Privacy & Information Security Law Blog

On October 9, 2024, both the Federal Trade Commission and a coalition of 50 state attorneys general issued announcements that they had reached settlement agreements with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC over a multi-year series of data breaches impacting hundreds of millions of individuals.

On September 30, 2024, the Federal Communications Commission announced that T-Mobile has entered into an agreement to settle multiple data protection and cybersecurity investigations stemming from data breaches in 2021, 2022 and 2023.

On August 30, 2024, the Federal Trade Commission announced a proposed settlement with Verkada, a security camera firm, in connection with alleged data security failures and CAN-SPAM Act violations. Under the proposed order, Verkada will be required to implement a comprehensive information security program and pay a $2.95 million monetary penalty.

On February 22, 2024, the Federal Trade Commission announced a settlement order against Avast Limited (“Avast”) requiring Avast to pay $16.5 million and prohibiting Avast from selling or licensing any web browsing data for advertising purposes. This ban is to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.

On February 1, 2024, the Federal Trade Commission announced a proposed settlement with Blackbaud Inc. (“Blackbaud”) in connection with alleged security failures that resulted in a breach of the company’s network and access to the personal data of millions of consumers. As part of the settlement, Blackbaud will be required to comply with a variety of obligations, including deleting personal data that the company does not have a need to retain.

On January 12, 2024, the New York State Department of Financial Services (“NYDFS”) announced a consent order with virtual currency company Genesis Global Trading, Inc. (“Genesis”) for “significant” failings in Genesis’ Anti-Money Laundering and cybersecurity compliance frameworks. According to the NYDFS, Genesis’ failure to comply with the NYDFS’ virtual currency and cybersecurity regulations left the company vulnerable to cybersecurity risks and related unlawful activity. 

On January 18, 2024, the Federal Trade Commission announced a proposed order against geolocation data broker InMarket Media (“InMarket”), barring the company from selling or licensing precise location data. According to the FTC’s charges, InMarket failed to obtain informed consent from users of applications developed by the company and its third-party partners.  

On January 9, 2024, in its first settlement with a data broker concerning the collection and sale of sensitive location information, the Federal Trade Commission announced a proposed order against data broker X-Mode Social, Inc. and its successor Outlogic, LLC (“X-Mode”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

On August 14, 2023, the Federal Trade Commission announced a proposed order against Experian Consumer Services (“Experian”) for failure to comply with the federal CAN-SPAM Act.  The complaint alleges that Experian sent marketing emails that did not provide an unsubscribe opportunity to consumers who had signed up for Experian’s credit monitoring services. The CAN-SPAM Act requires businesses to, in relevant part, clearly and conspicuously display a return email address or Internet-based mechanism that allows consumers to unsubscribe from future marketing emails. While the Experian emails contained a notice stating that the messages related to the consumer’s Experian account (which would make them “transactional” or “relationship” messages under the CAN-SPAM Act, and therefore exempt from the unsubscribe requirement), the complaint alleged that, in actuality, the emails contained only marketing material.

On May 31, 2023, the Federal Trade Commission announced a proposed order against home security camera company Ring LLC (“Ring”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

On October 31, 2022, the Federal Trade Commission announced a proposed settlement with education technology provider Chegg in connection with the company’s alleged poor cybersecurity practices. 

On October 18, 2022, the New York State Department of Financial Services (“NYDFS”) announced that EyeMed Vision Care LLC (“EyeMed”) agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.

On June 24, 2022, the New York State Department of Financial Services (“NYDFS” or the “Department”) announced it had entered into a $5 million settlement with Carnival Corp. (“Carnival”), the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation (23 NYCRR Part 500) in connection with four cybersecurity events between 2019 and 2021, including two ransomware events.  

On May 25, 2022, Twitter reached a proposed $150 million settlement with the Department of Justice (“DOJ”) and the Federal Trade Commission to resolve allegations that the company deceptively used nonpublic user contact information obtained for account security purposes to serve targeted ads to Twitter users. In a complaint filed in federal court, the government alleged that Twitter violated both the FTC Act and a 2011 FTC Order by misrepresenting the extent to which the company maintained and protected users’ nonpublic contact information. The proposed settlement would require Twitter to pay $150 million in civil penalties and implement a comprehensive privacy and information security program “with extensive procedures to safeguard user information and assess internal and external data privacy risks.”

On March 15, 2022, the Federal Trade Commission (FTC) announced a proposed settlement with custom merchandise platform CafePress in connection with the company’s alleged failure to implement reasonable security measures, and its alleged attempt to cover up a 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to affected individuals.

On February 14, 2022 the FTC announced that, at the agency’s request, federal courts in California ordered two Voice over Internet Protocol (“VoIP”) service providers to produce information as part of ongoing investigations by the FTC into telemarketing calls and robocalls made in violation of the Telemarketing Sales Rule (“TSR”). Failure to comply with the court orders could result in the VoIP service providers being held in contempt of court.

