Privacy and Data Security
On August 30, 2024, the Federal Trade Commission announced that the Department of Justice filed a complaint upon notification and referral from the FTC against a surveillance camera company that allegedly failed to provide reasonable security for the personal information it collected—including 150,000 live camera feeds in sensitive areas like psychiatric hospitals, women’s health clinics, elementary schools and prison cells.
According to the complaint, these alleged failures allowed a threat actor – in March 2021 – to remotely access the company’s customer camera feeds and watch consumers live, without their knowledge or consent. Despite the purported invasive security breach, the company allegedly remained unaware of the threat actor’s exploration until the threat actor self-reported the hack to the media.
According to the FTC, the vast majority of the company’s customers throughout the U.S. and abroad include small businesses spanning multiple industries, including education, government, healthcare, and hospitality. The FTC says that the compromise went beyond the company’s security cameras. According to the complaint, the threat actor also exfiltrated data about the company’s own customers, mostly businesses, including, but not limited to, names, email addresses, physical addresses, usernames and password hashes, and geolocation data for security cameras.
The company’s alleged security failures “are in stark contrast to its many public promises to keep personal and customer information safe,” according to the FTC.
According to the complaint, the company’s own privacy policy claimed that the company “take[s] customer privacy seriously,” and “[w]e will use best-in-class data security tools and best practices to keep your data safe and protect [the company’s] products from unauthorized access.”
The FTC also states that the company publicly promised that it was HIPAA certified or compliant and that it followed the EU-U.S.
On August 7, 2024, the Federal Communications Commission proposed new consumer protections against AI-generated robocalls and robotexts. The Notice of Proposed Rulemaking broadens the FCC’s efforts to address AI’s impact on the rights of consumers under the Telephone Consumer Protection Act.
The NPRM seeks comment on the definition of AI-generated calls, requiring callers to disclose their use of AI-generated calls and text messages, supporting technologies that alert and protect consumers from unwanted and illegal AI robocalls, and protecting positive uses of AI to help people with disabilities utilize the telephone networks.
The Notice of Proposed Rulemaking proposes a definition of “AI-generated calls” that would include calls using artificial intelligence to generate voice or text. For purposes of identifying the types of calls that would be subject to the new proposed rules, the FCC proposes to define “AI generated call” as “a call that uses any technology or tool to generate an artificial or prerecorded voice or a text using computational technology or other machine learning, including predictive algorithms, and large language models, to process natural language and produce voice or text content to communicate with a called party over an outbound telephone call.”
The definition proposed by the FCC is broad enough to encompass existing and evolving AI technologies. Importantly, it is limited to outbound calls. AI technologies that are used to answer inbound calls are not within the scope of the proposed definition of “AI-generated calls.”
“We believe this definition is consistent with federal and state AI definitions cited in the AI NOI,
On July 30, 2024, New York Attorney General Letitia James announced the launch of two privacy guides on the Office of the Attorney General (OAG) website: a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web.
The Business Guide is intended to help businesses better protect visitors to their websites by identifying common mistakes the OAG’s office believes businesses make when deploying tracking technologies, processes they can use to help identify and prevent issues, and guidance for ensuring they comply with New York law. The Consumer Guide is intended to assist New Yorkers by offering tips they can use to protect their privacy when browsing the web, including how to safeguard against unwanted online tracking.
The OAG issued the guides following a review that purportedly uncovered unwanted tracking on more than a dozen popular websites, collectively serving more than 75 million visitors per month.
“When New Yorkers visit websites, they deserve to have the peace of mind that they won’t be tracked without their knowledge, and won’t have their personal information sold to advertisers,” said Attorney General James. “All too often, visiting a webpage or making a simple search will result in countless ads popping up on unrelated websites and social media. When visitors opt out of tracking, businesses have an obligation to protect their visitors’ personal information, and consumers deserve to know this obligation is being fulfilled. These new guides that my team launched will help protect New Yorkers’ privacy and make websites safer places to visit.”
While many websites provide visitors with information about the tracking that takes place and controls to manage that tracking,
The Federal Trade Commission and the U.S. Department of Justice possess both overlapping and distinct authority to challenge anti-competitive practices under federal law. The FTC enforces, without limitation, the FTC Act and the Clayton Act. The DoJ enforces, without limitation, the Sherman Act and the Clayton Act. The FTC also may refer evidence of criminal antitrust violations to the DoJ. Only the DoJ can obtain criminal sanctions.
The FTC primarily focuses on policing deceptive or unfair business practices and unfair methods of competition. The DoJ enforces a much wider range of legal regulations on behalf of the federal government. Sometimes, the federal agencies cooperate on antitrust issues. There is a clearance process to determine which federal agency will investigate and enforce a particular matter.
