Privacy & Data Security

Subscribe to Privacy & Data Security

Join us as we spotlight select chapters of Venable’s popular Advertising Law Tool Kit, which helps marketing teams navigate the legal risk of campaigns and promotions. Click here to download the entire Tool Kit, and tune in to the Ad Law Tool Kit Show podcast, to hear the authors of this chapter dive deeper into the issue of Advertising Agreements in this week’s episode.

Businesses often hire advertising agencies to assist with their marketing and promotion efforts. This outsourcing model has gained popularity with the emergence of online, social media, and mobile advertising.

While this approach to online advertising has many benefits, businesses must ensure that their contracts with advertising agencies contain key provisions that will mitigate certain legal risks, bearing in mind that the business itself is the party that is likely to be sued if a third party objects to the contents of the advertising. The best practices listed below can help businesses limit risk when outsourcing marketing campaigns.Continue Reading Advertising Agreements: An Excerpt from the Advertising Law Tool Kit

Episode 8 of Venable’s Ad Law Tool Kit Show, Season 2, is now available. Listen to “State Privacy Laws” here, or search for it in your favorite podcast player.

State privacy laws continue to evolve rapidly, challenging businesses to keep pace. By the end of 2024, businesses will need to comply with up to nine comprehensive state privacy laws, with more laws slated to come into force in 2025 and 2026. To date, all such laws draw inspiration from both the first comprehensive state privacy law—the California Consumer Privacy Act (CCPA)—and the European Union General Data Protection Regulation (GDPR). But there are differences.

In this episode, Venable partner Kelly Bastide discusses which laws, if any, apply to your business and how to develop a practical compliance program that harmonizes with the different laws.Continue Reading Listen to Venable’s Ad Law Tool Kit Show Podcast – “State Privacy Laws”

Episode 5 of Venable’s Ad Law Tool Kit Show, Season 2,is now available. Listen to “Litigation Trends in Privacy Laws” here, or search for it in your favorite podcast player.

Data breaches, cookie banners, chatbots, pixel tracking, and biometrics are just some of the trends in privacy law that are keeping litigators busy. Many technologies that are necessary to operate a website have become hot areas of litigation. But there are more trends, and more questions.

In this episode, Venable partner Jean-Paul Cart discusses the states that are considering new consumer protection legislation, other technologies that are being targeted by plaintiffs, and what your business can be doing to be prepared.Continue Reading Listen to Venable’s Ad Law Tool Kit Show Podcast – “Litigation Trends in Privacy Laws”

Early this week, the Federal Communications Commission (FCC) announced it had fined the largest U.S. wireless carriers for sharing access to customers’ geolocation information without consent and without taking reasonable measures to protect against unauthorized disclosure. These Forfeiture Orders follow the issuance of Notices of Apparent Liability for Forfeiture and Admonishment by former Chairman Ajit Pai in 2020, and subsequent agency investigation by the agency’s Privacy and Data Protection Task Force.

The orders buttress FCC Chairwoman Jessica Rosenworcel’s consumer protection agenda, which includes launching the Privacy and Data Protection Task Force last year. The FCC has been increasing its regulatory oversight under the task force, which it described as “an FCC staff working group focused on coordinating across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors, including data breaches (such as those involving telecommunications providers) and vulnerabilities involving third-party vendors that service regulated communications providers.”Continue Reading FCC Fines Major Wireless Carriers $200 Million for Sharing Customer Geolocation Data

Venable’s Advertising and Marketing Group hosted its 10th Advertising Law Symposium on March 21 in Washington, DC. The group welcomed in-house counsel, advertising executives, and marketing professionals for a full day of sessions on the latest developments in advertising law and what to watch for soon.

Here are some highlights:

Patchwork of Privacy Laws Makes Compliance a Challenge

Frequent data breaches and incidents like the 2018 Cambridge Analytica scandal have increased criticism of the United States’ approach to regulating privacy through a patchwork of federal and state laws and industry self-regulatory codes. But even harsh critiques have not been enough to spur Congress to pass a preemptive privacy law that would supersede the jumble of state laws and regulations and streamline things. Partner Rob Hartwell and associate Allie Monticollo said marketers and advertisers should watch what’s happening in the states and mitigate risk accordingly.Continue Reading Event in Review: 10th Advertising Law Symposium

In late January, the Federal Trade Commission (FTC) and Justice Department (DOJ) announced a collaborative effort to update their instructions regarding preservation of electronic communications to targets of pre-litigation information requests in antitrust investigations. The agencies’ new instruction makes clear that targets must preserve ephemeral messages and threatens civil or criminal sanctions for failure to do so.

