Although 2024 saw several states enact comprehensive privacy legislation, another year is nearly gone, and we still do not have a comprehensive federal privacy law to resolve the rapidly evolving patchworks of state laws. Despite the lack of comprehensive privacy legislation, privacy and cybersecurity were hot button issues across key federal agencies, such as the FTC and FCC, with significant enforcement activity throughout the year. In this edition of our Twelve Days of Data series, we highlight key developments across a few key federal agencies.
To no surprise, the Federal Trade Commission (FTC) was intensely focused on privacy and cybersecurity throughout 2024. We also saw important activity out of the Federal Communications Commission (FCC), which, among other things, issued guidance regarding the Telephone Consumer Protection Act (TCPA).
Federal Trade Commission
In 2024, we saw a heavy focus by the FTC on the collection and sharing of health data, geolocation data and children’s data. A noteworthy case has been the FTC’s ongoing case against data-analysis company Kochava, whereby the FTC alleged that Kochava unfairly collected and disclosed geolocation and other sensitive data to third parties.
The FTC has been increasingly focused on protecting children’s privacy. In July 2024, the FTC, together with the Los Angeles District Attorney’s Office, announced their settlement against NGL Labs, LLC and two of the company’s co-founders, regarding their anonymous messaging application. Although the settlement contains no admissions by NGL, the FTC alleged that the app unfairly marketed to kids and teens, sent fake messages to drive usage, tricked users into signing up for the company’s premium, paid service, and failed to obtain consent for recurring charges. Under the settlement, the defendants will pay $5 million and are banned from offering their app to anyone under the age of 18. Since 2020, the FTC has brought at least 42 Children’s Online Privacy Protection Act (“COPPA”) cases, collecting more than $532 million in civil penalties.
We also saw the FTC focus on browsing data, with its enforcement action against cybersecurity software company Avast Limited for allegedly selling granular consumer web browsing data for advertising purposes. The settlement with Avast required the company to pay $16.5 million and prohibited the sale or license of such data for advertising purposes. Further, under the settlement, Avast is required to obtain affirmative express consent from consumers before selling, licensing, or otherwise disclosing web browsing data from non-Avast products to third parties for advertising purposes, and is required to implement a comprehensive privacy program addressing the alleged misconduct.
With respect to health data, the FTC updated its Health Breach Notification Rule (HBNR) on April 26, 2024. The updated rule clarifies that the HBNR applies to personal health information collected from health apps, fitness trackers and wearable devices, as well as online services that collect health data, along with vendors that access such data. Under the amended HBNR timing requirements, entities must notify the FTC at the same time that they notify affected individuals, and if the breach affected more than 500 individuals, the business must issue the notification without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
The FTC has also taken an increased focus on financial privacy. In May 2024, the FTC finalized an order against Blackbaud, Inc. for alleged lax security practices that enabled a threat actor to breach the company’s network and access sensitive data of millions of consumers. Under the order, Blackbaud is required to delete data that it no longer needs and is prohibited from misrepresenting its data security and data retention periods. Lastly, the company is required to develop a comprehensive information security program addressing these issues and put in place a data retention schedule. In April 2024, the breach notification amendment to the GLBA Safeguards Rule took effect. The amendment requires financial institutions to notify the FTC of breaches affecting 500 or more consumers.
Another important focus of the FTC has been the protection of consumers who unknowingly sign up for auto-renewal subscription contracts. In October 2024, the FTC announced revisions to the Negative Option Rule, which will prohibit material misrepresentations of the offer, including the terms of the negative option program, the purpose of the product/service being sold, and anything else that would be important for consumers to know. Further, a business will be required to disclose all material terms of the offer before consumers sign up. Per the FTC, a material term is any part of the offer that would matter to the consumer or might influence their decision on whether to sign up. Additionally, businesses must be able to demonstrate that consumers fully understood what they were agreeing to. The revisions prohibit any distractions, including, for example, other information that distracts from the material terms of the offer. Businesses must also obtain proof of consent and retain it for at least three years. The revisions provide flexibility in terms of how to obtain proof, including, for example, a checkbox, signature, or other similar method. Last, but not least, businesses must implement a simple mechanism for consumers to withdraw from the program, as easy as the one used to sign up. In other words, businesses will be prohibited from requiring consumers to speak to representatives to withdraw if they didn’t have to do that during sign up. While some provisions of the rule take effect on January 14, 2025, the majority of the amendments take effect on May 14, 2025. Businesses should evaluate their negative option and auto-renewal offerings to ensure compliance with these amendments as well as state auto-renewal laws.
