Privacy & Information Security Law Blog

On April 7, 2024, U.S. Sen. Maria Cantwell (D-WA) and U.S. Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the latest federal privacy proposal, known as American Privacy Rights Act (“APRA” or the “Act”). The APRA builds upon the American Data Privacy and Protection Act (“ADPPA”), which was introduced as H.R. 8152 in the 117th Congress and advanced out of the House Energy and Commerce Committee but did not become law. As the latest iteration of a federal privacy proposal, the APRA signals that some members of Congress continue to seek to create a federal standard in the wake of—and in spite of—the ever-growing patchwork of state privacy laws.

After potential warning signs spanning several years, on March 14, 2024, the Federal Trade Commission brought an enforcement action against two entities selling virus protection software to consumers via online and telemarketing sales. According to the FTC’s complaint, for several years the entities, Restoro Cyprus Limited and Reimage Cyprus Limited, received excessive chargebacks on purchases, numerous consumer complaints made directly to the entities, and various indirect consumer complaints made to vendors, telecoms service providers and others. 

On February 22, 2024, the Federal Trade Commission announced a settlement order against Avast Limited (“Avast”) requiring Avast to pay $16.5 million and prohibiting Avast from selling or licensing any web browsing data for advertising purposes. This ban is to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.

On September 14, 2023, the Federal Trade Commission issued a press release announcing the publication of a staff paper about blurred advertising. In the staff paper, the FTC describes blurred advertising as the blending of ads with digital media content (e.g., displaying ads within online games and virtual reality worlds). The FTC warns that these ads are not readily identifiable as marketing by consumers and pose a significant threat to young children who do not have the skills or cognitive defenses to identify and understand this type of advertising. The FTC recommends that ...

On August 14, 2023, the Federal Trade Commission announced a proposed order against Experian Consumer Services (“Experian”) for failure to comply with the federal CAN-SPAM Act.  The complaint alleges that Experian sent marketing emails that did not provide an unsubscribe opportunity to consumers who had signed up for Experian’s credit monitoring services. The CAN-SPAM Act requires businesses to, in relevant part, clearly and conspicuously display a return email address or Internet-based mechanism that allows consumers to unsubscribe from future marketing emails. While the Experian emails contained a notice stating that the messages related to the consumer’s Experian account (which would make them “transactional” or “relationship” messages under the CAN-SPAM Act, and therefore exempt from the unsubscribe requirement), the complaint alleged that, in actuality, the emails contained only marketing material.

On July 14, 2023, the Norwegian Data Protection Authority (“DPA”) ordered Meta Platforms Ireland Limited and Facebook Norway AS (jointly, “Meta”) to temporarily cease the processing of personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior,” when relying on either the contractual necessity legal basis (Article 6(1)b)) or the legitimate interests legal basis (Article 6(1)(f)) of the GDPR.

On June 13, 2023, Texas Governor Greg Abbott signed H.B. 18, or the Securing Children Online through Parental Empowerment (“SCOPE”) Act that would impose obligations on digital service providers to protect minors.

On June 13, 2023, Texas Governor Greg Abbott signed H.B. 18, or the Securing Children Online through Parental Empowerment (“SCOPE”) Act that would require digital service providers to get parental consent to create an account with minors younger than 18 years of age.  

On February 20, 2023, in the case of Experian Limited v The Information Commissioner, the First-Tier Tribunal in the UK (the “Tribunal”) ruled on the ICO’s action to require Experian to make changes to how it processes personal data for direct marketing purposes. While the Tribunal supported the ICO in certain respects, it largely ruled in favor of Experian and issued a Substituted Decision Notice, as detailed further below.

The UK Information Commissioner’s Office (“ICO”) recently published a package of detailed guidance and checklists for direct marketing activities. The ICO’s new webpage on direct marketing now includes various resources, including specific guidance for SMEs, business-to-business marketing, and organizations using the marketing services of data brokers, as well as direct marketing FAQs and checklists, and a training module for businesses.

On October 26, 2022, House Energy and Commerce Committee and Consumer Protection and Commerce Subcommittee leaders (“Committee Leaders”) sent letters to several toy manufacturers, including Bandai Namco, Hasbro, Mattel, MGA Entertainment, LEGO Group and the Toy Association, asking how they plan to protect children and their information from BigTech companies like TikTok and YouTube. Given the shift of marketing efforts from traditional television outlets to social media platforms, Committee Leaders are concerned about failure to protect children’s privacy, security and mental health on social media platforms.

On September 23, 2022, New York State Senator Andrew Gounardes introduced S9563, also known as the “New York Child Data Privacy and Protection Act.” The bill, which resembles the recently passed California Age-Appropriate Design Code Act, bans certain data collection and targeted advertising and requires data controllers to, among other obligations, assess the impact of their products on children.

