Archives: Enforcement

Subscribe to Enforcement RSS Feed

Privacy Shield Update: Ahead of First Joint Review, Europeans Remain Skeptical as FTC Announces Enforcement Actions

Melinda L. McLellanEmily FedelesBy Melinda L. McLellan and Emily Fedeles on Posted in Enforcement, International Privacy Law
On September 8, 2017, the Federal Trade Commission (FTC) announced enforcement actions against three companies alleged to have falsely claimed participation in the EU-U.S. Privacy Shield Framework. The move follows several months of uncertainty surrounding the Framework’s future as EU officials and privacy advocates have questioned its efficacy and validity in the run-up to the … Continue Reading

Uber Settles With FTC Over Allegedly Deceptive Privacy And Data Security Practices

Laura JehlBy Laura Jehl on Posted in Cybersecurity, Enforcement
Uber, the ride-hailing giant, agreed this week to implement a comprehensive privacy program and to undergo 20 years of privacy and data security audits in order to settle allegations by the Federal Trade Commission (FTC) that Uber did not keep its promises to protect customer data. The FTC had alleged two separate failures by Uber: … Continue Reading

FTC Announces Internal Process Reforms in Connection with Civil Investigative Demands

May Tal GongolevskyBy May Tal Gongolevsky and Csilla Bogo-Lofaro on Posted in Enforcement
Has your company or client been served with a Civil Investigative Demand (CID)? Overwhelmed? Don’t despair – the future may be brighter, as the Federal Trade Commission (FTC) is now offering more clarity regarding its CID document requests process. On July 17, 2017 FTC Acting Chairman Maureen K. Ohlhausen issued a new internal process reform … Continue Reading

Oregon Expands Deceptive Trade Practices Act to Include Misrepresentations About PI Usage

David KitchenAlan L. FrielBy David Kitchen and Alan L. Friel on Posted in Enforcement, State Legislation
Effective January 1, 2018, Oregon will join Pennsylvania and Nebraska in expanding its definition of deceptive trade practices to explicitly include a material misstatement regarding the use of personal information. House Bill 2090 applies to statements “publishe[d] on a website … or in a consumer agreement related to a consumer transaction.” Like the other states’ … Continue Reading

Nevada Enacts Online Privacy Policy Law; Illinois ‘Right to Know’ Bill Carried Over

David KitchenAlan L. FrielMelinda L. McLellanBy David Kitchen, Alan L. Friel and Melinda L. McLellan on Posted in Enforcement, Online Privacy, State Legislation
Nevada recently became the latest state to pass a law requiring operators of websites and online services to post a public notice regarding their privacy practices. California was the first state to pass such a law in 2004, and Delaware enacted a similar law effective January 1, 2016.  Similar to its predecessors, the new Nevada … Continue Reading

Deeper Dive: Security Incident Notification Under the New EU General Data Protection Regulation (GDPR)

Melinda L. McLellanJames A. ShererEmily FedelesBy Melinda L. McLellan, James A. Sherer and Emily Fedeles on Posted in Cybersecurity, Data Breaches, Enforcement, International Privacy Law
As noted in the 2017 BakerHostetler Data Security Incident Response Report, the enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law in more than 20 years. Coming into effect on May 25, 2018, the GDPR focuses on a number of core data protection principles and … Continue Reading

Deeper Dive: Be Prepared for Regulatory Investigations in the Wake of a Security Incident

Eric A. PackelBy Eric A. Packel on Posted in Cybersecurity, Enforcement
Your company had a data security event. After an investigation, it was determined that notifications were required, and the incident was made public as a result. Notification letters were mailed and regulators were notified, all in accordance with the law. Your company also enhanced security measures and took other remedial action, so there is nothing … Continue Reading

FTC Nets $500,000 Settlement for Alleged Consent Order Violation Related to Online Data Collection Practices

Melinda L. McLellanBy Melinda L. McLellan and Kathryn Mellinger on Posted in Big Data, Enforcement, Online Privacy
On March 17, 2017, the Federal Trade Commission (FTC) announced that it had reached a $500,000 settlement with Upromise, a membership reward service aimed at families saving for college. The FTC had alleged that Upromise violated a 2012 FTC consent order by failing to make required disclosures about its data collection and use practices and … Continue Reading

