Janis Claire Kestenbaum Partner

The Federal Trade Commission gave privacy lawyers a long-awaited Christmas present on December 20, 2023: its notice of proposed rulemaking to amend the Children’s Online Privacy Protection Act Rule. The NPRM follows a review of the COPPA Rule initiated by the FTC four years ago and the submission of over 175,000 public comments.

Just a few years ago, the legal landscape governing health-related personal information was relatively simple: Protected Health Information was regulated under HIPAA. Today, by contrast, the privacy of health-related personal information is under close scrutiny by the FTC, the U.S. Department of Health and Human Services’ Office for Civil Rights and state regulators.

Under an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act announced on October 27, 2023, the Federal Trade Commission will require a broad range of nonbank financial institutions to notify the FTC of instances of the unauthorized acquisition of unencrypted, personally identifiable, nonpublic financial information of more than 500 customers.

A significant number of federal legislative proposals that focus on online child safety have been introduced. If enacted, they would modify online providers’ obligations to remove and report child sexual exploitation content, as well as require providers to implement notice and takedown mechanisms for certain CSE content.

Following a related request for information earlier this year, the Consumer Financial Protection Bureau announced on August 15, 2023, its intention to launch rulemaking targeting data brokers.

For the first time since 2015, the Federal Trade Commission (FTC) has been asked to approve a new “verifiable parental consent” (VPC) method under the Children’s Online Privacy Protection (COPPA) Rule.

On June 6, 2023, Florida Governor Ron DeSantis signed Senate Bill 262 into law.

As the hype about generative artificial intelligence (AI) has grown, the Federal Trade Commission (FTC) has made clear that it intends to be at the forefront of federal agencies working to ensure the responsible use of AI.

International, federal, and state privacy regulators highlighted their ambitious agendas at the 2023 IAPP Global Privacy Summit in Washington, D.C.

The U.S. Supreme Court ruled in two related cases that federal district courts have jurisdiction to hear structural constitutional challenges to the adjudicative authority of the Federal Trade Commission and the U.S. Securities and Exchange Commission, and that litigants need not wait until the appeal of an adverse agency decision in the adjudication to raise such arguments in court.

The Consumer Financial Protection Bureau announced on March 15, 2023, that it is issuing a Request for Information about the business practices of data brokers, which the agency said will assist it in “planned rulemaking” under the Fair Credit Reporting Act.

The Federal Trade Commision announced a proposed complaint and proposed consent order with BetterHelp, Inc., an online counseling platform that allegedly disclosed consumer health data to third-party advertising platforms.

The Federal Trade Commission announced its first enforcement of the Health Breach Notification Rule against a digital health company, a case it brought against a company that shared user health data with third-party advertising platforms without the authorization of the affected users. This case signals the importance for digital health companies, whether or not covered by the Health Insurance Portability Accountability Act, of treating personal health information as sensitive and regulated by the HBNR and other FTC-enforced laws.

Data security will be an enforcement priority for the FTC in 2023. The FTC, in its December 14, 2022, Commission meeting, highlighted four data security measures that it believes are particularly important for strong cybersecurity.

The Federal Trade Commission filed a lawsuit on August 29, 2022, against data broker Kochava Inc., alleging that the company’s sale of precise geolocation data is an unfair act or practice that violates Section 5 of the FTC Act.

The Federal Trade Commission released an advance notice of proposed rulemaking on “Commercial Surveillance and Data Security” on August 11, 2022. The ANPRM, approved on a 3-2 party line vote, is the initial step in a process that could result in the adoption of the first federal regulation addressing privacy, data security, and algorithmic discrimination across broad sectors of the U.S. economy.

In its most recent open meeting, the Federal Trade Commission (FTC) unanimously (1) issued a COPPA policy statement directed at ed tech providers and (2) proposed amendments to the Endorsement Guides, which address influencer advertising on social media and consumer reviews.

Alvaro Bedoya was sworn in as a commissioner of the U.S. Federal Trade Commission (FTC) on May 16, 2022.

Federal Trade Commission Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals Global Privacy Summit on April 11, 2022, in Washington, D.C.

