The U.S. Government Accountability Office has launched an investigation into how retirement plan providers use data collected from 401k plan participants to engage in cross-selling of financial products.
On October 16, 2024, the Federal Trade Commission issued a final Click-to-Cancel Rule, also known as the Negative Option Rule, updating its existing regulatory scheme that requires sellers to make it as easy for consumers to cancel their subscriptions and memberships as it is to sign up in the first place.
In August 2024, the Guangzhou Internet Court in China published its final decision in the case No. (2022) Yue 0192 Minchu 6486 regarding the cross-border transfer of personal information under the Personal Information Protection Law (“PIPL”), which was originally issued on September 8, 2023. It is the first case explaining the reliance on necessity for performance of contract in cross-border data transfer activities.
On September 24, 2024, a federal district court held that New York City’s Customer Data Law violates the First Amendment.
On August 30, 2024, the Federal Trade Commission announced a proposed settlement with Verkada, a security camera firm, in connection with alleged data security failures and CAN-SPAM Act violations. Under the proposed order, Verkada will be required to implement a comprehensive information security program and pay a $2.95 million monetary penalty.
On July 30, 2024, New York Attorney General Letitia James announced the Office of the AG’s publication of two privacy guides, one for businesses and one for consumers, both focused on the use of website tracking technologies.
On July 22, 2024, Google announced that the company is scrapping its plans to phase out the use of third-party cookies in its Chrome browser. Google previously announced plans in 2020 to phase out third-party cookies, a digital advertising tool that tracks consumers’ Internet activity across websites. The company intended to replace third-party cookies with privacy-protective APIs through its Privacy Sandbox initiative.
On July 23, 2024, the Federal Trade Commission announced that it had launched a study of eight companies’ “surveillance pricing” practices. According to the FTC, “the orders are aimed at helping the FTC better understand the opaque market for products by third-party intermediaries that claim to use advanced algorithms, artificial intelligence and other technologies, along with personal information about consumers—such as their location, demographics, credit history, and browsing or shopping history—to categorize individuals and set a targeted price for a product or service.”
On July 22, 2024, Google announced that the company had scrapped its plan to phase out the use of third-party cookies in its Chrome browser.
Earlier this month, the Federal Trade Commission, International Consumer Protection and Enforcement Network and Global Privacy Enforcement Network announced the results of a comprehensive review regarding the use of “dark patterns.”
On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the latest federal privacy proposal, known as American Privacy Rights Act (“APRA” or the “Act”). The APRA builds upon the American Data Privacy and Protection Act (“ADPPA”), which was introduced as H.R. 8152 in the 117th Congress and advanced out of the House Energy and Commerce Committee but did not become law. As the latest iteration of a federal privacy proposal, the APRA signals that some members of Congress continue to seek to create a federal standard in the wake of—and in spite of—the ever-growing patchwork of state privacy laws.
After potential warning signs spanning several years, on March 14, 2024, the Federal Trade Commission brought an enforcement action against two entities selling virus protection software to consumers via online and telemarketing sales. According to the FTC’s complaint, for several years the entities, Restoro Cyprus Limited and Reimage Cyprus Limited, received excessive chargebacks on purchases, numerous consumer complaints made directly to the entities, and various indirect consumer complaints made to vendors, telecoms service providers and others.
On February 22, 2024, the Federal Trade Commission announced a settlement order against Avast Limited (“Avast”) requiring Avast to pay $16.5 million and prohibiting Avast from selling or licensing any web browsing data for advertising purposes. This ban is to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.
On September 14, 2023, the Federal Trade Commission issued a press release announcing the publication of a staff paper about blurred advertising. In the staff paper, the FTC describes blurred advertising as the blending of ads with digital media content (e.g., displaying ads within online games and virtual reality worlds). The FTC warns that these ads are not readily identifiable as marketing by consumers and pose a significant threat to young children who do not have the skills or cognitive defenses to identify and understand this type of advertising. The FTC recommends that ...
On August 14, 2023, the Federal Trade Commission announced a proposed order against Experian Consumer Services (“Experian”) for failure to comply with the federal CAN-SPAM Act. The complaint alleges that Experian sent marketing emails that did not provide an unsubscribe opportunity to consumers who had signed up for Experian’s credit monitoring services. The CAN-SPAM Act requires businesses to, in relevant part, clearly and conspicuously display a return email address or Internet-based mechanism that allows consumers to unsubscribe from future marketing emails. While the Experian emails contained a notice stating that the messages related to the consumer’s Experian account (which would make them “transactional” or “relationship” messages under the CAN-SPAM Act, and therefore exempt from the unsubscribe requirement), the complaint alleged that, in actuality, the emails contained only marketing material.
