Tag Archives: privacy

NIST Solicits Comments on Revised Draft IoT Cybersecurity Device Guidance

By Sheila Millar and Tracy Marshall on January 15, 2020 Posted in Privacy

On January 7, 2020, the National Institute of Standards and Technology (NIST) released a draft of revised cybersecurity recommendations for IoT devices at both the pre-market and post-market stages. NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, identifies six voluntary steps manufacturers should take to account for security… Continue Reading

The EU Advocate General Opinion is Out: Standard Contractual Clauses are Valid

By Sheila Millar and Tracy Marshall on December 20, 2019 Posted in Privacy

Businesses that rely on standard contractual clauses (SSCs) to transfer personal data outside the European Economic Area (EEA) just got good news. The long-awaited decision from the EU Advocate General (AG) is here: SCCs are valid. The AG’s opinion, although non-binding, is significant for the case brought by Austrian privacy activist Max Schrems against Facebook,… Continue Reading

FTC Says “Stalking” Apps Violate COPPA and the FTC Act

By Sheila Millar and Tracy Marshall on October 30, 2019 Posted in Privacy

You know that movie where a person thinks they’ve barricaded themselves in their house against a stalker, only to grasp the awful realization that the threat is “coming from inside the house”? Unbeknownst to you, that threat may, in fact, be coming from your smartphone, according to a complaint by the Federal Trade Commission (FTC).… Continue Reading

Reevaluating the COPPA Rule

By Sheila Millar on October 22, 2019 Posted in Privacy

In the two decades following the enactment of the Children’s Online Privacy Protection (COPPA) Rule, technological developments have changed the online landscape considerably. Recognizing this, the Federal Trade Commission (FTC) held a public workshop on October 7, 2019, to discuss whether, given the proliferation of smart devices, video games, online channels, and EdTech, the Rule,… Continue Reading

FTC and D-Link Settle Data Security Dispute

By Sheila Millar and Tracy Marshall on July 17, 2019 Posted in Data Privacy

After protracted litigation, the Federal Trade Commission (FTC) entered into a proposed settlement with computer software manufacturer D-Link over charges that the company misrepresented the security of its wireless routers and Internet-connected cameras and failed to take reasonable software testing and remediation measures to protect the devices. As we previously reported, part of the FTC’s… Continue Reading

UK ICO Proposes GDPR Fines for British Airways and Marriott Data Breaches

By Sheila Millar and Tracy Marshall on July 11, 2019 Posted in Data Security

Earlier this week, the UK Information Commissioner’s Office (ICO) announced its intent to fine British Airways £183,390 million ($230 million) and its intent to fine Marriott International more than £99 million ($123 million) for violations of the General Data Protection Regulation (GDPR) arising out of data breaches. The ICO investigated the breaches as the lead… Continue Reading

FTC Settles Lax Data Security Charges with Software Seller

By Sheila Millar and Tracy Marshall on June 17, 2019 Posted in Privacy

The Federal Trade Commission (FTC) entered into a proposed settlement with LightYear Dealer Technologies, LLC (aka DealerBuilt) on June 12, 2019, over allegations of lax consumer privacy protections. While no fines were levied, the order is remarkable for its detailed and extensive requirements governing the company’s future data privacy practices and the FTC’s role in… Continue Reading

Website Hacks Result in FTC Actions for Lax Security

By Sheila Millar and Tracy Marshall on May 17, 2019 Posted in Privacy

After hacks of two websites, i-Dressup.com and ClixSense.com, resulted in the compromise of personal information for millions of users – including, in the case of i-Dressup, hundreds of thousands of children under 13 – the Federal Trade Commission (FTC) issued complaints against the websites and their operators for lax security and other privacy violations. Notably,… Continue Reading

