As we had previously blogged, the FTC in guidance following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health indicated that it would aggressively wield its enforcement authority in relation to deceptive statements about location privacy, particularly in the context of what the FTC called “the often shadowy ad tech and data broker ecosystem.” The FTC voiced particular concern about unbeknownst tracking or selling of sensitive location data,…
Category Archives: FTC
When is personal data “anonymized”? The answer to this question has largely been based on jurisdiction. If your business is in the U.S., so long as HIPAA or the CCPA does not govern, then generally aggregated or de-identified data could often be considered “anonymized” for legal compliance purposes. (Both HIPAA and the CCPA have specific requirements for what counts as “de-identified” data.) Under the GDPR, the story has been much more complicated: merely “de-identified”…
As we think about what 2022 may hold with regard to privacy and data security regulation by the Federal Trade Commission (FTC), we should first look back at some of the developments from last year that set the stage for this year. Just like 2021, it appears that the regulatory culture at the FTC this year will be heavily entangled with the political environment. Recent events suggest that while privacy and data security related reforms previously enjoyed bipartisan support,…
The Federal Trade Commission has finalized amendments to the Standards for Safeguarding Customer Information (“Safeguards Rule”), specific to defined financial institutions, designed to strengthen security for consumer financial information following a recent uptick in data breaches.
The amendments contain four main modifications to the existing Rule that outline additional protections financial institutions must implement when handling sensitive consumer data.
- First, the amendments provide financial institutions with additional guidance regarding developing and implementing an information security program,…
Editors’ Note: This is the fourth in our fifth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Read our previous posts on Energy, Cannabis, and the GDPR.
As the Trump Administration ends, it is time to look forward to what may be on the horizon with regard to law enforcement at the FTC under the Biden Administration.…
We posted earlier this year about increased scrutiny of cryptocurrency advertising, especially the promotion of Initial Coin Offerings, or ICOs. The key takeaway from that post was that the frenzy around cryptocurrencies – including as an investment opportunity for individuals who aren’t otherwise active investors – has led to a number of efforts to curtail cryptocurrency promotion, from both regulators and industry stakeholders.…
The EU-US Privacy Shield, a framework that allows companies to transfer personal data from the EU to the US in compliance with the GDPR, has been under fire for not providing adequate protection to EU citizens. As Foley noted in 2017, the EU’s Article 29 Working Party (now the European Data Protection Board) identified “a number of significant concerns” with the Privacy Shield in the Working Party’s First Annual Joint Review,…
The long-anticipated decision in LabMD v. FTC has finally arrived. The 11th Circuit held that the FTC’s cease-and-desist order against LabMD is unenforceable:
In sum, assuming arguendo that LabMD’s negligent failure to implement and maintain a reasonable data-security program constituted an unfair act or practice under Section 5(a), the Commission’s cease and desist order is nonetheless unenforceable. It does not enjoin a specific act or practice.…