On July 14, 2023, the Norwegian Data Protection Authority (“DPA”) ordered Meta Platforms Ireland Limited and Facebook Norway AS (jointly, “Meta”) to temporarily cease the processing of personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior,” when relying on either the contractual necessity legal basis (Article 6(1)b)) or the legitimate interests legal basis (Article 6(1)(f)) of the GDPR.
On June 13, 2023, Texas Governor Greg Abbott signed H.B. 18, or the Securing Children Online through Parental Empowerment (“SCOPE”) Act that would impose obligations on digital service providers to protect minors.
On June 13, 2023, Texas Governor Greg Abbott signed H.B. 18, or the Securing Children Online through Parental Empowerment (“SCOPE”) Act that would require digital service providers to get parental consent to create an account with minors younger than 18 years of age.
On February 20, 2023, in the case of Experian Limited v The Information Commissioner, the First-Tier Tribunal in the UK (the “Tribunal”) ruled on the ICO’s action to require Experian to make changes to how it processes personal data for direct marketing purposes. While the Tribunal supported the ICO in certain respects, it largely ruled in favor of Experian and issued a Substituted Decision Notice, as detailed further below.
The UK Information Commissioner’s Office (“ICO”) recently published a package of detailed guidance and checklists for direct marketing activities. The ICO’s new webpage on direct marketing now includes various resources, including specific guidance for SMEs, business-to-business marketing, and organizations using the marketing services of data brokers, as well as direct marketing FAQs and checklists, and a training module for businesses.
On October 26, 2022, House Energy and Commerce Committee and Consumer Protection and Commerce Subcommittee leaders (“Committee Leaders”) sent letters to several toy manufacturers, including Bandai Namco, Hasbro, Mattel, MGA Entertainment, LEGO Group and the Toy Association, asking how they plan to protect children and their information from BigTech companies like TikTok and YouTube. Given the shift of marketing efforts from traditional television outlets to social media platforms, Committee Leaders are concerned about failure to protect children’s privacy, security and mental health on social media platforms.
On September 23, 2022, New York State Senator Andrew Gounardes introduced S9563, also known as the “New York Child Data Privacy and Protection Act.” The bill, which resembles the recently passed California Age-Appropriate Design Code Act, bans certain data collection and targeted advertising and requires data controllers to, among other obligations, assess the impact of their products on children.
On October 13, 2022, the Interactive Advertising Bureau (“IAB”) released for public comment an updated version of its contractual framework and new U.S. State Signals (“Signals”) specifications to help the digital advertising industry comply with the comprehensive state privacy laws of California, Virginia, Colorado, Utah and Connecticut.
On September 21, 2022, the Federal Communications Commission (“FCC”) announced a proposed combined fine of $3.4 million against Sinclair Broadcast Group, Nexstar Media Group and 19 other broadcast television licensees for violations of rules limiting commercial matter in children's television programming.
On September 21, 2022, the Federal Trade Commission announced the agenda for its “Protecting Kids from Stealth Advertising in Digital Media” virtual event to be held on October 19, 2022. The event will cover how children recognize and understand digital advertising content; the current advertising landscape’s impact on kids, including potential harms stemming from an inability to distinguish advertising from other content; and an assessment of the current legal regime’s protection of children from potential harms, and whether additional regulatory, self-regulatory, educational and technological tools may provide additional protection.
On September 7, 2022, the Children’s Advertising Review Unit (“CARU”) of BBB National Programs announced its finding that Tilting Point Media, LLC (“Tilting Point”), owner and operator of the SpongeBob: Krusty Cook-Off app (the “App”), violated the Children’s Online Privacy Protection Act (“COPPA”) and CARU’s Self-Regulatory Guidelines for Advertising and for Children’s Online Privacy Protection (“CARU’s Guidelines”). CARU has recommended a variety of corrective actions with respect to Tilting Point’s advertising and privacy practices.
On August 29, 2022, the Federal Trade Commission announced a civil action against digital marketing data broker Kochava Inc. for “selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” The lawsuit seeks a permanent injunction to stop Kochava’s sale of geolocation data and to require the company to delete the geolocation data it has collected.
On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). The Act, which takes effect July 1, 2024, places new legal obligations on companies with respect to online products and services that are “likely to be accessed by children” under the age of 18.
On August 10, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued a new interpretive rule clarifying when digital marketing providers must comply with federal consumer financial protection law. Under the new rule, Big Tech companies that use behavioral advertising techniques to market financial products will be subject to the Consumer Financial Protection Act of 2010 (“CFPA”).
On August 23, 2022, the Federal Trade Commission announced it is seeking additional public comment on “how children are affected by digital advertising and marketing messages that may blur the line between ads and entertainment” in conjunction with its “Protecting Kids from Stealth Advertising in Digital Media” event on October 19, 2022. The event will focus on manipulative marketing practices targeted towards children, particularly those related to influencer marketing and online games.
On June 3, 2022, the Federal Trade Commission announced it is seeking public comment on its 2013 guidance, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising” (the “Guidance”). The FTC indicated that it is updating the Guidance to better protect consumers against online deceptive practices, particularly because some companies have interpreted the current version of Guidance to “justify practices that mislead consumers online.” For example, the FTC explains that companies have wrongfully claimed they can avoid FTC Act liability by placing required disclosures behind hyperlinks. The updated Guidance will address issues such as advertising on social media, in video games, in virtual reality environments, and on mobile devices and applications, as well as the use of dark patterns, manipulative user interface designs, multi-party selling arrangements, hyperlinks and online disclosures.
On June 3, 2022, House Energy and Commerce Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (“ADPPA”).
On April 28, 2022, the Federal Trade Commission published a Notice of Proposed Rulemaking (“NPRM”) and an Advance Notice of Proposed Rulemaking (“ANPRM”), proposing several updates to the Telemarketing Sale Rules (“TSR”).
On April 8, 2022, the Food and Drug Administration (“FDA”) issued Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, a draft guidance document for industry and FDA staff. Industry stakeholders will have until July 7, 2022 to comment on the proposed guidance.
On March 24, 2022, the European Union unveiled the final text of the Digital Markets Act (the “DMA”). The final text of the DMA was reached following trilogue negotiations between the European Commission, European Parliament and EU Member States (led by the French Presidency at the European Council). The final text retains essentially the same features as the previous draft text but does include some notable changes.
On March 1, 2022, President Biden, in his first State of the Union address, called on Congress to strengthen privacy protections for children, including by banning online platforms from excessive data collection and targeted advertising for children and young people. President Biden called for these heightened protections as part of his unity agenda to address the nation’s mental health crisis, especially the growing concern about the harms of digital technologies, particularly social media, to the mental health and well-being of children and young people. President Biden not only urged for stronger protections for children’s data and privacy, but also for interactive digital service providers to prioritize safety-by-design standards and practices. In his address, President Biden called on online platforms to “prioritize and ensure the health, safety and well-being of children and young people above profit and revenue in the design of their products and services.” President Biden also called for a stop to “discriminatory algorithmic decision-making that limits opportunities” and impacts the mental well-being of children and young people.
On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.
On February 15, 2022, the French Data Protection Authority (the “CNIL”) published its enforcement priority topics for 2022. Each year, the CNIL conducts numerous investigations in response to complaints, data breach notifications and ongoing events, or based on previously established enforcement priorities.
On February 2, 2022, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €250,000 fine against the Interactive Advertising Bureau Europe (“IAB Europe”) for several alleged infringements of the EU General Data Protection Regulation (the “GDPR”), following an investigation into IAB Europe Transparency and Consent Framework (“TCF”).
The Austrian data protection authority (the “Austrian DPA”) recently published a decision in a case brought against an Austrian website provider and Google by the non-governmental organization co-founded by privacy activist Max Schrems, None of Your Business (“NOYB”). The Austrian DPA ruled that the use of Google Analytics cookies by the website operator violates both Chapter V of the EU General Data Protection Regulation (“GDPR”), which establishes rules on international data transfers, and the Schrems II judgment of the Court of Justice of the European Union.
On January 6, 2022, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC (“ITMedia”) over alleged violations of the FTC Act and Fair Credit Reporting Act (“FCRA”). The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.
On December 27, 2021, the Federal Trade Commission sought public comment on a petition filed by Accountable Tech calling on the FTC to use its rulemaking authority to prohibit “surveillance advertising” as an “unfair method of competition” (“UMC”). Accountable Tech is a non-profit organization that advocates for social media companies to strengthen the integrity of their platforms.
On December 15, 2021, the European Parliament adopted its position on the proposal for a Digital Markets Act (“DMA”), ahead of negotiations with the Council of the European Union.
The DMA introduces new rules for certain core platforms services acting as “gatekeepers,” (including search engines, social networks, online advertising services, cloud computing, video-sharing services, messaging services, operating systems and online intermediation services) in the digital sector and aims to prevent them from imposing unfair conditions on businesses and consumers and to ensure the openness of important digital services.
On December 15, 2021, the Federal Trade Commission announced a $2 million settlement with OpenX Technologies (“OpenX”) in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) and the FTC Act. According to the FTC’s complaint, OpenX knowingly collected personal information from children under age 13 without parental consent, and collected geolocation data from users of all ages who opted out of being tracked.
On November 18, 2021, the European Data Protection Board (“EDPB”) released a statement on the Digital Services Package and Data Strategy (the “Statement”). The Digital Services Package and Data Strategy is a package composed of several legislative proposals, including the Digital Services Act (“DSA”), the Digital Markets Act (“DMA”), the Data Governance Act (“DGA”), the Regulation on a European approach for Artificial Intelligence (“AIR”) and the upcoming Data Act (expected to be presented shortly). The proposals aim to facilitate the further use and sharing of personal data between more public and private parties; support the use of specific technologies, such as Big Data and artificial intelligence (“AI”); and regulate online platforms and gatekeepers.
On October 28, 2021, the Federal Trade Commission announced the issuance of a new enforcement policy statement warning companies against using dark patterns that trick consumers into subscription services. The policy statement comes in response to rising complaints about deceptive sign-up tactics like unauthorized charges or impossible-to-cancel billing.
As reported on the Hunton Retail Resource Blog, on October 20, 2021, a new wave in the fight against “robocalls” is targeting telemarketing text messages. In the past six months, there has been an uptick in activity at both the state and federal level to reign in telemarketing text messages.
The Irish Data Protection Commissioner (“DPC”) has submitted a draft decision on Facebook Ireland Limited’s (“Facebook”) data protection compliance to other European regulators under the cooperation mechanism of the EU General Data Protection Regulation (“GDPR”) (the “Draft Decision”). The DPC proposes a fine between €28 and €36 million (i.e., up to $42 million) for infringements of the transparency obligations under the GDPR, specifically with respect to the legal basis upon which Facebook relied. In addition, the Draft Decision proposes imposing an order on Facebook to bring its terms of service and Data Policy into compliance within three months. However, the DPC indicates in its Draft Decision that Facebook is permitted to rely on contractual necessity as a legal basis for its personalized advertising, taking the view that this constitutes a core element of Facebook’s service.
On October 15, 2021, the U.S. District Court for the District of Massachusetts entered a final order approving a $14 million class action settlement resolving claims against HelloFresh for alleged violations of the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227, et seq. The named plaintiffs alleged that HelloFresh violated the TCPA by (1) placing telemarketing calls to consumers whose phone numbers were listed on the federal Do Not Call registry; (2) placing telemarketing calls to consumers using an automatic telephone dialing system (“ATDS”) without prior express written consent; and (3) placing telemarketing calls to consumers who had requested to be placed on Hello Fresh’s internal Do Not Call list. According to plaintiffs’ attorneys, this settlement is the largest TCPA class action settlement in Massachusetts state history.
On September 10, 2021, the UK Government Department for Digital, Culture, Media & Sport (“DCMS”) launched a consultation on its proposed reforms to the UK data protection regime. The consultation reflects DCMS’s effort to deliver on Mission 2 of the National Data Strategy, which is “to secure a pro-growth and trusted data regime in the UK.” Organizations are encouraged to provide input on a range of data protection proposals, some of which are outlined below. The consultation will close on November 19, 2021, and the Centre for Information Policy Leadership (“CIPL”) will consult with members to prepare a formal response to the consultation.
On August 20, 2021, China’s 13th Standing Committee of the National People’s Congress passed the Personal Information Protection Law (the “PIPL”). As we previously reported, the PIPL is China’s first comprehensive data protection law. It is modeled, in part, on other jurisdictions’ omnibus data protection regimes, including the EU General Data Protection Regulation (“GDPR”). The PIPL will become effective on November 1, 2021. Below are some of the key provisions under the PIPL.
Laura Liguori of Portolano Cavallo reports that on June 10, 2021, the Italian Data Protection Authority (Garante or “DPA”) adopted a new version of its guidelines for cookies and other tracking mechanisms (the “Guidelines”).