On October 13, 2022, the Interactive Advertising Bureau (“IAB”) released for public comment an updated version of its contractual framework and new U.S. State Signals (“Signals”) specifications to help the digital advertising industry comply with the comprehensive state privacy laws of California, Virginia, Colorado, Utah and Connecticut.

On September 21, 2022, the Federal Communications Commission (“FCC”) announced a proposed combined fine of $3.4 million against Sinclair Broadcast Group, Nexstar Media Group and 19 other broadcast television licensees for violations of rules limiting commercial matter in children's television programming.

On September 21, 2022, the Federal Trade Commission announced the agenda for its “Protecting Kids from Stealth Advertising in Digital Media” virtual event to be held on October 19, 2022. The event will cover how children recognize and understand digital advertising content; the current advertising landscape’s impact on kids, including potential harms stemming from an inability to distinguish advertising from other content; and an assessment of the current legal regime’s protection of children from potential harms, and whether additional regulatory, self-regulatory, educational and technological tools may provide additional protection.

On August 29, 2022, the Federal Trade Commission announced a civil action against digital marketing data broker Kochava Inc. for “selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” The lawsuit seeks a permanent injunction to stop Kochava’s sale of geolocation data and to require the company to delete the geolocation data it has collected.  

On August 10, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued a new interpretive rule clarifying when digital marketing providers must comply with federal consumer financial protection law. Under the new rule, Big Tech companies that use behavioral advertising techniques to market financial products will be subject to the Consumer Financial Protection Act of 2010 (“CFPA”).

On August 23, 2022, the Federal Trade Commission announced it is seeking additional public comment on “how children are affected by digital advertising and marketing messages that may blur the line between ads and entertainment” in conjunction with its “Protecting Kids from Stealth Advertising in Digital Media” event on October 19, 2022. The event will focus on manipulative marketing practices targeted towards children, particularly those related to influencer marketing and online games.

On June 3, 2022, the Federal Trade Commission announced it is seeking public comment on its 2013 guidance, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising” (the “Guidance”). The FTC indicated that it is updating the Guidance to better protect consumers against online deceptive practices, particularly because some companies have interpreted the current version of Guidance to “justify practices that mislead consumers online.” For example, the FTC explains that companies have wrongfully claimed they can avoid FTC Act liability by placing required disclosures behind hyperlinks. The updated Guidance will address issues such as advertising on social media, in video games, in virtual reality environments, and on mobile devices and applications, as well as the use of dark patterns, manipulative user interface designs, multi-party selling arrangements, hyperlinks and online disclosures.

On April 28, 2022, the Federal Trade Commission published a Notice of Proposed Rulemaking (“NPRM”) and an Advance Notice of Proposed Rulemaking (“ANPRM”), proposing several updates to the Telemarketing Sale Rules (“TSR”).

On March 24, 2022, the European Union unveiled the final text of the Digital Markets Act (the “DMA”). The final text of the DMA was reached following trilogue negotiations between the European Commission, European Parliament and EU Member States (led by the French Presidency at the European Council). The final text retains essentially the same features as the previous draft text but does include some notable changes.

On March 1, 2022, President Biden, in his first State of the Union address, called on Congress to strengthen privacy protections for children, including by banning online platforms from excessive data collection and targeted advertising for children and young people. President Biden called for these heightened protections as part of his unity agenda to address the nation’s mental health crisis, especially the growing concern about the harms of digital technologies, particularly social media, to the mental health and well-being of children and young people. President Biden not only urged for stronger protections for children’s data and privacy, but also for interactive digital service providers to prioritize safety-by-design standards and practices. In his address, President Biden called on online platforms to “prioritize and ensure the health, safety and well-being of children and young people above profit and revenue in the design of their products and services.” President Biden also called for a stop to “discriminatory algorithmic decision-making that limits opportunities” and impacts the mental well-being of children and young people.

On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.

On February 15, 2022, the French Data Protection Authority (the “CNIL”) published its enforcement priority topics for 2022. Each year, the CNIL conducts numerous investigations in response to complaints, data breach notifications and ongoing events, or based on previously established enforcement priorities.

On February 2, 2022, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a €250,000 fine against the Interactive Advertising Bureau Europe (“IAB Europe”) for several alleged infringements of the EU General Data Protection Regulation (the “GDPR”), following an investigation into IAB Europe Transparency and Consent Framework (“TCF”).

The Austrian data protection authority (the “Austrian DPA”) recently published a decision in a case brought against an Austrian website provider and Google by the non-governmental organization co-founded by privacy activist Max Schrems, None of Your Business (“NOYB”). The Austrian DPA ruled that the use of Google Analytics cookies by the website operator violates both Chapter V of the EU General Data Protection Regulation (“GDPR”), which establishes rules on international data transfers, and the Schrems II judgment of the Court of Justice of the European Union.

On January 6, 2022, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC (“ITMedia”) over alleged violations of the FTC Act and Fair Credit Reporting Act (“FCRA”). The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.

On December 27, 2021, the Federal Trade Commission sought public comment on a petition filed by Accountable Tech calling on the FTC to use its rulemaking authority to prohibit “surveillance advertising” as an “unfair method of competition” (“UMC”). Accountable Tech is a non-profit organization that advocates for social media companies to strengthen the integrity of their platforms.

On December 15, 2021, the European Parliament adopted its position on the proposal for a Digital Markets Act (“DMA”), ahead of negotiations with the Council of the European Union.

The DMA introduces new rules for certain core platforms services acting as “gatekeepers,” (including search engines, social networks, online advertising services, cloud computing, video-sharing services, messaging services, operating systems and online intermediation services) in the digital sector and aims to prevent them from imposing unfair conditions on businesses and consumers and to ensure the openness of important digital services.

On December 15, 2021, the Federal Trade Commission announced a $2 million settlement with OpenX Technologies (“OpenX”) in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) and the FTC Act. According to the FTC’s complaint, OpenX knowingly collected personal information from children under age 13 without parental consent, and collected geolocation data from users of all ages who opted out of being tracked.

On November 18, 2021, the European Data Protection Board (“EDPB”) released a statement on the Digital Services Package and Data Strategy (the “Statement”). The Digital Services Package and Data Strategy is a package composed of several legislative proposals, including the Digital Services Act (“DSA”), the Digital Markets Act (“DMA”), the Data Governance Act (“DGA”), the Regulation on a European approach for Artificial Intelligence (“AIR”) and the upcoming Data Act (expected to be presented shortly). The proposals aim to facilitate the further use and sharing of personal data between more public and private parties; support the use of specific technologies, such as Big Data and artificial intelligence (“AI”); and regulate online platforms and gatekeepers.

On October 28, 2021, the Federal Trade Commission announced the issuance of a new enforcement policy statement warning companies against using dark patterns that trick consumers into subscription services. The policy statement comes in response to rising complaints about deceptive sign-up tactics like unauthorized charges or impossible-to-cancel billing.

As reported on the Hunton Retail Resource Blog, on October 20, 2021, a new wave in the fight against “robocalls” is targeting telemarketing text messages. In the past six months, there has been an uptick in activity at both the state and federal level to reign in telemarketing text messages.

The Irish Data Protection Commissioner (“DPC”) has submitted a draft decision on Facebook Ireland Limited’s (“Facebook”) data protection compliance to other European regulators under the cooperation mechanism of the EU General Data Protection Regulation (“GDPR”) (the “Draft Decision”). The DPC proposes a fine between €28 and €36 million (i.e., up to $42 million) for infringements of the transparency obligations under the GDPR, specifically with respect to the legal basis upon which Facebook relied. In addition, the Draft Decision proposes imposing an order on Facebook to bring its terms of service and Data Policy into compliance within three months. However, the DPC indicates in its Draft Decision that Facebook is permitted to rely on contractual necessity as a legal basis for its personalized advertising, taking the view that this constitutes a core element of Facebook’s service.

On October 15, 2021, the U.S. District Court for the District of Massachusetts entered a final order approving a $14 million class action settlement resolving claims against HelloFresh for alleged violations of the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227, et seq. The named plaintiffs alleged that HelloFresh violated the TCPA by (1) placing telemarketing calls to consumers whose phone numbers were listed on the federal Do Not Call registry; (2) placing telemarketing calls to consumers using an automatic telephone dialing system (“ATDS”) without prior express written consent; and (3) placing telemarketing calls to consumers who had requested to be placed on Hello Fresh’s internal Do Not Call list. According to plaintiffs’ attorneys, this settlement is the largest TCPA class action settlement in Massachusetts state history.

On September 10, 2021, the UK Government Department for Digital, Culture, Media & Sport (“DCMS”) launched a consultation on its proposed reforms to the UK data protection regime. The consultation reflects DCMS’s effort to deliver on Mission 2 of the National Data Strategy, which is “to secure a pro-growth and trusted data regime in the UK.” Organizations are encouraged to provide input on a range of data protection proposals, some of which are outlined below. The consultation will close on November 19, 2021, and the Centre for Information Policy Leadership (“CIPL”) will consult with members to prepare a formal response to the consultation.

On August 20, 2021, China’s 13^th Standing Committee of the National People’s Congress passed the Personal Information Protection Law (the “PIPL”). As we previously reported, the PIPL is China’s first comprehensive data protection law. It is modeled, in part, on other jurisdictions’ omnibus data protection regimes, including the EU General Data Protection Regulation (“GDPR”). The PIPL will become effective on November 1, 2021. Below are some of the key provisions under the PIPL.

