Tag archives: FTC

Two FTC complaints that over-retention of personal data violates Section 5

By David Kessler (US) and Susan Ross (US) on February 13, 2024 Posted in Enforcement

On January 18, 2024, the U.S. Federal Trade Commission announced a complaint and proposed consent order with InMarket Media, LLC, a digital marketing platform and data aggregator. Less than two weeks later, on February 1, the FTC announced a complaint and proposed consent order with software licensor and data provider Blackbaud, Inc. In both cases, … Continue reading

FTC amendment to Safeguards Rule

By Dan Pepper (US) and Elyssa Diamond (US) on November 1, 2023 Posted in Data breach, General

Under the Federal Trade Commission’s (“FTC”) new amendment to the Safeguards Rule (the “Amended Rule”), non-banking financial institutions will have to report certain data breaches and other security events to the agency. Requirements Approved on October 27, 2023 by a 3-0 vote by the Commission after a public comment period, the amendment requires non-banking financial … Continue reading

OCR and FTC Issue a Joint Letter Suggesting Enforcement Actions May Be in the Pipeline

By Anna Rudawski (US) and Alexis Wilpon (US) on July 21, 2023 Posted in Compliance and risk management, Data Protection, Privacy law

On July 20, 2023 HHS and the Federal Trade Commission (“FTC”) issued a joint letter to approximately 130 companies regarding their online data collection processes. The letter follows the much discussed December 1, 2022, Bulletin that expanded the kinds of websites and applications governed by HIPAA (you can read about our analysis of the bulletin … Continue reading

FTC proposed consent order prohibits perpetual retention of personal information

By David Kessler (US), Susan Ross (US) and Susana Medeiros (US) on March 21, 2023 Posted in General

We had previously written about an FTC proposed consent order that would prohibit a company from perpetual retention of personal health information. On March 2, 2023, the FTC announced a complaint and proposed consent with BetterHelp, Inc. that would prohibit the company from perpetual retention of personal information—a broader category. Also unlike the previous matter, … Continue reading

Another fine for over-retention of data

By David Kessler (US) and Susan Ross (US) on April 7, 2022 Posted in Compliance and risk management

A third regulator has recently entered into a proposed consent that includes a $500,000 fine based in part on a company’s over-retention of personal data for longer than it was needed. The first regulator was the French data protection authority, the CNIL, in 2021, which we wrote about here. The second regulator was the New … Continue reading

FTC to levy unprecedented $US5bn fine against Facebook

By Andrea D'Ambra (US) and Max Kellogg (US) on July 16, 2019 Posted in Data breach, Regulatory response

Data Protection Report - Norton Rose Fulbright

The Wall Street Journal reported that Federal Trade Commission and Facebook reached a settlement to resolve Facebook’s privacy issues.… Continue reading

FTC, privacy, vendor due diligence and opt-in consent

By Susan Ross (US) on May 10, 2018 Posted in Regulatory response

Norton Rose Fulbright - Data Protection Report blog

On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two … Continue reading

Blocking illegal or fraudulent ‘robocalls’: FCC rulemaking, with FTC comments

By Allison Lange Garrison (US) and Susan Ross (US) on February 13, 2018 Posted in Regulatory response

Illegal robocalls are a “scourge.” So says FCC Chairman Ajit Pai, and most consumers likely agree. Both the FCC and the FTC (each of which has jurisdiction over some aspects of telemarketing regulation) are actively pursuing ways to curb illegal and fraudulent robocalls. The FCC issued a report and order in November 2017 authorizing telecommunications … Continue reading

US Commission on Enhancing National Cybersecurity: Action Plan for the President-Elect

By Anna Rudawski (US) on December 14, 2016 Posted in Compliance and risk management, Regulatory response

The US Commission on Enhancing National Cybersecurity, a nonpartisan group established by President Obama in early 2016, released its final report on December 1, 2016. The report provides an in-depth view of cybersecurity challenges facing the digital economy, and provides a roadmap for addressing those challenges. For some issues, the Commission recommends that the next … Continue reading

Recent Developments from Our Sister Blogs

By on November 5, 2016 Posted in General

Data protection and privacy issues frequently intersect with other areas of the law. In addition to the Data Protection Report, Norton Rose Fulbright publishes other blogs covering important legal developments across the globe. These blogs sometimes touch on issues that may be of interest to our readers. As a service to our readers, we highlight … Continue reading

FTC Enforcement Possible for Failing to Guard Against Ransomware

By on October 6, 2016 Posted in Compliance and risk management, Cybercrime, Regulatory response

Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may … Continue reading

FTC Commissioner Julie Brill comments on EU-US Privacy Shield

By on February 4, 2016 Posted in Compliance and risk management

FTC Commissioner Julie Brill sat down this morning with the Information Technology and Innovation Foundation to discuss the EU-US Privacy Shield, the new framework for transatlantic transfer of personal data announced earlier this week. Commissioner Brill began by discussing the agreement generally, and provided valuable insight on the role of the Federal Trade Commission (FTC) … Continue reading

White House Releases Draft Consumer Privacy Bill of Rights Act

By on March 3, 2015 Posted in Compliance and risk management

Late afternoon last Friday, the White House released its draft Consumer Privacy Bill of Rights Act (the “Act”). This follows on the heels on the President’s announcement of cybersecurity as a top priority of the administration, which foreshadowed the release of the Act and included other initiatives, including one for a single national breach notification … Continue reading

FTC issues new privacy and security report on the internet of things

By on January 27, 2015 Posted in Compliance and risk management

In advance of what will likely be a flood of interconnected devices to soon hit the market, the Federal Trade Commission (“FTC”) today announced the release of a new report on the Internet of Things (the “Report”). Focusing on privacy and security, the FTC makes several suggestions to companies developing Internet of Things devices that are marketed … Continue reading

FTC Commissioner Julie Brill to lead a privacy roundtable at Norton Rose Fulbright

By on January 27, 2015 Posted in General

On January 30, 2015, Norton Rose Fulbright New York City office will host FTC Commissioner Julie Brill for a privacy roundtable. As part of the IAPP KnowledgeNet lecture series, Commissioner Brill will address privacy topics that will be in focus for 2015: Big Data, its fair use and effects on consumers, the privacy issues raised by … Continue reading

Just what the doctor ordered: President outlines national breach law proposal

By Geraldine Young (US) on January 20, 2015 Posted in Compliance and risk management, Data breach, Regulatory response

Leading up to the President’s State of the Union, the White House previewed several potentially sweeping cybersecurity initiatives—including a proposed federal law that would create a single national breach notification standard, entitled the Personal Data Notification & Protection Act (the “Act”). The President argued that the proposed law will benefit consumers and alleviate the confusion … Continue reading

Sharing Cyber Threat Information: A Legal Perspective (ISSA Journal Article)

By on January 5, 2015 Posted in Data breach

The ISSA Journal recently included an article, Sharing Cyber Threat Information: A Legal Perspective, authored by Utsav Mathur and I (David Navetta) concerning potential legal risks associated with intra-industry sharing of cyber-threat information. The article summarizes recent efforts by the US government to encourage more information sharing concerning cyber threats and data-security incidents within industries. Recent Department of Justice and Federal Trade Commission … Continue reading