A flurry of legislative activity over the past year has brought meaningful changes to a variety of privacy and security provisions in state and federal law. At the state level, as in 2022, we have seen a handful of changes to generally applicable breach notification statutes, along with action on both narrower security provisions and broader omnibus privacy laws.

The Federal Trade Commission recently finalized updates to its Guides Concerning the Use of Endorsements and Testimonials in Advertising, which address the FTC’s latest thinking about how the truth-in-advertising standards under the FTC Act apply to endorsement and review-related issues.

The Federal Trade Commission recently announced a notice of proposed rulemaking to expand its Negative Option Rule to apply to all recurring subscription programs.

California’s Age-Appropriate Design Code is a first-of-its-kind children’s privacy law in the United States that is scheduled to go into effect in 2024. The CA AADC is applicable to online services, products, or features that are likely to be accessed by children.

This Update discusses a spate of recent class action lawsuits asserting claims under the Video Protection Privacy Act.

Perkins Coie’s survey of 150 industry stakeholders involved in XR and next-gen technology, which encompasses technological advancements such as Web3 and the metaverse, shows that immersive technology has reached a critical point.

Recent news has shined a spotlight on the legal consequences of mass layoff situations. Employers should take steps now to prepare for possible reductions in their workforce.

New Jersey has become the latest state to pass a law governing some types of automatically renewing subscriptions.

After more than a year of delays and revisions, the long awaited Ban on Non-Compete Agreements Amendment Act of 2020 (the Act) took effect beginning October 1, 2022, following the passage of the Non-Compete Clarification Amendment Act of 2022.

Cyberattacks continue to plague businesses, making the fallout of data breach notification and response as critical as ever. This year, like 2021, has been relatively quiet as it relates to state updates to breach notification laws.

Perkins Coie is pleased to present the third edition of Labor Law Today —Year in Review, highlighting the past year’s most noteworthy developments.

Businesses that allow customers to sign up for automatically renewing subscriptions must comply with a patchwork of state and federal regulations.

Perkins Coie and XR Association survey of over 160 professionals found that immersive technology’s prospects have been strengthened by the pandemic.

Cyberattacks continue to make the news and affect our lives in increasingly more significant ways.

The Federal Trade Commission announced on January 11, 2021, that it had reached a settlement with Everalbum, Inc., the developer of a now-defunct photo storage app called “Ever.” The settlement is the FTC’s first enforcement action focused on facial recognition technology, and likely signals a new era of increased regulatory scrutiny for companies involved in facial recognition.

Perkins Coie is pleased to present the second edition of Labor Law Today —Year in Review, highlighting the past year’s most noteworthy developments.

Companies that do business in Portland, Oregon may need to add one more item to their holiday to-do list: disable face recognition technologies in Portland.

COVID-19 is the biggest disruption to consumer retail spending patterns in recent history.

States continue to enhance and expand their breach notification requirements, increasing the scope of breaches that require notice as well as the complexity of compliance.

Perkins Coie, XR Association, and boost VC surveyed nearly 200 professionals representing startups, enterprise technology firms, and investors for their insights on the trajectory of the immersive technology industry.

While privacy laws are proliferating globally, the California Consumer Privacy Act (the CCPA) is California’s comprehensive and landmark legislation that seeks to give California consumers expanded rights to learn about and control certain aspects of how a business handles “personal information” collected about its consumers.

As more and larger data breaches come to light, states continue to update and expand their breach notification statutes, adding to the patchwork of notification obligations that now exists in every state.

As if businesses did not have enough on their plates as they prepare for the California Consumer Protection Act and similar privacy laws in other states, manufacturers of Internet of Things (IoT) devices (objects that connect to the internet and collect and transmit data) must also comply with California and other states’ new IoT device security laws.

Perkins Coie surveyed 200 startup founders, technology company executives, investors and consultants on key challenges and opportunities in the immersive technology space.

Google won summary judgment in Rivera v. Google, a privacy class action alleging violations of the Illinois Biometric Information Privacy Act (BIPA). The case involved “face grouping,” a feature that enables Google Photos to automatically sort and group the photographs in a user’s private account, based on visual similarities between the images of faces in the photos. The court held that any alleged collection of “biometric information” or “biometric identifiers” stemming from this feature did not cause an injury-in-fact sufficient to confer Article III standing. This update summarizes the decision, which may be relevant to clients involved with biometric technology, as well as other clients facing litigation where a no-injury defense may be applicable.

Yesterday, the U.S. Supreme Court overruled more than 50 years of Commerce Clause precedent to hold that a state may require an out-of-state retailer with no physical presence in the taxing state to collect sales and use taxes on sales of goods and services delivered in the state.