Laura Liguori of Portolano Cavallo reports that on June 10, 2021, the Italian Data Protection Authority (Garante or “DPA”) adopted a new version of its guidelines for cookies and other tracking mechanisms (the “Guidelines”).

On July 29, 2021, U.S. Representative Rep. Kathy Castor (D-Florida), a member of the House Energy and Commerce Committee, reintroduced the Protecting the Information of our Vulnerable Children and Youth Act (the “Bill”). The Bill would update the Children’s Online Privacy Protection Act (“COPPA”) to, among other requirements: (1) cover teens ages 13-17; (2) expand the categories of information considered to be “personal” (to include physical characteristics, biometric information, health information, education information, contents of messages and calls, browsing and search history, geolocation information, and latent audio or visual recordings); (3) prohibit companies from targeting online advertising to children and teens based on their personal information and behavior; (4) require opt-in consent to process personal information collected from all individuals under age 18; (5) strengthen Federal Trade Commission enforcement of COPPA; (6) provide a private right of action to parents of children and teens; and (7) eliminate the FTC’s recognition of self-regulatory COPPA safe harbor programs.

On July 1, 2021, the Federal Trade Commission settled a complaint brought under the Children’s Online Privacy Protection Act (“COPPA”) against Toronto-based Kuuhuub Inc. and its Finnish subsidiaries Kuu Hubb Oy and Recolor Oy, operators of the online coloring book app, Recolor. The FTC alleged that the app operators violated the COPPA Rule by collecting and disclosing personal information from child users of the app without first notifying their parents or obtaining verifiable parental consent.

On June 24, 2021, Google announced that it will delay its plan to replace the use of third-party cookies on its Chrome web browser with new technologies. This delay comes amid antitrust and privacy concerns, as well as scrutiny from the advertising industry that the changes will strengthen Google’s own advertising business.

On June 11, 2021, the Belgian Data Protection Authority (“Belgian DPA”) released its 2020 Annual Report (the “Report”). Notably in 2020, the Belgian DPA focused on the supervision of initiatives to fight the COVID-19 pandemic involving data processing, while not losing sight of its other priorities, as identified in its Strategic Plan 2020-2025.

Due to the increased awareness of the importance of the protection of personal data, 2020 had a significant increase in the number of complaints, which were up 290.64%, and data breach notifications, which were up 25.09%, received by the Belgian DPA.

As reported on the Hunton Retail Law Resource blog, this week, the Federal Trade Commission voted 3 to 1 to accept a settlement agreement with MoviePass, Inc., its parent company, and two of the now-defunct company’s former employees, after allegations of failure to take reasonable measures to secure consumers’ data and deceptive trade practices. The Commission brought an enforcement action against MoviePass pursuant to the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”), the latter of which requires disclosure of all material terms, a consumer’s informed consent, and a simple mechanism to stop recurring charges when marketing negative option services.

On April 1, 2021, the Supreme Court issued its long-awaited opinion in Facebook, Inc. v. Duguid et al., No. 19-511 (Apr. 1, 2021).  At issue in Facebook, was the question of what technology constitutes an “automatic telephone dialing system” (“ATDS”) within the meaning of the Telephone Consumer Protection Act, 47 U.S.C. §227 et seq (“TCPA”). The Supreme Court’s unanimous decision is a huge win for companies who communicate with their consumers by telephone/text message.

On March 15, 2021, the state Data Protection Authority of Bavaria (“Bavarian DPA”) declared the use of U.S. e-mail marketing service Mailchimp by a fashion magazine (acting as controller) in Bavaria impermissible due to non-compliance with Schrems II mitigation steps in relation to the transfer of e-mail addresses to Mailchimp in the U.S.

On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published a report following its investigation into data protection compliance in the direct marketing data broking sector, alongside its enforcement action against Experian. During the investigation, the ICO conducted audits of the direct marketing data broking businesses of the UK’s three largest credit reference agencies (“CRAs”) – Experian, Equifax and TransUnion – and found “significant data protection failures at each” that were “deeply embedded” within the businesses.

On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published its enforcement notice against credit reference agency Experian Limited (“Experian”) under Section 149 of the Data Protection Act 2018 (“DPA”) (the “notice”). The notice requires Experian to make fundamental changes to its offline direct marketing practices, and was issued after the ICO undertook a two-year investigation into the use of personal data by data broking businesses Experian, Equifax and TransUnion.

On September 7, 2020, the European Data Protection Board (the “EDPB”) published Guidelines on the Targeting of Social Media Users (the “Guidelines”). The Guidelines aim to provide practical guidance on the role and responsibilities of social media providers and those using targeting services, such as for targeted advertising, on social media platforms (“targeters”).

On June 16, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine on a company (the “defendant”) for unlawful and incorrect processing of personal data and non-compliance with the EU General Data Protection Regulation’s (the “GDPR”) data subject rights provisions.