FTC’s $2.2m Smart TV Settlement Signals Continued IoT Enforcement Focus

Alan L. FrielMelinda L. McLellanBy Alan L. Friel and Melinda L. McLellan on Posted in Behavioral Advertising, Big Data, Enforcement, Information Security, Internet of Things, Marketing, Online Privacy
On February 6, 2017, the Federal Trade Commission announced that it had settled charges against VIZIO, Inc., a consumer electronics manufacturer of Internet-connected televisions. The FTC alleged that VIZIO unfairly tracked sensitive TV viewing data of millions of American consumers, and deceptively failed to disclose how the collected data was being used. This action was … Continue Reading

Finalized New York Department of Financial Services Cybersecurity Regulation to Take Effect March 1

Melinda L. McLellanJonathan FormanBy Melinda L. McLellan and Jonathan Forman on Posted in Cybersecurity, Enforcement, Financial Privacy, Information Security
On February 16, 2017, the New York Department of Financial Services (NYDFS) announced the release of its finalized Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulation”), which will take effect on March 1, 2017. This final iteration, issued following an additional 30-day comment period, is in large part the same as the revised version dated … Continue Reading

FTC Goes After IoT Device Manufacturer for Alleged Security Vulnerabilities in Routers, IP Cameras

Melinda L. McLellanBy Melinda L. McLellan and Kathryn Mellinger on Posted in Enforcement, Internet of Things
On January 6, the Federal Trade Commission (FTC) announced that it had filed a complaint against Taiwanese D-Link Corp. and its U.S. subsidiary, D-Link Systems Inc. (D-Link), alleging the company made deceptive claims about the security of its products and engaged in unfair practices that put U.S. consumers’ privacy at risk. The case is noteworthy for … Continue Reading

New York Department of Financial Services Issues Revised Cybersecurity Regulations

Melinda L. McLellanJonathan FormanBy Melinda L. McLellan and Jonathan Forman on Posted in Cybersecurity, Enforcement, Financial Privacy
With the clock ticking down to the new year, on December 28, 2016, the New York State Department of Financial Services (NYDFS) released highly anticipated revisions to its proposed Cybersecurity Requirements for Financial Services Companies (the “Proposal”). As we previously reported, the NYDFS first announced the proposed regulations in September; at that time, they were … Continue Reading

FTC Settles with Ad Tech Company Over Deceptive Online Tracking Practices

Melinda L. McLellanRobyn M. FeldsteinBy Melinda L. McLellan and Robyn M. Feldstein on Posted in Behavioral Advertising, Enforcement, Marketing, Mobile Privacy, Online Privacy
On December 20, 2016, the Federal Trade Commission (FTC) announced that Turn Inc. agreed to settle charges that it misled consumers about its online tracking activities and failed to honor consumer opt-outs as described in its privacy policy. Background Turn is a digital advertising company that facilitates targeted marketing by commercial brands and ad agencies … Continue Reading

FCC Wades Back Into Data Privacy and Security for ISPs With Revised Privacy Proposal

Alan L. FrielBy Alan L. Friel and Suchismita Pahi on Posted in Cybersecurity, Enforcement
Recently, Federal Communications Commission (FCC or Commission) Chairman Tom Wheeler circulated to the Commission a revised proposed order to regulate the data privacy and security practices of internet service providers (ISPs) (also known by the Commission as broadband internet access service (BIAS) providers). We previously wrote about the Commission’s initial proposal in this regard (available … Continue Reading

Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

David M. BrownBy David M. Brown on Posted in Cybersecurity, Data Breaches, Enforcement, Online Privacy, Retail Industry
On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information. According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an … Continue Reading

Unanimous FTC Finds LabMD’s Data Security Practices Violated Section 5 of the FTC Act

Will R. DaughertyDavid M. BrownBy Will R. Daugherty and David M. Brown on Posted in Cybersecurity, Enforcement, Medical Privacy, Online Privacy
On July 29, 2016, a unanimous Federal Trade Commission (“FTC” or “Commission”) issued its Opinion and Final Order reversing the decision of an administrative law judge (“ALJ”) and holding that LabMD engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal … Continue Reading

