Photo of Kristin Madigan

Kristin J. Madigan is a partner in Crowell & Moring’s San Francisco office and a member of the firm’s Litigation and Privacy & Cybersecurity groups. Kristin focuses her practice on representing clients in high-stakes complex litigation with a focus on technology, as well as privacy and consumer protection matters including product counseling, compliance, investigations, enforcement, and litigation that typically involves existing and emerging technologies. In addition, Kristin is well-versed in and counsels clients on California Consumer Privacy Act (CCPA) compliance. Kristin is a Certified Information Privacy Professional/United States (CIPP/US).

Thursday, November 10, was a big day for the FTC asserting its competition authority, from an announcement to strengthen FTC enforcement of Section 5 to weighing in on hiring restrictions. These stories, plus warnings of limited options for medication, an upcoming open Commission meeting, and more, after the jump.

Continue Reading FTC Updates (November 7-11, 2022)

The FTC had an active week and addressed numerous topics, including ways to protect older adults and gig economy workers. Notably, the FTC released a report showing the rise in sophisticated dark pattern practices and the Commission’s commitment to combatting them. The Commission also announced a proposed rule targeting government and business impersonation scams. This story and more after the jump. 

Continue Reading FTC Updates (September 12–16, 2022)

The FTC has been aggressive wrapping up the fiscal year before the Labor Day weekend—it initiated several actions across various industries, protecting consumers from sensitive data leak to deceptive “pre-approved” credit offers. The Commission also issued its E-Cigarette Report for 2019-2020, which highlights dramatic surge in sale of flavored disposable e-cigarettes and menthol e-cigarette cartridges. Last but not the least, the FTC is sending checks totaling more than $1.9 million to consumers who bought Hubble brand contact lenses from Vision Path, Inc. This story and more after the jump. 

Continue Reading FTC Updates (August 29-September 2, 2022)

On August 24, 2022, the California Attorney General’s Office announced a settlement with Sephora, Inc. (Sephora), a French multinational personal care and beauty products retailer. The settlement resolved Sephora’s alleged violations of the California Consumer Privacy Act (CCPA) for allegedly failing to: disclose to consumers that the company was selling their personal information, process user requests to opt out of sale via user-enabled global privacy controls, and cure these violations within the 30-day period currently allowed by the CCPA.

Continue Reading $1.2 Million CCPA Settlement with Sephora Focuses on Sale of Personal Information and Global Privacy Controls

The FTC released its policy paper and fact sheet urging state legislatures to avoid using Certificate of Public Advantage (“COPA”) laws and instead invited state lawmakers to work collaboratively with competition policy experts to minimize the potentially harmful effects of further hospital consolidation. This follows that Agency’s recent blocking of a number of healthcare provider mergers, emphasizing the Commission’s focus on preventing what it considers anticompetitive hospital mergers. The Agency also announced that it will be sending out checks totaling more than $822,000 to borrowers that lost money to a student loan debt-relief scheme. These stories after the jump.

Continue Reading FTC Updates (August 15-19, 2022)

The FTC announced two victories in separate actions against Personal Protective Equipment (“PPE”) companies and secured more than $17 million for consumers. In the two cases, the FTC has alleged that California-based Glowyy and Louisiana-based American Screening each failed to deliver PPE products within promised time periods during the early stages of the COVID-19 pandemic. In addition, the FTC announced a new action and consent agreement against online homebuying firm Opendoor Labs, Inc. for allegedly misleading claims about the benefits of its service. Last, the Commission is sending checks totaling more than $1 million to 1,966 consumers who were harmed by a debt collection scam. These stories and more after the jump.

Continue Reading FTC Updates (August 1-5, 2022)

Last week, the President signed the Internet of Things (IoT) Cybersecurity Improvement Act into law, kicking off a multi-year process that will culminate in the first-ever federal requirements for IoT devices. Under the law, the National Institute of Standards & Technology (NIST) is now charged with drafting and finalizing security requirements for IoT devices, as

On November 3, 2020, California voters approved California Proposition 24, also known as the California Privacy Rights Act of 2020, or CPRA. The CPRA expands protections afforded to personal information, building off of the California Consumer Privacy Act (CCPA), which took effect in January of this year. While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023, and apply only to personal information collected after January 1, 2022.

Key Changes to CA Privacy Law

At 54 pages long, the CPRA makes numerous changes to the CCPA, ranging from minor revisions to the introduction of new concepts and the creation of several new consumer rights. Some of the most impactful changes are discussed below. A series of future client alerts will explore the nuances of these changes in greater detail.

Sensitive Personal Data

The CPRA establishes new rules for a category of “sensitive personal information,” which includes, for example, genetic data and religious or philosophical beliefs, and is defined as personal information that reveals:

(1)

  1. a consumer’s social security, driver’s license, state identification card, or passport number;
  2. a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  3. a consumer’s precise geolocation;
  4. a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
  5. the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; and
  6. a consumer’s genetic data; and

(2)

  1.  the processing of biometric information for the purpose of uniquely identifying a consumer;
  2.  personal information collected and analyzed concerning a consumer’s health; or
  3.  personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This definition is among the most impactful changes in the CPRA, given the breadth of data that it sweeps in, along with the creation of new disclosure and opt-out rights associated with “sensitive personal information.” These changes will likely require covered businesses to dive into their data, map it, and ensure they are compliant.

In addition, the CPRA creates a right for consumers to “limit use and disclosure of sensitive personal information.” Similar to existing CCPA opt-out rights, beginning in 2023, consumers may direct businesses that collect sensitive personal information to limit its use to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer” or to perform a small subset of specifically identified exempt services. Significantly, exemptions to the opt-out will include short-term, transient advertising, and “performing services on behalf of the business,” but not general advertising and marketing, nor long-term profiling or behavioral marketing technologies.
Continue Reading CCPA 2.0? California Adopts Sweeping New Data Privacy Protections