Federal Trade Commission (FTC)

Subscribe to Federal Trade Commission (FTC)

On July 20, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) sent warning letters to approximately 130 hospital systems and telehealth providers. The letters were intended to warn those entities of the privacy and security risks of online tracking technologies integrated into their websites and mobile applications. The agencies noted that the entities may be impermissibly disclosing consumers’ sensitive personal health information to third parties such as Meta/Facebook pixel and Google Analytics through the use of such online tracking technologies in potential violation of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”), the FTC Act, and/or the FTC Health Breach Notification Rule (“HBNR”).

Continue Reading HHS and FTC Warning Letters Highlight Continued Scrutiny of Use of Online Tracking Technologies in Healthcare

The FTC’s recent publication, FTC Safeguards Rule: What Your Business Needs to Know (the “Guide”), provides a helpful overview of the FTC’s recent Safeguards Rule amendments. The FTC’s Safeguards Rule is applicable to “financial institutions,” such as private funds, subject to the FTC’s jurisdiction but not the jurisdiction of another regulator under the Gramm-Leach-Bliley Act (GLBA). Ropes & Gray has previous reviewed the Safeguards Rule amendments here and here. The Guide does not break any substantial new ground but does provide a useful summary of the Safeguards Rule’s security requirements along with additional details regarding the controls the FTC considers part of a reasonable information security program.

The Guide identifies nine elements of an information security program required under the Safeguards Rule. Companies that maintain personal information regarding fewer than 5,000 consumers are not subject to all of these requirements, as summarized further here. Additionally, companies are not required to have in place all of the controls described until December of this year, but should work toward implementation now, as many will require time intensive processes.

Continue Reading FTC Publishes Guide to Safeguards Rule Compliance Applicable to Private Funds

Private funds that are excluded from the definition of “investment company” under sections 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (“ICA”) will face significantly stricter cybersecurity requirements under the FTC’s revised Safeguards Rule, which comes into full effect as of December 9, 2022. The FTC’s updated Safeguards Rule breaks new ground for

The onset of the COVID-19 pandemic in 2020 shuttered daycare centers, shifted schools to virtual settings, and fueled the rapid growth of children’s applications and educational technology (“ed-tech”) to facilitate the shelter-in-place childcare and remote learning paradigms. The federal Children’s Online Privacy Protection Act (COPPA) and Family Educational Rights and Privacy Act (FERPA), as well as numerous state laws protect children’s and students’ privacy when using these platforms. In 2021, increased scrutiny of the data collection practices of these platforms has followed their rapid deployment, as new variants led to renewed restrictions on in-person education and childcare. That scrutiny is likely to continue in the new year, as the use of such platforms persists, even as the pandemic subsides. In this post, we survey the developments during 2021 and assess the future of child and student privacy in 2022.

Continue Reading Trends in Child and Student Privacy

If 2021 is any indication, the Federal Trade Commission (FTC) shows no signs of slowing down in its pursuit of enforcement actions to address a wide variety of alleged privacy and cybersecurity issues. Under the leadership of new chair, Lina Khan, the past year has seen the FTC engage is a variety of new and expanding enforcement actions exhibiting an increasing interest in regulating data privacy and security, as well as other consumer protection areas.

While the FTC has become the de facto regulator for entities that are not subject to other sector-specific regulations, the Commission’s assertion of authority over privacy and cybersecurity matters is limited by its statutory powers under section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices” that injure consumers. The FTC’s expansion of that authority to cover privacy and cybersecurity matters has only grown more aggressive in recent years but has also become the subject of close judicial review. Notably, in 2018, the Eleventh Circuit ruled, in LabMD, Inc. v. FTC, that the FTC did not have unlimited authority to dictate the details of companies’ privacy and cybersecurity protections. Earlier this year, the Supreme Court, in AMG Capital Mgmt., LLC v. FTC, held that Section 13(b) of the FTC Act does not allow the FTC to obtain monetary relief in federal court. The FTC has asked Congress to use its authority to remedy this ability, and claims that this constitutes a loss of its “best and most efficient tool for returning money to consumers who suffered losses as a result of deceptive, unfair, or anticompetitive conduct.”

The FTC has pushed for a more expansive view of its authority for several years, and this has only intensified over the last year. Even before the AMG decision, the FTC had been advocating for Congress to address the gap in Section 13(b), which only explicitly provides for the FTC’s ability to order injunctive relief and is silent on monetary relief. While waiting on Congress to address the issue, we expect for the FTC to continue to bring enforcement actions and order restitution and disgorgement via their Section 19 authority, which provides for these types of relief, but only after a final cease-and-desist order, which can be challenged and is subject to review of appellate courts.

