Digital advertising, analytics, and health/wellness-related personal information are very much in the news, with increased scrutiny and enforcement by the Federal Trade Commission (FTC), the Department of Health and Human Services (HHS), requirements under the new state privacy laws, and a wave of lawsuits and demand letters by litigants using wiretap laws tied to third-party
Laura Riposo VanDruff
Look for Your Kelley Drye Ad Law Friends at the ABA this Week!
For anyone planning to attend the ABA Antitrust Spring Meeting in Washington DC this week (March 29-31), please look for your friends from Kelley Drye Ad Law on multiple panels on Wednesday and Thursday:
ABBY STEMPSON (Special Counsel in the Ad Law and State AG practices) will be speaking on a panel entitled Fundamentals –…
FTC to Advertisers: We’re Tracking Your Use of Health Information
For the second time in as many months, the Federal Trade Commission (FTC) last week announced a settlement alleging that a company’s use and disclosure of consumers’ health information for online advertising violated the law. The BetterHelp settlement indicates that the FTC takes a broad view of what constitutes “health information,” but it raises questions about how the FTC will apply its reinterpretation of the Health Breach Notification Rule under its September 2021 policy statement.
Overview of the FTC’s Broad View of “Health Information”
BetterHelp is an online counseling service that has registered more than 2 million users since its 2013 inception. When a consumer visits the site, the FTC alleges that she is “immediately prompted to begin” BetterHelp’s intake questionnaire, which asks questions about the consumer’s history of therapy, current mental state, and religious beliefs, among other characteristics, and then provides an email address and other information to create an account.
According to the FTC’s complaint, the company violated the FTC Act through its use of advertising pixels or web beacons and by uploading consumers’ “health information” to ad platforms for retargeting and to reach additional prospects. In the FTC’s view, the “health information” that BetterHelp disclosed not only included information about consumers’ past use or current enrollment in the company’s services but also their interest in obtaining therapy. This information was sufficient to “reveal” that consumers were “seeking mental health treatment.”…
Congress to FTC: “Please Update the COPPA Rule Now”
Amidst all of the recent news and developments about the privacy of kids and teens (including multiple Congressional hearings; Frances Haugen’s testimony; enactment of the UK’s and California’s Age Appropriate Design Codes; the Irish DPC’s GDPR decision against Instagram; numerous bills in Congress; and the FTC’s ongoing focus on kids’ privacy in policy statements, workshops, and its “commercial surveillance” rulemaking), the FTC still has a powerful tool that seems to be sitting on the back-burner: the Children’s Online Privacy Protection Act (COPPA) and its implementing rule.
But some members of Congress just wrote a letter to the FTC, asking it to make COPPA a priority.
Background on COPPA
As most of our readers know, COPPA protects the privacy of kids under 13, mostly by requiring kid-directed web sites or apps, or sites/apps that have actual knowledge they’re dealing with kids, to get parental permission before collecting, using, or sharing kids’ data. Enacted in 1998, COPPA is now nearly 25 years old, a dinosaur in today’s fast-moving world of privacy. However, using the APA rulemaking authority granted in COPPA, the FTC has amended its COPPA rule to ensure that it keeps pace with developments – for example, extending the rule to ad networks and plug-ins; adding geolocation, persistent identifiers, photos, and videos to the definition of “personal information”; and strengthening the rule’s requirements governing data security, retention, and deletion.
However, those updates to COPPA became final in 2013 – almost ten years ago – and the FTC hasn’t amended the rule since then. Although the FTC initiated a rule review in July 2019, that review is still pending more than three years later. According to Regulations.gov, the Commission received over 176,000 public comments in the rule review. That’s a lot of comments, but it surely can’t explain such a lengthy delay.
“Dark Patterns” Loom Large in New FTC Staff Report
No, we’re not talking about sinister sewing guides, but rather practices or formats that may manipulate or mislead consumers into taking actions they would not otherwise take.