On July 29, 2021, U.S. Representative Rep. Kathy Castor (D-Florida), a member of the House Energy and Commerce Committee, reintroduced the Protecting the Information of our Vulnerable Children and Youth Act (the “Bill”). The Bill would update the Children’s Online Privacy Protection Act (“COPPA”) to, among other requirements: (1) cover teens ages 13-17; (2) expand the categories of information considered to be “personal” (to include physical characteristics, biometric information, health information, education information, contents of messages and calls, browsing and search history, geolocation information, and latent audio or visual recordings); (3) prohibit companies from targeting online advertising to children and teens based on their personal information and behavior; (4) require opt-in consent to process personal information collected from all individuals under age 18; (5) strengthen Federal Trade Commission enforcement of COPPA; (6) provide a private right of action to parents of children and teens; and (7) eliminate the FTC’s recognition of self-regulatory COPPA safe harbor programs.
On July 1, 2021, the Federal Trade Commission settled a complaint brought under the Children’s Online Privacy Protection Act (“COPPA”) against Toronto-based Kuuhuub Inc. and its Finnish subsidiaries Kuu Hubb Oy and Recolor Oy, operators of the online coloring book app, Recolor. The FTC alleged that the app operators violated the COPPA Rule by collecting and disclosing personal information from child users of the app without first notifying their parents or obtaining verifiable parental consent.
On June 24, 2021, Google announced that it will delay its plan to replace the use of third-party cookies on its Chrome web browser with new technologies. This delay comes amid antitrust and privacy concerns, as well as scrutiny from the advertising industry that the changes will strengthen Google’s own advertising business.
On June 11, 2021, the Belgian Data Protection Authority (“Belgian DPA”) released its 2020 Annual Report (the “Report”). Notably in 2020, the Belgian DPA focused on the supervision of initiatives to fight the COVID-19 pandemic involving data processing, while not losing sight of its other priorities, as identified in its Strategic Plan 2020-2025.
Due to the increased awareness of the importance of the protection of personal data, 2020 had a significant increase in the number of complaints, which were up 290.64%, and data breach notifications, which were up 25.09%, received by the Belgian DPA.
As reported on the Hunton Retail Law Resource blog, this week, the Federal Trade Commission voted 3 to 1 to accept a settlement agreement with MoviePass, Inc., its parent company, and two of the now-defunct company’s former employees, after allegations of failure to take reasonable measures to secure consumers’ data and deceptive trade practices. The Commission brought an enforcement action against MoviePass pursuant to the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”), the latter of which requires disclosure of all material terms, a consumer’s informed consent, and a simple mechanism to stop recurring charges when marketing negative option services.
On April 1, 2021, the Supreme Court issued its long-awaited opinion in Facebook, Inc. v. Duguid et al., No. 19-511 (Apr. 1, 2021). At issue in Facebook, was the question of what technology constitutes an “automatic telephone dialing system” (“ATDS”) within the meaning of the Telephone Consumer Protection Act, 47 U.S.C. §227 et seq (“TCPA”). The Supreme Court’s unanimous decision is a huge win for companies who communicate with their consumers by telephone/text message.
On March 15, 2021, China’s State Administration for Market Regulation (“SAMR”) issued Measures for the Supervision and Administration of Online Transactions (the “Measures”) (in Chinese). The Measures implement rules for the E-commerce Law of China and provide specific rules for addressing registration of an online operation entity, supervision of new business models (such as social e-commerce and livestreaming), platform operators’ responsibilities, protection of consumers’ rights and protection of personal information.
On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.
On February 24, 2021, the Federal Trade Commission announced that it will hold a workshop on digital dark patterns on April 29, 2021. The workshop will aim to understand the ways in which user interfaces can have the effect, intentionally or unintentionally, of obscuring, subverting or impairing consumer autonomy, decision-making or choice.
On February 10, 2021, the European Data Protection Supervisor (“EDPS”) published two opinions on the European Commission’s proposals for a Digital Services Act (“DSA”) and a Digital Markets Act (“DMA”). The proposed DSA and DMA are part of a set of measures announced in the 2020 European Strategy for Data and have two main goals: (1) creating a safer digital space in which the fundamental rights of all users of digital services are protected, and (2) establishing a level playing field to foster innovation, growth and competitiveness in the European Single Market and globally.
On February 10, 2021, representatives of the EU Member States reached an agreement on the Council of the European Union’s (the “Council’s”) negotiating mandate for the draft ePrivacy Regulation, which will replace the current ePrivacy Directive. The text approved by the EU Member States was prepared under Portugal’s Presidency and will form the basis of the Council’s negotiations with the European Parliament on the final terms of the ePrivacy Regulation.
As reported on the Hunton Retail Law Resource blog, the Federal Trade Commission settled charges with mobile advertising company Tapjoy, Inc., on allegations that the company failed to provide promised rewards in exchange for completed activities such as the payment of money, disclosure of sometimes-sensitive personal information or registration for “free trial” marketing offers.
On December 14, 2020, the Federal Trade Commission announced that it had issued orders to nine social media and video streaming companies, requesting information on how the companies collect, use and present personal information, their advertising and user engagement practices and how their practices affect children and teens. The orders will assist the FTC in conducting a study of these policies, practices and procedures. The FTC issued the orders pursuant to Section 6(b) of the FTC Act, which allows the agency to undertake broad studies separate from its law enforcement activities.
On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published a report following its investigation into data protection compliance in the direct marketing data broking sector, alongside its enforcement action against Experian. During the investigation, the ICO conducted audits of the direct marketing data broking businesses of the UK’s three largest credit reference agencies (“CRAs”) – Experian, Equifax and TransUnion – and found “significant data protection failures at each” that were “deeply embedded” within the businesses.
On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published its enforcement notice against credit reference agency Experian Limited (“Experian”) under Section 149 of the Data Protection Act 2018 (“DPA”) (the “notice”). The notice requires Experian to make fundamental changes to its offline direct marketing practices, and was issued after the ICO undertook a two-year investigation into the use of personal data by data broking businesses Experian, Equifax and TransUnion.
On September 7, 2020, the European Data Protection Board (the “EDPB”) published Guidelines on the Targeting of Social Media Users (the “Guidelines”). The Guidelines aim to provide practical guidance on the role and responsibilities of social media providers and those using targeting services, such as for targeted advertising, on social media platforms (“targeters”).
On July 27, 2020, the Enforcement Bureau of the Federal Communications Commission (the “FCC”) designated the Industry Traceback Group (“ITG”) as the FCC’s official consortium for coordinating efforts to trace illegal robocalls. The ITG is a collaboration of wireline, wireless, VoIP and cable industry companies, led by USTelecom, with the mission of tracing and identifying the source of illegal robocalls. According to the ITG, it conducted more than 1,000 trace-back operations in 2019 and unmasked the source of more than 10 million robocalls.
On July 13, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) announced that it levied a €16,729,600 fine on telecoms provider Wind Tre S.p.A. (“Wind Tre”) for several unlawful data processing activities, mostly related to direct marketing.
On June 16, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine on a company (the “defendant”) for unlawful and incorrect processing of personal data and non-compliance with the EU General Data Protection Regulation’s (the “GDPR”) data subject rights provisions.
On June 9, 2020, the Federal Communications Commission (“FCC”) announced a proposed $225 million fine, the largest in the history of the FCC, against several individuals for telemarketing violations.
On May 29, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of €1,000 on a non-profit organization. The decision followed a complaint filed by an individual who continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing purposes and had requested that the organization erase his data from its database.
On May 29, 2020, the German Federal Court of Justice (Bundesgerichtshof, “BGH”), Germany’s highest court for civil and criminal matters, issued its ruling on case Planet49 (I ZR 7/16) regarding consent requirements for the use of cookies and telemarketing activities. In October 2017, the BGH suspended its proceedings and submitted questions to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling regarding the effectiveness of obtaining consent for the use of cookies through a pre-ticked checkbox. As we have previously reported, the CJEU answered these questions in its judgement in Planet49 GmbH v. Verbraucherzentrale Bundesverband e.V. (C-673/17), which was issued on October 1, 2019.
On April 30, 2020, the French Data Protection Authority (the “CNIL”) published guidance on the extraction of web users’ personal data from online public spaces by web scraping tools and re-use of such data for direct marketing (the “Guidance”). The Guidance was issued following inspections carried out by the CNIL in 2019.
The UK Information Commissioner’s Office (“ICO”) has published guidance regarding its expectations for controllers and health professionals during the COVID-19 outbreak.
In its guidance for controllers, the ICO adopted a pragmatic stance, stating: “We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate - if something feels excessive from the public’s point of view, then it probably is.”
On March 3, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a €525,000 fine on the Royal Dutch Tennis Association (De Koninklijke Nederlandse Lawn Tennisbond, “KNLTB”) for an illegal sale of personal data.
On March 2, 2020, the UK Information Commissioner’s Office (“ICO”) fined CRDNN Limited, a lead generation company, £500,000—the maximum amount available for a breach of the Electronic Communications Regulations (“PECR”). The fine was imposed after CRDNN carried out over 193 million unsolicited automated direct marketing calls relating to window scrappage, window and conservatory sales, boiler sales, and debt management between June and October 2018.