Continue Reading FTC Signals Increased Focus on Privacy and Data Misuse

general data protection regulation GDPR
general data protection regulation GDPR concept, with abstract computer network background (3d render)

The Future of US Federal and State Regulation of Data Privacy

During the November 3rd session of Ropes & Gray’s conference, “The Future of Global Data Protection: Conflict or Coherence?” Ropes & Gray partner Chong Park moderated a discussion with Ropes & Gray’s data protection partner Fran Faircloth and Minh Ta, Vice President of Global Governmental Affairs at the Carlyle Group regarding the future of federal and state regulation of data privacy in the United States.

The group all agreed that there should be a comprehensive, US federal data privacy law, but expressed opposing views on the likelihood of such a federal law being implemented in the near future. Minh analogized it to the infrastructure bill debate in the United States, noting that there is bipartisan consensus to address the issue on some level, but the problem lies in the details—i.e., what specifically should be regulated is where people disagree. Fran, on the other hand, expressed a bit more optimism that a federal law on privacy would be passed in the future, but agreed the likelihood of imminent passage is unlikely. She noted that as more states pass their own versions of privacy laws, that eventually as a result a federal law would be passed.

Continue Reading The Future of US Federal and State Regulation of Data Privacy

On October 27, 2021, the FTC updated its financial services cybersecurity Safeguards Rule and made other revisions to its associated privacy rule.  The FTC also issued a request for comment on a new proposed 30-day data breach notification rule for financial institutions subject to its jurisdiction.  The updated Safeguards Rule breaks new ground for the FTC by requiring specific security controls and accountability measures expressly modeled on the New York Department of Financial Services cybersecurity rule.  For entities covered by the Safeguards Rule, these changes will require prompt review, since many of the newly required controls will take time to implement if they are not already in place.  Among other things, the Safeguards Rule will now require multifactor authentication for any individual accessing information systems storing customer information (or compensating controls), encryption of all customer information both in transit and at rest (again with the option of alternative compensating controls), and updates to record retention procedures.  The revisions also dictate specific governance controls by requiring reporting, at least annually, to a board of directors or senior officer about the institution’s security posture and the adoption of a formal incident response plan.

Continue Reading FTC Updates Safeguards Rule To Specify Security Requirements

20_0588_Data Blog_SS_219812920

Modern smartphones, wearables and internet-enabled devices are capable of monitoring heart rate, blood oxygen levels, steps taken, prescription adherence, and other vital health-related activities. Contrary to popular belief, HIPAA does not cover many of these applications and devices. On September 15, 2021, the Federal Trade Commission issued a Policy Statement attempting to assert authority to police that gap.  The Policy Statement explains the FTC’s view that the Health Breach Notification Rule applies to mobile health applications. This Policy Statement signals increasing FTC scrutiny designed to safeguard sensitive health data on a variety of modern technologies that consumers use to monitor and improve their health.

Continue Reading FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule

LockThe FTC’s recent settlement with Flo Health, announced on June 22, 2021, offers insights into what practices could invite FTC investigation, especially when companies that collect sensitive information make specific promises about high levels of health privacy and data security. More than 100 million consumers use Flo, an app developed by Flo Health Inc., to help women track their periods and fertility. Although the settlement contains no admissions by Flo, the agency alleged that Flo shared users’ health information with outside data analytics providers; an arrangement that is not uncommon for apps that deal with less-sensitive data, but one which contradicted the company’s promise to keep users’ personal information private.
Continue Reading Recent FTC Settlement with Flo Health Focuses on Notice and Consent for Companies Sharing Sensitive Data

On Thursday, April 22, the Supreme Court released a unanimous decision holding that the Federal Trade Commission’s authority under Section 13(b) of the FTC Act does not grant the agency the right to seek equitable monetary relief such as disgorgement or restitution. The opinion, authored by Justice Breyer, held that the section only permits prospective injunctive relief. The import of this decision is that the FTC, in order to obtain monetary relief for unfair and deceptive trade practices, must first utilize its administrative procedures and can no longer seek such relief directly through a lawsuit in the federal courts.
Continue Reading Supreme Court Holds that FTC Cannot Obtain Disgorgement or Restitution Remedies under FTC Act Section 13(b)