On June 9, 2020, the Federal Communications Commission (“FCC”) announced a proposed $225 million fine, the largest in the history of the FCC, against several individuals for telemarketing violations.

On May 29, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of €1,000 on a non-profit organization. The decision followed a complaint filed by an individual who continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing purposes and had requested that the organization erase his data from its database.

On May 29, 2020, the German Federal Court of Justice (Bundesgerichtshof, “BGH”), Germany’s highest court for civil and criminal matters, issued its ruling on case Planet49 (I ZR 7/16) regarding consent requirements for the use of cookies and telemarketing activities. In October 2017, the BGH suspended its proceedings and submitted questions to the Court of Justice of the European Union (“CJEU”) for a preliminary ruling regarding the effectiveness of obtaining consent for the use of cookies through a pre-ticked checkbox. As we have previously reported, the CJEU answered these questions in its judgement in Planet49 GmbH v. Verbraucherzentrale Bundesverband e.V. (C-673/17), which was issued on October 1, 2019.

On April 30, 2020, the French Data Protection Authority (the “CNIL”) published guidance on the extraction of web users’ personal data from online public spaces by web scraping tools and re-use of such data for direct marketing (the “Guidance”). The Guidance was issued following inspections carried out by the CNIL in 2019.

The UK Information Commissioner’s Office (“ICO”) has published guidance regarding its expectations for controllers and health professionals during the COVID-19 outbreak.

In its guidance for controllers, the ICO adopted a pragmatic stance, stating: “We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate - if something feels excessive from the public’s point of view, then it probably is.”

On March 3, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a €525,000 fine on the Royal Dutch Tennis Association (De Koninklijke Nederlandse Lawn Tennisbond, “KNLTB”) for an illegal sale of personal data.

On March 2, 2020, the UK Information Commissioner’s Office (“ICO”) fined CRDNN Limited, a lead generation company, £500,000—the maximum amount available for a breach of the Electronic Communications Regulations (“PECR”). The fine was imposed after CRDNN carried out over 193 million unsolicited automated direct marketing calls relating to window scrappage, window and conservatory sales, boiler sales, and debt management between June and October 2018.

The meaning of an “automatic telephone dialing system” (“ATDS”) as defined by the Telephone Consumer Protection Act (“TCPA”) has been hotly contested since the D.C. Circuit invalidated the prior Federal Communications Commission (“FCC”) rulings interpreting the TCPA in 2018. The Ninth Circuit has held that merely calling numbers from a stored list is sufficient to meet the definition of an ATDS, while the Third Circuit has at least indicated that the ability to generate numbers randomly or sequentially is the defining characteristic.

On February 10, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published its Recommendation 1/2020 on data processing activities for direct marketing purposes (the “Recommendation”). With this Recommendation, the Belgian DPA aims to clarify the complex rules relating to the processing of personal data for direct marketing purposes, including by providing practical examples and guidelines to the different stakeholders involved in direct marketing activities. Direct marketing is one of the Belgian DPA’s top priorities for the next few years, as indicated in its 2019-2025 Strategic Plan.

On February 1, 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Garante”) announced that it had levied a fine of €27,802,946 on TIM S.p.A. (“TIM”), a telecommunications company, for several unlawful marketing data processing practices. Between 2017 and 2019, the Garante received numerous complaints from individuals (including from individuals who were not existing customers of TIM) claiming that they had received unwanted marketing calls, without having provided their consent or despite having registered on an opt-out list. The Garante indicated that the violations impacted several million individuals.

On January 8, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft direct marketing code of practice (the “Draft Code”), as required by section 122 of the Data Protection Act 2018 (“DPA 18”). The Draft Code is open for public consultation until March 4, 2020.

On October 21, 2019, the Federal Trade Commission took action against two companies alleged to have engaged in the business of false online reviews and social media influence. In the first case, the FTC entered into a consent decree with cosmetics marketer Sunday Riley, LLC, and the company’s owner, who sell products at Sephora stores and online at Sephora.com. According to the FTC’s complaint, disguised as ordinary consumers, Sunday Riley employees and Ms. Riley herself posted fake 5-star reviews of the company’s products on Sephora’s website. Under the terms of the FTC’s agreement, the company and its principal are barred from posting fake reviews, must clearly identify endorsers, and must instruct staff on their disclosure obligations. The FTC vote on the action was 3-2, with Commissioners Chopra and Slaughter dissenting on the grounds that the settlement did not include a monetary payment or an admission of guilt.

Simon McDougall, Executive Director for Technology Policy and Innovation for the UK Information Commissioner’s Office (“ICO”), has stated that “change is needed” in the adtech sector. In a speech delivered on July 11, 2019, at the Westminster Media Forum, focusing on the future of online advertising regulation, McDougall commented that “heads are still firmly in the sand” in some pockets of the digital advertising industry, and that many real-time bidding practices are currently being conducted in an unlawful manner, whether or not industry players are aware of it.