Jason Howell and Amanda Beane talk with Janis Kestenbaum, partner at Perkins Coie and former Federal Trade Commission (FTC) attorney, about the makeup and direction of the FTC as it relates to advertising and marketing law.

Following a 3-2 vote, the Federal Trade Commission recently announced amendments to the Safeguards Rule under the Gramm-Leach-Bliley Act.

On April 22, 2021, in a unanimous decision, the U.S. Supreme Court in AMG Capital Management v. FTC held that the authorization to seek a “permanent injunction” under Section 13(b) of the Federal Trade Commission Act does not permit the FTC to obtain equitable monetary relief such as restitution and disgorgement. While the FTC may still seek monetary relief under Sections 5 and 19 of the Act, those provisions can be more difficult for the FTC to pursue. FTC Acting Chairwoman Rebecca Kelly Slaughter is already calling on Congress to “strengthen the FTC’s powers” in light of the decision.

The Federal Trade Commission announced on Jan. 11 that it had reached a settlement with Everalbum Inc., the developer of a now-defunct photo storage app called Ever.

The Federal Trade Commission announced on January 11, 2021, that it had reached a settlement with Everalbum, Inc., the developer of a now-defunct photo storage app called “Ever.” The settlement is the FTC’s first enforcement action focused on facial recognition technology, and likely signals a new era of increased regulatory scrutiny for companies involved in facial recognition.

Privacy issues are all around us. Questions from this still nascent area of law have become intertwined with many of the significant legal and public policy issues of the day. As smartphone apps are used for COVID-19 contact tracing, questions have been raised about how to balance public health and privacy.

On June 13, the Federal Trade Commission held a virtual workshop on proposed changes to the Gramm-Leach-Bliley Act safeguards rule.

On July 9, 2020, the U.S. Supreme Court granted certiorari in two cases to review whether the FTC has authority to seek restitution under Section 13(b) of the FTC Act.

As in-house counsel, during the pandemic you and your colleagues may be working from home and caring for children or other family members, all while addressing novel legal issues raised by the coronavirus plus the normal day-to-day issues of your job.

This part one of a two-part report with the focus primarily on consumer protection implications. The report assesses the implications of data analytics, and new types of artificial intelligence, including machine learning and neural networks, on the law that drives our practices as consumer protection and competition lawyers. 

On Aug. 7, the Federal Trade Commission held a full-day workshop titled "Inside the Game." It addressed consumer protection issues regarding video game "loot boxes" — randomized or surprise in-game virtual rewards that players buy or earn.

On April 9 and 10, 2019, the Federal Trade Commission focused on the agency’s approach to consumer privacy at the 12th hearing in its “Hearings on Competition and Consumer Protection in the 21st Century” series. The hearing occurred at a potentially pivotal time with respect to the regulation of consumer privacy in the United States.

On September 26, 2018, Christine S. Wilson was sworn in as a Commissioner at the Federal Trade Commission into the seat previously held by Maureen Ohlhausen. Commissioner Wilson most recently held a senior legal role at Delta Airlines, previously was an antitrust partner at two large law firms, and during the George W. Bush Administration served as Chief of Staff to FTC Chairman Timothy Muris.

In this first of a series on the FTC’s multipart hearings, we offer some key takeaways from the initial hearing.

In the Federal Trade Commission’s first litigated enforcement action addressing the security of internet of things devices, the district court for the Northern District of California recently dismissed the FTC’s unfairness claim and two of five deception claims under Section 5 of the FTC Act against D-Link Systems Inc., for alleged security flaws in its routers and internet-connected security cameras. Order, FTC v. D-Link Sys. Inc., No. 3:17-cv-00039 (N.D. Cal. Sept. 19, 2017).

*Subscription based publication.

While children may be fans of talking dinosaurs, robots and stuffed animals, the federal government appears to have its concerns. At least that is the suggestion from a warning to parents from the Federal Bureau of Investigation that came on the heels of a Federal Trade Commission announcement that connected toys must comply with the Children’s Online Privacy Protection Act (COPPA).

This interview looks at Jessica Rich’s leadership of the Federal Trade Commission Bureau of Consumer Protection.