Avoid Being Held Hostage: FTC Releases Ransomware Guidance

By Sheila Millar and Tracy Marshall on December 13, 2016 Posted in Cybersecurity

New research from security company Kaspersky Labs suggests that the use of ransomware is now so widespread that nearly every moment, a ransomware attack is being launched somewhere in the world on businesses and consumers. Ransomware, or malicious software that infiltrates computer systems and uses tools like encryption to deny access or hold data “hostage”… Continue Reading

Shielded: EU Approves Privacy Pact with the U.S., Fee Schedule Proposed

By Sheila Millar and Tracy Marshall on July 26, 2016 Posted in Cybersecurity, Privacy

The European Commission (EC) approved the EU–U.S. Privacy Shield on Tuesday, July 12, after European Union member states, through the Article 31 committee, approved the pact the previous week (more on the draft adequacy decision back in March here and the earlier agreement laying out the Privacy Shield here). The decision will allow U.S. companies that… Continue Reading

GDPR Publication Starts Countdown to May 2018 Compliance Date for New Privacy Rules

By Sheila Millar and Tracy Marshall on May 9, 2016 Posted in Legislation, Privacy, Regulations

The new General Data Protection Regulation (GDPR) (Regulation 2016/69, Apr. 27, 2016), approved by the European Parliament and the Council of the European Union, was formally published in the Official Journal of the European Union on May 4, 2016, and will replace the Data Protection Directive (Directive 95/46/EC) effective May 28, 2018. This new set… Continue Reading

FCC Adopts Broadband Privacy NPRM

By Sheila Millar and Tracy Marshall on April 1, 2016 Posted in Privacy, Regulations

At its Open Meeting yesterday, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking (NPRM) that would apply the privacy protections in Section 222 of the Communications Act to broadband Internet Service Providers (ISPs). The text of the NPRM, which reportedly seeks public comment on more than 500 questions relating to privacy and… Continue Reading

The FCC Continues Privacy Push with Draft Proposal Regulating ISP Customers’ Data

By Sheila Millar and Tracy Marshall on March 11, 2016 Posted in Data Security, Privacy, Regulations

On the heels of the Open Internet Order adopted by the Federal Communications Commission (FCC) last year, FCC Chairman Tom Wheeler has circulated a Notice of Proposed Rulemaking (NPRM) to fellow Commissioners that would apply the privacy protections of the Communications Act to broadband Internet access services. Wheeler’s proposal will be voted on at the… Continue Reading

Obama Signs Judicial Redress Act—Will It Move EU–U.S. Privacy Shield Forward?

By Sheila Millar and Tracy Marshall on February 26, 2016 Posted in Legislation, Privacy

President Barack Obama signed the Judicial Redress Act on Wednesday, February 24, 2016, which will eventually enable European Union citizens to seek remedies for alleged privacy violations by the federal government in U.S. courts. The Act gives the U.S. Department of Justice (DOJ) authority to designate countries or international organizations that (1) have appropriate privacy… Continue Reading

New Year, New Cyber Law

By Sheila Millar and Tracy Marshall on January 4, 2016 Posted in Cybersecurity

In the rush of holidays and storms around the country (and weirdly warm weather here in D.C.), it was easy to miss that Congress finally approved the Cybersecurity Information Sharing Act (CISA). The bill was included in the middle of its omnibus spending package, the Consolidated Appropriations Act, 2016, Pub. L. 114–113 (Dec. 18, 2015),… Continue Reading

Two App Developers Agree on COPPA Settlement with FTC

By Sheila Millar and Tracy Marshall on December 18, 2015 Posted in Advertising, Privacy

Two app developers have settled complaints from the Federal Trade Commission (FTC) that they allowed third parties to collect information, including persistent identifiers, through their apps, and allowed third parties to serve advertising to children, in violation of the Children’s Online Privacy Protection Act (COPPA). The FTC’s announcement was released the same day it announced… Continue Reading

Agreement Reached on Landmark EU Data Protection Reform

By Sheila Millar and Tracy Marshall on December 18, 2015 Posted in Data Security, Privacy