On June 28, 2019, the French data protection authority (the “CNIL”) published its action plan for 2019-2020 to specify the rules applicable to online targeted advertising and to support businesses in their compliance efforts.

The UK Information Commissioner’s Office (“ICO”) recently published an updated report on adtech, following a Fact Finding Forum held in March 2019 and consultation with industry players. The report focuses on whether and how organizations in the adtech sector can comply with the EU General Data Protection Regulation (“GDPR”) and the UK’s implementation of the e-Privacy Directive, known as the Privacy and Electronic Communications Regulations (“PECR”).

On June 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) launched a public consultation on direct marketing with a view to updating its Recommendation No. 02/2013 of January 30, 2013 on direct marketing (the “Direct Marketing Recommendation”).

Social media platforms, file hosting sites, discussion forums, messaging services and search engines in the UK are likely to come under increased pressure to monitor and edit online content after the UK Department of Digital, Culture, Media and Sport (“DCMS”) announced in its Online Harms White Paper (the “White Paper”), released this month, proposals for a new regulatory framework to make companies more responsible for users’ online safety. Notably, the White Paper proposes a new duty of care owed to website users, and an independent regulator to oversee compliance.

The UK Information Commissioner’s Office (“ICO”) has issued a Monetary Penalty Notice to pensions release provider Grove Pensions Solutions Ltd (“Grove”), fining it £40,000 after the company used contact details collected by a third party for its direct marketing campaign. Grove used a specialist third-party marketing agency to send emails on its behalf to mailing lists, negligently failing to obtain valid consent from individuals who received the marketing emails. Despite seeking external advice (including legal advice), the ICO decided that Grove should have known of the risk that its conduct would breach rules on direct marketing, particularly given recent widespread publicity of this issue in the UK. The fine was imposed under the Data Protection Act 1998.

The UK’s Information Commissioner’s Office (“ICO”) has fined Vote Leave Limited (the UK’s official Brexit campaign) £40,000 for sending almost 200,000 unsolicited texts promoting the aims of the campaign. In an unrelated action, the ICO has carried out searches of a business believed to have been responsible for initiating nuisance telephone calls. The ICO has highlighted nuisance calls, spam texts and unsolicited direct marketing as areas of “significant public concern,” and is increasingly imposing sanctions on businesses that infringe the Privacy and Electronic Communications Regulations 2003 (“PEC Regulations”), which prohibit these practices. In its view, the monetary penalty imposed on Vote Leave should act as a “deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices.”

On February 12, 2019, the Federal Trade Commission announced the completion of the first regulatory review of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”) Rule (the “CAN-SPAM Rule” or “Rule”). By a vote of 5-0, the FTC voted to retain the CAN-SPAM rule with no modifications.

On November 30, 2018, the Austrian Data Protection Authority (“DPA”) published a decision in response to a complaint received from an individual regarding the cookie consent options offered on an Austrian newspaper’s website. As a factual matter, the Austrian newspaper offered three options to individuals who sought to access content on the site: (1) accept the use of cookies for analytics and advertising purposes and have full, complimentary website access; (2) refuse cookies and obtain access to only limited content on the website; or (3) pay a monthly subscription of €6 to obtain full access to the website without accepting the use of cookies and similar tracking technologies.

On November 8, 2018, Privacy International (“Privacy”), a non-profit organization “dedicated to defending the right to privacy around the world,” filed complaints under the GDPR against consumer marketing data brokers Acxiom and Oracle. In the complaint, Privacy specifically requests the Information Commissioner (1) conduct a “full investigation into the activities of Acxiom and Oracle,” including into whether the companies comply with the rights (i.e., right to access, right to information, etc.) and safeguards (i.e., data protection impact assessments, data protection by design, etc.) in the GDPR; and (2) “in light of the results of that investigation, [take] any necessary further [action]... that will protect individuals from wide-scale and systematic infringements of the GDPR.”

On October 17, 2018, the French data protection authority (the “CNIL”) published a press release detailing the rules applicable to devices that compile aggregated and anonymous statistics from personal data—for example, mobile phone identifiers (i.e., media access control or “MAC” address) —for purposes such as measuring advertising audience in a given space and analyzing flow in shopping malls and other public areas. Read the press release (in French).

On May 16, 2018, the Irish Data Protection Bill 2018 (the “Bill”) entered the final committee stage in Dáil Éireann (the lower house and principal chamber of the Irish legislature). The Bill was passed by the Seanad (the upper house of the legislature) at the end of March 2018. In the current stage, final statements on the Bill will be made before it is signed into law by the President.