FTC and Department of Justice Announce Public Strike Force on Unfair and Illegal Pricing Meeting
On July 26, 2024, the Federal Trade Commission and U.S. Justice Department announced the first public meeting of the Strike Force on Unfair and Illegal Pricing on Thursday, August 1, 2024, to discuss Strike Force enforcement actions taken to lower prices for Americans.
The meeting will include an open-press session with remarks by FTC attorney and Chair Lina M. Khan, Associate Attorney General Benjamin C. Mizer, Assistant Attorney General for the Antitrust Division Jonathan S. Kanter, and Principal Deputy Assistant Attorney General for the Civil Division Brian M. Boynton. Senior officials from other agencies will then offer remarks as well.
On July 23, 2024, the Federal Trade Commission announced the issuance of orders to eight companies offering surveillance pricing products and services that incorporate data about consumers’ characteristics and behavior. The orders were sent to: Mastercard, Revionics, Bloomreach, JPMorgan Chase, Task Software, PROS, Accenture, and McKinsey & Co.
The orders seek information about the potential impact these practices have on privacy, competition and consumer protection.
The orders are aimed at helping the FTC better understand the opaque market for products by third-party intermediaries that claim to use advanced algorithms, artificial intelligence and other technologies, along with personal information about consumers—such as their location, demographics, credit history, and browsing or shopping history—to categorize individuals and set a targeted price for a product or service.
The study is aimed at helping the FTC better understand how surveillance pricing is affecting consumers, especially when the pricing is based on surveillance of an individual’s personal characteristics and behavior.
“Firms that harvest Americans’ personal data can put people’s privacy at risk. Now firms could be exploiting this vast trove of personal information to charge people higher prices,” said FTC lawyer and Chair Lina M. Khan. “Americans deserve to know whether businesses are using detailed consumer data to deploy surveillance pricing, and the FTC’s inquiry will shed light on this shadowy ecosystem of pricing middlemen.”
The FTC is using its 6(b) authority, which authorizes the Commission to conduct wide-ranging studies that do not have a specific law enforcement purpose,
As previously blogged about here, the Federal Communications Commission recently published the final, single-seller, one-to-one lead generator consent rule (the “Rule”). The Rule amends the definition of “prior express written consent” for purposes of the Telephone Consumer Protection Act and will dramatically impact the lead generation industry.
How Does the New One-to-One, Single Seller Rule Impact Lead Generation?
When utilizing regulated technologies such as automatic telephone dialing systems (“ATDS”), artificial or prerecorded voice telephone calls, artificial intelligence voice telephone calls, outbound interactive voice response, and voicemail technology using artificial or pre-recorded voice messages, consumers will be required to select each “seller” – the ultimate provider – of a product or service from whom they want to receive telephone calls.
Note that manual dialing may not provide cover, including insofar as telephone numbers on a do-not-call registry and various state legal regulations are concerned.
Further note that single “seller” consent does not encompass lead generators and other intermediaries, with potentially limited exception. Furthermore, it also appears that sharing consent across corporate affiliates will also be considered a Rule violation.
The cost of violating any of the Rule’s provisions is potentially devastating. Plaintiffs’ attorneys will be ready to pounce. Do not attempt to secure compliance on your own. Contact an FTC lawyer to discuss legal regulatory considerations for keeping you and your business from becoming low hanging fruit.
The effective date for the single seller provisions of the Rule is January 2025.
On June 18, 2024, the Federal Trade Commission released a statement regarding the agency’s referral to the Department of Justice of a complaint against TikTok, the successor to Musical.ly, and its parent company ByteDance Ltd.
The FTC’s investigation of these companies began in connection with its order compliance review of Musical.ly following a 2019 settlement with the company for alleged violations of the Children’s Online Privacy Protection Act. The FTC also investigated additional potential violations of COPPA and the FTC Act, according to the statement.
The investigation uncovered reason to believe named defendants are violating or are about to violate the law and that a proceeding is in the public interest, so the FTC has voted to refer a complaint to the DOJ, according to the procedures outlined in the FTC Act.
The FTC does not typically make public the fact that it has referred a complaint. Here, however, the agency states that it has “determined that doing so here is in the public interest.”
Richard B. Newman is an FTC defense lawyer at Hinch Newman LLP. Follow FTC defense attorney on X.
Informational purposes only. Not legal advice. May be considered attorney advertising.
On June 7, 2024, the New York Attorney General announced that it applauds the passage of two legislative bills designed to protect children online and address youth mental health in conjunction with the use of social media.