On December 15, 2015, the European Commission announced that an agreement has been reached with the European Parliament and the Council (the “trilogue” meetings) regarding the Commission’s sweeping 2012 EU Data Protection Reform proposal. The reform package, which consists of a General Data Protection Regulation and a Data Protection Directive for Police and Criminal Justice… Continue Reading

False Advertising Contempt Suit Costs LifeLock $100 Million

By Sheila Millar and Tracy Marshall on December 17, 2015 Posted in Data Security, Litigation, Privacy

On December 17, 2015, the Federal Trade Commission (FTC) announced that Lifelock, Inc. (LifeLock), agreed to pay a record-breaking $100 million to settle charges that it violated an earlier consent agreement related to flawed data security practices issued in March 2010. The LifeLock settlements implicate both the “fairness” of the company’s data security practices and… Continue Reading

Life After the U.S.–EU Safe Harbor

By Sheila Millar and Tracy Marshall on November 3, 2015 Posted in Data Security, Privacy

We’ve written about the ground-breaking and panic-inducing ruling of the European Court of Justice (ECJ) invalidating the U.S.–EU Safe Harbor framework as an adequate data transfer mechanism, and ruling that national authorities are not bound by Commission approvals. Click here for our September 23, 2015 blog post, and here for a related October 16, 2015… Continue Reading

Article 29 WP Says Safe Harbor Transfers Illegal; Model Clauses and BCRs Under Review

By Sheila Millar and Tracy Marshall on October 16, 2015 Posted in Data Security, Litigation, Privacy

The Article 29 Working Party (WP) issued a press release on October 16, 2015 announcing the outcome of the meeting to discuss coordinated action after the Court of Justice of the European Union (ECJ) decision in the matter of Schrems v. Data Protection Commissioner (C-362-14), which invalidated the U.S.-EU Safe Harbor Agreement. While calling for… Continue Reading

EU Official Calls for Invalidation of EU–U.S. Safe Harbor Pact

By Sheila Millar and Tracy Marshall on September 23, 2015 Posted in Data Security, Privacy

A European Court of Justice (ECJ) advocate general, Yves Bot, has called for the European Union–U.S. Safe Harbor Agreement to be invalidated due to concerns over U.S. surveillance practices (press release here, opinion here). The ECJ has discretion to reject the recommendation, but such opinions are generally followed. A final decision on the issue is… Continue Reading

In Commission Win, Appeals Court Agrees that FTC Can Regulate Business Data Security Practices Under Unfairness Authority

By Sheila Millar and Tracy Marshall on August 26, 2015 Posted in Cybersecurity, Data Security, Privacy

In a closely watched case where the Federal Trade Commission (FTC) pursued Wyndham Worldwide Corporation for several data breaches that led to millions of dollars in fraudulent charges on customers’ payment cards, the U.S. Court of Appeals for the Third Circuit on Monday agreed with the Commission’s broad interpretation of its “unfairness” authority (opinion here).… Continue Reading

Unlucky 13: FTC Settles Charges under International Safe Harbor Framework

By Sheila Millar and Tracy Marshall on August 20, 2015 Posted in Privacy

Thirteen companies have agreed to settle with the Federal Trade Commission (FTC) charges relating to their participation in the U.S.–EU and U.S.–Swiss Safe Harbor Frameworks. Seven companies allegedly failed to renew their Safe Harbor self-certifications, including a sports marketing firm, two software developers, a research organization, a business information firm, a security consulting firm, and… Continue Reading

Is Your Device ID “Personal”? Federal Appeals Court to Decide Under VPPA

By Sheila Millar and Tracy Marshall on May 22, 2015 Posted in Litigation, Privacy

A federal appellate court will consider early next month whether the Video Privacy Protection Act (VPPA) makes an “Android ID” – a device identifier used in Google’s smartphones –personally identifiable information (PII). The Eleventh Circuit has scheduled oral argument in the case, Ellis v. Cartoon Network, Inc., for June 3, 2015. The plaintiff in the… Continue Reading