This spring has brought a particularly active round of revisions to state data breach notification laws.

Perkins Coie surveyed 140 startup founders, technology company executives, investors and consultants on key challenges and opportunities in the AR/VR space.

The General Data Protection Regulation (GDPR), which is effective May 25, 2018, requires notification to European regulators within 72 hours of the discovery of many types of data breaches. This deadline requires speed and organization that no other jurisdiction currently requires, especially in the United States. Organizations that hold personal data of EU residents and do not have an incident response plan should promptly develop one so they can comply with the GDPR’s requirements.

Any individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government, governmental subdivision, agency, or instrumentality, public corporation, or any other legal or commercial entity (collectively, Entity) that owns or licenses computerized data that includes an IA resident’s PI that is used in the course of the Entity’s business, vocation, occupation, or volunteer activities and that was subject to a breach of security.

Last Friday, the U.S. Court of Appeals for the District of Columbia Circuit (D.C. Circuit) issued its long-awaited decision in ACA International v. Federal Communications Commission, No. 15-1211 (D.C. Cir. Mar. 16, 2018).

Artificial Intelligence (AI) refers to a machine's ability to simulate human intelligence to perform tasks like planning, decision-making, and recognizing objects or sounds. Its use is not always obvious, but AI is now present in nearly every aspect of our lives—from our "smart" home products to our medical care, jobs, and businesses.

Last November, the U.S. Copyright Office issued its Final Rule regarding designating copyright agents under the Digital Millennium Copyright Act (DMCA) and announced a new electronic system for filing such designations.

As anticipated, the Republican members of the Federal Communications Commission are taking steps to pare down the 2016 Broadband Privacy Order now that they are in the majority.

The National Highway Traffic Safety Administration (NHTSA) has issued a comprehensive policy on “automated vehicles,” more commonly known as self-driving cars.

This year brought a wave of class action complaints alleging that national retailers are violating the New Jersey Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA), N.J.S.A. §§ 56:12-14 et seq., by including certain provisions in their online terms and other consumer-facing notices and agreements.

The spring legislative sessions this year brought a now-familiar round of revisions to data breach notification laws, with states broadening their laws in often divergent ways.

Perkins Coie and Upload surveyed more than 650 startup founders, executives with established technology companies and investors on the future of augmented and virtual reality.

In four of the last five years, California’s legislature has updated its data breach notification law, expanding its scope and making the required notifications more specific.

The Department of Justice (DOJ) has once again postponed its proceeding to amend regulations that would spell out the obligations of retailers, hotels, restaurants, places of entertainment and other public-facing businesses to make their websites and mobile applications accessible to individuals with disabilities under Title III of the Americans with Disabilities Act (ADA).

The Department of Justice (DOJ) has once again postponed its proceeding to amend regulations that would spell out the obligations of retailers, hotels, restaurants, places of entertainment and other businesses to make their websites accessible to individuals with disabilities under the Americans with Disabilities Act (ADA).

In what could be a major setback for the Federal Trade Commission (FTC) in the data security arena, an Administrative Law Judge (ALJ) has ruled that an unfairness claim brought by the FTC under Section 5 of the FTC Act requires a showing that substantial injury to consumers is probable, not merely possible, when there is no evidence of actual consumer injury.

Massive explosions occurred at a warehouse in Tianjin, China, in August 2015, that left hundreds of people dead or injured and destroyed much of the city’s port facilities. Tianjin is located in the industrial north of China and is a critical transit point for many global industries, including electronics, automotive, aerospace, petrochemicals and manufacturing equipment.

Since at least 2005, the Federal Trade Commission has asserted that it may regulate lax data security practices as an “unfair” business practice under Section 5 of the FTC Act. The Wyndham hotel chain was the first to challenge this authority in court. In a highly anticipated opinion, the U.S. Court of Appeals for the Third Circuit resoundingly agreed with the FTC that a failure to implement reasonable data security measures may constitute an unfair business practice under Section 5.

Four state legislatures closed their sessions with changes to their data breach notification laws, potentially imposing significant new compliance burdens.

During their spring 2015 legislative sessions, Washington, Wyoming, Montana, and North Dakota expanded their data security breach notification laws.

Privacy and data security are high priorities of the Federal Communications Commission (FCC) under the leadership of Chairman Tom Wheeler. In addition to significant enforcement actions against AT&T and TerraCom/YourTel that take a page out of the playbook of the Federal Trade Commission (FTC), the FCC’s recent Open Internet Order for the first time imposes the privacy obligations of Section 222 of the Communications Act of 1934, as amended (the Act) on broadband Internet service providers.

