Privacy & Data Security

Episode 8 of Venable’s Ad Law Tool Kit Show, Season 2, is now available. Listen to “State Privacy Laws” here, or search for it in your favorite podcast player.

State privacy laws continue to evolve rapidly, challenging businesses to keep pace. By the end of 2024, businesses will need to comply with up to nine comprehensive state privacy laws, with more laws slated to come into force in 2025 and 2026. To date, all such laws draw inspiration from both the first comprehensive state privacy law—the California Consumer Privacy Act (CCPA)—and the European Union General Data Protection Regulation (GDPR). But there are differences.

In this episode, Venable partner Kelly Bastide discusses which laws, if any, apply to your business and how to develop a practical compliance program that harmonizes with the different laws.

Continue Reading: Listen to Venable’s Ad Law Tool Kit Show Podcast – “State Privacy Laws”

Episode 5 of Venable’s Ad Law Tool Kit Show, Season 2, is now available. Listen to “Litigation Trends in Privacy Laws” here, or search for it in your favorite podcast player.

Data breaches, cookie banners, chatbots, pixel tracking, and biometrics are just some of the trends in privacy law that are keeping litigators busy. Many technologies that are necessary to operate a website have become hot areas of litigation. But there are more trends, and more questions.

In this episode, Venable partner Jean-Paul Cart discusses the states that are considering new consumer protection legislation, other technologies that are being targeted by plaintiffs, and what your business can be doing to be prepared.

Continue Reading: Listen to Venable’s Ad Law Tool Kit Show Podcast – “Litigation Trends in Privacy Laws”

Early this week, the Federal Communications Commission (FCC) announced it had fined the largest U.S. wireless carriers for sharing access to customers’ geolocation information without consent and without taking reasonable measures to protect against unauthorized disclosure. These Forfeiture Orders follow the issuance of Notices of Apparent Liability for Forfeiture and Admonishment by former Chairman Ajit Pai in 2020, and a subsequent investigation by the agency’s Privacy and Data Protection Task Force.

The orders buttress FCC Chairwoman Jessica Rosenworcel’s consumer protection agenda, which includes launching the Privacy and Data Protection Task Force last year. The FCC has been increasing its regulatory oversight under the task force, which it described as “an FCC staff working group focused on coordinating across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors, including data breaches (such as those involving telecommunications providers) and vulnerabilities involving third-party vendors that service regulated communications providers.”

Continue Reading: FCC Fines Major Wireless Carriers $200 Million for Sharing Customer Geolocation Data

Venable’s Advertising and Marketing Group hosted its 10th Advertising Law Symposium on March 21 in Washington, DC. The group welcomed in-house counsel, advertising executives, and marketing professionals for a full day of sessions on the latest developments in advertising law and what to watch for soon.

Here are some highlights:

Patchwork of Privacy Laws Makes Compliance a Challenge

Frequent data breaches and incidents like the 2018 Cambridge Analytica scandal have increased criticism of the United States’ approach to regulating privacy through a patchwork of federal and state laws and industry self-regulatory codes. But even harsh critiques have not been enough to spur Congress to pass a preemptive privacy law that would supersede the jumble of state laws and regulations and streamline things. Partner Rob Hartwell and associate Allie Monticollo said marketers and advertisers should watch what’s happening in the states and mitigate risk accordingly.

Continue Reading: Event in Review: 10th Advertising Law Symposium

In late January, the Federal Trade Commission (FTC) and Justice Department (DOJ) announced a collaborative effort to update their instructions regarding preservation of electronic communications to targets of pre-litigation information requests in antitrust investigations. The agencies’ new instruction makes clear that targets must preserve ephemeral messages and threatens civil or criminal sanctions for failure to do so.

A number of popular messaging platforms—both text and email—allow users to send messages that are erased and permanently disappear either immediately or shortly after the recipient reads the message. Snapchat and Slack are common examples of apps that give users the option of ephemeral messaging. Some of these apps use end-to-end encryption to prevent third-party providers from accessing the communications. For example, Signal and Proton Mail are prevalent messaging and email platforms used for their ephemeral messaging capabilities.

Continue Reading: The FTC’s and DOJ’s New Magic Act: Vanished Messages Will Reappear in Discovery

Cybersecurity and data protection are front and center on the Federal Communications Commission’s (FCC) agenda. The latest manifestation of this is the FCC’s issuance of a Notice of Proposed Rulemaking (NPRM) on August 25, 2023, which seeks comments on a proposed voluntary cybersecurity labeling program for Internet of Things (IoT) devices or products.

Companies that volunteer to join the proposed program would have their qualifying products bear a new “U.S. Cyber Trust Mark,” which the agency believes would help consumers identify trustworthy products and make informed purchasing decisions, incentivizing better cybersecurity standards. There are a couple of aspects of the NPRM that are worth highlighting.

