If 2021 is any indication, the Federal Trade Commission (FTC) shows no signs of slowing down in its pursuit of enforcement actions to address a wide variety of alleged privacy and cybersecurity issues. Under the leadership of new chair Lina Khan, the past year has seen the FTC engage in a variety of new and expanding enforcement actions exhibiting an increasing interest in regulating data privacy and security, as well as other consumer protection areas.

While the FTC has become the de facto regulator for entities that are not subject to other sector-specific regulations, the Commission’s assertion of authority over privacy and cybersecurity matters is limited by its statutory powers under section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices” that injure consumers. The FTC’s expansion of that authority to cover privacy and cybersecurity matters has only grown more aggressive in recent years but has also become the subject of close judicial review. Notably, in 2018, the Eleventh Circuit ruled, in LabMD, Inc. v. FTC, that the FTC did not have unlimited authority to dictate the details of companies’ privacy and cybersecurity protections. Earlier this year, the Supreme Court, in AMG Capital Mgmt., LLC v. FTC, held that Section 13(b) of the FTC Act does not allow the FTC to obtain monetary relief in federal court. The FTC has asked Congress to use its authority to remedy this ability, and claims that this constitutes a loss of its “best and most efficient tool for returning money to consumers who suffered losses as a result of deceptive, unfair, or anticompetitive conduct.”

The FTC has pushed for a more expansive view of its authority for several years, and this has only intensified over the last year. Even before the AMG decision, the FTC had been advocating for Congress to address the gap in Section 13(b), which only explicitly provides for the FTC’s ability to order injunctive relief and is silent on monetary relief. While waiting on Congress to address the issue, we expect the FTC to continue to bring enforcement actions and order restitution and disgorgement via its Section 19 authority, which provides for these types of relief, but only after a final cease-and-desist order, which can be challenged and is subject to review by appellate courts.

The proposed Washington Privacy Act (WPA) continues to move forward with new enforcement provisions, including a limited private right of action. The Washington House Committee on Civil Rights and Judiciary narrowly approved the so-called “striker” amendment, which would enable state residents to sue companies for injunctive relief over alleged violations but does not allow suit for monetary damages. The bill had already passed in the Washington Senate by a vote of 48-1.

The Supreme Court heard arguments Tuesday morning, March 30, regarding class certification related to Article III standing in TransUnion v. Ramirez, where only 25% of a certified class suffered injury.  In its briefing and in yesterday’s arguments, TransUnion argued that class certification should only apply where every class member has standing and the lead plaintiff does not allege atypical injuries.

The California Attorney General’s office (OAG) recently released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations.  This comes on the heels of the second set of modifications the Office of Administrative Law (OAL) approved just two months ago (see article here).  The third set of proposed modifications restores certain provisions the OAG had previously withdrawn from its draft regulations submitted to the OAL in July, as well as clarifies and adds illustrative examples to some provisions.  Overall, the modifications do not significantly alter the CCPA regulatory landscape, and if accepted, are not likely to impact businesses greatly.  Nonetheless, businesses should review the changes, which address the following topics, to confirm that they would not require any adjustment in business practice:

A federal judge in Oregon, Hon. Michael H. Simon, has recently upheld a $925 million statutory damages award against health supplement maker ViSalus for its violation of the Telephone Consumer Protection Act (“TCPA”)—making this the largest TCPA damages award to date.

The underlying class action against ViSalus alleged the company placed nearly 2 million unsolicited robocalls nationwide to advertise its weight-loss and dietary products.  The class argued that the robocalls constituted unlawful telemarketing practices and violated the TCPA, and after a three-day trial in April of 2019, a jury agreed.

On August 14, 2020, California Attorney General Xavier Becerra announced the California Office of Administrative Law’s approval of the final California Consumer Privacy Act (CCPA) regulations, and filed them with the California Secretary of State. The AG’s office stated that the regulations are effective immediately.

The OAL made additional revisions to the March 11, 2020 regulations, summarized here, which themselves comprised revised regulations that followed several rounds of public forums, hearings, and comment periods. At a high level, the final text’s noteworthy substantive revisions from the March submission (noted in the OAG’s Addendum to the Final Statement of Reasons) include the following:

On August 13, two California contact tracing bills, AB-660 and AB-1782, were approved by the California Senate Judiciary Committee.  These bills would affect how public agencies can collect, store and disclose personal information that is used to facilitate COVID-19 contact tracing.

  • If enacted, AB-660 would prohibit any use or disclosure of data collected for purposes of contact tracing other than further contact tracing efforts.
  • If enacted, AB-1782 would require businesses using or providing contact tracing technologies to provide individuals with the right to consent, access, correct, and delete personal information about them, and to carry out other measures regarding use, security, and maintenance of the data.


Latin American privacy laws may pose special challenges for businesses considering when and how to reopen their facilities during the coronavirus pandemic.  As elsewhere, many companies operating in Latin America may decide to screen employees for their COVID-19 risk-levels before allowing them to enter a shared workspace.  Already in place in many European and Asian countries, screening options primarily involve contact tracing or temperature checks. As they focus on health and safety, however, companies should also bear in mind a potentially competing interest: protecting employees’ privacy.