There was a time when a child’s rubber duck was merely a rubber duck. No longer. Today, the duck may be connected to the internet, able to respond to the child’s gestures on a phone, and alert parents if bath water is too warm. A raft of smart toys debuted at this year’s New York Toy Fair, and by 2020 the smart toy market is projected to reach $11.3 billion.

Click here to read more.

Privacy has been at the forefront of the Federal Trade Commission’s (FTC) work during the Obama Administration.

*Subscription based publication.

The FTC has no jurisdiction over common carriers even when they engage in non-common carrier activity, according to a recent U.S. Court of Appeals for the Ninth Circuit opinion.

The Federal Trade Commission unanimously (3-0) ruled on July 29, 2016 that LabMD’s data security practices were “unfair” under Section 5 of the FTC Act, reversing a decision of its Administrative Law Judge.

Consensus was reached in a proceeding of the NTIA of the U.S. Department of Commerce on a set of privacy best practices for the commercial and recreational use of unmanned aerial systems (UAS), more commonly referred to as “drones.” 

As previously promised in last year’s Open Internet Order, the Federal Communications Commission (FCC or the Commission) has released a Notice of Proposed Rulemaking (NPRM) seeking comment on proposed privacy requirements for broadband internet access service providers.

In what could be a major setback for the Federal Trade Commission (FTC) in the data security arena, an Administrative Law Judge (ALJ) has ruled that an unfairness claim brought by the FTC under Section 5 of the FTC Act requires a showing that substantial injury to consumers is probable, not merely possible, when there is no evidence of actual consumer injury.

Since at least 2005, the Federal Trade Commission has asserted that it may regulate lax data security practices as an “unfair” business practice under Section 5 of the FTC Act. The Wyndham hotel chain was the first to challenge this authority in court. In a highly anticipated opinion, the U.S. Court of Appeals for the Third Circuit resoundingly agreed with the FTC that a failure to implement reasonable data security measures may constitute an unfair business practice under Section 5.

The Federal Communications Commission recently adopted in a partisan 3-2 vote a notice of apparent liability for forfeiture and order (the NAL) against AT&T Mobility LLC with an unprecedented proposed penalty of $100 million as well as numerous other compliance obligations, marking the first time the agency has enforced its net neutrality transparency rule.

Last week, an FCC divided on partisan lines adopted a Notice of Apparent Liability for Forfeiture and Order (the NAL) against AT&T with an unprecedented proposed penalty of $100 million as well as numerous other compliance obligations, marking the first time the agency has enforced its net neutrality transparency rule.

Many startups have learned that being young and small does not keep them off the radar screens of privacy regulators, and they can be vulnerable to costly investigations. Privacy issues that come to light in the course of the due diligence process for an acquisition can also threaten their valuation. In fact, VCs increasingly report that privacy can affect a startup’s ability to raise capital. Read full article. 

To improve customer experience and understand customers’ movements and interactions on their premises, retailers, hotels and other brick-and-mortar businesses increasingly use signals from mobile devices to observe their customers’ movements.

Privacy and data security are high priorities of the Federal Communications Commission (FCC) under the leadership of Chairman Tom Wheeler. In addition to significant enforcement actions against AT&T and TerraCom/YourTel that take a page out of the playbook of the Federal Trade Commission (FTC), the FCC’s recent Open Internet Order for the first time imposes the privacy obligations of Section 222 of the Communications Act of 1934, as amended (the Act) on broadband Internet service providers.

In recent years, the Federal Trade Commission (FTC) has solidified its position as the most influential consumer privacy and data security regulator in the United States—as reflected by President Barack Obama’s recent visit to the FTC to announce his administration’s latest privacy initiatives.

Analyzing the intersection of privacy and antitrust law as applied to mergers of technology firms. When firms in this sector merge, it can lead to a substantial increase in the scope and magnitude of consumer data under the control of a single firm. Some regulators and privacy advocates have expressed concern that the aggregated data of the combined entity, when subjected to increasingly powerful “big data” analytic tools, will yield especially revealing pictures of consumers, making data breaches more consequential, and raising the risk that data will be used in ways that will disadvantage consumers.