Privacy Shield: Year One Updates You Need To Know

This month we’re celebrating Privacy Shield’s first birthday (admittedly, a bit belated) with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield front that companies certified or seeking self-certification under Privacy Shield need to know. If you are looking for a quick primer on Privacy Shield, please check out our previous post here. Once you’re ready, read on.
Class Action Lawsuits over Alleged COPPA Violations Reinforce Importance of Compliance

Earlier this month, three class action lawsuits were filed against companies for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). These lawsuits are raising eyebrows as COPPA does not provide for a private right of action, and a potential class certification could open the floodgates for COPPA-based lawsuits. Given these lawsuits and the recent enforcement actions brought by the FTC and the New York State Attorney General, companies more than ever need to understand their responsibilities and obligations under COPPA and maintain measures for compliance.
Data for Sale . . . at a Price – FTC Imposes $104 Million Judgment against Company over Alleged Unlawful Sharing of Consumers’ Sensitive Information

On July 5, 2017, the FTC announced a settlement with Blue Global Media, LLC (“Blue Global”) and its CEO Christopher Kay over allegations that the company solicited consumers to provide sensitive information based on false pretenses and then shared that information with potential buyers without any regard for the protection or security of that information. The settlement provides key insights into the FTC’s current position on the processing of sensitive information.
Third State Adopts Biometric Privacy Law

On June 1, 2017, Washington State joined Illinois and Texas as the third state to pass a biometric privacy law. The law, H.B. 1493, which goes into effect July 23, 2017, covers any business entity that collects biometric identifiers for commercial purposes.
Children’s Privacy: FTC Issues New COPPA Guidance for IoT and Connected Devices

Last week, the Federal Trade Commission (“FTC”) released a new report, Six-Step Compliance Plan for Your Business, to help companies understand their obligations under the Children’s Online Privacy Protection Act (“COPPA”). In addition to reviewing longstanding COPPA requirements, the report provides important new guidance on how COPPA applies to the rapidly evolving world of connected toys, online games and the Internet of Things (“IoT”). Here’s what you need to know.
Dish Network Hit with Damages of 280 Million and 61 Million in Two Separate Lawsuits for Long-standing Violations of Telemarketing Laws

In what is being hailed by the Federal Trade Commission as “a record-setting win for American consumers,” and what should be viewed as a cautionary tale for marketers, satellite TV provider Dish Network (“Dish”) was recently found liable for repeated and willful violations of various federal and state telemarketing laws and ordered to pay 280 million dollars in damages in connection with a long-running lawsuit brought by the FTC, Department of Justice, and various state attorneys general. This decision comes on the heels of last month’s order in a North Carolina class action lawsuit brought against Dish, awarding damages of 61 million to the class action plaintiffs based on many of the same unlawful practices. The high monetary awards in both cases, and the additional restrictions imposed on Dish in the government’s lawsuit, highlight just how seriously regulators and courts are taking violations of the telemarketing laws. In addition to the take-aways listed below, the big lesson from the Dish cases is that marketers who rely on a network of third-party vendors to reach out to new customers and turn a blind eye to those vendors’ compliance with the telemarketing laws do so at their peril – and at the risk of millions in penalties.
Times They Are A-Changin’: Oregon and Illinois Bills Latest in Push by States to Regulate Internet Privacy

In the past five months, we’ve seen a significant shift in the direction of privacy regulation at the federal level. As discussed in our previous post, Congress voted (and President Trump signed) a resolution repealing last year’s FCC Order that imposed greater obligations on broadband Internet service providers and other carriers regarding the protection of customer data. The FCC and FTC also announced that they intend to reverse the FCC’s 2015 decision to treat broadband Internet service providers as Title II common carriers, which would effectively return jurisdiction over broadband Internet service providers to the FTC. Then, at the beginning of this month, the Ninth Circuit granted a petition by the FTC to rehear its ruling from last year that the FTC lacked authority under the FTC Act to regulate AT&T as a common carrier.
Caution: Spoilers Ahead
The plot of last Sunday’s episode of HBO’s fantastic and hilarious show, Silicon Valley, titled “Terms of Service,” was driven entirely by “COPPA,” a somewhat obscure (though probably not to our blog readers) privacy law that stands for the Children’s Online Privacy Protection Act. As someone who frequently advises clients on COPPA-related issues, this was a really fun episode for me to watch. So I thought I’d share some of my musings.
Federal Appeals Court Weakens DMCA Safe Harbor Protection for Moderated Online Content

If you’re an online publisher or other internet service provider (“ISP”) that relies on moderators to police or curate user-generated comments or other content, your risk of liability for copyright infringement just increased. In a recent opinion, the influential Ninth Circuit Court of Appeals sent shockwaves through the ISP community by ruling that LiveJournal.com, a social media platform, may not be immunized from copyright liability under the Digital Millennium Copyright Act (“DMCA”). The court held that LiveJournal may be liable for infringing content submitted by users of the site because the company relied on paid and volunteer moderators to curate and police the content for substance and possible infringement. The opinion calls into question many widely held assumptions about the scope of DMCA immunity and raises serious concerns for websites that rely on user-generated content, curated by moderators, as part of their business model. The decision represents a sea change in the interpretation of the DMCA for internet media outlets. Here’s what you need to know.
Start Your Engines: We Have to Deal With GDPR, What Now?

Back in January, we posted about the circumstances in which your company, even if based in the US, must comply with the EU General Data Protection Regulation (GDPR), taking effect in May 2018. Now we get down to business. If your organization is covered, how do you start the process of preparing for compliance? There appear to be so many moving pieces; where to begin? Here we will provide a high-level checklist to help you start down the path of GDPR readiness. As usual, this is not legal advice, just information based on the resources available from the EU authorities thus far, designed to help you get your ducks in a row and start planning.

First, a reminder. Due to the extraterritorial jurisdiction provisions of the GDPR, your company is covered by the law even if you have no establishment in the EU if you process personal data of data subjects in the EU and that processing relates to (a) the offering of goods or services to those data subjects, irrespective of whether a payment of the data subject is required; or (b) the monitoring of those data subjects’ behavior as far as their behavior takes place in the EU. Processing means any operation which is performed upon personal data, whether or not by automatic means, including collection, recording, organization, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, combination, blocking, erasure and destruction. Personal data is also broadly defined and includes not only what we think of as traditionally personally identifiable information connected to a name or person, but also information connected to a particular device or even an IP address. EU regulators can assess administrative fines of €20 million or up to 4% of the total worldwide annual turnover of the preceding fiscal year, whichever is higher.

If your organization is covered by the law, here is a list of things to consider — and the sooner the better (with barely over a year to become compliant). Each of the following points will be the subject of a more detailed overview in a series of forthcoming blog posts over the next few months.