For the fourth time, the Federal Trade Commission (FTC) has reached a consent agreement with a company for alleged misrepresentations regarding Privacy Shield certification. A California-based company, ReadyTech Corporation, agreed to a settlement whereby it is “prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.” Privacy Shield is one of a few mechanisms that are available to U.S. companies for the lawful transfer of personal data from the European Union and Switzerland to the United States pursuant to applicable data protection laws including the new General Data Protection Regulation (GDPR). As part of the process, companies must self-certify with the Department of Commerce (DoC) and then annually re-certify that the company is Privacy Shield compliant.

As part of the self-certification process, an organization must update its privacy policy prior to the DoC’s review. The International Trade Administration (ITA) of the DoC, which administers the Privacy Shield program, must actually verify that a company has completed certain requirements before finalizing the organization’s self-certification or re-certification. One of these requirements is that the organization has “included in its privacy policy a statement that it adheres to the Privacy Shield Principles and, if the privacy policy is available online, a hyperlink to the Department’s Privacy Shield website.” By posting what is, for all intents and purposes, a promise to consumers, an organization is running straight into the FTC’s Section 5 powers to investigate possible “unfair or deceptive acts or practices” in commerce—the power under which the FTC has nudged many best practices related to consumer data privacy and information security in the United States.

Like its three predecessors, each of which entered into a consent order with the FTC over Privacy Shield misrepresentations in its privacy policy, ReadyTech Corporation is alleged to have falsely claimed on its website that it was in the process of certifying its compliance with the Privacy Shield Framework. The FTC’s press release specified that “[w]hile ReadyTech initiated an application to the U.S. Department of Commerce in October 2016, the company did not complete the steps necessary to participate in the Privacy Shield framework.”

There are a couple of important facts to consider regarding the timeline of this action. While it is only the fourth enforcement action of its kind, and the first since September 8, 2017, the action more importantly comes only a little more than a month after GDPR went into effect on May 25th. It also comes only two months after the FTC’s empty commissioner seats were finally filled by President Trump and new chairman Joseph Simons was sworn in. Because the Privacy Shield framework is one of the few mechanisms whereby companies may lawfully engage in international data transfer under the GDPR, and many organizations scrambled to update their privacy policies prior to May 25th, the FTC may be giving a prudent warning that it will be investigating misrepresentations as to Privacy Shield certification and compliance in the near future.

This afternoon, Governor Brown signed into law California Assembly Bill 375, the California Consumer Privacy Act of 2018. The law is unprecedented in the United States in that it applies European-level compliance obligations akin to the now infamous General Data Protection Regulation (GDPR), which took effect only a month ago. How did this happen? California legislators rushed a bill through to avoid a ballot initiative proposed by Alastair Mactaggart. Mactaggart agreed to withdraw the initiative if a law was signed by the Governor by today. The law takes effect on January 1, 2020. (And if you think that’s a long time, then you did not just live through the last 18 months working on GDPR preparedness.) What does AB 375 mean for organizations doing business in California? It includes new disclosure requirements, consumer rights, training obligations, and potential penalties for noncompliance, among other things.

Below are some of the key provisions:


This month we’re celebrating Privacy Shield’s first birthday (admittedly, a bit belated) with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield front that companies certified or seeking self-certification under Privacy Shield need to know. If you are looking for a quick primer on Privacy Shield, please check out our previous post.

Earlier this month, three class action lawsuits were filed against companies for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). These lawsuits are raising eyebrows as COPPA does not provide for a private right of action, and a potential class certification could open the floodgates for COPPA-based lawsuits. Given these lawsuits and the recent enforcement actions brought by the FTC and the New York State Attorney General, companies more than ever need to understand their responsibilities and obligations under COPPA and maintain measures for compliance.

On July 5, 2017, the FTC announced a settlement with Blue Global Media, LLC (“Blue Global”) and its CEO Christopher Kay over allegations that the company solicited consumers to provide sensitive information based on false pretenses and then shared that information with potential buyers without any regard for the protection or security of that information. The settlement provides key insights into the FTC’s current position on the processing of sensitive information.

Last week, the Federal Trade Commission (“FTC”) released a new report, Six-Step Compliance Plan for Your Business, to help companies understand their obligations under the Children’s Online Privacy Protection Act (“COPPA”). In addition to reviewing longstanding COPPA requirements, the report provides important new guidance on how COPPA applies to the rapidly evolving world of connected toys, online games and the Internet of Things (“IoT”). Here’s what you need to know.

In what is being hailed by the Federal Trade Commission as “a record-setting win for American consumers,” and what should be viewed as a cautionary tale for marketers, satellite TV provider Dish Network (“Dish”) was recently found liable for repeated and willful violations of various federal and state telemarketing laws and ordered to pay $280 million in damages in connection with a long-running lawsuit brought by the FTC, Department of Justice, and various state attorneys general. This decision comes on the heels of last month’s order in a North Carolina class action lawsuit brought against Dish, awarding $61 million in damages to the class action plaintiffs based on many of the same unlawful practices. The high monetary awards in both cases, and the additional restrictions imposed on Dish in the government’s lawsuit, highlight just how seriously regulators and courts are taking violations of the telemarketing laws. In addition to the take-aways listed below, the big lesson from the Dish cases is that marketers who rely on a network of third-party vendors to reach out to new customers and turn a blind eye to those vendors’ compliance with the telemarketing laws do so at their peril, and at the risk of millions in penalties.

In the past five months, we’ve seen a significant shift in the direction of privacy regulation at the federal level. As discussed in our previous post, Congress passed (and President Trump signed) a resolution repealing last year’s FCC Order that imposed greater obligations on broadband Internet service providers and other carriers regarding the protection of customer data. The FCC and FTC also announced that they intend to reverse the FCC’s 2015 decision to treat broadband Internet service providers as Title II common carriers, which would effectively return jurisdiction over broadband Internet service providers to the FTC. Then, at the beginning of this month, the Ninth Circuit granted a petition by the FTC to rehear its ruling from last year that the FTC lacked authority under the FTC Act to regulate AT&T as a common carrier.

Caution: Spoilers Ahead

The plot of last Sunday’s episode of HBO’s fantastic and hilarious show, Silicon Valley, titled “Terms of Service,” was driven entirely by COPPA, the Children’s Online Privacy Protection Act, a somewhat obscure privacy law (though probably not to our blog readers). As someone who frequently advises clients on COPPA-related issues, this was a really fun episode for me to watch. So I thought I’d share some of my musings.