Recent judicial interpretations of the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14, present potential litigation risks for retailers who employ biometric-capture technology, such as facial recognition, retina scan or fingerprint software. Federal judges in various district courts have allowed BIPA cases to move forward against companies such as Facebook, Google and Shutterfly, and retailers who use biometric data for security, loss prevention or marketing purposes may also become litigation targets as federal judges decline to narrow the statute’s applicability and additional states consider passing copycat statutes.

On June 5, 2017, an Illinois federal court ordered satellite television provider Dish Network LLC (“Dish”) to pay a record $280 million in civil penalties for violations of the FTC’s Telemarketing Sales Rule (“TSR”), the Telephone Consumer Protection Act (“TCPA”) and state law. In its complaint, the FTC alleged that Dish initiated, or caused a telemarketer to initiate, outbound telephone calls to phone numbers listed on the Do Not Call Registry, in violation of the TSR. The complaint further alleged that Dish violated the TSR’s prohibition on abandoned calls and assisted and facilitated telemarketers when it knew or consciously avoided knowing that telemarketers were breaking the law.

On December 20, 2016, the FTC announced that it has agreed to settle charges that Turn Inc. (“Turn”), a company that enables commercial brands and ad agencies to target digital advertising to consumers, tracked consumers online even after consumers took steps to opt out of tracking.

Hunton & Williams LLP is proud to announce our Privacy & Information Security Law Blog has been named the top Cybersecurity and Information Privacy blog by The Expert Institute and #2 overall Best AmLaw Blog of 2016. All of our lawyers and contributors thank you for your support in making the blog a success.

On November 30, 2016, the FTC released a staff summary (the “Summary”) of a public workshop called Putting Disclosures to the Test. The workshop, which was held on September 15, 2016, examined ways of testing and evaluating company disclosures regarding advertising claims and privacy practices. The Summary reviews the workshop and its key takeaways.

On November 1, 2016, the FTC announced that a group of entities known as the Consumer Education Group (“CEG”) settled FTC charges that, between late 2013 and 2015, it made millions of telemarketing calls, including pre-recorded robocalls, to consumers on the national Do Not Call (“DNC”) Registry, in violation of the Telemarketing Sales Rule (“TSR”).

Hunton & Williams LLP is proud to announce our Privacy & Information Security Law Blog has been nominated in The Expert Institute’s 2016 Best Legal Blog Contest for Best AmLaw Blog of 2016. From all of the editors, lawyers and contributors that make our blog a success, we appreciate your continued support and readership, and ask that you please take a moment to vote for our blog!

The Privacy & Information Security Law Blog was ranked as the #1 Privacy & Data Security blog in LexBlog’s 2015 AmLaw 200 Blog Benchmark Report, and named PR News’ Best Legal PR Blog in 2011. It was noted that the ...

The State Administration for Industry and Commerce of the People’s Republic of China published a draft of its Implementing Regulations for the P.R.C. Law on the Protection of the Rights and Interests of Consumers (the “Draft”) for public comment. The draft is open for comment until September 5, 2016.

On July 25, 2016, the Article 29 Working Party (the “Working Party”) and the European Data Protection Supervisor (“EDPS”) released their respective Opinions regarding the review of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive"). Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation (“GDPR”).

On June 28, 2016, the UK Information Commissioner’s Office (“ICO”) released its Annual Report for 2015 -2016 (the “Report”).

According to the Report, the ICO has dealt with an increase in the number of data protection concerns, handling 16,388 complaints in total. Particularly noteworthy is the £130,000 fine imposed on Pharmacy 2U for breach of the fair processing requirements under the UK Data Protection Act 1998. Pharmacy 2U sold details of over 20,000 customers to a list marketing company without customers' knowledge or consent.

On June 22, 2016, the Federal Trade Commission announced a settlement with Singaporean-based mobile advertising network, InMobi, resolving charges that the company deceptively tracked hundreds of millions of consumers’ locations, including children, without their knowledge or consent. Among other requirements, the settlement orders the company to pay $950,000 in civil penalties. 

TCCWNA. The very acronym evokes head scratches and sighs of angst and frustration among many lawyers in the retail industry. You have probably heard about it. You may have even been warned about it. And you may currently be trying to figure out how best to minimize your risk and exposure this very moment. But what is it and why has virtually every retailer been hit with a TCCWNA class action demand letter or lawsuit in the past few months? And why are most retailers scrambling to update the terms and conditions of their websites?

On June 1, 2016, a new do-not-call list (the “BLOCTEL list”) was implemented in France. French residents who do not wish to receive marketing phone calls may register their landline or mobile phone number online at www.bloctel.gouv.fr.