On January 6, 2022, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC (“ITMedia”) over alleged violations of the FTC Act and Fair Credit Reporting Act (“FCRA”). The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.

On September 1, 2021, the Federal Trade Commission banned Support King, LLC, the operator of SpyFone.com (“SpyFone”), and its CEO, Scott Zuckerman, from offering, promoting, selling or advertising any surveillance app, service or business. The FTC alleged SpyFone allowed purchasers to illegally surveil other individuals by surreptitiously monitoring a device user’s activity without the device user’s knowledge. The FTC also alleged that SpyFone failed to safeguard such illegally harvested personal information by failing to put in place basic security measures.

On July 1, 2021, the Federal Trade Commission settled a complaint brought under the Children’s Online Privacy Protection Act (“COPPA”) against Toronto-based Kuuhuub Inc. and its Finnish subsidiaries Kuu Hubb Oy and Recolor Oy, operators of the online coloring book app, Recolor. The FTC alleged that the app operators violated the COPPA Rule by collecting and disclosing personal information from child users of the app without first notifying their parents or obtaining verifiable parental consent.

On December 14, 2020, the Federal Trade Commission announced that it had issued orders to nine social media and video streaming companies, requesting information on how the companies collect, use and present personal information, their advertising and user engagement practices and how their practices affect children and teens. The orders will assist the FTC in conducting a study of these policies, practices and procedures. The FTC issued the orders pursuant to Section 6(b) of the FTC Act, which allows the agency to undertake broad studies separate from its law enforcement activities.

On November 9, 2020, the Federal Trade Commission announced it had entered into an consent agreement (the “Proposed Settlement”) with Zoom Video Communications, Inc. (“Zoom”) to settle allegations that the video conferencing provider engaged in a series of unfair and deceptive practices that undermined the security of its user base, which, according to the FTC, has grown from 10 million users in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.

On January 16, 2020, the Federal Trade Commission announced that settlements with five companies of separate allegations that they had falsely claimed certification under the EU-U.S. Privacy Shield framework had been finalized.

On January 6, 2020, the Federal Trade Commission announced that it granted final approval to a settlement with InfoTrax Systems, L.C. and its former CEO, Mark Rawlins, related to allegations that InfoTrax failed to implement reasonable, low-cost and readily available security safeguards to protect the personal information the company maintained on behalf of its business clients.

On December 6, 2019, the Federal Trade Commission announced its Final Order and Opinion in the matter of Cambridge Analytica, LLC, finding that Cambridge Analytica violated the FTC Act’s Section 5 prohibition against “unfair or deceptive acts or practices” when harvesting personal information through its “GSRApp” Facebook application.

On December 3, 2019, the Federal Trade Commission announced that it had reached settlements in four separate Privacy Shield cases. Specifically, the FTC alleged that Click Labs, Inc., Incentive Services, Inc., Global Data Vault, LLC, and TDARX, Inc. each falsely claimed to participate in the EU-U.S. Privacy Shield framework. The FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework and that Global Data and TDARX continued to claim participation in the EU-U.S. Privacy Shield after their Privacy Shield certifications lapsed. The complaints further alleged that Global Data and TDARX failed to comply with the Privacy Shield framework, including by failing to (1) verify annually that statements about their Privacy Shield practices were accurate, and (2) affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.

On November 13, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a discussion paper on “Organizational Accountability in Light of FTC Consent Orders” (the “Discussion Paper”). The Discussion Paper examines the recent $5 billion FTC settlement with Facebook, which resulted from Facebook’s alleged violation of a prior 2012 FTC consent order, and the recent $575 million FTC settlement with Equifax, related to its 2017 data breach.

On October 21, 2019, the Federal Trade Commission took action against two companies alleged to have engaged in the business of false online reviews and social media influence. In the first case, the FTC entered into a consent decree with cosmetics marketer Sunday Riley, LLC, and the company’s owner, who sell products at Sephora stores and online at Sephora.com. According to the FTC’s complaint, disguised as ordinary consumers, Sunday Riley employees and Ms. Riley herself posted fake 5-star reviews of the company’s products on Sephora’s website. Under the terms of the FTC’s agreement, the company and its principal are barred from posting fake reviews, must clearly identify endorsers, and must instruct staff on their disclosure obligations. The FTC vote on the action was 3-2, with Commissioners Chopra and Slaughter dissenting on the grounds that the settlement did not include a monetary payment or an admission of guilt.

As an update to our previous blog posts, the FTC announced that it and the New York Attorney General reached a $170 million agreement with Google to resolve allegations that the company violated COPPA through its YouTube platform. Under the agreement, Google will pay $136 million to the FTC and $34 million to New York. The FTC voted 3-2 to authorize the action.

