On October 10, 2023, California Governor Gavin Newsom signed the Delete Act (SB 362). The Act is new legislation that requires businesses that meet the definition of “data broker” to provide detailed disclosures about its practices, register with the state and delete any personal information relating to a California resident upon receiving a verifiable deletion request.
The Act requires the California Privacy Protection Agency to establish a simple deletion mechanism that permits individuals to submit deletion requests that data brokers must adhere to starting August 1, 2026. Importantly, beginning in 2028 data brokers will be subject to audits intended to demonstrate compliance with the Act.
What Businesses are Covered Under the Act?
The Delete Act defines “data broker” as a business that knowingly collects and sells personal information of a consumer that it does not have a direct relationship with, to third parties. Excluded are certain entities that may be covered by various federal and state laws relating to data, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act and the California Insurance Information and Privacy Protection Act.
Data brokers must register with the CPPA and pay registration fees, as well as fees for access to the deletion mechanism.
What are the Applicable Registration and Disclosure Requirements?
Data brokers are required to register with the CPPA on or before January 31 for each year that they meet the statutory definition of “data broker.” In fact,
On August 22, 2023, the Federal Trade Commission announced that as a result of an FTC lawsuit, a federal court has temporarily shut down an alleged business opportunity scheme that purportedly lured consumers to invest $22 million in online stores, using alleged unfounded claims about income and profits.
The operators of Automators also claimed to use artificial intelligence to ensure success and profitability for consumers who agreed to invest with Automators, according to the agency.
In addition to offering consumers high return as “passive investors” in profitable e-stores, Automators, which previously used the names Empire and Onyx Distribution, also offered to teach consumers how to successfully set up and manage e-stores themselves using a “proven system” and the powers of artificial intelligence, according to the FTC.
“The defendants preyed on consumers looking to provide for their families with promises of high returns and the use of AI to power such returns,” said FTC attorney Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Their lies caused consumers to lose tens of thousands of dollars, with many losing their life savings. The FTC is working to hold defendants accountable and to secure redress for their victims.”
The FTC’s complaint against defendants Roman Cresto, John Cresto, and Andrew Chapman, through their companies Automators AI, Empire Ecommerce and Onyx Distribution, claims that the vast majority of defendants’ clients did not make the promised earnings or even recoup their investment. Instead, most clients allegedly lost significant amounts and Amazon and Walmart have routinely suspended or terminated the stores that defendants operated for repeated policy violations,
On August 14, 2023, the Federal Trade Commission announced that it will require Experian Consumer Services, which offers consumers access to their Experian credit information, to pay $650,000 to settle charges it sent consumers unsolicited email without offering them a way to opt out of such messages, as required under the CAN-SPAM Act.
In a complaint filed by the Department of Justice on behalf of the FTC, the agency says that California-based Experian Consumer Services (ECS), also known as ConsumerInfo.com, Inc., spammed consumers with marketing offers after they signed up for an account with the company in order to manage their Experian credit report information.
In the emails, the FTC alleges that the company failed to provide clear and conspicuous notice of consumers’ ability to opt out of receiving additional marketing messages and a mechanism for doing so, in violation of the CAN-SPAM Act, according to the complaint.
“Signing up for a membership doesn’t mean you’re signing up for unwanted email, especially when all you’re trying to do is freeze your credit to protect your identity,” said FTC lawyer Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “You always have the right to unsubscribe from marketing messages, and the FTC takes enforcing that right seriously.”
Consumers who wish to freeze or take other steps to manage their Experian credit information online must create an account with ECS. The complaint charges that consumers who signed up for a free membership account with ECS were then sent emails promoting Experian’s products and services such as one touting Experian Boost,
FTC advertising compliance and defense attorney Richard B. Newman was recently quoted in an article for Cybersecurity Law Report titled “Xbox and Alexa COPPA Case Lessons: Avatars, Biometrics and Other New Expectations.”
The article discusses the FTC’s recent privacy enforcement run and how it reinforces regulators’ expanding expectations for companies using video and audio recordings, smart devices and AI. The article further discusses recent agency settlements with Microsoft, Amazon and educational technology provider Edmodo that drew $51 million in penalties, broke new ground on the Children’s Online Privacy Protection Act Rule enforcement and signaled new expectations for all companies’ privacy compliance.
