Privacy & Data Security

States can now require internet retailers to collect sales taxes even if the retailer has no physical presence in the state.

In South Dakota v. Wayfair, the Supreme Court overturned its 1992 decision in Quill Corporation v. North Dakota, which limited a state’s ability to impose its sales tax on an out-of-state retailer. In Quill the Court ruled that only a retailer that had a physical presence in a state by means of employees, stores, warehouses, or the like was required to collect such state’s sales tax. The Quill decision is one of the main reasons why many e-commerce retailers did not have to collect sales tax for sales to out-of-state residents.


Continue Reading States Win and E-Retailers Lose as U.S. Supreme Court Alters Sales Tax Collection Standard

Practitioners have been waiting for quite some time for the 11th Circuit’s decision in the LabMD case. LabMD, Inc. v. Fed. Trade Comm’n, No. 16-16-270 (11th Cir. June 6, 2018). In particular, there was a great deal of interest as to how the court might resolve the issue of whether the “substantial injury” requirement under the unfairness prong of Section 5(a) of the FTC Act was satisfied by a data breach in 2008 involving approximately 9000 consumers and with little evidence of actual consumer monetary injury.

Well, the 11th Circuit published its decision this week but the issue regarding the meaning of “substantial injury” will have to wait for another day as the Court declined to address that question, instead ruling that the Federal Trade Commission’s order as drafted is unenforceable. In doing so, the 11th Circuit likely surprised a lot of folks and created a great deal of uncertainty regarding FTC orders in general.

The Court noted that for the most part the FTC’s complaint against LabMD was premised not upon certain affirmative acts taken by the company but rather upon its failure to act in particular ways. In other words, the company had been negligent in establishing a reasonable data security program. The Court assumed for the sake of argument that the FTC could base an unfairness complaint upon a negligent failure to act but then went on to find the order unenforceable because the order set forth an indefinite “reasonableness” standard with respect to the company’s future obligations in establishing data security measures. The relevant order language read as follows:


Continue Reading 11th Circuit’s LabMD Decision has Implications Outside of Just Privacy

Some people really do not like being told to get a flu shot and, in Latner v. Mount Sinai Health System, Inc., 2018 WL 265085 (2d Cir. amended decision Jan. 9, 2018), a man sued his hospital over it. Well, not exactly. Plaintiff Daniel Latner claimed that a text message sent by a third party telemarketer for Mt. Sinai Health System reminding him to get a flu shot violated his rights under the Telephone Consumer Protection Act (TCPA). Among other things, the TCPA allows individuals to file lawsuits and collect statutory damages for receiving autodialed text messages without the recipient’s prior express consent. Latner addressed the scope of consent required for a healthcare message made by a covered entity or its business associate, as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Continue Reading Dose of Relief for Healthcare Entities: Second Circuit Finds Hospital Had Sufficient Consent Under the TCPA

A change in administration inevitably raises questions regarding the priorities and direction of federal agencies. To help set the record straight, Lesley Fair, a Senior Attorney with the Federal Trade Commission’s (FTC or Commission) Bureau of Consumer Protection, reminded us during last week’s NAD Annual Conference that the FTC has kept quite busy over the last year or so, with numerous enforcement cases arising out of the FTC’s Bureau of Consumer Protection. Ms. Fair also shared her views regarding the FTC’s key enforcement priorities that affect advertisers and marketers. Perhaps unsurprisingly, these priority areas generally relate to (i) advertising substantiation; (ii) use of social media, endorsements, and consumer reviews; (iii) matters involving privacy and data security; and (iv) allegations of financial deception. While such topics warrant serious consideration and attention for advertisers, one would be remiss in failing to mention that, in typical Ms. Fair fashion, she discussed these issues in a manner that not only kept the audience engaged, but largely entertained.

