The FTC has placed Twitter in the hot seat again for privacy related practices that it alleges impacted over 140 million users. The Commission has also resolved actions pertaining to alleged magazine subscription scams and credit card laundering. In addition, the FTC is turning to the public to gather information regarding the recent infant formula shortage. These stories and more after the jump.
The California Consumer Privacy Act (“CCPA”), which went into full effect on January 1, 2020, has seen robust enforcement efforts by the office of the California Department of Justice. In late January, California Attorney General Rob Bonta announced an investigative sweep of businesses operating loyalty programs in California and sent notices alleging noncompliance with the CCPA to major corporations in the retail, home improvement, travel, and food services industries. In addition, Attorney General Bonta has encouraged consumers to know and express their privacy rights through an online platform that allows them to directly notify businesses of potential violations.
Continue Reading Enforcement of The California Consumer Privacy Act Via Letters Noticing Noncompliant Loyalty Programs and Online Tool for Consumers to Notify Businesses of Potential Violations
Monday, January 31, 2022
Consumer Protection: Privacy & Facial Recognition
- FTC Commissioner Christine Wilson issued a series of letters to Senators Ron Wyden, Maria Cantwell, and Roger Wicker as well as House of Representatives members Jan Schakowsky, Cathy McMorris Rodgers, and Gus Bilirakis to request review of a proposed contract between the IRS and ID.me, an identity verification software company. Ms. Wilson’s letters highlight a recent Washington Post article predicting that taxpayers may have to scan their faces in order to access their IRS tax accounts. She also expresses concerns that ID.me’s software would not adequately protect the privacy of taxpayer records and could cause other harms, referencing a 2019 hack of the U.S. Customs and Border Patrol database, which exposed thousands of photos of Americans. Commissioner Wilson notes that the recipients of her letters are leaders on privacy issues in the House and Senate, and she offered the FTC’s assistance with this request.
Monday, October 18, 2021
Deceptive or Misleading Conduct & Protecting Older Consumers
- The FTC issued its latest report to Congress on protecting older consumers, which highlights updated findings from the Commission’s fraud reports showing trends in how older adults report being affected by fraud with the most frequent type of fraud reported by older adults
Tuesday, October 5, 2021
Advertising and Marketing & Privacy and Security
- The FTC approved a settlement with the operators of MoviePass over allegations that they took steps to block subscribers from using the service as advertised, while also failing to secure subscribers’ personal data. The FTC alleged that MoviePass Inc.—along with CEO Mitchell Lowe, and MoviePass’ parent company and its CEO, deceptively marketed its “one movie per day” service, then deployed deceptive tactics aimed at preventing subscribers from using the service as advertised —actions the FTC alleged violated both the FTC Act and the Restore Online Shoppers’ Confidence Act. The FTC also alleged MoviePass’s operators left a database containing large amounts of subscribers’ personal information unencrypted and exposed, leading to unauthorized access.
First, it was the “Internet of Things” and now it is the “Internet of Dolls.” Mattel, maker of the iconic Barbie doll, has announced plans to introduce “Hello Barbie,” a doll with a Siri-like ability to communicate. The new Barbie, which connects to the cloud through WiFi, can have conversations, tell jokes, and play games with the children who own them.
Hello Barbie also has the ability to listen and learn girl’s preferences and adapt to them accordingly. During a recent demonstration when a Hello Barbie prototype was asked “What should I be when I grow up?” she responded “Well, you told me you like being on stage. How about a dancer? Or a politician? Or a dancing politician?”
This Barbie doll is likely just the first in what will surely be a long line of dolls and toys that have incredible technological capabilities—whether it is a Siri-like ability to communicate, video recording technology, or the chance to communicate to friends.
But, as these new frontiers of play develop, manufacturers and marketers need to work to ensure that we can strike a balance between innovative play and children’s safety and privacy. And the lines aren’t always clear.…
A bill has been introduced in the California legislature that would dramatically increase retailers’ liability for data breaches. Dubbed the “Consumer Data Breach Protection Act,” Assembly Bill 1710 would enact sweeping changes to California’s data breach notification laws, setting short deadlines by which consumers would need to be notified of breaches and increasing the penalties associated with such breaches. AB 1710’s new provisions would apply to all businesses that sell goods or services to California residents and accept credit or debit cards, although the law retains exemptions for certain businesses that are subject to other privacy regulations (such as financial institutions).
The California Retailers Association has already come out in opposition to the bill, and in years past, has successfully fought similar efforts to expand the state’s data breach notification laws. However, given the number of recent high profile data incidents, lawmakers are in a stronger position this year to amend California’s data protection laws. Indeed, as introduced, AB 1710 made only minor nonsubstantive changes to the data privacy laws, but in the wake of various well-publicized data breaches, the bill’s authors substantially amended the bill to increase the “teeth” in the law.
The following briefly summarizes some of the bill’s key proposed changes:
Expands Restrictions on Data Use and Retention. AB 1710 limits retention of “payment-related data” to the amount of time required for “business, legal, or regulatory purposes.” Retention of payment-related data would be prohibited if it is unnecessary for those purposes. The bill also requires businesses to create “payment data retention and disposal” policies specifying the amount of time such data will be retained. The bill prohibits the retention of certain types of data, such as card verification codes, PIN numbers, social security and driver’s license numbers. The bill also forbids the sale of an individual’s social security number. The term “payment-related data” is defined to include all items that fall within the current statutory definition of “personal information,” such as a consumer’s name, social security number, driver’s license number, account numbers, and user name and passwords.…