As an update to our previous blog post, according to media reports, Google has reached a settlement with the FTC in the range of $150 to $200 million over the agency’s investigation into the company’s alleged violations of COPPA through its YouTube platform. The settlement has not been announced by the FTC or Google, and the details of the settlement have not been made publicly available. These reports follow Google’s announcement earlier this week that it has created a separate YouTube Kids site, which will include different content for different age groups. This news also ...

On August 8, 2019, the FTC announced that Unrollme Inc. (“Unrollme”), an email management company, agreed to settle allegations the company deceived consumers about how it accesses and uses their personal emails. Unrollme offered users a service whereby the company would help unsubscribe users from unwanted subscription emails. In connection with this service, Unrollme required users to provide the company with access to their email accounts. The FTC alleged that Unrollme falsely told consumers it would not “touch” their personal emails. In fact, the FTC alleged, Unrollme shared its users’ email receipts (“e-receipts”) (i.e., emails sent to consumers following a completed transaction) with its parent company, Slice Technologies, Inc. The FTC’s complaint alleged that the parent company used information from the e-receipts (such as the user’s name, address, and information about products or services the individual purchased) for purposes of its own market research analytics products.

In addition to Facebook’s record-breaking Federal Trade Commission penalty and settlement order, on July 24, 2019, the Securities and Exchange Commission announced charges against Facebook for inadequate and misleading disclosures over its privacy practices. Facebook, without admitting or denying the SEC’s allegations, has agreed to the entry of a final judgment ordering a fine of $100 million.

As previously reported on July 12, 2019, Facebook will pay a $5 billion penalty to the Federal Trade Commission to resolve a privacy probe into whether Facebook violated a prior FTC consent decree requiring the company to better protect user privacy. The $5 billion penalty is the largest imposed on any company for violating consumers’ privacy – nearly 20 times the largest privacy or data security penalty to date.

According to media reports, the Federal Trade Commission has approved a multimillion dollar fine as part of a settlement with Google related to the FTC’s investigation into YouTube’s children’s data privacy practices. The FTC found that, in violation of COPPA, Google had failed to adequately protect children under 13 who used the video-streaming service and improperly collected their data.

According to media reports, the Federal Trade Commission has approved a roughly $5 billion settlement with Facebook, Inc. to resolve a privacy probe investigating whether Facebook had violated a prior FTC consent decree requiring the company to better protect user privacy. The investigation followed reports that Cambridge Analytica improperly accessed the personal data of 87 million Facebook users.

On July 11, 2019, Washington Attorney General Bob Ferguson announced that his office had entered into a consent decree and $10 million settlement with Premera Blue Cross (“Premera”) that stems from a 2014-2015 breach that affected more than 11 million individuals. The settlement, which includes a payment of roughly $5.4 million to Washington state and $4.6 million to a coalition of 29 other state Attorneys General (the “Multistate AGs”), is one of the largest ever for a breach involving protected health information (“PHI”) and comes just one month after another notable HIPAA settlement involving a similar coalition of state AGs.

On July 2, 2019, the Federal Trade Commission announced a case involving the operator of an online rewards website who allegedly failed to take reasonable steps to secure consumers’ personal data.

On June 14, 2019, the Federal Trade Commission announced that it has taken action against a number of companies that allegedly misrepresented their compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, the “Privacy Shield”) and other international privacy agreements.

On April 24, 2019, the Federal Trade Commission announced two data security cases involving online operators—one, an online rewards website, and the second, a dress-up games website—that were alleged to have failed to take reasonable steps to secure consumers’ data, which allowed hackers to breach both websites.

As reported in BNA Privacy Law Watch, on June 27, 2018, Equifax entered into a consent order (the “Order”) with 8 state banking regulators (the “Multi-State Regulatory Agencies”), including those in New York and California, arising from the company’s 2017 data breach that exposed the personal information of 143 million consumers.

On May 24, 2018, the Federal Trade Commission granted final approval to a settlement (the “Final Settlement”) with PayPal, Inc., to resolve charges that PayPal’s peer-to-peer payment service, Venmo, misled consumers regarding certain restrictions on the use of its service, as well as the privacy of transactions. The proposed settlement was announced on February 27, 2018. In its complaint, the FTC alleged that Venmo misrepresented its information security practices by stating that it “uses bank-grade security systems and data encryption to protect your financial information.” Instead, the FTC alleged that Venmo violated the Gramm-Leach-Bliley Act’s (“GLBA’s”) Safeguards Rule by failing to (1) have a written information security program; (2) assess the risks to the security, confidentiality and integrity of customer information; and (3) implement basic safeguards such as providing security notifications to users that their passwords were changed. The complaint also alleged that Venmo (1) misled consumers about their ability to transfer funds to external bank accounts, and (2) misrepresented the extent to which consumers could control the privacy of their transactions, in violation of the GLBA Privacy Rule.

