Category Archives: FTC

The FTC’s Post-Dobbs Focus on Location Privacy Draws a Legal Challenge

As we had previously blogged, the FTC in guidance following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health indicated that it would aggressively wield its enforcement authority in relation to deceptive statements about location privacy, particularly in the context of what the FTC called “the often shadowy ad tech and data broker ecosystem.”  The FTC voiced particular concern about unbeknownst tracking or selling of sensitive location data,…

Anonymization v. De-Identification, Post-Dobbs; Rumblings from the FTC

When is personal data “anonymized”?  The answer to this question has largely been based on jurisdiction.  If your business is in the U.S., so long as HIPAA or the CCPA does not govern, then generally aggregated or de-identified data could often be considered “anonymized” for legal compliance purposes.  (Both HIPAA and the CCPA have specific requirements for what counts as “de-identified” data.)  Under the GDPR, the story has been much more complicated:  merely “de-identified”…

Cybersecurity 2022 – The Year in Preview: Privacy Regulations at the FTC

As we think about what 2022 may hold with regard to privacy and data security regulation by the Federal Trade Commission (FTC), we should first look back at some of the developments from last year that set the stage for this year. Just like 2021, it appears that the regulatory culture at the FTC this year will be heavily entangled with the political environment. Recent events suggest that while privacy and data security related reforms previously enjoyed bipartisan support,…

Requiring Robust Security for Financial Institutions, FTC Finalizes Amendments to Safeguards Rules

The Federal Trade Commission has finalized amendments to the Standards for Safeguarding Customer Information (“Safeguards Rule”), specific to defined financial institutions, designed to strengthen security for consumer financial information following a recent uptick in data breaches.

The amendments contain four main modifications to the existing Rule that outline additional protections financial institutions must implement when handling sensitive consumer data.

  • First, the amendments provide financial institutions with additional guidance regarding developing and implementing an information security program,…

Regulators Step Up Scrutiny of Cryptocurrency Advertising as Industry Stance Softens

We posted earlier this year about increased scrutiny of cryptocurrency advertising, especially the promotion of Initial Coin Offerings, or ICOs.  The key takeaway from that post was that the frenzy around cryptocurrencies – including as an investment opportunity for individuals who aren’t otherwise active investors – has led to a number of efforts to curtail cryptocurrency promotion, from both regulators and industry stakeholders.…

Whither the Privacy Shield?

The EU-US Privacy Shield, a framework that allows companies to transfer personal data from the EU to the US in compliance with the GDPR, has been under fire for not providing adequate protection to EU citizens.  As Foley noted in 2017, the EU’s Article 29 Working Party (now the European Data Protection Board) identified “a number of significant concerns” with the Privacy Shield in the Working Party’s First Annual Joint Review,…

11th Circuit Issues LabMD Decision, and Wants More Specificity

The long-anticipated decision in LabMD v. FTC has finally arrived. The 11th Circuit held that the FTC’s cease-and-desist order against LabMD is unenforceable:

In sum, assuming arguendo that LabMD’s negligent failure to implement and maintain a reasonable data-security program constituted an unfair act or practice under Section 5(a), the Commission’s cease and desist order is nonetheless unenforceable. It does not enjoin a specific act or practice.…