In July of 2023, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published a joint letter cautioning hospitals, health app developers, and telehealth providers about the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health data to third parties. Additionally, the two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to remind them of the regulatory risks associated with using such technologies.
Over the last few years, there has been an increased focus on the collection of children’s personal information in the United States. For example, many states have begun passing laws that significantly increase regulation for businesses collecting personal information from children, see our previous discussion on California’s Age-Appropriate Design Code Act. Additionally, at the federal level, the Federal Trade Commission (FTC) has increased its focus on the Children’s Online Privacy Protection Act (COPPA), specifically in the educational context.…
On May 18, 2023, the Federal Trade Commission (the “FTC”) issued a policy statement on the use of biometric information under its regulatory powers in Section 5 of the FTC Act (the “Statement”). The Statement is the strongest message the FTC has ever issued regarding how certain uses of biometric technology may, depending on the circumstances, constitute unfair and deceptive trade practices under Section 5.
The Statement provides significant insight into the FTC’s shifting priorities and focus on the regulation of the use of biometric technology, a topic that so far has been regulated by state and local law – or not at all. Companies should take heed of the FTC’s guidance for purposes of understanding potential exposure not only at the federal and state regulatory level but also in the form of potential civil lawsuits under state unfair and deceptive trade practice statutes.…
On October 24, 2022, in a rare occurrence, the Federal Trade Commission (FTC) issued a proposed order against Drizly, an online alcohol ordering and delivery service provider, that specifically holds the company’s CEO as liable for the company’s failure to maintain appropriate security safeguards that led to a second data breach.
Continue Reading FTC: Drizly Executive Held to Be Individually Liable for 2018 Data Breach
You may have heard of a security vulnerability from December 2021 called Log4j that allows attackers to remotely gain control of a vulnerable device. You may also think this is old news and no longer an issue. Wrong. According to an April 26, 2022 report from researchers at the cybersecurity company Rezilion, there are currently over 90,000 vulnerable internet-facing applications and more than 68,000 servers that are still publicly exposed. That’s right – four months after the vulnerability was disclosed, a majority of affected open-source components remain unpatched and companies continue to use vulnerable versions of this tool. So, what is it anyways and do you need to take any action to mitigate the risk?
Continue Reading Apache Log4j Security Vulnerability Is STILL a Problem – What is it, Who Does it Impact, and Should I do Anything About It?
All kidding aside, this is a real problem for the United States’ federal data privacy legal framework, which is guided in part upon the Federal Trade Commission’s Fair Information Practice Principles. Notably, those include (i) consumer notice and awareness (“Consumers should be given notice of an entity’s information practices before any personal information is collected from them”), and (ii) consumer choice and consent (“In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice”). If the vast majority of websites utilize privacy policies which consumers are willfully ignoring or otherwise failing to recognize the existence of, much less comprehending their contents, how can one reasonably claim consumers are “on notice and aware” of privacy policies and exercising real “choice and consent” to the management of their personal data?
Now, more than ever, corporate boards must ensure their cybersecurity measures are up to par, funded, and properly implemented to avoid the FTC’s wrath. Corporate boards need to be cognizant of both ensuring that their cybersecurity measures are consistent with best practices and with nationally and internationally recognized data security standards — and that those cybersecurity measures can actually be met through commitment of sufficient resources. Otherwise, the Federal Trade Commission may find fertile ground to scrutinize the company, and…
Continue Reading Corporate Boards Beware: The FTC is Watching
The Children’s Online Privacy Protection Act (“COPPA”) governs an online operator’s collection of personal information from children, i.e., those under 13 years of age. Generally, the act requires verifiable parental consent before an online operator may collect a child’s “personal information,” a term that the rule broadly defines. Verifiable parental consent is not easy to obtain, but it has been simplified, per the FTC’s guidance, for operators collecting online information in partnerships with schools.
Verifiable Parental Consent
The general rule…
Continue Reading Simplifying Classroom Consent: the FTC’s Guidance on COPPA in Schools