators who are “in the forefront of consumer protection.” The FTC hearings begin on September 13 with a schedule that includes a panel on “The Regulation of Consumer Data” featuring former acting chair Maureen Ohlhausen and former FTC staff members and academics. As the FTC opens its doors for a public discussion on how its enforcement priorities and policies affecting consumers might change, especially with a new slate of commissioners, the AGs want to be seen as partners. In particular, they want be part of the conversation on privacy and data security, as has been a strong trend in recent years.

“In our experiences, consumer privacy and data security is an afterthought in product and service development. Industry often does not adequately invest in privacy and security. Consumer data has inherent value and the free market alone does not adequately protect sensitive data. Consumers have voiced concerns to us about what personal information industry collects, how industry informs consumers about data collection, and how industry uses and shares consumers’ data. Industry must place privacy and security front and center in its research and development of products and services,” the comment stated.

Continue Reading AGs emphasize consumer protection and privacy expertise in FTC comments

On February 28, 2018, the Federal Trade Commission (FTC) released a report about security update practices for businesses providing mobile phones and other connected devices. The report recommends that manufacturers and carriers provide security updates that are consistent with consumer expectations, provide better information regarding their security practices and educate consumers on their role in

On February 26, 2018, an en banc federal appeals court held that the common carrier exception in the Federal Trade Commission (FTC) Act that preempts FTC jurisdiction is “activity-based” rather than “status-based” and therefore applies only to the extent an entity engages in common-carrier services. See FTC v. AT&T Mobility LLC, No. 15-16585, D.C. No. 3:14-cv-04785EMC (Opinion) (9th Cir. Feb. 26, 2018). The decision affirmed the Northern District of California’s denial of AT&T Mobility LLC’s motion to dismiss.

In 2010, AT&T switched its mobile data plan offering from “unlimited” to “tiered” but allowed existing customers to retain their unlimited data plans. In 2011, AT&T reduced unlimited customers’ broadband data speed without regard to actual network congestion if they exceeded a preset limit. The FTC filed an action in October 2014 under section 5 of the FTC Act, alleging AT&T’s data-throttling plan was unfair and deceptive. AT&T moved to dismiss, arguing it was exempt due to common carrier status.

Section 5 exempts “common carriers subject to the Acts to regulate commerce.” 15 U.S.C. § 45(a)(1), (2). Although providing mobile data was not a “common carrier service” at the time the FTC filed suit, the Federal Communications Commission (FCC) reclassified mobile data as a common-carriage service in 2015 while AT&T’s motion to dismiss was pending. See In the Matter of Protecting and Promoting the Open Internet, 30 F.C.C. Rcd. 5601, 5734 n.792 (2015) (Reclassification Order). The FCC reversed the Reclassification Order in early 2018. See In the Matter of Restoring Internet Freedom, W.C. Dkt. No. 17-108, 2018 WL 305638, at *1 (Jan 4, 2018).

Continue Reading Ninth Circuit calls common carrier exception “activity-based”

The International Association of Privacy Professionals and Reed Smith’s Washington, D.C. office co-hosted the Association’s KnowledgeNet Chapter meeting, “Key Federal and State Regulatory and Enforcement Trends in Privacy to Watch in 2018 – Direct from the Regulators” on February 27, 2018.

Reed Smith partner Divonne Smoyer moderated a panel discussion featuring Utah Attorney General Sean

A Washington Legal Foundation legal opinion titled “The FTC’s Black-Box Determination of Information’s Sensitivity Imperils First Amendment and Due-Process Rights” and written by Gerry Stegmaier, Wendell Bartnick, and Kelley Chittenden illustrates the troubling fact that although businesses are tasked with implementing “reasonable” data security that hinges, in part, on the sensitivity of information, the Federal

In a recently published “Staff Perspective,” the Federal Trade Commission (FTC) appears to be staying true to the regulatory humility approach Acting Chairman Maureen K. Ohlhausen underscored in her opening remarks to the connected cars and autonomous vehicles workshop the FTC co-hosted with the National Highway Traffic Safety Administration (NHTSA) last summer. The Consumer Protection Bureau of the FTC ultimately distills the privacy and data security workshop that covered a wide range of existing and future connected car technologies from infotainment systems such as GM’s new Marketplace feature to vehicle-to-vehicle and vehicle-to-infrastructure (such as traffic lights and cameras) communications capabilities to fully automated “driverless” vehicles down to the following takeaway: Connected vehicles will generate – and businesses will collect – a vast amount of aggregated, non-sensitive and sensitive data, which may lead to privacy risk due to unexpected uses and data security risk.

Continue Reading Warning light: The FTC is monitoring the connected car marketplace

On October 30, 2017, Sears Holding Management Corporation (“Sears”) petitioned the Federal Trade Commission (“FTC”) to reopen and modify the settlement to which they agreed in 2009.  At that time, Sears agreed to a consent order to resolve the FTC’s complaint that Sears allegedly did not adequately disclose the scope of its collection of “online browsing” data collected from users of Sears’ desktop software application.  This landmark enforcement action was one of the FTC’s first uses of its section 5 authority to regulate privacy-related disclosures and the tracking of users’ online activity.

With Sears’ petition, a company under a privacy-related consent order has for the first time asked the FTC to scale back the breadth of the order’s applicability because of changes in technology, consumer expectations, and the marketplace.

Changes in Mobile App Ecosystem and Consumer Expectations. In its petition, Sears argued that the current online marketplace demonstrates that the consent order is too broad and “does not align with today’s mobile application ecosystem and consumer expectations.”  Sears explained that the consent order requires handling consumer notices in its mobile applications in a way different from other companies’ industry-standard mobile apps, and the order’s prescriptive manner does not fit with how consumers obtain mobile applications through app stores.  According to Sears, more recent FTC orders recognized exceptions to certain consumer notices for normal functioning of mobile applications that are expected by consumers, e.g., notices related to application configurations, crash monitoring, and usage activity.  Sears seeks an order more in-line with the new FTC orders that include the exceptions.

Continue Reading Sears Petitions to Change Its 8-Year-Old FTC Privacy Settlement Order

On October 19, President Trump formally announced his nomination of Joseph Simons to serve as Federal Trade Commission Chair for a seven-year term.

Simons would assume the chairmanship of the agency in lieu of Acting Chair Maureen Ohlhausen, who took the position last January and is expected to remain with the Commission until the expiration

A panel at a meeting of the National Association of Attorneys General highlighted data breaches and privacy in the context of new technology, signalling that state regulators are focused on consumer protection in this area.

The panel at the Southern Regional Meeting in Charlottesville on April 4 was devoted to emerging technologies, privacy concerns, and