Vermont’s new Data Broker Regulation (“Regulation”) takes effect on January 1, 2019. The Regulation requires, among other things, that data brokers register with the Vermont Secretary State and protect personally identifiable information of Vermont residents. This week, the Vermont Attorney General issued guidance on the Regulation, which helps address questions on process and scope. Below are some of the key takeaways from the Regulation and guidance.

Continue Reading Vermont AG Issues Guidance on New Data Broker Regulation

This week, the New York State Attorney General announced a $4.95 million settlement with Oath Inc., the result of an investigation into violations of the Children’s Online Privacy Protection Act (“COPPA”).

The NYAG found that Oath’s ad exchanges transferred persistent identifiers and geolocation from website users to DSP bidders in its automated auction process.  While that may be fine for websites directed to grown-up audiences, COPPA includes persistent identifiers and geolocation in its definition of “personal information.”  And under the law, companies must obtain verifiable parental consent before collecting or using children’s personal information.

But instead of seeking verifiable parental consent, Oath treated all websites (and therefore all user information) the same, despite knowledge that some website inventory on its exchange was directed to children under 13 and subject to COPPA.  And instead of using available technology to avoid the use of children’s information altogether, Oath’s ad exchanges allowed advertisers to collect information on children and display ads on sites targeting children.  The “flagrant” violations of the law led to the largest-ever penalty under COPPA and a settlement agreement provided some remarkable takeaways:

Continue Reading AdTech Provider Hit with Record COPPA Fine

Shortly after FTC staff published the results of their study on cross-device tracking (described in this prior blog post), the FTC issued its own comprehensive report on the topic.  In addition to highlighting many of the same benefits and privacy concerns raised by cross-device tracking, the FTC report provides an update on industry self-regulatory efforts in this area, along with practical recommendations for those involved in cross-device tracking, based on learnings from past FTC enforcement actions. Continue Reading Don’t Get Your Wires Crossed When Cross-Device Tracking

Earlier this month, the FTC announced that a third-party study and report on cross-device tracking had been completed by the Office of Technology, Research and Investigation (“OTech”), following up on their presentation on this topic at the FTC’s 2015 workshop.  The FTC released its own report on cross-device tracking last week, which will be covered in a subsequent blog post.  OTech’s study focused on: 1) what information companies are collecting and may be using to track consumers across devices, and 2) what companies are disclosing about their cross-device tracking in privacy policies or otherwise (the answer is not much!).  Continue Reading FTC Highlights Third-Party Report Finding That Companies Are Hiding the Ball on Cross-Device Tracking