With respect to telemarketing, in March 2024, the FTC released its long-awaited Final Rule updating the Telemarketing Sales Rule. Among other notable changes, the new rule extends the telemarketing fraud provisions to cover business-to-business calls and adds enhanced recordkeeping requirements.
The FTC also issued guidance warning companies that “[i]t may be unfair or deceptive for a company to adopt more permissive data practices – for example, to start sharing consumers’ data with third parties or using that data for AI training – and only inform consumers of this change through a surreptitious, retroactive amendment to its terms of service or privacy policy.” In other words, simply updating a privacy policy without sufficient notice and consent may not be acceptable. The FTC warned that it will continue bringing “actions against companies that engage in unfair or deceptive practices – including those that try to switch up the ‘rules of the game’ on consumers by surreptitiously re-writing their privacy policies or terms of service to allow themselves free rein to use consumer data for product development.”
Federal Communications Commission
Late last year, the FCC issued a new rule aiming to close the lead generator loophole by requiring marketers to obtain “one-to-one” consent to receive telemarketing texts and auto-dialed calls. Once the new rule takes effect on January 27, 2025, businesses will be required to clearly and conspicuously request and obtain written consent for robocalls and robotexts on behalf of each individual company. The consent cannot be a batched consent that lists multiple sellers and partners. Further, any resulting communication must be logically and topically related to the website where the consent was obtained.
Separately, the FCC’s new consent revocation rules take effect on April 11, 2025. Once these new rules take effect, customers will be allowed to revoke prior consent through any reasonable method, and marketers are prohibited from designating an exclusive means for revocation. Further, marketers must honor revocation requests within a reasonable timeframe, not to exceed 10 business days.
Notably, the final rule permits callers to send a one-time message confirming the consumer’s request that no further messages be sent, provided the confirmatory message only confirms the opt-out request and does not include any marketing or promotional information. Further, the confirmatory message must be sent within five minutes of receipt. Lastly, if the recipient has consented to multiple categories of messages from the sender, the sender is permitted to request clarification as to the scope of the opt-out request, and whether it was meant to cover all categories of messages. Absent an affirmative response clarifying which categories of messages the consumer would like to receive, the sender must treat the opt-out as a global opt-out of all message categories.
Staying on trend with other agencies regulating AI, the FCC released a new notice of proposed rulemaking that would impose obligations to obtain specific written consent to the use of AI-generated content in a clear and conspicuous disclosure. Additionally, companies making AI-generated calls or texts would be required to disclose the use of AI at the beginning of each call or text in a clear disclosure. The notice proposes to define an “AI-generated call” as “a call that uses any technology or tool to generate an artificial or prerecorded voice or a text using computational technology or other machine learning, including predictive algorithms, and large language models, to process natural language and produce voice or text content to communicate with a called party over an outbound telephone call.” Note that these rules would not apply to inbound calls, which fall outside the scope of the TCPA.
Predictions for 2025
While it remains to be seen what impact the new administration will have on privacy and cybersecurity, if 2025 is anything like the last few years, we expect the new year to bring forceful enforcement by key federal regulators to protect a wide array of privacy interests. We also expect to see movement on comprehensive federal privacy legislation. As noted above, several amendments to existing privacy-related laws will take effect, and many of these laws will evolve through notable cases that will continue to reshape the landscape in the coming year. If they are not already assessing these enforcement actions, amendments, and proposed rules, we urge businesses to take steps to do so in order to mitigate enforcement and litigation risk.