On April 30, 2018, the Federal Trade Commission announced that BLU Products, Inc. (“BLU”), a mobile phone manufacturer, agreed to settle charges that the company allowed ADUPS Technology Co. Ltd. (“ADUPS”), a third-party service provider based in China to collect consumers’ personal information without their knowledge or consent, notwithstanding the company’s promises that it would keep the relevant information secure and private. The relevant personal information allegedly included, among other information, text message content and real-time location information. On September 6, 2018, the FTC gave final approval to the settlement in a unanimous 5-0 vote.

On February 27, 2018, the Federal Trade Commission (“FTC”) announced an agreement with PayPal, Inc., to settle charges that its Venmo peer-to-peer payment service misled consumers regarding privacy and the extent to which consumers’ financial accounts were secured. This is the second significant FTC settlement in the past three months that addressed these issues, following the FTC’s action against TaxSlayer, Inc. and signals a renewed focus by the FTC on violations of the Gramm-Leach-Bliley Act’s (“GLBA’s”) Privacy and Safeguards Rules.

On March 17, 2017, the Federal Trade Commission announced that Upromise, Inc., (“Upromise”) agreed to pay $500,000 to settle allegations (the “Settlement”) that it violated the terms of a 2012 consent order (the “2012 Order”) that required Upromise to provide notice to consumers regarding its data collection and use practices, and obtain third-party audits.

On December 20, 2016, the FTC announced that it has agreed to settle charges that Turn Inc. (“Turn”), a company that enables commercial brands and ad agencies to target digital advertising to consumers, tracked consumers online even after consumers took steps to opt out of tracking.

On July 29, 2016, the Federal Trade Commission (“FTC”) announced that it had issued an opinion and final order concluding that LabMD, Inc. (“LabMD”) violated the unfairness prong of Section 5 of the FTC Act by failing to maintain reasonable security practices to protect consumers’ sensitive personal information. The unanimous decision reverses a November 2015 administrative law judge’s initial decision that, as we previously reported, dismissed the FTC’s charges against LabMD for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury.

On June 22, 2016, the Federal Trade Commission announced a settlement with Singaporean-based mobile advertising network, InMobi, resolving charges that the company deceptively tracked hundreds of millions of consumers’ locations, including children, without their knowledge or consent. Among other requirements, the settlement orders the company to pay $950,000 in civil penalties. 

On June 8, 2016, the Federal Trade Commission announced that Practice Fusion, an electronic health records company, agreed to settle FTC charges that the company misled consumers about the privacy of doctor reviews submitted to the company.

On May 9, 2016, the Federal Trade Commission announced it had issued Orders to File a Special Report (“Orders”) to eight mobile device manufacturers requiring them to, for purposes of the FTC’s ongoing study of the mobile ecosystem, provide the FTC with “information about how [the companies] issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.” The FTC’s authority to issue such Orders comes from Section 6(b) of the FTC Act.

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) reached a settlement with Dwolla, Inc. (“Dwolla”), an online payment system company, to resolve claims that the company made false representations regarding its data security practices in violation of the Consumer Financial Protection Act. Among other things, the consent order imposes a $100,000 fine on Dwolla. This marks the first data security-related fine imposed by the CFPB.

On February 23, 2016, the Federal Trade Commission announced that it reached a settlement with Taiwanese-based network hardware manufacturer ASUSTeK Computer, Inc. (“ASUS”), to resolve claims that the company engaged in unfair and deceptive security practices in connection with developing network routers and cloud storage products sold to consumers in the U.S.

On January 5, 2016, the Federal Trade Commission announced that dental office management software provider, Henry Schein Practice Solutions, Inc. (“Schein”), agreed to settle FTC charges that accused the company of falsely advertising the level of encryption it used to protect patient data. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company engaged in unfair or deceptive acts or practices by falsely representing that the Dentrix G5 software used industry-standard encryption and helped dentists protect patient data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

On December 15, 2015, the California Attorney General announced an approximately $25 million settlement with Comcast Cable Communications, LLC (“Comcast”) stemming from allegations that Comcast disposed of electronic equipment (1) without properly deleting customer information from the equipment and (2) in landfills that are not authorized to accept electronic equipment. The settlement must be approved by a California judge before it is finalized.

On December 21, 2015, the Federal Trade Commission announced software company Oracle Corporation (“Oracle”) has agreed to settle FTC charges that accused the company of misrepresenting the security of its software updates. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company had deceived consumers about the security provided by updates to the Java Platform, Standard Edition software (“Java SE”).

On November 5, 2015, the Enforcement Bureau of the Federal Communications Commission (“FCC”) entered into a Consent Decree with cable operator Cox Communications to settle allegations that the company failed to properly protect customer information when the company’s electronic data systems were breached in August 2014 by a hacker. The FCC alleged that Cox failed to properly protect the confidentiality of its customers’ proprietary network information (“CPNI”) and personally identifiable information, and failed to promptly notify law enforcement authorities of security breaches involving CPNI in violation of the Communications Act of 1934 and FCC’s rules.