Court of Appeals Upholds FCC’s Net Neutrality Rules and Regulatory Authority

Alan L. FrielBy Suchismita Pahi and Alan L. Friel on Posted in Enforcement, Privacy Litigation
On June 14, 2016, the D.C. Court of Appeals ruled 2-1 in favor of the Federal Communication Commission’s (FCC) net neutrality rules, which the commission approved on February 26, 2015 (published March 12, 2015). This reclassified broadband internet access service (BIAS) as a telecommunications service under Title II of the Communications Act, affording the FCC … Continue Reading

German Data Protection Authority Issues Fines for Unlawful Cross-Atlantic Data Transfers

Melinda L. McLellanBy Jenna N. Felz, Melinda L. McLellan and Alexandra Beierlein on Posted in Enforcement, International Privacy Law
The Data Protection Authority of Hamburg, Germany has made good on its promise to audit cross-Atlantic data transfers in the wake of the October 2015 Safe Harbor decision.  On June 6, the Hamburg DPA announced that it had fined three companies for unlawful transfers of personal data from the EU to the United States.  According … Continue Reading

FCC’s Growing Privacy and Data Security Enforcement

Patrick H. HaggertyBy Patrick H. Haggerty and F. Paul Pittman on Posted in Data Breaches, Enforcement
The Federal Communications Commission (FCC) has had a busy 2015, and its presence in the data security regulatory enforcement space will likely continue to grow. Last year, the FCC named Travis LeBlanc as chief of the Enforcement Bureau. Since then, the FCC has brought three separate enforcement actions against companies for allegedly not safeguarding consumers’ … Continue Reading

German Data Protection Authorities Limit Use of Alternative Data Transfer Mechanisms in Light of Safe Harbor Decision

By Jenna N. Felz and Alexandra Beierlein on Posted in Enforcement, International Privacy Law
In the weeks since the October 6, 2015, Court of Justice of the European Union decision (“CJEU Decision”) that invalidated the EU-U.S. Safe Harbor framework, companies have been faced with the quandary of establishing legal alternatives for transferring personal data from Europe to the U.S. We have discussed alternative data transfer mechanisms such as standard … Continue Reading

Safe Harbor Is Dead, Long Live Standard Contractual Clauses?

Melinda L. McLellanWilliam W. HellmuthBy Melinda L. McLellan and William W. Hellmuth on Posted in Enforcement, International Privacy Law
For the past 15 years, the EU-U.S. Safe Harbor Framework has been one of the most popular data transfer mechanisms for organizations that engage in cross-border transfers of EU personal data to the United States. In the aftermath of the recent invalidation of the Safe Harbor Framework by the Court of Justice of the European … Continue Reading

What Now? What Next? FAQs and Answers Regarding the Safe Harbor Decision

Melinda L. McLellanBy Tanya Forsheit and Melinda L. McLellan on Posted in Enforcement, International Privacy Law
As we discussed in our blog post last week, on October 6, 2015, the Court of Justice of the European Union issued a judgment that invalidated the EU-U.S. Safe Harbor Framework. For the past 15 years, thousands of companies have been using the Safe Harbor Framework to transfer personal data from the EU to the … Continue Reading

EU High Court Invalidates Safe Harbor Framework for Cross-Border Data Transfers

Melinda L. McLellanJames A. ShererBy Melinda L. McLellan and James A. Sherer on Posted in Enforcement, International Privacy Law
On October 6, 2015, the Court of Justice of the European Union (CJEU) issued a highly anticipated judgment that has the potential to impact how thousands of companies transfer data from the EU to the United States. The Court’s decision effectively invalidates the European Commission’s “adequacy” determination with respect to the U.S.-EU Safe Harbor Framework, … Continue Reading

CA AG Requires Chief Privacy Officer and Privacy Compliance Program

Alan L. FrielBy Alan L. Friel on Posted in Cybersecurity, Enforcement
California’s Attorney General, Kamala Harris, has required Houzz, a home décor information and e-commerce website and mobile app publisher, to hire a chief privacy officer (CPO), conduct a company-wide privacy assessment, and maintain a privacy compliance program to settle a lawsuit that alleged Houzz failed to follow California law that requires disclosure of the recording … Continue Reading
LexBlog