In discussing how COPPA is a tool for financial penalties and how these cases highlight the value of COPPA enforcement to the FTC versus its Section 5 authority under the FTC Act, Mr. Newman noted that “[i]n Amazon, obviously, the $25‑million settlement amount leaps out” for Alexa’s improper retention of voice recordings in violation of COPPA.
Mr. Newman further shared that “not just the FTC, but state attorneys general are becoming increasingly interested in expanding regulation of the use and sharing of consumer data, including geolocation data.”
While the FTC contests the issue at the federal level, data brokers and those that interact with them should expect that the plaintiffs’ class action bar and state AGs may lodge claims under state “little FTC acts” that echo the FTC’s July 2022 statement about geolocation data or the biometric one,
Florida has become the latest state – approximately ten – to enact a comprehensive privacy law. On June 6, 2023, Governor DeSantis recently signed SB 262 which includes some new privacy provisions. Florida also recently passed a child privacy law that is notably similar to California’s Age Appropriation Act that becomes effective July 1, 2024.
The Florida Digital Bill of Rights Law
Covered entities (“controllers”) include those that earn $1 billion in global gross annual revenues and either (i) receive 50% of gross annual revenue from online ad sales; (ii) operate a consumer smart speaker and voice command service with an integrated virtual assistant through a cloud-connected service and hands-free verbal activation; or (iii) operate an app store or digital distribution platform that has at least 250,000 apps available for download.
Note, however, that non-covered entities that serve as data processors for covered entities may potentially be impacted. More specifically, such processors are required to support a covered entities’ compliance efforts and to maintain responsible contracts that include provisions governing data processing. In fact, the new law sets forth specific requirements that must be included in such data processing agreements.
Not unlike other states, the Florida Digital Bill of Rights Law has numerous exemptions and applies to consumer information. Exemptions include entities covered by HIPAA (and business associates), financial institutions and affiliates (subject to GLBA), non-profits, certain government entities, and higher education institutions. There are also specific data exemptions.
The United States District Court for the Middle District of Florida, Ocala Division, issued an order permanently banning the defendant from offering for sale or selling any protective goods or services, after granting the FTC’s motion for summary judgment.
The order also includes two monetary judgments against the individual, who has allegedly done business under different corporate names. The first judgment is for $989,483.69, to be returned to consumers allegedly harmed by his violations of the FTC Act and the Commission’s Mail Order Rule. The court also entered a second civil penalty judgment of $2,562.21 for his alleged violations of the FTC Act with regards to the COVID-19 Consumer Protection Act.
In a complaint filed in June 2021, the FTC alleged that he preyed upon consumers’ fear of COVID-19 by advertising the availability and quick delivery of PPE, including N95 facemasks, even though he had no basis to make those promises.
The complaint stated that he failed to deliver PPE on time (if at all), failed to notify consumers of delayed shipments, failed to offer the cancellations and refunds required by the Commission’s Mail Order Rule, and failed to honor refund requests.
When the individual eventually did deliver the products, he often sent supplies that were inferior in quality to what consumers ordered, according to the complaint. Based on this conduct, the complaint alleged that his deceptive and unfair conduct violated the Mail Order Rule, the FTC Act, and the FTC Act with regards to the COVID-19 Consumer Protection Act.
On May 23, 2023, the Federal Trade Commission hosted a national workshop designed to consider the current state of recycling practices and recycling-related advertising.
This follows an FTC announcement in December 2022 that the agency was seeking public comment on potential updates and changes to its ‘Green Guides’ for the use of environment marketing claims. The Green Guides help marketers avoid making environmental marketing claims that are unfair or deceptive under Section 5 of the FTC Act.
Updates to ‘Green Guides’
In December 2022, the FTC announced that it would seek public comment on potential updates to its “Green Guides” for the use of environmental marketing claims. FTC attorneys seek to update the Green Guides based on increasing consumer interest in buying environmentally friendly products. The comment period was extended through April 24, 2023.
“Consumers are increasingly conscious of how the products they buy affect the environment, and depend on marketers’ environmental claims to be truthful,” said FTC lawyer and Bureau of Consumer Protection Director Samuel Levine. “We look forward to this review process, and will make any updates necessary to ensure the Green Guides provide current, accurate information about consumer perception of environmental benefit claims. This will both help marketers make truthful claims and consumers find the products they seek.”
The Green Guides were first issued in 1992 and were revised in 1996, 1998, and 2012. They provide guidance on environmental marketing claims, including how consumers are likely to interpret particular claims and how marketers can substantiate these environmental claims to avoid deceiving consumers.
