Privacy Law Blog

Category Archives: FTC Enforcement

Subscribe to FTC Enforcement RSS Feed

The Legacy of the RadioShack Bankruptcy and the Importance of PII

Customer information has become an increasingly valuable business asset.  And, the volume and detail of other available information about consumers has increased along with it, well beyond mere customer names and addresses to preferences, purchasing history, and online activity.  This means that when a business is sold, customer information is often sold along with it.  … Continue Reading

FTC Issues Report and Privacy Best Practices for the Internet of Things

On January 27, 2015 the Federal Trade Commission (the “FTC”) issued a report detailing best practices and recommendations that businesses engaged in the Internet of Things (“IoT”) can follow to protect consumer privacy and security. The IoT refers to the connection of everyday objects to the Internet and the transmission of data between those devices. … Continue Reading

Learning from the Past: The FTC Bans Undisclosed History Sniffing

It has been said that we must learn from the past to profit by the present. Taking this literally in this digital age of ours, one online advertising company has found this maxim to have some serious privacy implications as evidenced by the FTC order last week banning undisclosed history sniffing practices.… Continue Reading

Shaking Up the Settlement Process: FTC Reconsiders Whether Companies Can Deny Wrongdoing While Settling Privacy Violation Claims

The Federal Trade Commission (“FTC”) recently announced settlements of cases brought against Google and Facebook for alleged privacy violations. The Google settlement drew headlines for being the largest fine ever assessed for the violation of a FTC consent order ($22.5 million).  But Commissioner J. Thomas Rosch’s dissents are perhaps more momentous, as they have prompted the … Continue Reading

Peek-A-Boo The FTC Sees You: A Need to Know for Members of the Kids App Eco-System

Whether your six year old has hijacked your iPad again to rediscover the inexplicable joy of flinging birds with a finger activated slingshot or to harness her mighty math powers in the origami-paved streets of Umi City, children are tapping into the spring of entertainment and educational value offered by the mobile applications marketplace. Yet, according to a study issued last week by the Federal Trade Commission "Mobile Apps for Kids: Current Privacy Disclosures are DisAPPointing", the lack of privacy disclosures in these apps may hint at deeper laden privacy pitfalls which members of the kids app ecosystem may soon have to remedy. … Continue Reading

Do I really have to obtain consent from all my customers to make a change to my privacy policy?

"Do I really have to obtain consent from all my customers to make a change to my privacy policy?  No one else seems to be following that rule." We get this question all the time.  It is understandable, given that we often watch Web-based companies expand their usage of consumer data without the affirmative consent … Continue Reading

Facebook Accedes to the FTC’s Poke, Settles FTC’s Charges

Facebook recently agreed to settle charges by the Federal Trade Commission (FTC) that Facebook violated the FTC Act. The FTC-Facebook settlement, which is still subject to final FTC approval, prohibits Facebook from making misrepresentations about the privacy or security of its users' personal information, requires Facebook to obtain users' affirmative consent before enacting changes that override the users' privacy preferences, and requires Facebook to prevent anyone from accessing material posted by a user more than 30 days after such user deleted his or her account. Similar to the March 2011 FTC-Google settlement, the Facebook settlement requires that Facebook enact a comprehensive privacy program and not misrepresent its compliance with the US-EU Safe Harbor Principles. As we previously reported, these two requirements are relatively new FTC settlement terms, which were first used in March 2011. … Continue Reading

The FTC Has Your Back, Even When It’s Naked: FTC Orders P2P Program’s Default File Sharing Settings Changed

FrostWire LLC (a P2P file-sharing software company) agreed to change the default privacy settings on its mobile and desktop applications and agreed to clearly disclose its applications' content sharing options pursuant to a settlement agreement with the FTC which resulted from claims by the FTC that FrostWire's content sharing practices violated the FTC Act. … Continue Reading

FTC Fines First Mobile App Developer for COPPA Violation

On Monday, the Federal Trade Commission (FTC) announced that mobile application developer W3 Innovations, LLC (d/b/a Broken Thumbs Apps), has agreed to pay a fine of $50,000 in order to settle charges that it collected and disclosed personal information from children under the age of 13 without first notifying parents of information-collection policies or obtaining verifiable … Continue Reading

FTC-Google Settlement Marks Two “Firsts” in FTC Privacy Enforcement

Google recently settled charges by the Federal Trade Commission (FTC) that Google's social networking service, Buzz, violated the FTC Act. The FTC-Google settlement prohibits Google from misrepresenting the extent to which it maintains and protects the confidentiality of users' information and from misrepresenting its compliance with the US-EU Safe Harbor Framework. In that regard, the settlement represents two important "firsts" in FTC enforcement. … Continue Reading

Credit Report Resellers Settle FTC Charges Over Poor Security

The Federal Trade Commission recently announced that it reached a settlement with three consumer credit report resellers whose information security practices and procedures were not sufficient to prevent hackers to obtain more than 1,800 consumer credit reports without authorization. The settlement resolves allegations that the resellers violated the Fair Credit Reporting Act, the FTC Act and … Continue Reading

Twitter’s Settlement With the FTC Demonstrates that “Reasonable Security” Isn’t Only About Online Commerce

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter's promises on its website to protect the personal information of its users, Twitter's practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users. … Continue Reading

The FTC Brings 27th Case for “Faulty Data Security Practices”

On March 25, 2010, the Federal Trade Commission ("FTC") announced that it had entered into a settlement with entertainment operator, Dave & Buster's, Inc., for alleged violations of Section 5(a) of the FTC Act, and for "engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks." The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices. … Continue Reading

Life Unlocked? FTC and 35 State Attorneys General Ding LifeLock, Inc. for Deceptive Claims and Poor Data Security

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. which resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. In the words of FTC Chairman Jon Leibowitz, "While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it." … Continue Reading

FTC Tells Sears That Consumer Disclosures Must be More Conspicuous

Over the course of the last decade, many companies have become accustomed to notifying consumers of their data collection practices in their online privacy policy.  However, in a recent proposed settlement, the FTC indicated that, at least under the facts before them, disclosures that were “buried” in a privacy policy were not sufficient. On June … Continue Reading

Doesn’t Alice Live Here Anymore? FACTA and the Address Discrepancy Rule

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy  by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially … Continue Reading

Federal Court Enjoins Sale of Keylogger Program

A U.S. District Court for the Middle District of Florida recently issued a preliminary injunction ordering CyberSpy Software, LLC to stop promoting and selling “RemoteSpy,” a keylogger software program that, once installed on a computer, collects information regarding use of the computer.… Continue Reading

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and … Continue Reading

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging data security practices by a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, avoid future misrepresentations about its data security practices, and receive independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine. … Continue Reading

For Companies Whose Data Security Practices Are Lacking, Life is [Not So] Good

The Federal Trade Commission announced on January 17, 2008 that it has agreed in principle to a consent order with Life is good, Inc. and Life is good Retail, Inc. (collectively "Life is good") resolving allegations that the apparel company collected sensitive information from consumers and failed to secure it in compliance with its own privacy and security policies. The consent order against Life is good, among other things, prohibits future deceptive privacy and security claims and requires the company to implement a comprehensive information security program that includes biennial audits by an independent security professional for the next twenty years. … Continue Reading

First FACTA Disposal Rule FTC Settlement Leaves American United Down in the Dumps

On December 18, the FTC announced a settlement in its 15th case (and its first in 13 months) addressing the data security practices of companies handling sensitive consumer information. American United Mortgage Company agreed to pay a $50,000 penalty for failing to implement reasonable safeguards to protect customer information and failing to provide customers with privacy notices. … Continue Reading