The meaning of an “automatic telephone dialing system” (“ATDS”) as defined by the Telephone Consumer Protection Act (“TCPA”) has been hotly contested since the D.C. Circuit invalidated the prior Federal Communications Commission (“FCC”) rulings interpreting the TCPA in 2018. The Ninth Circuit has held that merely calling numbers from a stored list is sufficient to meet the definition of an ATDS, while the Third Circuit has at least indicated that the ability to generate numbers randomly or sequentially is the defining characteristic.
On February 10, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published its Recommendation 1/2020 on data processing activities for direct marketing purposes (the “Recommendation”). With this Recommendation, the Belgian DPA aims to clarify the complex rules relating to the processing of personal data for direct marketing purposes, including by providing practical examples and guidelines to the different stakeholders involved in direct marketing activities. Direct marketing is one of the Belgian DPA’s top priorities for the next few years, as indicated in its 2019-2025 Strategic Plan.
On February 1, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Garante”) announced that it had levied a fine of €27,802,946 on TIM S.p.A. (“TIM”), a telecommunications company, for several unlawful marketing data processing practices. Between 2017 and 2019, the Garante received numerous complaints from individuals (including from individuals who were not existing customers of TIM) claiming that they had received unwanted marketing calls, without having provided their consent or despite having registered on an opt-out list. The Garante indicated that the violations impacted several million individuals.
On January 8, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft direct marketing code of practice (the “Draft Code”), as required by section 122 of the Data Protection Act 2018 (“DPA 18”). The Draft Code is open for public consultation until March 4, 2020.
On October 21, 2019, the Federal Trade Commission took action against two companies alleged to have engaged in the business of false online reviews and social media influence. In the first case, the FTC entered into a consent decree with cosmetics marketer Sunday Riley, LLC, and the company’s owner, who sell products at Sephora stores and online at Sephora.com. According to the FTC’s complaint, disguised as ordinary consumers, Sunday Riley employees and Ms. Riley herself posted fake 5-star reviews of the company’s products on Sephora’s website. Under the terms of the FTC’s agreement, the company and its principal are barred from posting fake reviews, must clearly identify endorsers, and must instruct staff on their disclosure obligations. The FTC vote on the action was 3-2, with Commissioners Chopra and Slaughter dissenting on the grounds that the settlement did not include a monetary payment or an admission of guilt.
Simon McDougall, Executive Director for Technology Policy and Innovation for the UK Information Commissioner’s Office (“ICO”), has stated that “change is needed” in the adtech sector. In a speech delivered on July 11, 2019, at the Westminster Media Forum, focusing on the future of online advertising regulation, McDougall commented that “heads are still firmly in the sand” in some pockets of the digital advertising industry, and that many real-time bidding practices are currently being conducted in an unlawful manner, whether or not industry players are aware of it.
On June 28, 2019, the French data protection authority (the “CNIL”) published its action plan for 2019-2020 to specify the rules applicable to online targeted advertising and to support businesses in their compliance efforts.
The UK Information Commissioner’s Office (“ICO”) recently published an updated report on adtech, following a Fact Finding Forum held in March 2019 and consultation with industry players. The report focuses on whether and how organizations in the adtech sector can comply with the EU General Data Protection Regulation (“GDPR”) and the UK’s implementation of the e-Privacy Directive, known as the Privacy and Electronic Communications Regulations (“PECR”).
On June 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) launched a public consultation on direct marketing with a view to updating its Recommendation No. 02/2013 of January 30, 2013 on direct marketing (the “Direct Marketing Recommendation”).
Social media platforms, file hosting sites, discussion forums, messaging services and search engines in the UK are likely to come under increased pressure to monitor and edit online content after the UK Department of Digital, Culture, Media and Sport (“DCMS”) announced in its Online Harms White Paper (the “White Paper”), released this month, proposals for a new regulatory framework to make companies more responsible for users’ online safety. Notably, the White Paper proposes a new duty of care owed to website users, and an independent regulator to oversee compliance.
The UK Information Commissioner’s Office (“ICO”) has issued a Monetary Penalty Notice to pensions release provider Grove Pensions Solutions Ltd (“Grove”), fining it £40,000 after the company used contact details collected by a third party for its direct marketing campaign. Grove used a specialist third-party marketing agency to send emails on its behalf to mailing lists, negligently failing to obtain valid consent from individuals who received the marketing emails. Despite seeking external advice (including legal advice), the ICO decided that Grove should have known of the risk that its conduct would breach rules on direct marketing, particularly given recent widespread publicity of this issue in the UK. The fine was imposed under the Data Protection Act 1998.