As previously blogged about here, the FCC recently proposed a rule that would turn the lead generation on its head. The proposed new rule goes quite a bit further than simply requiring wireless carriers to block texts from illegitimate numbers.
In addition to carrier investigation and blocking obligations, as well as an extension of DNC protections to text messages, the FCC proposes:
“…to ban the practice of obtaining a single consumer consent as grounds for delivering calls and text messages from multiple marketers on subjects beyond the scope of the original consent.”
In an illustration of the issue, Company A describes a website that purports to enable consumers to comparison shop for insurance. The website sought consumer consent for calls and texts from insurance companies and other various entities, including Company A’s ‘partner companies.’ The ‘partner companies’ were listed in a hyperlink on the web page (i.e., they were not displayed on the website without clicking on the link) and the list of ‘partner companies’ included both insurance companies and other entities that did not appear to be related to insurance.”
Public Knowledge, an influential non-profit Washington, D.C.-based public interest group argues that lead generators and data brokers use hyperlinked lists to harvest consumer telephone numbers and consent agreements on a website and pass that information to telemarketers and scam callers. Commentors have argued that the telemarketer that obtains the consumer’s contact information from the lead generator may believe that it has the consumer’s prior express consent,
On May 3, 2023, the FTC announced that it is proposing a blanket prohibition preventing Facebook from monetizing youth data. The Commission alleges that the company violated the 2020 privacy order and now proposes new protections for children and teens.
The Federal Trade Commission proposed changes to the agency’s 2020 privacy order with Facebook after alleging that the company has failed to fully comply with the order, misled parents about their ability to control with whom their children communicated through its Messenger Kids app, and misrepresented the access it provided some app developers to private user data.
“Facebook has repeatedly violated its privacy promises,” said FTC lawyer Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The company’s recklessness has put young users at risk, and Facebook needs to answer for its failures.”
As part of the proposed changes, Meta, which changed its name from Facebook in October 2021, would be prohibited from profiting from data it collects, including through its virtual reality products, from users under the age of 18.
The company would also be subject to other expanded limitations, including in its use of facial recognition technology, and required to provide additional protections for users.
This marks the third time the agency has taken action against Facebook for allegedly failing to protect users’ privacy.
The Commission first filed a complaint against Facebook in 2011, and secured an order in 2012 barring the company from misrepresenting its privacy practices.
The Federal Trade Commission recently announced a proposed a “click to cancel” provision requiring sellers to make it as simple for consumers to cancel their enrollment as it was to enroll.
According to the FTC, if consumers are unable to easily leave any program when they want to, the negative option feature becomes nothing more than a way to continue charging them for products they no longer want. To address this issue, the proposed rule would require businesses to make it at least as easy to cancel a subscription as it was to start it. For example, if a consumer can sign-up online, cancellation much be able to be effectuated on the same website, in the same number of steps.
But that’s not all the FTC is proposing regarding subscriptions and recurring payments.
The FTC is also proposing:
- Expanded Scope: The proposed “Rule Concerning Recurring Subscriptions and Other Negative Option Plans” would cover all forms of negative option marketing, whether via internet, phone, through print materials, and in-person transactions. Any persons “selling, offering, promoting, charging for, or otherwise marketing a negative option feature” would be subject to the new Rule.
- Additional Consent Requirements: The proposed rule requires marketers to obtain independent consent for the negative option feature and precludes the inclusion of additional information that could interfere a consumer’s ability to provide consent. It sets forth requirements about how consent must be obtained. Marketers would be required to obtain consent for the whole transaction and maintain proof for three years.
About This Blog and Hinch Newman’s Advertising + Marketing Practice
Hinch Newman LLP’s advertising and marketing practice includes successfully resolving some of the highest-profile Federal Trade Commission (FTC) and state attorneys general digital advertising and telemarketing investigations and enforcement actions. The firm possesses superior knowledge and deep legal experience in the areas of advertising, marketing, lead generation, promotions, e-commerce, privacy and intellectual property law. Through these advertising and marketing law updates, Hinch Newman provides commentary, news and analysis on issues and trends concerning developments of interest to digital marketers, including FTC and state attorneys general advertising compliance, civil investigative demands (CIDs), and administrative/judicial process. This blog is sponsored by Hinch Newman LLP.