FTC

Subscribe to FTC via RSS

Several states and the Federal Trade Commission (FTC) have implemented autorenewal laws aimed at (i) better protecting consumers and providing transparency in automatic renewals (e.g., subscriptions) and (ii) mandating easy cancellation processes to terminate such products.

Although state laws vary, the amended California Automatic Renewal Law (CARL) and the FTC’s Click-to-Cancel Rule (FTC Rule) provide a comprehensive overview of what businesses can expect when complying with autorenewal laws. While these autorenewal requirements have consumers saying “click, click hooray” understanding and implementing these obligations can create a compliance conundrum for businesses. Here is a summary of what businesses should know.Continue Reading Click, Click Hooray: What Businesses Need to Know about Autorenewal Laws and Subscription Cancellation Requirements

Last week, Taft’s Privacy and Data Security team sponsored and presented at Northern Kentucky University’s (NKU) 17th Annual Cybersecurity Symposium. Our presentation centered on (i) new consumer health data laws being enacted at the state level across the country; (ii) the Federal Trade Commission (FTC) Act’s heightened focus on businesses’ use of health information and (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Although these laws have overlapping data points and serve a similar objective of protecting health data, the obligations placed on entities regulated under each law differ. Therefore, it is crucial for organizations collecting health data to learn about these laws, determine how, if at all, they apply to your organization and comply with the obligations outlined under each applicable law.

Below, we have prepared a summary of some obligations that these laws require of regulated companies.  Please note that the summary below is not intended to be an exhaustive list of obligations imposed under each law.Continue Reading Health Data and its Many Obligations – An Overview of the Expanding Scope of Health Data Laws in the United States

As we discussed last year, the Federal Trade Commission (FTC) has increased its focus and its enforcement related to the Children’s Online Privacy Protection Act (COPPA), especially in the educational context. Now the FTC is taking further steps to secure and protect children’s information as online tools and technologies continue to quickly advance.

In December 2023, the FTC issued a notice of proposed rulemaking to the COPPA rule that focuses on targeted advertising, push notifications, surveillance in the educational context, and providing more clarity on the exceptions under COPPA. According to the FTC Chair Linda M. Kah, “[t]he proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children.” Moreover, the FTC issued a lengthy statement from Commissioner Alvaro M. Bedoy that attempts to dispel the critiques around COPPA and other regulations around children’s data collection, such as the critique that many violations of such data privacy statutes regulate conduct that does not involve a great deal of harm. Looking at all of the above, it is clear that the FTC believes new tools and technologies utilized by companies online are a major risk to children and that this new rulemaking is necessary to keep up with such new tools and technologies.Continue Reading Children’s Online Privacy Protection Act Update: Part Deux! New FTC Rulemaking Proposal

In July of 2023, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published a joint letter cautioning hospitals, health app developers, and telehealth providers about the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health data to third parties. Additionally, the two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to remind them of the regulatory risks associated with using such technologies.Continue Reading A Cautionary Tale: FTC and OCR Publish Warning Letters Regarding the Use of Third-Party Tracking Technologies

Over the last few years, there has been an increased focus on the collection of children’s personal information in the United States. For example, many states have begun passing laws that significantly increase regulation for businesses collecting personal information from children, see our previous discussion on California’s Age-Appropriate Design Code Act. Additionally, at the federal level, the Federal Trade Commission (FTC) has increased its focus on the Children’s Online Privacy Protection Act (COPPA), specifically in the educational context.Continue Reading Children’s Online Privacy Protection Act Update! FTC Enforcement and New Parental Consent Proposal

On May 18, 2023, the Federal Trade Commission (the “FTC”) issued a policy statement on the use of biometric information under its regulatory powers in Section 5 of the FTC Act (the “Statement”). The Statement is the strongest message the FTC has ever issued regarding how certain uses of biometric technology may, depending on the circumstances, constitute unfair and deceptive trade practices under Section 5.

The Statement provides significant insight into the FTC’s shifting priorities and focus on the regulation of the use of biometric technology, a topic that so far has been regulated by state and local law – or not at all. Companies should take heed of the FTC’s guidance for purposes of understanding potential exposure not only at the federal and state regulatory level but also in the form of potential civil lawsuits under state unfair and deceptive trade practice statutes.Continue Reading The FTC Expands Its Regulatory Watch Over the Use of Biometric Technology

On October 24, 2022, in a rare occurrence, the Federal Trade Commission (FTC) issued a proposed order against Drizly, an online alcohol ordering and delivery service provider, that specifically holds the company’s CEO as liable for the company’s failure to maintain appropriate security safeguards that led to a second data breach.
Continue Reading FTC: Drizly Executive Held to Be Individually Liable for 2018 Data Breach

You may have heard of a security vulnerability from December 2021 called Log4j that allows attackers to remotely gain control of a vulnerable device. You may also think this is old news and no longer an issue.  Wrong. According to an April 26, 2022 report from researchers at the cybersecurity company Rezilion, there are currently over 90,000 vulnerable internet-facing applications and more than 68,000 servers that are still publicly exposed. That’s right – four months after the vulnerability was disclosed, a majority of affected open-source components remain unpatched and companies continue to use vulnerable versions of this tool. So, what is it anyways and do you need to take any action to mitigate the risk?
Continue Reading Apache Log4j Security Vulnerability Is STILL a Problem – What is it, Who Does it Impact, and Should I do Anything About It?

Thank you, reader, for taking time out of your day to read this blog post. I trust before clicking on this link you first sought out our website’s Privacy Policy and reviewed it in full, took mental notes while silently nodding throughout, and finished with an audible “I agree” before moving on to review this content. Correct?

Very likely you did not, but take solace in knowing you are in good company. Only 22% of Americans report “often” or “always” reading online privacy policies, and that’s solely for websites which require browsers to affirmatively agree to a privacy policy (i.e., flashing a pop-up with some form of “check the box” affirmation). This does not engender much confidence that Americans are actively seeking out and consenting to the privacy policies embedded within the myriad of websites they visit on a daily basis. And who can blame them – a 2008 study estimated it would take 244 hours each year to read every privacy policy in full for all the websites an average web browser visited annually. So put down your summer beach novel and start reading privacy policies – you’re already 10 weeks behind.

All kidding aside, this is a real problem for the United States’ federal data privacy legal framework, which is guided in part upon the Federal Trade Commission’s Fair Information Practice Principles. Notably, those include (i) consumer notice and awareness (“Consumers should be given notice of an entity’s information practices before any personal information is collected from them”), and (ii) consumer choice and consent (“In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice”). If the vast majority of websites utilize privacy policies which consumers are willfully ignoring or otherwise failing to recognize the existence of, much less comprehending their contents, how can one reasonably claim consumers are “on notice and aware” of privacy policies and exercising real “choice and consent” to the management of their personal data?
Continue Reading You Read the Privacy Policy, Right? Sure You Did. A New Federal Bill Seeks to Address the Transparency Gap.

FTCNow, more than ever, corporate boards must ensure their cybersecurity measures are up to par, funded, and properly implemented to avoid the FTC’s wrath. Corporate boards need to be cognizant of both ensuring that their cybersecurity measures are consistent with best practices and with nationally and internationally recognized data security standards — and that those cybersecurity measures can actually be met through commitment of sufficient resources. Otherwise, the Federal Trade Commission may find fertile ground to scrutinize the company, and
Continue Reading Corporate Boards Beware: The FTC is Watching