This week, the New York State Attorney General announced a $4.95 million settlement with Oath Inc., the result of an investigation into violations of the Children’s Online Privacy Protection Act (“COPPA”).

The NYAG found that Oath’s ad exchanges transferred persistent identifiers and geolocation from website users to DSP bidders in its automated auction process.  While that may be fine for websites directed to grown-up audiences, COPPA includes persistent identifiers and geolocation in its definition of “personal information.”  And under the law, companies must obtain verifiable parental consent before collecting or using children’s personal information.

But instead of seeking verifiable parental consent, Oath treated all websites (and therefore all user information) the same, despite knowledge that some website inventory on its exchange was directed to children under 13 and subject to COPPA.  And instead of using available technology to avoid the use of children’s information altogether, Oath’s ad exchanges allowed advertisers to collect information on children and display ads on sites targeting children.  The “flagrant” violations of the law led to the largest-ever penalty under COPPA and a settlement agreement provided some remarkable takeaways:

Continue Reading AdTech Provider Hit with Record COPPA Fine

While new EU breach notification requirements have received significant media attention, closer to home are the data breach reporting obligations under Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), which took effect on November 1. PIPEDA is a Canadian federal privacy law that broadly governs the collection, maintenance, use and disclosure of Canadian citizens’ personal information during commercial activities. Unlike U.S. privacy laws currently in effect that form a regulatory patchwork of sectoral and industry-specific laws, PIPEDA follows an omnibus approach.

On June 18, 2015, Canada passed various amendments to PIPEDA, including the Digital Privacy Act. Most of the changes were simultaneously effective. However, the mandatory data breach reporting and its related reporting requirements just came into full force on November 1, 2018. Many U.S. companies are not aware that PIPEDA may apply to them.

Continue Reading PIPEDA Data Breach Reporting is in Effect

Once upon a time, Larry Page said “you can’t have privacy without security.” California clearly agrees and may test the sincerity of Mr. Page and other tech leaders innovating in the field of connected devices with new legislation signed by Governor Brown in September.

With the ink barely dry on the infamous California Consumer Privacy Act (the CCPA)—a first-of-its-kind data privacy bill in the United States—Brown signed a new Internet of Things cybersecurity bill into law, SB 327. Perhaps not so coincidentally, both laws will take effect on January 1, 2020, marking a substantial compliance deadline for technology companies big and small.

Continue Reading Your Vacuum Cleaner, Your Coffee Maker, and Your Baby Monitor May Be Watching You, So They Better Be Secure: California Passes New Connected Device Cybersecurity Law

Financial institutions and insurance companies operating in New York have until September 3, 2018 to comply with the next phase of New York’s Cybersecurity Regulations. Here’s what you need to know to avoid regulatory scrutiny.

Continue Reading Are You Ready for the New York Cybersecurity Regulations’ September 3rd Deadline?

Last week, British Airways (BA) became one of the first public relations victims of the General Data Protection Regulation (GDPR). Per reports from TechCrunch, BA requested that individuals who had tweeted BA regarding flight delay complaints respond on Twitter—to the public—with personal information, purportedly in order to comply with the GDPR. The personal information that BA representatives requested included full names, billing addresses, dates of birth, the last 4 digits of payment cards, and even passport numbers. Eventually, BA clarified that it did not mean that users should respond with the requested information in the public feed, but rather that they should do so via direct message (DM).

Continue Reading GDPR Woes Take Flight: British Airways Asks Customers to Tweet Their Personal Information in Misguided Attempt to “Comply” with GDPR

For the fourth time, the Federal Trade Commission (FTC) has reached a consent agreement with a company for alleged misrepresentations regarding Privacy Shield certification. A California-based company, ReadyTech Corporation, agreed to a settlement whereby it is “prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.” Privacy Shield is one of a few mechanisms that are available to U.S. companies for the lawful transfer of personal data from the European Union and Switzerland to the United States pursuant to applicable data protection laws including the new General Data Protection Regulation (GDPR). As part of the process, companies must self-certify with the Department of Commerce (DoC) and then annually re-certify that the company is Privacy Shield compliant.

Continue Reading A Privacy Shield Enforcement Action: More to Come?

This afternoon, Governor Brown signed into law California Assembly Bill 375, the California Consumer Privacy Act of 2018. The law is unprecedented in the United States that it applies European-level compliance obligations akin to the now infamous General Data Protection Regulation (GDPR), which took effect only a month ago. How did this happen? California legislators rushed a bill through to avoid a ballot initiative proposed by Alastair Mactaggart. Mactaggart agreed to withdraw the initiative if a law was signed by the Governor by today. The law takes effect on January 1, 2020. (And if you think that’s a long time, then you did not just live through the last 18 months working on GDPR preparedness.)   What does AB 375 mean for organizations doing business in California? It includes new disclosure requirements, consumer rights, training obligations, and potential penalties for noncompliance, among other things.

Below are some of the key provisions:

Continue Reading California, Privacy, and the New Normal – CA AB 375 Signed Into Law

This month we’re celebrating Privacy Shield’s first birthday (admittedly, a bit belated) with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield-front that companies certified or seeking self-certification under Privacy Shield need to know. If you are looking for a quick primer on Privacy Shield, please check out our previous post here. Once you’re ready, read on: Continue Reading Privacy Shield: Year One Updates You Need To Know

Earlier this month, three class action lawsuits were filed against companies for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). These lawsuits are raising eyebrows as COPPA does not provide for a private right of action, and a potential class certification could open the floodgates for COPPA-based lawsuits. Given these lawsuits and the recent enforcement actions brought by the FTC and the New York State Attorney General, companies more than ever need to understand their responsibilities and obligations under COPPA and maintain measures for compliance. Continue Reading Class Action Lawsuits over Alleged COPPA Violations Reinforce Importance of Compliance

On July 5, 2017, the FTC announced a settlement with Blue Global Media, LLC (“Blue Global”) and its CEO Christopher Kay over allegations that the company solicited consumers to provide sensitive information based on false pretenses and then shared that information with potential buyers without any regard for the protection or security of that information. The settlement provides key insights into the FTC’s current position on the processing of sensitive information. Continue Reading Data for Sale . . . at a Price – FTC Imposes $104 Million Judgment against Company over Alleged Unlawful Sharing of Consumers’ Sensitive Information