On April 23, 2015, the Federal Trade Commission (“FTC”) announced that Nomi Technologies (“Nomi”) has agreed to settle charges stemming from allegations that the company misled consumers with respect to their ability to opt out of the company’s mobile device tracking service at retail locations. The settlement marks the FTC’s first Section 5 enforcement action against a company that provides tracking services at retailers.

On April 13, 2015, the Federal Trade Commission announced that it has settled charges with two debt brokers who posted consumers’ unencrypted personal information on a public website. The settlements with Cornerstone and Company, LLC (“Cornerstone”), Bayview Solutions, LLC (“Bayview”), and the companies’ individual owners resulted from initial complaints about the debt brokers in 2014. Cornerstone and Bayview allegedly had posted the personal information of their debtors in unencrypted Excel spreadsheets on a publicly accessible website geared to buyers and sellers of consumer debt. The information included consumers’ names, addresses, credit card numbers, bank account numbers and debt amounts.

On April 7, 2015, the FTC announced proposed settlements with TES Franchising, LLC, an organization specializing in business coaching, and American International Mailing, Inc., an alternative mail transporting company, related to charges that the companies falsely claimed they were compliant with the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks.

On December 19, 2014, the Federal Trade Commission announced a settlement of at least $90 million with mobile phone carrier T-Mobile USA, Inc. (“T-Mobile”) stemming from allegations related to mobile cramming. This settlement amount will primarily be used to provide refunds to affected customers who were charged by T-Mobile for unauthorized third party charges. As part of the settlement, T-Mobile also will pay $18 million in fines and penalties to the attorneys general of all 50 states and the District of Columbia, and $4.5 million to the Federal Communications Commission.

On October 22, 2014, the Federal Trade Commission announced that several interrelated online marketing and advertising companies (“Stipulating Defendants”) agreed to pay nearly $10 million to settle allegations that they engaged in a pattern of text message spamming, robocalling and mobile cramming practices in violation of Section 5 of the FTC Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Telemarketing Sales Rule.

On October 10, 2014, TD Bank, N.A. entered into an assurance of voluntary compliance (“Assurance”) with a multistate group of nine attorneys general to settle allegations that the company violated state consumer protection and personal information safeguards laws in connection with a 2012 data breach. The breach involved the loss of two unencrypted backup tapes containing the personal information of approximately 260,000 customers. The Assurance requires TD Bank to pay $850,000 to the attorneys general.

On October 8, 2014, the Federal Trade Commission announced an $80 million settlement with mobile phone carrier AT&T Mobility, LLC (“AT&T”) stemming from allegations related to mobile cramming. The $80 million payment to the FTC is part of a larger $105 million settlement between AT&T and various federal and state regulators, including the Federal Communications Commission and the attorneys general of all 50 states and the District of Columbia. According to the FCC, “[t]he settlement is the largest enforcement action in FCC history.”

On September 17, 2014, the Federal Trade Commission announced that the online review site Yelp, Inc., and mobile app developer TinyCo, Inc., have agreed to settle separate charges that they collected personal information from children without parental consent, in violation of the Children’s Online Privacy Protection Rule (the “COPPA Rule”).

On September 8, Vermont Attorney General William Sorrell announced that SEI/Aaron’s, Inc. has entered into an assurance of discontinuance, which includes $51,000 in total fines, to settle charges over the company’s remote monitoring of its customers’ leased laptops. The settlement stems from charges accusing SEI/Aaron’s, an Atlanta-based franchise of the national rent-to-own retailer Aaron’s, Inc., of unlawfully using surveillance software on its leased laptops to assist the company in the collection of its customers’ overdue rental payments. The Vermont Office of the Attorney General claimed that such remote monitoring of the laptop users’ online activities in connection with debt collection constituted an unfair practice in violation of the Vermont Consumer Protection Act.

On September 4, 2014, the Federal Trade Commission announced a proposed settlement with Google Inc. (“Google”) stemming from allegations that the company unfairly billed consumers for mobile app charges incurred by children. The FTC’s complaint alleges that since 2011, Google violated the FTC Act’s prohibition on unfair commercial practices by billing consumers for in-app charges made by children without the authorization of the account holder.

On May 12, 2014, the Federal Trade Commission announced that it has approved final consent orders with two companies that marketed genetically customized nutrition supplements. In addition to charges that the companies’ claims regarding the effectiveness of their products were not sufficiently substantiated, the settlements also allege that the companies misrepresented their privacy and security practices. The two companies, Gene Link, Inc. (“Gene Link”) and foru™ International Corp. (“foru” – a former subsidiary of Gene Link), represented in their privacy policy that they had “taken every precaution to create a process that allows individuals to maintain the highest level of privacy” and that the companies’ third party service providers are “contractually obligated to maintain the confidentiality and security of the Personal Customer Information and are restricted from using such information in any way not expressly authorized” by the companies.

On May 9, 2014, the Federal Trade Commission announced a settlement with clothing manufacturer American Apparel related to charges that the company falsely claimed to comply with the U.S.-EU Safe Harbor Framework. According to the FTC’s complaint, the company violated Section 5 of the FTC Act by deceptively representing, through statements in its privacy policy, that it held a current Safe Harbor certification even though it had allowed the certification to expire.

On May 8, 2014, the Federal Trade Commission announced a proposed settlement with Snapchat, Inc. (“Snapchat”) stemming from allegations that the company’s privacy policy misrepresented its privacy and security practices, including how the Snapchat mobile app worked. Snapchat’s app supposedly allowed users to send and receive photo and video messages known as “snaps” that would “disappear forever” after a certain time period. The FTC alleged that, in fact, it was possible for recipients to save snaps indefinitely, regardless of the sender-designated expiration time.

On April 10, 2014, the Federal Trade Commission announced that the Director of the FTC’s Bureau of Consumer Protection had notified Facebook and WhatsApp Inc., reminding both companies of their obligation to honor privacy statements made to consumers in connection with Facebook’s proposed acquisition of WhatsApp.

On April 7, 2014, the U.S. District Court for the District of New Jersey issued an opinion in Federal Trade Commission v. Wyndham Worldwide Corporation, allowing the FTC to proceed with its case against the company. Wyndham had argued that the FTC lacks the authority to regulate data security under Section 5 of the FTC Act. The judge rejected Wyndham’s challenge, ruling that the FTC can charge Wyndham with unfair data security practices. The case will continue to be litigated on the issue of whether Wyndham’s data security practices constituted a violation of Section 5.

On March 28, 2014, the Federal Trade Commission announced proposed settlements with Fandango and Credit Karma stemming from allegations that the companies misrepresented the security of their mobile apps and failed to secure consumers’ sensitive personal information transmitted using their mobile apps.

On January 31, 2014, the Federal Trade Commission announced a settlement with GMR Transcription Services, Inc. (“GMR”) stemming from allegations that GMR’s failure to provide reasonable security allowed certain patients’ medical transcripts to be exposed to the public on the Internet. The FTC issued an accompanying press release stating it was the FTC’s 50th data security settlement.

On January 15, 2014, the Federal Trade Commission announced a proposed settlement with Apple Inc. stemming from allegations that the company billed consumers for mobile app charges incurred by children without their parents’ consent. Specifically, the FTC’s complaint alleges that Apple violated the FTC Act by not informing account holders that, for a 15-minute window after entering their password to approve a single in-app purchase, their children could make unlimited purchases without further action by the parent.

On December 31, 2013, the Federal Trade Commission announced that Accretive Health, Inc. (“Accretive”) has agreed to settle charges that the company’s inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse. Accretive experienced a breach in July 2011 that involved the protected health information of more than 23,000 patients.

On December 5, 2013, the Federal Trade Commission announced a proposed settlement with mobile app developer Goldenshores Technologies, LLC (“Goldenshores”) following allegations that Goldenshores’ privacy policy for its popular Brightest Flashlight Free app deceived consumers regarding how the app collects information, including geolocation information, and how that information may be shared with third parties. Brightest Flashlight Free, developed for the Android operating system, allows its users to use their cell phones as flashlights.

On November 12, 2013, two companies (the “Defendants”) that provide consumer background reports to third parties, including criminal record checks agreed to an $18.6 million settlement stemming from allegations that they violated the Fair Credit Reporting Act (“FCRA”) when providing these reports to prospective employers.

On October 22, 2013, the Federal Trade Commission announced a proposed settlement with Aaron’s, Inc. (“Aaron’s”) stemming from allegations that it knowingly assisted its franchisees in spying on consumers. Specifically, the FTC alleged that Aaron’s facilitated its franchisees’ installation and use of software on computers rented to consumers that surreptitiously tracked consumers’ locations, took photographs of consumers in their homes, and recorded consumers’ keystrokes in order to capture login credentials for email, financial and social media accounts. The FTC had previously settled similar allegations against Aaron’s and several other companies.

On September 4, 2013, the Federal Trade Commission announced a settlement with TRENDnet, Inc. (“TRENDnet”) stemming from allegations that TRENDnet’s failure to provide reasonable security for its Internet Protocol (“IP”) security cameras allowed hackers to publicly post online live feeds from approximately 700 customers’ cameras. As the FTC noted in its press release, “this is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the ‘Internet of Things.’”

On August 15, 2013 the Federal Trade Commission announced a settlement with Certegy Check Services, Inc. (“Certegy”) stemming from allegations that Certegy violated various provisions of the Fair Credit Reporting Act (“FCRA”). The settlement agreement includes a $3.5 million civil penalty for “knowing violations ... that constituted a pattern or practice of violations.”

On February 22, 2013, the Federal Trade Commission announced that it had settled charges against HTC America, Inc. (“HTC”) alleging that the mobile device manufacturer “failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.” This settlement marks the FTC’s first case against a mobile device manufacturer.

On January 25, 2013, Kmart Corporation (“Kmart”) agreed to a $3 million settlement stemming from allegations that it violated the Fair Credit Reporting Act (“FCRA”) when using background checks to make employment decisions. The FCRA addresses adverse actions taken against consumers based on information in consumer reports and includes numerous requirements relating to the use of such reports in the employment context.

On February 1, 2013, the Federal Trade Commission issued a new report entitled Mobile Privacy Disclosures: Building Trust Through Transparency. The report makes recommendations “for the major participants in the mobile ecosystem as they work to improve mobile privacy disclosures,” offering specific recommendations for mobile platforms, app developers, advertising networks and other third parties operating in this space. The FTC’s report also makes mention of the Department of Commerce’s National Telecommunications and Information Administration’s efforts to engage in a multistakeholder process to develop an industry code of conduct for mobile apps.

In a January 13, 2013 blog post, the Federal Trade Commission’s Bureau of Consumer Protection’s Business Center Blog highlighted the FTC’s recent groundbreaking settlement for violations of the Fair Credit Reporting Act (“FCRA”) in the mobile app context. The settlement with Filiquarian Publishing, LLC, Choice Level, LLC, and Joshua Linsk (the owner of Filiquarian and Choice Level, collectively, the “Companies”), is the first FCRA enforcement action against a mobile app developer. Filiquarian offered mobile apps to consumers for purposes of conducting criminal background checks in numerous states, and Choice Level provided the criminal background checks used by the apps to Filiquarian.

On January 7, 2013, Massachusetts Attorney General Martha Coakley announced that several Massachusetts medical practices have agreed to a consent judgment and $140,000 payment to settle charges they improperly disposed of medical information. The defendants, which include several pathology practices and a firm that provided medical billing services to those practices, were accused of dumping hard copy medical records at the Georgetown Transfer Station, a waste management facility open to the public. The records allegedly contained the names, Social Security numbers and medical diagnoses of approximately 67,000 individuals. The illegal dumping allegations were publicized in a Boston Globe article after a photographer for the newspaper discovered medical records at the facility while he was disposing of his own trash.

On December 5, 2012, the Federal Trade Commission announced that the online advertising company Epic Marketplace, Inc. (“Epic”) agreed to settle charges that it engaged in “history sniffing” to secretly and illegally collect information about consumers’ interest in sensitive medical and financial issues. History sniffing is the practice of determining whether a consumer has previously visited a webpage by checking how a browser displays a hyperlink. The consent order requires Epic to destroy all data collected from history sniffing and bars Epic from engaging in history sniffing in the future.

On November 7, 2012, the Federal Trade Commission announced that it had settled charges against payday lending and check cashing companies alleged to have improperly disposed of consumers’ personal information. In its complaint, the FTC maintained that PLS Financial Services, Inc., and The Payday Loan Store of Illinois violated the FTC’s Disposal Rule as well as the Gramm-Leach-Bliley Act’s Privacy Rule and Safeguards Rule by disposing of documents that contained consumers’ Social Security numbers, bank account numbers and credit reports in unsecured dumpsters near the companies’ payday lending and check cashing retail stores. The FTC also alleged that the companies violated the FTC Act by misrepresenting that they would reasonably protect consumer information.

On October 22, 2012, the Federal Trade Commission announced a proposed settlement agreement with Compete, Inc. (“Compete”), an online market research company that collects clickstream data from consumers to generate and sell analytical reports about consumer behavior on the Internet.

On October 10, 2012, the Federal Trade Commission announced that consumer reporting agency Equifax Information Services LLC (“Equifax”) and several of its customers, including Direct Lending Source, Inc. (“Direct Lending”), have agreed to pay a combined total of nearly $1.6 million to settle FTC allegations that they violated the Fair Credit Reporting Act (“FCRA”) in connection with the sale of data regarding consumers in financial distress. 

On October 4, 2012, the Federal Trade Commission announced that Artist Arena LLC (“Artist Arena”), an operator of fan websites for several popular recording artists, agreed to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the FTC’s COPPA Rule (“the Rule”) by improperly collecting personal information from children under the age of 13 without first obtaining verifiable parental consent. The settlement will impose a $1 million penalty on Artist Arena, bar future violations of the Rule and require deletion of the information collected in violation of the Rule.

On September 25, 2012, the Federal Trade Commission announced that it had settled a case involving allegations of spying by software company DesignerWare, LLC (“DesignerWare”) and several rent-to-own companies that rent computers to consumers, such as Aaron’s, Inc., ColorTyme, Inc., and Premier Rental Purchase. The FTC collaborated with Illinois Attorney General Lisa Madigan in its investigation.

On August 10, 2012, the Federal Trade Commission announced that it has accepted the final settlement with Facebook which resolves allegations “that Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” As we previously reported, the settlement requires Facebook to (1) not misrepresent how it maintains the privacy or security of users’ personal information; (2) obtain users’ “affirmative express consent” before sharing their information with any third ...

On August 8, 2012, the Federal Trade Commission announced a settlement agreement with employment screening company HireRight Solutions, Inc. (“HireRight”). In its first enforcement action against an employment background screening company for Fair Credit Reporting Act (“FCRA”) violations, the FTC alleged that HireRight functioned as a consumer reporting agency, but failed to comply with certain FCRA requirements. The proposed consent order imposes a $2.6 million penalty on HireRight and requires the company to remedy the alleged FCRA violations, create and retain certain records and submit reports to demonstrate compliance.

On June 26, 2012, the Federal Trade Commission announced that it had filed suit against Wyndham Worldwide Corporation and three of its subsidiaries (“Wyndham”) alleging failures to maintain reasonable security that led to three separate data breaches involving hackers accessing sensitive consumer data. The FTC’s complaint claims that Wyndham violated the FTC Act by posting misleading representations on Wyndham websites regarding how the company safeguarded customer information, and by failing to provide reasonable security for personal information it collected ...

On June 12, 2012, the Federal Trade Commission announced a settlement agreement with data broker Spokeo, Inc. (“Spokeo”). The FTC alleged that Spokeo operated as a consumer reporting agency and violated the Fair Credit Reporting Act (“FCRA”), and that certain of its advertisements were deceptive in violation of Section 5 of the FTC Act. The proposed settlement order imposes a $800,000 civil penalty on Spokeo and prohibits future violations of the FCRA. This is the first FTC case to address the sale of Internet and social media data in the employment screening context.

On May 24, 2012, Massachusetts Attorney General Martha Coakley announced that South Shore Hospital agreed to a consent judgment and $750,000 payment to settle a lawsuit stemming from a data breach that occurred in February 2010. At that time, South Shore Hospital shipped several boxes of unencrypted back-up tapes to a service provider in Texas to erase them. The tapes contained the personal and protected health information of approximately 800,000 individuals, including names, Social Security numbers, financial account numbers and medical diagnoses. Several of the boxes went missing and have yet to be recovered, though there is no evidence that the information on the missing tapes has been misused.

On May 8, 2012, the Federal Trade Commission announced a settlement agreement with the social networking service Myspace LLC (“Myspace”). The FTC alleged that Myspace’s practice of sharing users’ personal information with unaffiliated third-party advertisers conflicted with representations the company made in its privacy policy, and could allow those advertisers to obtain users’ names, publicly available information and information about their online browsing habits.

On March 27, 2012, the Federal Trade Commission announced a proposed settlement order with RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites. The FTC alleged that RockYou failed to protect the personal information of 32 million of its users, and violated multiple provisions of the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule when it collected information from approximately 179,000 children.

On March 26, 2012, the Federal Trade Commission issued a new privacy report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” The report charts a path forward for companies to act in the interest of protecting consumer privacy.

In his introductory remarks, FTC Chairman Jon Leibowitz indicated his support for Do Not Track stating, “Simply put, your computer is your property; no one has the right to put anything on it that you don’t want.” In later comments he predicted that if effective Do Not Track mechanisms are not available by the end of this year, the new Congress likely would introduce a legislative solution.

On December 12, 2011, the United States Court of Appeals for the Third Circuit affirmed a decision that employees of Ceridian Corporation's (“Ceridian's") customers did not have standing to sue Ceridian after the payroll processing firm suffered a data breach.

On January 5, 2012, the Federal Trade Commission announced a proposed settlement with Upromise, Inc., a membership reward service that gives cash rebates for college savings accounts to members who purchase products and services from its partner merchants. The FTC alleged that the “Personalized Offers” feature on the Upromise TurboSaver Toolbar (1) collected far more information about users’ browsing behavior than was disclosed at the time of installation, and (2) contrary to representations in the company’s privacy notice, transmitted that information, which included data such as Social Security numbers and financial account numbers, in clear text.

On November 29, 2011, the Federal Trade Commission announced that Facebook has settled charges that it deceived consumers by making false privacy promises. The settlement requires Facebook to (1) not misrepresent how it maintains the privacy or security of users’ personal information (2) obtain users’ “affirmative express consent” before sharing their information with any third party that “materially exceeds the restrictions imposed by a user’s privacy setting(s),” (3) implement procedures to prevent a third party from accessing users’ information no later than 30 days after the user has deleted such information or terminated his or her account, (4) establish, implement and maintain a comprehensive privacy program, and (5) obtain initial and biennial assessments and reports regarding its privacy practices for the next 20 years.