We untangled the topic of so-called “dark patterns” in two in-depth blogs earlier this year, available here and here. At that time, we noted there was a…
California Attorney General’s First CCPA Settlement Sends Strong “Signals” About Do Not Sell Enforcement
Warning that “[t]here are no more excuses,” the California Attorney General on August 24 announced the first public settlement under the California Consumer Privacy Act (CCPA). The settlement order, which the court approved on the same day, requires beauty-product retailer Sephora, Inc., to pay a $1.2 million civil penalty to resolve allegations that the company…
The FTC’s Privacy Rulemaking: Broad and Far-Reaching, but Unlikely to Lead to a Rule Anytime Soon
On August 11, the FTC finally launched its “commercial surveillance and data security” rulemaking after many months of hype and speculation about the FTC’s ability to address consumer privacy through its “Mag-Moss” rulemaking authority. It did so by releasing (by 3/2 vote) an Advance Notice of Proposed Rulemaking (ANPR) – the first step in a Mag-Moss rulemaking – and holding a press conference featuring Chair Khan, Commissioners Slaughter and Bedoya, and senior FTC staff.
People familiar with the many hurdles in Mag-Moss were watching to see whether the ANPR would be broad and far-reaching (thus guaranteeing a lengthy, complex process) or more narrowly tailored. The answer? The ANPR is remarkably sweeping in scope – covering virtually every form of data collection across the economy, posing 95 questions about factual and legal issues of all kinds, and raising issues that reach beyond the FTC’s legal authority. Indeed, in reading the ANPR, we couldn’t help but wonder whether this is a serious effort to develop a rule or simply a show of activity to address over-hyped expectations. (See more on this topic below.)
Not surprisingly, Commissioners Phillips and Wilson issued strong dissents. Among other things, they raised concerns about agency overreach and the potential to derail the bipartisan privacy bill currently pending in Congress (the ADPPA). Here are more details and takeaways from the FTC’s announcement:…
New California Draft Privacy Regulations: How They Would Change Business Obligations and Enforcement Risk
On Friday May 27, 2022, the California Privacy Protection Agency (CPPA) Board announced its next public meeting will be on June 8, 2022. The announcement simply stated the date of the meeting, that there are “some discussion items [that] will be relevant to the Agency’s rulemaking work,” and that information on how to attend the meeting and the meeting agenda could be found on the CPPA’s site. It did not take too many Internet sleuths to review the posted agenda, and note that Agenda Item No. 3 was “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000–7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action,” and that the posted meeting materials included a copy of the “Draft Proposed CCPA Regulations.” In addition, Agenda Item No. 4 provides for “Delegation of Authority to the Executive Director for Rulemaking Functions.” Full stop, June will be an active month for California privacy rulemaking.
But let’s unpack the surprises in the draft regulations. The 66-page draft proposed CCPA regulations (and they are referred to within the document as CCPA regulations) take a prescriptive approach to privacy obligations. In concept, that is not too surprising. Of concern, in some areas, they uniquely depart from approaches set forth by other state privacy laws. The quiet release of dramatic new obligations while bipartisan Senators reportedly may be reaching consensus on federal privacy legislation that could preempt state law obligations puts companies doing business in California in a difficult position. Do they scramble to operationalize new programs to comply with the CPPA’s new requirements, if finalized? Do they wait on Congress? Do they choose a third path? For now, while these draft rules are certain to change in some respects before they are finalized, they directionally outline a new privacy baseline for the United States. We highlight certain aspects of the draft rules below, with a particular focus on accountability and risk exposure, how data can be shared with other businesses for digital advertising or other functions, and what those business agreements must include to lawfully support such business relationships and comply with the amended CCPA.
Webinar Replay: Teen Privacy Law Update
The replay for our May 19, 2022 Teen Privacy Law Update webinar is available here.
Protecting the privacy and safety of kids and teens online is receiving enormous attention lately from Congress, the States, the FTC, and even the White House. Further, just last month, BBB National Programs unveiled a Teenage Privacy Program Roadmap…
Privacy Priorities for 2022: Tracking State Law Developments
The replay for our April 28, 2022 Privacy Priorities for 2022: Tracking State Law Developments webinar is available here.
In the absence of a federal privacy law, privacy has been at the forefront of many states’ legislative sessions this year. Against this backdrop, state attorneys general continue to initiate investigations into companies’ privacy practices,…