Mar 15, 2019

FTC Imposes Record COPPA Fine

Children at computers: COPPA establishes basic online privacy protections for children under the age of 13

Continuing its aggressive approach to the enforcement of privacy law violations, the FTC last week imposed on Musical.ly, Inc., the operator of the popular TikTok app (formerly called Musical.ly), a record-setting fine of $5.7 million for the company’s violations of the Children’s Online Privacy Protection Act (“COPPA”). COPPA establishes basic online privacy protections for children under the age of 13 and generally requires parental consent for the collection and sharing of any personal data for children younger than 13. The TikTok app allows users to make videos of themselves lip-syncing to popular songs and then post those videos online. In… Read more


Jun 7, 2018

Is Inadequate Data Security an Unfair Trade Practice?

Doctor's Office: Inadequate Data Security?

In LabMD, Inc. v. Federal Trade Commission, Case No. 16-16270 (decided June 6, 2018) the United States Court of Appeals for the Eleventh Circuit addressed the enforcement of an FTC order finding that a business’s allegedly inadequate data security practices were unfair trade practices under Section 5(a) of the Federal Trade Commission Act. LabMD operated a medical laboratory that conducted diagnostic testing for cancer. Contrary to LabMD policy, an employee installed on a company computer a file-sharing application. That application allowed an outside party to download a file that contained the personal information of thousands of customers. The FTC initiated… Read more


Feb 6, 2018

EU-US Privacy Shield: Frequently Asked Questions

US-EU Privacy Shield: data transfer

What is the EU-U.S. Privacy Shield? The EU-U.S. Privacy Shield (the “Privacy Shield”) is a framework designed by the U.S. Department of Commerce and the European Commission to provide companies in the U.S. and in the EU with a means to comply with data protection laws and regulations when transferring personal data between the U.S. and EU member countries. In July 2016, following an earlier EU Court of Justice decision that struck down the previous EU-U.S. Safe Harbor Framework, the European Commission determined that the Privacy Shield was adequate to permit data transfers to the U.S. under EU law.  … Read more


Jan 30, 2018

General Data Protection Regulation (GDPR): Frequently Asked Questions

GDPR Compliance

What is the General Data Protection Regulation? The General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) is a European Union regulation intended to harmonize data privacy laws across Europe and increase data privacy protections for all European Union citizens.  The GDPR was approved by the European Council and Parliament on April 14, 2016, and will come into force beginning on May 25, 2018. The GDPR will replace the Data Protection Directive 95/46/EC (the “Directive”), which required each member state of the European Union to pass national legislation to implement the intended outcome of the Directive. The result was a… Read more


Jan 23, 2018

Cybersecurity in M&A Transactions: Frequently Asked Questions

Cybersecurity and Data Privacy

1. What types of transactions implicate cybersecurity and data privacy concerns? Cybersecurity and data privacy concerns arise in many different types of M&A transactions, but greater focus on potential cybersecurity and data privacy issues should be directed toward transactions involving (a) a target company that operates in certain highly-regulated industries, (b) the acquisition of sensitive information and data, and/or (c) the transfer of sensitive information and data across national borders. Target companies that operate in the financial services and healthcare industries, for example, are subject to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996, respectively…. Read more


Aug 28, 2017

Is Your Website a “Place of Public Accommodation” Under the Americans with Disabilities Act?

Web Accessibility

What do burgers and art supplies have in common? They are both sold on websites recently challenged by disabled plaintiffs. Blind plaintiffs have filed lawsuits alleging certain websites violate federal, state and city laws because they contain various access barriers and are not fully usable by the blind. This summer two federal courts in New York – the Southern District (Markett v. Five Guys Enterprises LLC, 17-cv-788-KBF, ECF No. 33 (July 21, 2017)) and the Eastern District (Andrews v. Blick Art Materials, LLC, 17-cv-767-JBW, ECF No. 25 (August 1, 2017)) – found that websites selling these goods were “places of public accommodation.” The… Read more


Aug 3, 2017

Recent Cyber Insurance Decision Rejects Claim for Computer Fraud

are you covered?

A federal judge in Michigan recently granted summary judgment to Travelers in American Tooling Center, Inc. v. Travelers Casualty and Surety Company of America, Case No. 16-12108, United States District Court, Eastern District of Michigan.  That decision interpreted the “computer fraud” provision of Travelers’ insurance policy, finding no coverage for the insured for the losses claimed. The basic facts were that American Tooling asked its vendor in China, YiFeng, for all outstanding invoices by email. American Tooling received a response by email, from an account that looked very much like the YiFeng account, and which directed American Tooling to send… Read more


Jun 20, 2017

A Primer on the EU’s General Data Protection Regulation

Data Protection

Overview Over four years in the making, the General Data Protection Regulation (the “GDPR”) was approved by the European Council and Parliament on April 14, 2016, and will come into force beginning on May 25, 2018. In the wake of ever-increasing cyber security and data privacy threats across the globe, the GDPR is intended to harmonize data privacy laws across Europe and increase data privacy protections for all European Union citizens. The GDPR will replace the Data Protection Directive 95/46/EC (the “Directive”), which required each member state of the European Union to pass national legislation to implement the intended outcome… Read more


Apr 23, 2015

FTC Tracking Company Settlement Highlights Importance of Keeping Privacy Promises

It has long been the Federal Trade Commission’s (FTC) position that if you make a privacy promise to consumers you should expect to be held to that promise. The FTC’s complaint and its proposed settlement, announced on April 23, 2015, with Nomi Technologies, Inc. (Nomi) highlight this. Nomi’s tracking applications allow retailers to capture the unique media access control address (and other information) of mobile devices of persons who enter a retailer’s physical store as well as persons within a certain distance from the stores. Nomi then made this information available to its retailer customers for analytics purposes. Nomi promised that it would… Read more


Apr 19, 2015

Recent Cases Emphasize Clickwrap Basics

Two court decisions in the past couple of months, both from federal courts in California, involving arbitration clauses in clickwrap agreements make clear that the manner in which affirmative assent to website terms is sought from a site’s users makes all the difference when enforceability of those terms is at issue. In early February, the U.S. District Court for the Northern District of California held in Savetsky v. Pre-Paid Legal Services, Inc. d/b/a LegalShield, Case No. 14-03514 SC  (N.D. Cal. Feb. 12, 2015), that merely alerting a site user prior to online checkout that the user can obtain more information… Read more