Rebecca S. Engrav Partner

The Federal Trade Commission (FTC) issued a press release and a request for information on March 22, 2023, soliciting comments from the public on cloud computing business practices, including issues related to market power, competition, and potential data security risks.

The Federal Trade Commission announced its first enforcement of the Health Breach Notification Rule against a digital health company, a case it brought against a company that shared user health data with third-party advertising platforms without the authorization of the affected users. This case signals the importance for digital health companies, whether or not covered by the Health Insurance Portability Accountability Act, of treating personal health information as sensitive and regulated by the HBNR and other FTC-enforced laws.

As it did last year, the California Attorney General’s Office recognized Data Privacy Day by announcing its latest investigative sweep under the California Consumer Privacy Act (CCPA).

Data security will be an enforcement priority for the FTC in 2023. The FTC, in its December 14, 2022, Commission meeting, highlighted four data security measures that it believes are particularly important for strong cybersecurity.

The Federal Trade Commission filed a lawsuit on August 29, 2022, against data broker Kochava Inc., alleging that the company’s sale of precise geolocation data is an unfair act or practice that violates Section 5 of the FTC Act.

The Federal Trade Commission released an advance notice of proposed rulemaking on “Commercial Surveillance and Data Security” on August 11, 2022. The ANPRM, approved on a 3-2 party line vote, is the initial step in a process that could result in the adoption of the first federal regulation addressing privacy, data security, and algorithmic discrimination across broad sectors of the U.S. economy.

Alvaro Bedoya was sworn in as a commissioner of the U.S. Federal Trade Commission (FTC) on May 16, 2022.

Federal Trade Commission Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals Global Privacy Summit on April 11, 2022, in Washington, D.C.

Following a 3-2 vote, the Federal Trade Commission recently announced amendments to the Safeguards Rule under the Gramm-Leach-Bliley Act.

On April 22, 2021, in a unanimous decision, the U.S. Supreme Court in AMG Capital Management v. FTC held that the authorization to seek a “permanent injunction” under Section 13(b) of the Federal Trade Commission Act does not permit the FTC to obtain equitable monetary relief such as restitution and disgorgement. While the FTC may still seek monetary relief under Sections 5 and 19 of the Act, those provisions can be more difficult for the FTC to pursue. FTC Acting Chairwoman Rebecca Kelly Slaughter is already calling on Congress to “strengthen the FTC’s powers” in light of the decision.

As in-house counsel, during the pandemic you and your colleagues may be working from home and caring for children or other family members, all while addressing novel legal issues raised by the coronavirus plus the normal day-to-day issues of your job.

On March 25 and 26, 2019, the Federal Trade Commission's "Hearings on Competition and Consumer Protection in the 21st Century” focused on how competition and consumer protection enforcement has become a global effort, leading to more cooperation between enforcement agencies in different countries. As with other hearings in this series, the focus was on information gathering rather than agency pronouncements.

*Subscription based publication.

In the Federal Trade Commission’s first litigated enforcement action addressing the security of internet of things devices, the district court for the Northern District of California recently dismissed the FTC’s unfairness claim and two of five deception claims under Section 5 of the FTC Act against D-Link Systems Inc., for alleged security flaws in its routers and internet-connected security cameras. Order, FTC v. D-Link Sys. Inc., No. 3:17-cv-00039 (N.D. Cal. Sept. 19, 2017).

*Subscription based publication.

This year brought a wave of class action complaints alleging that national retailers are violating the New Jersey Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA), N.J.S.A. §§ 56:12-14 et seq., by including certain provisions in their online terms and other consumer-facing notices and agreements.

The Federal Trade Commission unanimously (3-0) ruled on July 29, 2016 that LabMD’s data security practices were “unfair” under Section 5 of the FTC Act, reversing a decision of its Administrative Law Judge.

In a 6-2 decision, the Supreme Court held that the mere allegation of a statutory violation is not necessarily enough to create Article III standing.

In what could be a major setback for the Federal Trade Commission (FTC) in the data security arena, an Administrative Law Judge (ALJ) has ruled that an unfairness claim brought by the FTC under Section 5 of the FTC Act requires a showing that substantial injury to consumers is probable, not merely possible, when there is no evidence of actual consumer injury.

Since at least 2005, the Federal Trade Commission has asserted that it may regulate lax data security practices as an “unfair” business practice under Section 5 of the FTC Act. The Wyndham hotel chain was the first to challenge this authority in court. In a highly anticipated opinion, the U.S. Court of Appeals for the Third Circuit resoundingly agreed with the FTC that a failure to implement reasonable data security measures may constitute an unfair business practice under Section 5.

In a closely watched and first-of-its-kind case, the U.S. District Court for the District of New Jersey rejected, for purposes of a motion to dismiss, a defendant company’s argument that the Federal Trade Commission (FTC) lacks authority to regulate data security practices under Section 5 of the FTC Act.

Even as efforts to achieve industry-wide consensus on Do Not Track appear to be stalling, self-regulatory associations are forging ahead with their own rules governing online and mobile data collection.  On July 24, the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI) each released rules governing the use of data collected through mobile applications.

In December 2012, the Federal Trade Commission (FTC) adopted final amendments to the Children's Online Privacy Protection Act (COPPA) Rule, which regulates how companies may collect information online from children under 13.  Last month, the FTC also issued an updated set of Frequently Asked Questions regarding the revised COPPA Rule.  The revised COPPA Rule went into effect today, July 1, 2013, and will impact "operators" of certain websites and online services for a long time to come.