Privacy Law Blog

Amid a Spate of Activity, COPPA Remains an FTC Enforcement Priority

Earlier this month, the FTC sent a letter to Wildec, LLC, the Ukraine-based maker of several mobile dating apps, alleging that the apps were collecting the personal information and location data of users under the age of 13 without first obtaining verifiable parental consent or otherwise complying with the Children’s Online Privacy Protection Act (COPPA). The letter pressed the operator to delete personal information on children (and thereafter comply with COPPA and obtain parental consent before allowing minors to use the apps) and disable any search functions that allow users to locate minors. The letter also advised that the practice of allowing children to create public dating profiles could be deemed an unfair practice under the FTC Act. Subsequently, the three dating apps in question were removed from Apple’s App Store and Google’s Google Play Store following the FTC allegations, showing the real world effects of mere FTC allegations, a response that might ultimately compel Wildec, LLC to comply with the statute (and cause other mobile apps to reexamine their own data collection practices). Wildec has responded to the FTC’s letter by “removing all data from under age accounts” and now prevents minors under the age of 18 from registering on the dating apps. Continue Reading

CCPA: The California Senate is Not Ready to Expand the Consumer Right of Action

Senate Bill 561’s smooth sail through the California legislature came to an end on Thursday, May 16.  On the eve of the deadline for all fiscal committees to hear and report on the bills introduced in their house, the Senate Appropriations committee decided to hold the bill. Meaning, SB 561 will not pass out of the Senate this session.

Notably, the controversial bill was a proposed CCPA amendment that threatened to expand the Act’s private right of action by allowing consumers to bring actions when any of their CCPA rights were violated.  Currently, the CCPA only permits consumers to bring actions in the event of a data breach.  For a detailed review of the CCPA, please view our previous posts.

The bill would have also affected the way that the Attorney General could enforce the CCPA.  The CCPA provides businesses that have violated the Act 30 days to cure the violation, and allows businesses and third parties to request guidance from the Attorney General on how to comply with the Act.  The bill would have eliminated the 30-day window and would have put the onus on the Attorney General to promulgate any guidance.  A more detailed review of SB 561 is available in a previous post.

While this does not necessarily mean it’s the end of the road for SB 561 – after all, the CCPA was resurrected from an inactive file – it does mean good-bye for now.

French DPA Issues Robust Model Regulation for Biometric Access Controls in the Workplace

In late March, the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (“CNIL”) released a model regulation (the “Model Regulation”) governing the use of biometric access controls in the workplace.  Unlike many items of personal information, biometric data (such as a person’s face or fingerprints) is unique and, if stolen or otherwise compromised, cannot be changed to avoid misuse.  Under Article 9 of the GDPR, biometric data collected “for the purpose of uniquely identifying a natural person” is considered “sensitive” and warrants additional protections.  The GDPR authorizes Member States to implement such additional protections.  As such, the French Data Protection Act 78-17 of 6 January 1978, as amended, now provides that employers – whether public or private – wishing to use biometric access controls must comply with binding model regulations adopted by the CNIL, the first of which is the Model Regulation.

Continue Reading

The European Parliament Approves EU-Wide Standard for Whistleblower Protection

Per our previous post, the European Parliament and the Member States agreed to adopt new rules that would set the standard for protecting whistleblowers across the EU from dismissal, demotion, and other forms of retaliation when they report breaches of various areas of EU law. According to a press release issued by the European Parliament on April 16, 2019, the Parliament approved these changes by an overwhelming majority. The new rules require that employers create safe reporting channels within their organization, protect whistleblowers who bypass internal reporting channels and directly alert outside authorities, including the media under certain circumstances, and require that national authorities provide independent information regarding whistleblowing. This legislation marks a significant departure from the jurisdiction-specific approach that has resulted in disparate protection across Europe, with some jurisdictions, like Germany and France, offering relatively limited protection when compared to other jurisdictions, such as the UK. These changes, if approved by the EU ministers, will set a uniform baseline and therefore considerably increase whistleblower protections in the EU. Member States will have two years to achieve compliance. For an additional discussion as to the implications of this legislation, see this article by The New Times. We will continue to monitor this development.

With Regulators Increasing Focus on Spam Robocalls, Arkansas Follows Others States in Passing Anti-Spoofing Privacy Law

Unwanted robocalls reportedly totaled 26.3 billion calls in 2018, sparking more and more consumer complaints to the FCC and FTC and increased legislative and regulatory activity to combat the practice. Some automated calls are beneficial, such as school closing announcements, bank fraud warnings, and medical notifications, and some caller ID spoofing is justified, such as certain law enforcement or investigatory purposes and domestic violence shelter use.  However, consumers have been inundated with spam calls – often with spoofed local area codes – that display fictitious caller ID information or circumvent caller ID technology in an effort to increase the likelihood consumers will answer or otherwise defraud consumers. To combat the rash of unwanted calls, Congress and federal regulators advanced several measures in 2019 and states have tightened their own telecommunications privacy laws in the past year.  For example, within the last week, the Arkansas governor signed into law S.B. 514, which boosts criminal penalties for illegal call spoofing and creates an oversight process for telecommunications providers.

Continue Reading

In Groundbreaking Settlements, Attorneys General Find Fake Social Media Engagement Illegal

On January 30, 2019, the Office of the New York Attorney General (“NY AG”) and the Office of the Florida Attorney General (“Florida AG”) announced settlements with Devumi LLC and its offshoot companies (“Devumi”), which sold fake social media engagement, such as followers, likes and views, on various social media platforms. According to the NY AG, such social media engagement is fake in that “it purports to reflect the activity and authentic favor of actual people on the platform, when in fact the activity was not generated by actual people and/or does not reflect genuine interest.”

These settlements are the first in the United States to find that selling fake social media engagement constitutes illegal deception and that using stolen social media identities to engage in online activity is illegal. The NY AG emphasized that the New York settlement sends a “clear message that anyone profiting off of deception and impersonation is breaking the law and will be held accountable.”

Continue Reading

EU Agrees to Set the Floor for Whistleblower Protection Across All Member States

According to a press release issued by the European Commission today, the European Parliament and the Member States have agreed to adopt new rules that set the standard for protecting individuals who blow the whistle on breaches of EU law from dismissal, demotion, and other forms of retaliation. This reform, which was first proposed by the European Commission in April 2018, seeks to replace the patchwork of whistleblower protections that currently exist across the Member States with a uniform approach. If formally adopted by the Parliament and Council, the new rules would protect those who report violations of various areas of EU law, including data protection, and Member States could extend protection to other areas of the law as well. Employers would have an obligation to create safe reporting channels within the organization, and whistleblowers, while encouraged to report internally first, also would be protected when reporting to public authorities. Additionally, whistleblowers could safely report violations directly to the media if no action was taken, if a report to the authorities would be futile, or when the violation is an “imminent” or “manifest” danger to the public interest. Lastly, the new rules would require that national authorities inform citizens and train public authorities on various aspects of whistleblowing. We will continue to monitor this development.

LexBlog