The Antitrust Division of the U.S. Department of Justice recently announced its first criminal antitrust prosecution in e-commerce. David Topkins was charged on April 6, 2015, with price fixing in violation of Section 1 of the Sherman Antitrust Act in the online sale of decorative posters.

Based on their interpretation of Washington state gambling laws, many fantasy sports game operators do not allow players from Washington to participate in pay-to-play fantasy sports games.  Game operators and players alike were hopeful this would change when Washington state legislators proposed new legislation to legalize fantasy sports games in their state.

Earlier today, the Supreme Court decided Alice Corporation v. CLS Bank International and unanimously held that Alice’s patent claims were not patent eligible under 35 U.S.C. § 101 because they merely called for generic computerization of the abstract idea.

California recently enacted two laws regarding Do Not Track Transparency and Advertising to Minors that will have a significant impact on all companies that operate commercial websites, host mobile applications or provide advertising or analytics technology services.

Effective January 1, 2014, California residents must be notified when the information used to access their email or other online accounts is compromised in a data security breach incident.

On July 1, 2013 the FTC’s amended COPPA Rule went into effect. On the same day, the commission also released a six-step compliance plan to aid businesses in complying with the new rule. On July 26, the commission issued further guidance on the rule, particularly as it applies to social network plug-ins and ad networks, in the form of updated FAQs.

Even as efforts to achieve industry-wide consensus on Do Not Track appear to be stalling, self-regulatory associations are forging ahead with their own rules governing online and mobile data collection.  On July 24, the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI) each released rules governing the use of data collected through mobile applications.

On Tuesday, July 16, 2013 the Tracking Protection Working Group of the World Wide Web Consortium (W3C) rejected a proposal put forward by the Digital Advertising Alliance (DAA) to reframe the activity covered by Do Not Track (DNT) signals.

In December 2012, the Federal Trade Commission (FTC) adopted final amendments to the Children's Online Privacy Protection Act (COPPA) Rule, which regulates how companies may collect information online from children under 13.  Last month, the FTC also issued an updated set of Frequently Asked Questions regarding the revised COPPA Rule.  The revised COPPA Rule went into effect today, July 1, 2013, and will impact "operators" of certain websites and online services for a long time to come.

This is the latest opinion in the ongoing litigation arising out of a massive data breach suffered by Hannaford Bros. grocery stores. In re Hannaford Bros. Privacy Litigation, __F. Supp. 2d __, Case No. 2:08-MD-1954-DBH, 2013 WL 1182733 (D. Me. Mar. 20, 2013).

To address a perceived gap in regulatory treatment of increasingly popular virtual currencies, including Bitcoin, the U.S. Department of the Treasury Financial Crimes Enforcement Network (FinCEN) released new guidance on March 18, 2013.

A federal judge in the Northern District of California recently added to the growing list of cases rejecting attempts to recover damages resulting from data breaches.  In In re LinkedIn User Privacy Litigation, Case no. 5:12-CV-03088 EJD (March 6, 2013), the court dismissed a lawsuit brought by LinkedIn users who were upset over the June 2012 posting of 6.5 million stolen LinkedIn user passwords.

The Internet Corporation for Assigned Names and Numbers (ICANN), which is charged with enabling and securing the Internet, has been hard at work on a significant expansion project.

The California Supreme Court recently issued a landmark ruling in Apple Inc. v. Superior Court (formerly Krescent v. Apple Inc. in trial court proceedings), a case with wide-reaching implications for consumer privacy in e-commerce. The issue before the Court was whether California’s Song-Beverly Credit Card Act (the Act), which generally prohibits retailers from collecting or requesting personal identification information (PII) as a condition of accepting credit card payments, should apply to online retailers.

As more countries join the Madrid Protocol System for the International Registration of Marks (Madrid System), trademark owners should be sure to take full advantage of this trademark registration option.  There are now 89 members of the Madrid System.  Significantly lower application and maintenance costs, as well as streamlined portfolio management options, are just a few of the reasons why the Madrid System is advantageous for trademark owners.

Companies that accept online credit card payments should be keeping an ear very close to the ground for the California Supreme Court’s decision in Apple v. Superior Court (Krescent), expected within the next few weeks.  Depending on how the court rules, the case has the potential to spawn a flood of class actions against online retailers and change the way web payments are processed.

In a ruling that will impact certain aspects of how companies handle their SMS/text message promotional programs, on November 29, 2012, the Federal Communications Commission released a Declaratory Ruling regarding the Telephone Consumer Protection Act (TCPA) pursuant to a request by SoundBite Communications, Inc.

On August 21, 2012, the U.S. District Court for the Eastern District of New York held that poker is a game of skill and thus running a poker game or business is not subject to federal prosecution under the federal Illegal Gambling Business Act ("IGBA").  Following on the heels of the Justice Department's September 20, 2011 ruling that the Wire Act (which prohibits using wire-line communications to place or receive bets) only applied to sports betting, last week's ruling may be another step toward legalizing online poker.

Earlier this year, Washington state legislators unanimously passed the nation's first criminal law requiring age verification for commercial sexual services advertisements depicting minors. The landmark law's goals are laudable, but its broad reach has some on-line service providers and traditional publishers concerned. For example, on-line service providers that allow users to post content and images on their sites, including on social networking sites, dating sites, discussion forums, blogs and chat rooms, could now face criminal exposure, even if they have absolutely no interest in placing, or permitting the placement of, such ads.

The Consumer Financial Protection Bureau's ("CFPB") recently issued Advance Notice of Proposed Rulemaking ("ANPR") announced its intention to extend Regulation E ("Reg E") protections to certain general purpose reloadable prepaid cards ("GPR cards"), which protections do not currently apply to GPR cards.  CFPB's stated goals are to (1) insure consistent minimum standards across similar financial products, (2) allow consumers to easily compare products by insuring disclosure transparency and (3) appropriately allocate fraud and loss risks.  CFPB is soliciting public comments on this topic until July 23, 2012.

Several class action complaints filed in recent months take a novel approach regarding the requirements for website privacy policies under California's "Shine the Light" law.

After nearly two years of comments, the FCC issued its Report & Order updating its Rules implementing the Telephone Consumer Protection Act pursuant to the January 2010 Notice of Proposed Rulemaking.

On September 15, 2011, the Federal Trade Commission (FTC) released the changes it is proposing to make to the Children’s Online Privacy Protection Rule (required by the Children’s Online Privacy Protection Act, or COPPA), which has been in effect since 2000. To address technological developments in the past decade, the FTC is recommending a number of changes.

There have been many recent changes in the world of domain names.  This is the fourth in a series of updates on these issues.  It is intended to keep you informed about issues that are important to brand owners and any others with a significant web presence.

On July 26, 2011, the Financial Crimes Enforcement Network of the Department of the Treasury ("FinCEN") issued a final rule amending the Bank Secrecy Act's regulations and establishing comprehensive regulatory requirements for prepaid access ("Final Rule").

In a matter of months, the amount of "Internet real estate"—which has been static for the past several years—will expand dramatically. Companies, organizations, cities and others will be able to apply to ICANN to launch new domain spaces using brand names (for example, .nike), generic terms (such as .shoes) and locations (such as .nyc).

The Chinese government is in the midst of a six-month Intellectual Property Rights Campaign (“IPR Campaign”) that could provide some much needed help to businesses struggling with intellectual property (“IP”) infringement in China.  The IPR Campaign aims to reduce IP violations related to all types of IP, including copyrights, trademarks and patents.

On June 29, 2010, New Jersey enacted Assembly Bill 3002, which substantially revised the state’s unclaimed property laws.[1]  Many of these revisions directly impact issuers of “stored value cards,” which broadly includes paper gift certificates, gift cards, rebate cards, and other products.[2]  This white paper discusses AB 3002’s requirement to collect consumer names, addresses and zip codes and the abandonment period for stored value cards.

In late 2010, the Restore Online Shoppers' Confidence Act, (ROSCA), passed in both chambers of Congress and, on December 29, 2010, was signed by the President. ROSCA will become law once final administrative actions are complete. The Act contains two primary prohibitions: (1) it prohibits and prevents Internet-based post-transaction third party sales and (2) it imposes specific requirements on negative option features.  The relevant terms and provisions are summarized in more detail below.

The Federal Trade Commission (FTC) recently adopted important changes to the agency’s Guides Concerning the Use of Endorsements and Testimonials in Advertising.  The Guides now directly apply to product endorsements through nontraditional media, such as blogs.

The FTC recently extended the enforcement deadline for the Red Flags Rule until November 1, 2009. The Rule was originally scheduled to go into effect on November 1, 2008, but on Wednesday, July 29, 2009, the FTC announced that it was delaying enforcement for the third time because a number of industries and entities within the FTC’s jurisdiction still expressed confusion and uncertainty about what types of entities would be subject to the Rule and what the Rule actually required of covered entities.

In the past 19 years, more than 750 companies have sent employees to a Perkins Coie Product Liability Workshop.