Key Point: The Federal Trade Commission (FTC) has amended the Safeguards Rule to require non-banking financial institutions to inform the FTC within 30 days of discovering any unauthorized acquisition of unencrypted customer information that affects 500+ customers.

The Federal Trade Commission (FTC) has announced a significant amendment to the Safeguards Rule, that directs all financial institutions, including non-banking entities, to report certain data breaches and security events to the FTC within 30 days.

The Safeguards Rule, which is predicated on the Gramm-Leach-Bliley Act (GLBA), now requires all financial institutions to report to report “notification events” to the FTC. The FTC is defining a notification event as “the unauthorized acquisition of unencrypted customer information, involving at least 500 customers.” The amendment goes into effect in April 2024. See pending additions at 16 C.F.R. § 314.2(m) and § 314.5.

Keypoint: Advertising platform settles with the FTC over allegations that it collected location data without consent and collected information from child-directed apps without notice or parental consent in violation of the FTC Act and COPPA.

Online advertising exchange platform, OpenX Technologies, Inc., has been ordered to pay $2 million of a $7.5 million judgment to settle Federal Trade Commission allegations that it misrepresented its data collection, use, and disclosure practices as it concerns personal information collected from children and location information collected from consumers who had not granted or had denied requisite location permissions.

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: 2020 promises to be another ground-breaking year in privacy and cybersecurity law in the United States.

2019 was an exciting year in privacy and cybersecurity law. In the United States, the California Consumer Privacy Act (CCPA) was the most significant story, but there also were developments in states such as New York and Nevada. Numerous other states also considered consumer privacy legislation, and federal lawmakers even jumped into the fray, proposing a variety of bills and regulations. Overseas, GDPR garnered the most headlines of course, but other countries, such as Brazil, also made news.

But 2019 was just the start. There is no doubt that privacy and cybersecurity law is undergoing a fundamental change in the United States. If nothing else, the legal landscape of privacy law in the United States promises to look very different by the end of the year.

Below we discuss what we anticipate will be the biggest stories in 2020 and beyond.

Keypoint:  The fallout from the 2018 Cambridge Analytica incident continues with the FTC’s issuance of this unanimous opinion and order.

On December 6, the Federal Trade Commission (“FTC”) issued a unanimous opinion (the “Opinion”) finding that political consulting firm Cambridge Analytica, LLC (“Cambridge Analytica”) violated Section 5 of the Federal Trade Commission Act (“FTC Act”) (15 U.S.C. § 45) by engaging in deceptive practices to harvest personal information from tens of millions of Facebook users through a Facebook application called the “GSRApp.”

Key Point: The FTC’s fine is the largest for any COPPA-related incident; however, two issues of first impression alleged in the Complaint could have a more significant impact over the long term.

We previously reported that the Federal Trade Commission (“FTC”) entered into a settlement agreement with Facebook, Inc., which included a record-breaking $5 billion fine for repeat violations of consumers’ privacy rights. The FTC recently announced that it had entered into a settlement with Google, LLC (“Google”) and its subsidiary YouTube, LLC (“YouTube”), in which those entities will pay a $170 million fine for violating the Children’s Online Privacy Protection Act (“COPPA”) Rule. The $170 million fine is the largest the FTC has issued in a COPPA case since Congress enacted the law in 1998.

In 2010, Mark Zuckerberg famously stated that privacy was no longer a “social norm.”  Today, the Facebook founder is no doubt viewing social norms around privacy a bit differently, as are U.S. regulators and consumers.

On Wednesday, the Federal Trade Commission (FTC) confirmed that it agreed to a settlement with Facebook, Inc. stemming from Facebook’s alleged privacy violations in the Cambridge Analytica scandal.  In the settlement order (Order), Facebook agreed to pay a record-breaking $5 billion penalty to resolve the FTC’s claims that Facebook violated a prior FTC order by repeatedly using deceptive disclosures and settings to undermine users’ privacy preferences and allowing Facebook to share users’ personal information without prior consent with third party applications.