The bills, sponsored by Senator Andrew Gounardes and Assemblymember Nily Rozic, and advanced by Attorney General James in October 2023, are designed to protect children by prohibiting online websites from collecting and sharing their personal data and “limiting addictive features of social media platforms that are known to harm their mental health and development. The nation-leading legislation will serve as a model for other states to follow as governments work to curb the most dangerous aspects of social media to protect children online.”
“Our children are enduring a mental health crisis, and social media is fueling the fire and profiting from the epidemic,” said Attorney General James. “The legislation my team worked on and supported along with bill sponsors Senator Gounardes and Assemblymember Rozic will help address the addictive features that have made social media so insidious and anxiety-producing. I applaud Governor Hochul, Senate Majority Leader Stewart-Cousins, Assembly Speaker Heastie, and the legislative majorities for supporting this legislation and for agreeing that protecting children’s mental health must be a top priority. New York state is once again leading the nation, and I hope other states will follow suit and pass legislation to protect children and put their mental health above big tech companies’ profits.”
According to the New York AG’s office,
On December 6, 2023, Federal Communications Commission Chairwoman Jessica Rosenworcel announced a new initiative to strengthen and formalize the cooperation between the FCC and its state partners on privacy, data protection and cybersecurity enforcement matters.
As part of the work of the FCC’s Privacy and Data Protection Task Force, the FCC’s Enforcement Bureau has signed Memoranda of Understanding with Attorneys General of Connecticut, Illinois, New York and Pennsylvania to share expertise, resources and coordinated efforts in conducting privacy, data protection and cybersecurity-related investigations to protect consumers.
The Memoranda of Understanding
The new MOUs affirm that the FCC and State Attorneys General “share close and common legal interests in working cooperatively to investigate and, where appropriate, prosecute or otherwise take enforcement action in relation to privacy, data protection or cybersecurity issues” under sections 201 and 222 of the Communications Act.
Coordinated action and information sharing will take place under all applicable federal and state laws, and privacy protections.
Federal and State Comments
FCC Chairwoman Rosenworcel said, in pertinent part, that “[d]efending consumer privacy is an all-of-government responsibility and a shared challenge. Today we take on evolving consumer threats with new formal partnerships with state law enforcement leaders, which have already been successful in obtaining record-breaking results in combatting illegal robocalls.”
FCC Enforcement Bureau Chief Loyaan A. Egal said, in pertinent part, that “[u]se of information and communications technology and services have significantly enhanced our lives while at the same time increasing vulnerabilities to our privacy and sensitive data.
On December 13, 2023, the Federal Communications Commission adopted new rules designed to protect consumers from “scam communications” by directly addressing some of the “biggest vulnerabilities” in America’s robotext defenses and closing the “lead generator” robocall/robotexts loophole.
The new rules allow blocking of “red flagged” robotexting numbers, codify Do-Not-Call rules for texting, and encourage an opt-in approach for delivering email-to-text messages.
Closing the Lead Generator Loophole
The new rules close a loophole through which “unscrupulous robocallers and robotexters inundate consumers with unwanted and illegal robocalls and robotexts.” The new rules make it unequivocally clear that comparison shopping websites and lead generators must obtain consumer consent to receive robocalls and robotexts one seller at a time – rather than have a single consent apply to multiple telemarketers at once.
Combating Robotext Sources
The new rules allow the FCC to “red flag” certain numbers, requiring mobile carriers to block texts from those numbers. The rules also codify that Do-Not-Call list protections apply to text messaging, making it illegal for marketing texts to be sent to numbers on the registry. And the order encourages providers to make email-to-text messages an opt-in service, which would limit the effectiveness of a major source of unwanted and illegal text messages.
Groundwork for Future Steps
In addition to the rules, the FCC also proposed and will take public comment on additional steps it might take against robotexts. The FCC proposes additional blocking requirements when the FCC notifies a provider of a likely “scam text-generating number.” The FCC will also seek further comment on text message authentication – modeled on the implementation of STIR/SHAKEN protocols for phone calls – including on the status of any industry standards in development.
About This Blog and Hinch Newman’s Advertising + Marketing Practice
Hinch Newman LLP’s advertising and marketing practice includes successfully resolving some of the highest-profile Federal Trade Commission (FTC) and state attorneys general digital advertising and telemarketing investigations and enforcement actions. The firm possesses superior knowledge and deep legal experience in the areas of advertising, marketing, lead generation, promotions, e-commerce, privacy and intellectual property law. Through these advertising and marketing law updates, Hinch Newman provides commentary, news and analysis on issues and trends concerning developments of interest to digital marketers, including FTC and state attorneys general advertising compliance, civil investigative demands (CIDs), and administrative/judicial process. This blog is sponsored by Hinch Newman LLP.