Photo of Nicole O'Donnell

California AG Announces New CCPA Sweep

Just in time for Data Privacy Day, the California attorney general (“California AG”) announced a new round of privacy investigations targeting the retail, travel, and food service industries. The investigative sweep will focus on “popular apps” that allegedly fail to honor consumer requests to opt out of the “sale” of their personal information. The sweep will also review responses to requests sent on behalf of consumers by authorized agents such as the “Permission Slip” application developed by Consumer Reports. Even with the considerable attention owed to the new requirements of the California Privacy Rights Act (“CPRA”)—which amends and expands on the California Consumer Privacy Act (“CCPA”)—along with the significant recent activity by the California Privacy Protection Agency, businesses should not overlook their ongoing obligations to comply with the CCPA prior to the CPRA’s enforcement beginning on July 1, 2023.

Former Chief Security Officer of Uber Convicted for Mishandling 2016 Data Breach

On October 5, 2022, Joe Sullivan, Uber’s former Chief Security Officer, was convicted of “obstruction of the proceedings of the Federal Trade Commission and misprision of felony in connection with the attempted cover-up of a 2016 hack at Uber.” He faces up to eight years in prison. The conviction marks the first time that an individual company executive has faced criminal charges related to an information security breach.

FTC Signals Increased Focus on Privacy and Data Misuse

If 2021 is any indication, the Federal Trade Commission (FTC) shows no signs of slowing down in its pursuit of enforcement actions to address a wide variety of alleged privacy and cybersecurity issues. Under the leadership of its new chair, Lina Khan, the FTC has over the past year engaged in a variety of new and expanding enforcement actions, exhibiting an increasing interest in regulating data privacy and security, as well as other consumer protection areas.

While the FTC has become the de facto regulator for entities that are not subject to other sector-specific regulations, the Commission’s assertion of authority over privacy and cybersecurity matters is limited by its statutory powers under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices” that injure consumers. The FTC’s expansion of that authority to cover privacy and cybersecurity matters has only grown more aggressive in recent years but has also become the subject of close judicial review. Notably, in 2018, the Eleventh Circuit ruled, in LabMD, Inc. v. FTC, that the FTC did not have unlimited authority to dictate the details of companies’ privacy and cybersecurity protections. Earlier this year, the Supreme Court, in AMG Capital Mgmt., LLC v. FTC, held that Section 13(b) of the FTC Act does not allow the FTC to obtain monetary relief in federal court. The FTC has asked Congress to use its authority to remedy this, and claims that this constitutes a loss of its “best and most efficient tool for returning money to consumers who suffered losses as a result of deceptive, unfair, or anticompetitive conduct.”

The FTC has pushed for a more expansive view of its authority for several years, and this has only intensified over the last year. Even before the AMG decision, the FTC had been advocating for Congress to address the gap in Section 13(b), which only explicitly provides for the FTC’s ability to order injunctive relief and is silent on monetary relief. While waiting on Congress to address the issue, we expect the FTC to continue to bring enforcement actions and order restitution and disgorgement via its Section 19 authority, which provides for these types of relief, but only after a final cease-and-desist order, which can be challenged and is subject to review by appellate courts.

The Future of US Federal and State Regulation of Data Privacy

During the November 3rd session of Ropes & Gray’s conference, “The Future of Global Data Protection: Conflict or Coherence?”, Ropes & Gray partner Chong Park moderated a discussion with Ropes & Gray’s data protection partner Fran Faircloth and Minh Ta, Vice President of Global Governmental Affairs at the Carlyle Group, regarding the future of federal and state regulation of data privacy in the United States.

The group all agreed that there should be a comprehensive US federal data privacy law, but expressed opposing views on the likelihood of such a federal law being implemented in the near future. Minh analogized it to the infrastructure bill debate in the United States, noting that there is bipartisan consensus to address the issue on some level, but the problem lies in the details—i.e., people disagree about what specifically should be regulated. Fran, on the other hand, expressed a bit more optimism that a federal law on privacy would be passed in the future, but agreed that imminent passage is unlikely. She noted that as more states pass their own versions of privacy laws, a federal law would eventually be passed as a result.