As we discussed last year, the Federal Trade Commission (FTC) has increased its focus and its enforcement related to the Children’s Online Privacy Protection Act (COPPA), especially in the educational context. Now the FTC is taking further steps to secure and protect children’s information as online tools and technologies continue to quickly advance.

In December 2023, the FTC issued a notice of proposed rulemaking to the COPPA rule that focuses on targeted advertising, push notifications, surveillance in the educational context, and providing more clarity on the exceptions under COPPA. According to the FTC Chair Linda M. Kah, “[t]he proposed changes to COPPA are much-needed, especially in an era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children.” Moreover, the FTC issued a lengthy statement from Commissioner Alvaro M. Bedoy that attempts to dispel the critiques around COPPA and other regulations around children’s data collection, such as the critique that many violations of such data privacy statutes regulate conduct that does not involve a great deal of harm. Looking at all of the above, it is clear that the FTC believes new tools and technologies utilized by companies online are a major risk to children and that this new rulemaking is necessary to keep up with such new tools and technologies.Continue Reading Children’s Online Privacy Protection Act Update: Part Deux! New FTC Rulemaking Proposal

In July of 2023, the Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published a joint letter cautioning hospitals, health app developers, and telehealth providers about the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health data to third parties. Additionally, the two agencies sent the joint letter to approximately 130 hospital systems and telehealth providers to remind them of the regulatory risks associated with using such technologies.Continue Reading A Cautionary Tale: FTC and OCR Publish Warning Letters Regarding the Use of Third-Party Tracking Technologies

Over the last few years, there has been an increased focus on the collection of children’s personal information in the United States. For example, many states have begun passing laws that significantly increase regulation for businesses collecting personal information from children, see our previous discussion on California’s Age-Appropriate Design Code Act. Additionally, at the federal level, the Federal Trade Commission (FTC) has increased its focus on the Children’s Online Privacy Protection Act (COPPA), specifically in the educational context.Continue Reading Children’s Online Privacy Protection Act Update! FTC Enforcement and New Parental Consent Proposal

On May 18, 2023, the Federal Trade Commission (the “FTC”) issued a policy statement on the use of biometric information under its regulatory powers in Section 5 of the FTC Act (the “Statement”). The Statement is the strongest message the FTC has ever issued regarding how certain uses of biometric technology may, depending on the circumstances, constitute unfair and deceptive trade practices under Section 5.

The Statement provides significant insight into the FTC’s shifting priorities and focus on the regulation of the use of biometric technology, a topic that so far has been regulated by state and local law – or not at all. Companies should take heed of the FTC’s guidance for purposes of understanding potential exposure not only at the federal and state regulatory level but also in the form of potential civil lawsuits under state unfair and deceptive trade practice statutes.Continue Reading The FTC Expands Its Regulatory Watch Over the Use of Biometric Technology

On October 24, 2022, in a rare occurrence, the Federal Trade Commission (FTC) issued a proposed order against Drizly, an online alcohol ordering and delivery service provider, that specifically holds the company’s CEO as liable for the company’s failure to maintain appropriate security safeguards that led to a second data breach.
Continue Reading FTC: Drizly Executive Held to Be Individually Liable for 2018 Data Breach

You may have heard of a security vulnerability from December 2021 called Log4j that allows attackers to remotely gain control of a vulnerable device. You may also think this is old news and no longer an issue.  Wrong. According to an April 26, 2022 report from researchers at the cybersecurity company Rezilion, there are currently over 90,000 vulnerable internet-facing applications and more than 68,000 servers that are still publicly exposed. That’s right – four months after the vulnerability was disclosed, a majority of affected open-source components remain unpatched and companies continue to use vulnerable versions of this tool. So, what is it anyways and do you need to take any action to mitigate the risk?
Continue Reading Apache Log4j Security Vulnerability Is STILL a Problem – What is it, Who Does it Impact, and Should I do Anything About It?

Thank you, reader, for taking time out of your day to read this blog post. I trust before clicking on this link you first sought out our website’s Privacy Policy and reviewed it in full, took mental notes while silently nodding throughout, and finished with an audible “I agree” before moving on to review this content. Correct?

Very likely you did not, but take solace in knowing you are in good company. Only 22% of Americans report “often” or “always” reading online privacy policies, and that’s solely for websites which require browsers to affirmatively agree to a privacy policy (i.e., flashing a pop-up with some form of “check the box” affirmation). This does not engender much confidence that Americans are actively seeking out and consenting to the privacy policies embedded within the myriad of websites they visit on a daily basis. And who can blame them – a 2008 study estimated it would take 244 hours each year to read every privacy policy in full for all the websites an average web browser visited annually. So put down your summer beach novel and start reading privacy policies – you’re already 10 weeks behind.

All kidding aside, this is a real problem for the United States’ federal data privacy legal framework, which is guided in part upon the Federal Trade Commission’s Fair Information Practice Principles. Notably, those include (i) consumer notice and awareness (“Consumers should be given notice of an entity’s information practices before any personal information is collected from them”), and (ii) consumer choice and consent (“In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice”). If the vast majority of websites utilize privacy policies which consumers are willfully ignoring or otherwise failing to recognize the existence of, much less comprehending their contents, how can one reasonably claim consumers are “on notice and aware” of privacy policies and exercising real “choice and consent” to the management of their personal data?
Continue Reading You Read the Privacy Policy, Right? Sure You Did. A New Federal Bill Seeks to Address the Transparency Gap.

FTCNow, more than ever, corporate boards must ensure their cybersecurity measures are up to par, funded, and properly implemented to avoid the FTC’s wrath. Corporate boards need to be cognizant of both ensuring that their cybersecurity measures are consistent with best practices and with nationally and internationally recognized data security standards — and that those cybersecurity measures can actually be met through commitment of sufficient resources. Otherwise, the Federal Trade Commission may find fertile ground to scrutinize the company, and
Continue Reading Corporate Boards Beware: The FTC is Watching

The Children’s Online Privacy Protection Act (“COPPA”) governs an online operator’s collection of personal information from children, i.e., those under 13 years of age.  Generally, the act requires verifiable parental consent before an online operator may collect a child’s “personal information,” a term that the rule broadly defines.  Verifiable parental consent is not easy to obtain, but it has been simplified, per the FTC’s guidance, for operators collecting online information in partnerships with schools.

Verifiable Parental Consent
The general rule
Continue Reading Simplifying Classroom Consent: the FTC’s Guidance on COPPA in Schools