The UK’s Information Commissioner’s Office (“ICO”) has fined Vote Leave Limited (the UK’s official Brexit campaign) £40,000 for sending almost 200,000 unsolicited texts promoting the aims of the campaign. In an unrelated action, the ICO has carried out searches of a business believed to have been responsible for initiating nuisance telephone calls. The ICO has highlighted nuisance calls, spam texts and unsolicited direct marketing as areas of “significant public concern,” and is increasingly imposing sanctions on businesses that infringe the Privacy and Electronic Communications Regulations 2003 (“PEC Regulations”), which prohibit these practices. In its view, the monetary penalty imposed on Vote Leave should act as a “deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices.”
On February 12, 2019, the Federal Trade Commission announced the completion of the first regulatory review of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”) Rule (the “CAN-SPAM Rule” or “Rule”). By a vote of 5-0, the FTC voted to retain the CAN-SPAM rule with no modifications.
On November 30, 2018, the Austrian Data Protection Authority (“DPA”) published a decision in response to a complaint received from an individual regarding the cookie consent options offered on an Austrian newspaper’s website. As a factual matter, the Austrian newspaper offered three options to individuals who sought to access content on the site: (1) accept the use of cookies for analytics and advertising purposes and have full, complimentary website access; (2) refuse cookies and obtain access to only limited content on the website; or (3) pay a monthly subscription of €6 to obtain full access to the website without accepting the use of cookies and similar tracking technologies.
On December 28, 2018, the French Data Protection Authority (the “CNIL”) published guidance regarding the conditions to be met by organizations in order to lawfully share personal data with business partners or other third parties, such as data brokers. The guidance focused, in particular, on such a scenario in the context of the EU General Data Protection Regulation (“GDPR”). The CNIL guidance sets forth the 5 following conditions:
On November 8, 2018, Privacy International (“Privacy”), a non-profit organization “dedicated to defending the right to privacy around the world,” filed complaints under the GDPR against consumer marketing data brokers Acxiom and Oracle. In the complaint, Privacy specifically requests the Information Commissioner (1) conduct a “full investigation into the activities of Acxiom and Oracle,” including into whether the companies comply with the rights (i.e., right to access, right to information, etc.) and safeguards (i.e., data protection impact assessments, data protection by design, etc.) in the GDPR; and (2) “in light of the results of that investigation, [take] any necessary further [action]... that will protect individuals from wide-scale and systematic infringements of the GDPR.”
On October 17, 2018, the French data protection authority (the “CNIL”) published a press release detailing the rules applicable to devices that compile aggregated and anonymous statistics from personal data—for example, mobile phone identifiers (i.e., media access control or “MAC” address) —for purposes such as measuring advertising audience in a given space and analyzing flow in shopping malls and other public areas. Read the press release (in French).
On May 16, 2018, the Irish Data Protection Bill 2018 (the “Bill”) entered the final committee stage in Dáil Éireann (the lower house and principal chamber of the Irish legislature). The Bill was passed by the Seanad (the upper house of the legislature) at the end of March 2018. In the current stage, final statements on the Bill will be made before it is signed into law by the President.
Recent judicial interpretations of the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14, present potential litigation risks for retailers who employ biometric-capture technology, such as facial recognition, retina scan or fingerprint software. Federal judges in various district courts have allowed BIPA cases to move forward against companies such as Facebook, Google and Shutterfly, and retailers who use biometric data for security, loss prevention or marketing purposes may also become litigation targets as federal judges decline to narrow the statute’s applicability and additional states consider passing copycat statutes.
On June 5, 2017, an Illinois federal court ordered satellite television provider Dish Network LLC (“Dish”) to pay a record $280 million in civil penalties for violations of the FTC’s Telemarketing Sales Rule (“TSR”), the Telephone Consumer Protection Act (“TCPA”) and state law. In its complaint, the FTC alleged that Dish initiated, or caused a telemarketer to initiate, outbound telephone calls to phone numbers listed on the Do Not Call Registry, in violation of the TSR. The complaint further alleged that Dish violated the TSR’s prohibition on abandoned calls and assisted and facilitated telemarketers when it knew or consciously avoided knowing that telemarketers were breaking the law.
On December 20, 2016, the FTC announced that it has agreed to settle charges that Turn Inc. (“Turn”), a company that enables commercial brands and ad agencies to target digital advertising to consumers, tracked consumers online even after consumers took steps to opt out of tracking.
Hunton & Williams LLP is proud to announce our Privacy & Information Security Law Blog has been named the top Cybersecurity and Information Privacy blog by The Expert Institute and #2 overall Best AmLaw Blog of 2016. All of our lawyers and contributors thank you for your support in making the blog a success.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code