A number of popular messaging platforms—both text and email—allow users to send messages that are erased and permanently disappear either immediately or shortly after the recipient reads the message. SnapChat and Slack are common examples of apps that give users the option of ephemeral messaging. Some of these apps use end-to-end encryption to prevent third-party providers from accessing the communications. For example, Signal and Proton Mail are prevalent messaging and email platforms used for their ephemeral messaging capabilities.Continue Reading The FTC’s and DOJ’s New Magic Act: Vanished Messages Will Reappear in Discovery

Cybersecurity and data protection is front and center on the Federal Communications Commission’s (FCC) agenda. The latest manifestation of this is the FCC’s issuance of a Notice of Proposed Rulemaking (NPRM) on August 25, 2023, which seeks comments on a proposed voluntary cybersecurity labeling program for Internet of Things (IoT) devices or products.

Companies that volunteer to join the proposed program would have their qualifying products bear a new “U.S. Cyber Trust Mark,” which the agency believes would help consumers identify trustworthy products and make informed purchasing decisions, incentivizing better cybersecurity standards. There are a couple of aspects of the NPRM that are worth highlighting.Continue Reading What’s in a Label? FCC Begins Rulemaking Procedure for Cybersecurity Labeling on IoT Devices

Last week, the Federal Communication Commission’s (FCC) issued a Notice of Apparent Liability for Forfeiture proposing a $20 million forfeiture, essentially a fine, against two telecommunications service providers for failing to properly authenticate customers’ identity before providing online access to Customer Proprietary Network Information (CPNI). CPNI includes sensitive data, such as called phone numbers, the length and time of calls, and service features. FCC rules mandate that companies handling such information use “reasonable measures” to guard access to CPNI.

Because it would be easy for third parties to impersonate customers and gain access to their CPNI, FCC rules prohibit the use of readily available biographical information or account information. “Readily available biographical information” includes “information drawn from the customer’s life history and includes such things as the customer’s social security number . . . mother’s maiden name; home address; or date of birth.” Account information is “information that is specifically connected to the customer’s service relationship with the carrier, including such things as an account number or any component thereof, the telephone number associated with the account, or the bill’s amount.” FCC rules thus requires service providers to authenticate customer identity without the use of the above information and then require a password.Continue Reading FCC Proposes $20 Million Forfeiture Against Telecommunications Service Providers for Failing to Protect User Data

This week the Federal Trade Commission unveiled hefty settlements with Epic Games Inc.—the creator of the video game Fortnite—to resolve separate actions alleging violations of Section 5 of the FTC Act and the Children’s Online Privacy Protection Act (COPPA), respectively.

Epic Games will pay $245 million in consumer redress to settle the alleged Section 5 violations in an FTC administrative proceeding and will pay $275 million in monetary penalties to settle the COPPA action in federal court. The cases highlight two hot spots for the FTC—dark patterns and children’s privacy.

In its administrative complaint, the FTC alleges that Epic Games used dark patterns, making the gameplay interface confusing and tricking players into making in-game purchases, often when they did not intend to. Specifically, the complaint alleges that:Continue Reading Ready, Aim, Fire: FTC Scores Record-Breaking $520 Million Settlement with Fortnite Creator Epic Games

Cybersecurity is a growing concern for all organizations, especially those that store, process, and transmit sensitive data. As commercial mailing and publishing continue to digitize, business operations rely on sharing growing volumes of data. This includes, for example, sharing subscriber and mailing information with the U.S. Postal Service (USPS), data aggregators, and other partners.

Increasingly, federal and state laws require that such information be protected with cybersecurity safeguards and require notification to consumers in the event of unauthorized access or breach. Liability and loss of consumer confidence are important risks that organizations often manage by updating their legal and technical processes to better reflect the modern cyber threat environment.Continue Reading Evaluating the Cybersecurity Risk of Mailing and Publishing Partners