With respect to advertising substantiation, Ms. Fair took the opportunity to remind the audience that despite our obsession with smartphones—and our assumption that they can do almost anything except fold our laundry—the FTC will carefully scrutinize advertisers’ claims about their products, including health apps for smartphones, to ensure they are adequately substantiated. As an example, Ms. Fair mentioned the Commission’s January 2017 settlement with Breathometer, Inc. and Charles Michael Yim in which the FTC alleged that marketers of two app-supported smartphone accessories, marketed to accurately measure consumers’ blood alcohol content (BAC), failed to adequately test the accuracy of the app and failed to notify customers that the app regularly understated BAC levels. In another smartphone settlement from December 2016, FTC v. Aura Labs, Inc. and Ryan Archdeacon, the FTC alleged that the marketer’s blood pressure app lacked reliable testing, and that the app’s readings were significantly less accurate than those taken with a traditional blood pressure cuff. In both of these cases, Ms. Fair suggested that the FTC seemed particularly concerned due to potential safety issues arising from the lack of proper testing, especially where an intoxicated driver might get behind the wheel, or where a consumer may think his/her blood pressure does not present a health risk. These cases serve as a reminder that the FTC will evaluate substantiation with an especially critical eye where advertisers make health and safety-related claims.


Continue Reading What’s the Federal Trade Commission Been Up to Recently?

Virtual reality (VR) and augmented reality (AR) are now considered mainstream technologies, and if your company is not yet using them, it will be.

AR has the ability to blur the lines between reality and computer-generated information, whereas VR is further along the spectrum of computer-generated content and involves the creation of an immersive, wholly computer-generated environment.

Both are known primarily for their use in recreation, most notably video games, though the technologies are also being incorporated into other industry sectors. Some argue AR will change the way we work; for example, architects in various locations around the world may be able to manipulate the designs of buildings in real time and in 3D. And VR is already being used to train people in various industries, such as the military and medicine. Indeed, some experts believe that AR and VR will achieve widespread adoption in commercial applications well before either receives widespread consumer adoption for recreational purposes.


Continue Reading Are You Prepared for the Legal Issues of Augmented Reality?

On June 21, 2017, the Federal Trade Commission (FTC) updated one of its Children’s Online Privacy Protection Act (COPPA) compliance guides for businesses. Known as the “Six-Step Compliance Plan,” this document provides a step-by-step road map for determining if a company is covered by COPPA and what to do to comply.

COPPA applies to operators of websites and online services that collect “personal information” from children under 13 years of age, where the site or service is directed to children or has actual knowledge that it is collecting personal information from a child. COPPA’s coverage extends to a variety of online services, such as mobile apps, internet-enabled gaming platforms, and – in some cases – companies that collect personal information directly from users of another website or online service (such as ad networks and plug-ins).


Continue Reading FTC Updates COPPA Guidance for IoT and New Consent Options

In the most recent edition of Digital Media Link, we explore the legal issues surrounding new technologies, with a particular focus on augmented and virtual reality. As we have seen time and again, new technologies do not necessarily mean new statutes or case law, which usually are slow to catch up. What is a

On Friday, an unprecedented cyberattack affected a large number of Microsoft Windows-based computers through a type of malware known as ransomware. Although ransomware has been increasingly prevalent over the last few years, this particular version, called “WannaCry,” spread quickly and widely around the world. Many believe that the cyberattack will continue.

Ransomware is generally spread via email messages that contain infected attachments. When a user opens the attachment, a program runs that encrypts the files on the user’s computer and demands that a ransom be paid, typically in bitcoin, for a key that will decrypt the files. In this case, the attackers are asking for between $300 and $600 to unlock the files.


Continue Reading Ransomware Cyberattacks: How to Minimize Your Risks

As data security risks increase in their intensity, variety, and sophistication, Venable introduces Data Security Rules of the Road: A Guidebook to FTC Cases v1.0. The book is a valuable resource for businesses seeking to protect the security of personal information in ways that are consistent with guidance offered by the FTC.

With over a

Brexit is likely to cause years of future uncertainty around data protection, including the legal mechanisms for data transfer to countries outside of the United Kingdom (“U.K.”). In the short term, there will be little to no impact on existing data transfer solutions implemented by companies that rely on the U.K. as an entry point into the European Union (“EU”). In the mid-term, with the scheduled implementation of the EU-U.S. Privacy Shield (“Privacy Shield”) in 2016 and the EU’s General Data Protection Regulation (“GDPR”) in 2018, the U.K. will either continue to be subject to EU laws by extending its membership in the European Economic Area (“EEA”) or it will create its own national data protection legislation. Although companies may have to rethink data transfer agreements, this will be part of a long-term process as the future of U.K. data protection continues to unfold.

Short Term—What to Expect in the Next 12 Months 
Continue Reading Keep Calm and Carry On: Data Protection Post Brexit