Late last year the Federal Trade Commission issued enforcement guidance on “native advertising” — ads that purposely are formatted to appear as noncommercial and are integrated into surrounding editorial content. The agency’s guidance took two parts: an Enforcement Policy Statement on deceptively formatted ads, and a Guide for Business on native advertising. These long-awaited guidance documents follow on the FTC’s December 2013 “Blurred Lines” workshop on native advertising. Importantly, the FTC notes that its policy statement does not apply just to advertisers but also to other parties that help create the content: ad agencies, ad networks and potentially, publishers.

On December 30, 2015, the Pew Research Center released a report on the results of a recent survey that asked 461 Americans about their feelings toward sharing personal information with companies. The survey found that a “significant minority” of American adults have felt “confused over information provided in company privacy policies, discouraged by the amount of effort needed to understand the implications of sharing their data, and impatient because they wanted to learn more about the information-sharing process but felt they needed to make a decision right away.”

On December 17, 2015, the FTC announced a pair of COPPA settlements against operators of child-directed mobile apps available for download in the major app stores. These cases are the FTC’s first COPPA actions involving the collection of persistent identifiers, and no other personal information, from children since the FTC’s updated COPPA Rule went into effect in 2013. The FTC levied civil penalties, totaling $360,000, in both cases.

Hunton & Williams welcomes Phyllis H. Marcus as counsel to the firm’s privacy and competition teams. Phyllis joins the firm from the Federal Trade Commission, where she held a number of leadership positions, most recently as Chief of Staff of the Division of Advertising Practices. Phyllis led the FTC’s children’s online privacy program, including bringing a number of enforcement actions and overhauling the Children’s Online Privacy Protection Act (“COPPA”) Rule. She offers the privacy team a keen understanding of the complexities of the revised regulations, as well as broader issues relating to student privacy, mobile applications and the Internet of Things.

On October 2, 2015, California Attorney General Kamala D. Harris announced that her office settled a lawsuit against home design website, Houzz Inc. (“Houzz”). Houzz was charged with secretly recording incoming and outgoing telephone calls for training and quality assurance purposes without notifying its customers, employees or call recipients, in violation of California eavesdropping and wiretapping laws. As part of the settlement, the Attorney General required Houzz to destroy the recordings, pay a fine of $175,000 and hire a Chief Privacy Officer to supervise its compliance with privacy laws and conduct privacy risk evaluations to assess Houzz’s privacy practices. This is the first time that the Attorney General has required the hiring of a Chief Privacy Officer as part of a settlement.

On September 25, 2015, the UK Information Commissioner’s Office (the “ICO”) issued a fine of £200,000 (approximately $303,000) to Home Energy & Lifestyle Management Ltd. (“HELM”) for making a large number of automated marketing calls in violation of the UK’s direct marketing laws. This is the largest fine that the ICO has issued to date in connection with automated marketing calls.

On September 2, 2015, the Information Commissioner’s Office (the “ICO”) announced an investigation into the data sharing practices of charities in the United Kingdom. The announcement follows the publication of an article in a UK newspaper highlighting the plight of Samuel Rae, an elderly man suffering from dementia. In 1994, Rae completed a survey, which resulted in a charity collecting his personal data. The charity, in turn, allegedly shared his contact details with other charities, data brokers and third parties. Over the years, some of those charities and third parties are reported to have sent Rae hundreds of unwanted items of mail, requesting donations and, in some cases, attempting to defraud him. The legal basis on which Rae’s details were shared remains unclear, although the ICO has noted that the distribution may have resulted from a simple failure to tick an “opt-out” box on the survey.

On July 10, 2015, the Federal Communications Commission (“FCC”) released a Declaratory Ruling and Order that provides guidance with respect to several sections of the Telephone Consumer Protection Act (“TCPA”). The Declaratory Ruling and Order responds to 21 separate requests from industry, government and others seeking clarifications regarding the TCPA and related FCC rules.

On June 30, 2015, the French Data Protection Authority (the “CNIL”) summarized the results of the cookie inspections it conducted at the end of 2014.

On May 13, 2015, the Belgian Data Protection Authority (the “DPA”) published a recommendation addressing the use of social plug-ins associated with Facebook and its services (the “Recommendation”). The Recommendation stems from the recent discussions between the DPA and Facebook regarding Facebook’s privacy policy and the tracking of individuals’ Internet activities.

On May 7, 2015, the Digital Advertising Alliance (“DAA”) announced that, as of September 1, 2015, the Council of Better Business Bureaus and the Direct Marketing Association will begin to enforce the DAA Self-Regulatory Principles for Online Behavioral Advertising and the Multi-Site Data Principles (collectively, the “Self-Regulatory Principles”) in the mobile environment.

On November 16, 2015, the Federal Trade Commission will host a workshop in Washington, D.C., to examine the benefits and privacy risks associated with “cross-device tracking.” The workshop intends to highlight the types of cross-device tracking techniques and how businesses and consumers can benefit from these practices. The workshop also will address related privacy and security risks, and discuss whether self-regulatory programs apply to these practices.