Header graphic for print
Privacy Law Blog

Category Archives: FTC Enforcement

Subscribe to FTC Enforcement RSS Feed

Shaking Up the Settlement Process: FTC Reconsiders Whether Companies Can Deny Wrongdoing While Settling Privacy Violation Claims

Posted in FTC Enforcement, Online Privacy

The Federal Trade Commission (“FTC”) recently announced settlements of cases brought against Google and Facebook for alleged privacy violations. The Google settlement drew headlines for being the largest fine ever assessed for the violation of a FTC consent order ($22.5 million).  But Commissioner J. Thomas Rosch’s dissents are perhaps more momentous, as they have prompted the… Continue Reading

Peek-A-Boo The FTC Sees You: A Need to Know for Members of the Kids App Eco-System

Posted in FTC Enforcement

Whether your six year old has hijacked your iPad again to rediscover the inexplicable joy of flinging birds with a finger activated slingshot or to harness her mighty math powers in the origami-paved streets of Umi City, children are tapping into the spring of entertainment and educational value offered by the mobile applications marketplace. Yet, according to a study issued last week by the Federal Trade Commission “Mobile Apps for Kids: Current Privacy Disclosures are DisAPPointing”, the lack of privacy disclosures in these apps may hint at deeper laden privacy pitfalls which members of the kids app ecosystem may soon have to remedy.

Do I really have to obtain consent from all my customers to make a change to my privacy policy?

Posted in Data Privacy Laws, FTC Enforcement, Online Privacy

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule." We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent… Continue Reading

Facebook Accedes to the FTC’s Poke, Settles FTC’s Charges

Posted in FTC Enforcement

Facebook recently agreed to settle charges by the Federal Trade Commission (FTC) that Facebook violated the FTC Act. The FTC-Facebook settlement, which is still subject to final FTC approval, prohibits Facebook from making misrepresentations about the privacy or security of its users’ personal information, requires Facebook to obtain users’ affirmative consent before enacting changes that override the users’ privacy preferences, and requires Facebook to prevent anyone from accessing material posted by a user more than 30 days after such user deleted his or her account. Similar to the March 2011 FTC-Google settlement, the Facebook settlement requires that Facebook enact a comprehensive privacy program and not misrepresent its compliance with the US-EU Safe Harbor Principles. As we previously reported, these two requirements are relatively new FTC settlement terms, which were first used in March 2011.

The FTC Has Your Back, Even When It’s Naked: FTC Orders P2P Program’s Default File Sharing Settings Changed

Posted in FTC Enforcement

FrostWire LLC (a P2P file-sharing software company) agreed to change the default privacy settings on its mobile and desktop applications and agreed to clearly disclose its applications’ content sharing options pursuant to a settlement agreement with the FTC which resulted from claims by the FTC that FrostWire’s content sharing practices violated the FTC Act.

FTC Fines First Mobile App Developer for COPPA Violation

Posted in Children's Online Privacy Protection Act, FTC Enforcement

On Monday, the Federal Trade Commission (FTC) announced that mobile application developer W3 Innovations, LLC (d/b/a Broken Thumbs Apps), has agreed to pay a fine of $50,000 in order to settle charges that it collected and disclosed personal information from children under the age of 13 without first notifying parents of information-collection policies or obtaining verifiable… Continue Reading

FTC-Google Settlement Marks Two “Firsts” in FTC Privacy Enforcement

Posted in FTC Enforcement, Online Privacy

Google recently settled charges by the Federal Trade Commission (FTC) that Google’s social networking service, Buzz, violated the FTC Act. The FTC-Google settlement prohibits Google from misrepresenting the extent to which it maintains and protects the confidentiality of users’ information and from misrepresenting its compliance with the US-EU Safe Harbor Framework. In that regard, the settlement represents two important “firsts” in FTC enforcement.

Credit Report Resellers Settle FTC Charges Over Poor Security

Posted in FTC Enforcement

The Federal Trade Commission recently announced that it reached a settlement with three consumer credit report resellers whose information security practices and procedures were not sufficient to prevent hackers to obtain more than 1,800 consumer credit reports without authorization. The settlement resolves allegations that the resellers violated the Fair Credit Reporting Act, the FTC Act and… Continue Reading

Twitter’s Settlement With the FTC Demonstrates that “Reasonable Security” Isn’t Only About Online Commerce

Posted in FTC Enforcement, Identity Theft, Online Privacy

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.

The FTC Brings 27th Case for “Faulty Data Security Practices”

Posted in FTC Enforcement

On March 25, 2010, the Federal Trade Commission (“FTC”) announced that it had entered into a settlement with entertainment operator, Dave & Buster’s, Inc., for alleged violations of Section 5(a) of the FTC Act, and for “engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks.”
The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices.

Life Unlocked? FTC and 35 State Attorneys General Ding LifeLock, Inc. for Deceptive Claims and Poor Data Security

Posted in FTC Enforcement

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. which resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

FTC Tells Sears That Consumer Disclosures Must be More Conspicuous

Posted in Behavioral Marketing, Data Privacy Laws, FTC Enforcement, Online Privacy, Spyware

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy.  However, in a recent proposed settlement, the FTC indicated that, at least under the facts before them, disclosures that were “buried” in a privacy policy were not sufficient. On June… Continue Reading

Doesn’t Alice Live Here Anymore? FACTA and the Address Discrepancy Rule

Posted in FTC Enforcement

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy  by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially… Continue Reading

Federal Court Enjoins Sale of Keylogger Program

Posted in FTC Enforcement

A U.S. District Court for the Middle District of Florida recently issued a preliminary injunction ordering CyberSpy Software, LLC to stop promoting and selling “RemoteSpy,” a keylogger software program that, once installed on a computer, collects information regarding use of the computer.

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

Posted in FTC Enforcement

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and… Continue Reading

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

Posted in FTC Enforcement

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

For Companies Whose Data Security Practices Are Lacking, Life is [Not So] Good

Posted in FTC Enforcement

The Federal Trade Commission announced on January 17, 2008 that it has agreed in principle to a consent order with Life is good, Inc. and Life is good Retail, Inc. (collectively “Life is good”) resolving allegations that the apparel company collected sensitive information from consumers and failed to secure it in compliance with its own privacy and security policies. The consent order against Life is good, among other things, prohibits future deceptive privacy and security claims and requires the company to implement a comprehensive information security program that includes biennial audits by an independent security professional for the next twenty years.

First FACTA Disposal Rule FTC Settlement Leaves American United Down in the Dumps

Posted in FTC Enforcement

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices.