Last week, British Airways (BA) became one of the first public relations victims of the General Data Protection Regulation (GDPR). Per reports from TechCrunch, BA requested that individuals who had tweeted BA regarding flight delay complaints respond on Twitter—to the public—with personal information, purportedly in order to comply with the GDPR. The personal information that BA representatives requested included full names, billing addresses, dates of birth, the last 4 digits of payment cards, and even passport numbers. Eventually, BA clarified that it did not mean that users should respond with the requested information in the public feed, but rather that they should do so via direct message (DM).
For the fourth time, the Federal Trade Commission (FTC) has reached a consent agreement with a company for alleged misrepresentations regarding Privacy Shield certification. A California-based company, ReadyTech Corporation, agreed to a settlement whereby it is “prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.” Privacy Shield is one of a few mechanisms that are available to U.S. companies for the lawful transfer of personal data from the European Union and Switzerland to the United States pursuant to applicable data protection laws including the new General Data Protection Regulation (GDPR). As part of the process, companies must self-certify with the Department of Commerce (DoC) and then annually re-certify that the company is Privacy Shield compliant.
This afternoon, Governor Brown signed into law California Assembly Bill 375, the California Consumer Privacy Act of 2018. The law is unprecedented in the United States that it applies European-level compliance obligations akin to the now infamous General Data Protection Regulation (GDPR), which took effect only a month ago. How did this happen? California legislators rushed a bill through to avoid a ballot initiative proposed by Alastair Mactaggart. Mactaggart agreed to withdraw the initiative if a law was signed by the Governor by today. The law takes effect on January 1, 2020. (And if you think that’s a long time, then you did not just live through the last 18 months working on GDPR preparedness.) What does AB 375 mean for organizations doing business in California? It includes new disclosure requirements, consumer rights, training obligations, and potential penalties for noncompliance, among other things.
Below are some of the key provisions:
This month we’re celebrating Privacy Shield’s first birthday (admittedly, a bit belated) with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield-front that companies certified or seeking self-certification under Privacy Shield need to know. If you are looking for a quick primer on Privacy Shield, please check out our previous post here. Once you’re ready, read on: Continue Reading Privacy Shield: Year One Updates You Need To Know
Earlier this month, three class action lawsuits were filed against companies for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). These lawsuits are raising eyebrows as COPPA does not provide for a private right of action, and a potential class certification could open the floodgates for COPPA-based lawsuits. Given these lawsuits and the recent enforcement actions brought by the FTC and the New York State Attorney General, companies more than ever need to understand their responsibilities and obligations under COPPA and maintain measures for compliance. Continue Reading Class Action Lawsuits over Alleged COPPA Violations Reinforce Importance of Compliance
On July 5, 2017, the FTC announced a settlement with Blue Global Media, LLC (“Blue Global”) and its CEO Christopher Kay over allegations that the company solicited consumers to provide sensitive information based on false pretenses and then shared that information with potential buyers without any regard for the protection or security of that information. The settlement provides key insights into the FTC’s current position on the processing of sensitive information. Continue Reading Data for Sale . . . at a Price – FTC Imposes $104 Million Judgment against Company over Alleged Unlawful Sharing of Consumers’ Sensitive Information
On June 1, 2017, Washington State joined Illinois and Texas as the third state to pass a biometric privacy law. The law, H.B. 1493, which goes into effect July 23, 2017, covers any business entity that collects biometric identifiers for commercial purposes. Continue Reading Third State Adopts Biometric Privacy Law
Last week, the Federal Trade Commission (“FTC”) released a new report, Six-Step Compliance Plan for Your Business, to help companies understand their obligations under the Children’s Online Privacy Protection Act (“COPPA”). In addition to reviewing longstanding COPPA requirements, the report provides important new guidance on how COPPA applies to the rapidly evolving world of connected toys, online games and the Internet of Things (“IoT”). Here’s what you need to know. Continue Reading Children’s Privacy: FTC Issues New COPPA Guidance for IoT and Connected Devices
In what is being hailed by the Federal Trade Commission as “a record-setting win for American consumers,” and what should be viewed as a cautionary tale for marketers, satellite TV provider Dish Network (“Dish”) was recently found liable for repeated and willful violations of various federal and state telemarketing laws and ordered to pay 280 million dollars in damages in connection with a long-running lawsuit brought by the FTC, Department of Justice, and various state attorneys general. This decision comes on the heels of last month’s order in a North Carolina class action lawsuit brought against Dish, awarding damages of 61 million to the class action plaintiffs based on many of the same unlawful practices. The high monetary awards in both cases, and the additional restrictions imposed on Dish in the government’s lawsuit, highlight just how seriously regulators and courts are taking violations of the telemarketing laws. In addition to the take-aways listed below, the big lesson from the Dish cases is that marketers who rely on a network of third-party vendors to reach out to new customers and turn a blind eye to those vendors’ compliance with the telemarketing laws do so at their peril – and at the risk of millions in penalties. Continue Reading Dish Network Hit with Damages of 280 Million and 61 Million in Two Separate Lawsuits for Long-standing Violations of Telemarketing Laws
In the past five months, we’ve seen a significant shift in the direction of privacy regulation at the federal level. As discussed in our previous post, Congress voted (and President Trump signed) a resolution repealing last year’s FCC Order that imposed greater obligations on broadband Internet service providers and other carriers regarding the protection of customer data. The FCC and FTC also announced that they intend to reverse the FCC’s 2015 decision to treat broadband Internet service providers as Title II common carriers, which would effectively return jurisdiction over broadband Internet service providers to the FTC. Then, at the beginning of this month, the Ninth Circuit granted a petition by the FTC to rehear its ruling from last year that the FTC lacked authority under the FTC Act to regulate AT&T as a common carrier. Continue Reading Times They Are A-Changin’: Oregon and Illinois Bills Latest in Push by States to Regulate Internet Privacy