Continue Reading: What’s in a Label? FCC Begins Rulemaking Procedure for Cybersecurity Labeling on IoT Devices

Last week, the Federal Communications Commission (FCC) issued a Notice of Apparent Liability for Forfeiture proposing a $20 million forfeiture, essentially a fine, against two telecommunications service providers for failing to properly authenticate customers’ identity before providing online access to Customer Proprietary Network Information (CPNI). CPNI includes sensitive data, such as called phone numbers, the length and time of calls, and service features. FCC rules mandate that companies handling such information use “reasonable measures” to guard access to CPNI.

Because it would be easy for third parties to impersonate customers and gain access to their CPNI, FCC rules prohibit the use of readily available biographical information or account information. “Readily available biographical information” includes “information drawn from the customer’s life history and includes such things as the customer’s social security number . . . mother’s maiden name; home address; or date of birth.” Account information is “information that is specifically connected to the customer’s service relationship with the carrier, including such things as an account number or any component thereof, the telephone number associated with the account, or the bill’s amount.” FCC rules thus require service providers to authenticate customer identity without the use of the above information and then require a password.

Continue Reading: FCC Proposes $20 Million Forfeiture Against Telecommunications Service Providers for Failing to Protect User Data

This week the Federal Trade Commission unveiled hefty settlements with Epic Games Inc.—the creator of the video game Fortnite—to resolve separate actions alleging violations of Section 5 of the FTC Act and the Children’s Online Privacy Protection Act (COPPA), respectively.

Epic Games will pay $245 million in consumer redress to settle the alleged Section 5 violations in an FTC administrative proceeding and will pay $275 million in monetary penalties to settle the COPPA action in federal court. The cases highlight two hot spots for the FTC—dark patterns and children’s privacy.

In its administrative complaint, the FTC alleges that Epic Games used dark patterns, making the gameplay interface confusing and tricking players into making in-game purchases, often when they did not intend to. Specifically, the complaint alleges that:

Continue Reading: Ready, Aim, Fire: FTC Scores Record-Breaking $520 Million Settlement with Fortnite Creator Epic Games

Cybersecurity is a growing concern for all organizations, especially those that store, process, and transmit sensitive data. As commercial mailing and publishing continue to digitize, business operations rely on sharing growing volumes of data. This includes, for example, sharing subscriber and mailing information with the U.S. Postal Service (USPS), data aggregators, and other partners.

Increasingly, federal and state laws require that such information be protected with cybersecurity safeguards and require notification to consumers in the event of unauthorized access or breach. Liability and loss of consumer confidence are important risks that organizations often manage by updating their legal and technical processes to better reflect the modern cyber threat environment.

Continue Reading: Evaluating the Cybersecurity Risk of Mailing and Publishing Partners

This week, the Federal Trade Commission (FTC) announced a proposed settlement with MoviePass to resolve allegations that the company offered an automatically renewing movie subscription program but blocked paid subscribers from using the advertised services, and failed to adequately secure subscribers’ personal data.

The FTC brought the case against MoviePass under the Restore Online Shoppers Confidence Act (ROSCA), the federal statute governing online negative option programs. The statute requires sellers to clearly and conspicuously disclose all “material terms of the transaction” and obtain consumers’ express informed consent before charging them for online negative option features.

However, the FTC’s complaint did not take issue with the company’s billing disclosures or consent mechanism. Instead, it asserted that the company’s failure to disclose its deceptive tactics that prevented subscribers from accessing all of the advertised benefits violated ROSCA. In the complaint the FTC alleged that MoviePass, Inc deceptively marketed a MoviePass subscription service that allowed customers to view movies at local theaters for a monthly fee. However, once customers purchased a subscription, MoviePass allegedly used various methods to prevent subscribers from accessing the advertised service. For example, to limit the movies that customers could view, MoviePass allegedly blocked account access by invalidating subscriber passwords under the guise of “suspicious activity or potential fraud.” The FTC asserted that resetting a password was cumbersome and often failed, precluding subscribers from regaining access. Next, the FTC alleged that MoviePass’s operators implemented a ticket verification program that required users to submit pictures of their physical movie ticket stubs for approval through the app within a certain time frame after purchase. Users who failed to submit their ticket stubs would be blocked from viewing future movies and could risk subscription termination. Third, MoviePass allegedly used “trip wires” to block certain groups of subscribers—heavy users who viewed more than three movies per month—from using the service to purchase more tickets. These allegations seem to echo statements from the FTC’s Dark Patterns workshop (we blogged about the workshop here), which discussed ways the FTC should address websites and apps that impair consumers’ autonomy, decision making, and choice.

Continue Reading: Lights, Camera, Action! FTC Settlement Signals Novel Use of ROSCA