While businesses rightfully have been focused on preparing for the California Consumer Privacy Act (“CCPA”), the Nevada and Maine Legislatures have moved forward with legislation that, like the CCPA, features new requirements relating to the sale of consumer personal data. The Nevada bill, which was signed into law on May 29 and amends an existing…
At the Federal Communications Commission’s (“FCC”) Open Meeting on October 27, the Commission voted along party lines (3-2) to impose more stringent rules on broadband Internet service providers (“ISPs”). Chairman Tom Wheeler, along with Commissioners Rosenworcel and Clyburn, voted in favor of the item, while Commissioners Pai and O’Rielly voted against it.
The new rules clarify the privacy requirements applicable to broadband ISPs pursuant to Section 222 of the Communications Act. The new rules also apply to voice services and treat call-detail records as “sensitive” in the context of voice services.
According to an FCC press release issued immediately after the meeting, these rules “establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information.” The Commission further asserts that this approach is consistent with the existing privacy framework of the Federal Trade Commission (“FTC”).
Continue Reading FCC Votes to Impose Aggressive New Privacy Rules on Broadband Providers
This past Friday, the European Commission (“the Commission”) issued guidance addressing transatlantic data transfers after the European Court of Justice (“ECJ”) decision in the Schrems case. As we noted in an earlier post, the ECJ Schrems decision invalidated the U.S.-EU Safe Harbor framework, the mechanism that enabled self-certifying corporations to transfer personal data from…
On September 4, 2014, the FTC announced a settlement with Google Inc., which requires the search giant to pay at least $19 million in refunds to consumers that the Commission alleges were billed for unauthorized in-app charges incurred by kids. The settlement follows a similar settlement in January with Apple (which required Apple to pay a minimum of $32.5 million in refunds), and a recent complaint filed by the FTC in federal court against Amazon.
The FTC’s complaint against Google alleges that the company offered free and paid apps through its Play store. Many of these apps are rated for kids and offer “in-app purchases” ranging from $0.99 to $200, which can be incurred in unlimited amounts. The FTC alleges that many apps invite children to obtain virtual items in a context that blurs the line between what costs virtual currency and what costs real money.
At the time Google introduced in-app charges in March 2011, users were notified of an in-app charge with a popup containing information about the virtual item and the amount of the charge. A child, however, could clear the popup simply by pressing a button labeled “CONTINUE.” In many instances, once a user had cleared the popup, Google did not request any further action before billing the account holder for the corresponding in-app charge.
It was not until mid- to late-2012 that Google began requiring password entry in connection with in-app charges. The complaint alleges, however, that once a password was entered, it was stored for 30 minutes, allowing a user to incur unlimited in-app charges during that time period. Regardless of the number or amount of charges incurred, Google did not prompt for additional password entry during this 30-minute period.
Google controls the billing process for these in-app charges and retains 30 percent of all revenue. For all apps, account holders can associate their Google accounts with certain payment mechanisms, such as a credit card, gift card, or mobile phone billing. The complaint highlights that Google received thousands of complaints related to unauthorized in-app charges by children and that unauthorized in-app purchases were the leading cause of chargebacks to consumers. …
Continue Reading Google to Refund at Least $19 Million Over Kids’ In-App Purchases
The guidance provides the following 10 key recommendations:…
Continue Reading California Releases Guidance on DNT Disclosures for Privacy Policies
On May 8, 2014, the FTC announced a settlement with Snapchat resolving allegations that the popular mobile messaging app deceived consumers over the disappearing nature of users’ “snaps” and made false and misleading representations concerning its privacy and information security practices. The FTC took issue with several of Snapchat’s practices and representations:
Earlier this week, a federal district court in New Jersey issued an opinion ruling on Wyndham Worldwide Corporation’s and three of its subsidiaries’ (collectively “Wyndham’s”) motion to dismiss, finding for the FTC on all grounds. While the court noted that the “decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” the opinion underscores the risk exposure for companies that incur a data breach (or otherwise collect/store consumer data), and face FTC scrutiny thereafter as to whether their information safeguard practices are consistent with FTC expectations. While the FTC has reached over 50 data security settlements, this case represents the first time that the FTC is litigating its theory that a business’s privacy and data security practices may be unfair and/or deceptive under Section 5 of the FTC Act.
Continue Reading Wyndham Hits a Wall in Challenge to FTC Data Breach Authority