Federal Trade Commission
Subscribe to Federal Trade Commission's Posts

Farewell ‘Safe Harbor,’ Hello ‘Privacy Shield’: Europe and U.S. Agree on New Rules for Transatlantic Data Transfer

After intense negotiations, and after the official deadline had passed on Sunday, 31 January 2016, the United States and the European Union have finally agreed on a new set of rules—the “EU-U.S. Privacy Shield”—for data transfers across the Atlantic. The Privacy Shield replaces the old Safe Harbor agreement, which was struck down by the European Court of Justice (ECJ) in October 2015. Critics already comment that the Privacy Shield will share Safe Harbor’s fate and will be declared invalid by the ECJ; nevertheless, until such a decision exists, the Privacy Shield should give companies legal security when transferring data to the United States.

While a text of the new agreement is not yet published, European Commissioner Věra Jourvá stated that the Privacy Shield should be in place in the next few weeks. According to a press release from the European Commission, the new arrangement

…will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalized access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

One of the most known critics of the U.S. data processing practices and initiator of the ECJ Safe Harbor decision, Austrian Max Schrems, already reacted to the news. Schrems stated on social media that the ECJ Safe Harbor decision explicitly says that “generalized access to content of communications” by intelligence agencies violates the fundamental right to respect for privacy. Commissioner Jourová, referring to the Privacy Shield, stated that “generalized access … may happen in very rare cases”—which could be viewed as contradictory to the ECJ decision. Critics also argue that an informal commitment by the United States during negotiations with the European Union is not something on which European citizens could base lawsuits in the United States if their data is transferred or used illegally.

The European Commission will now prepare a draft text for the Privacy Shield, which still must be ratified by the Member States. The EU Parliament will also review the draft text. In the meantime, the United States will make the necessary preparations to put in place the new framework, monitoring mechanisms and new ombudsperson.

 




read more

The Connected Car and Keeping YOU in the Driver’s Seat

Remember KITT? KITT (the Knight Industries Two Thousand) was the self-directed, self-driving, supercomputer hero of the popular 1980s television show Knight Rider. Knight Rider was a science fiction fantasy profiling the “car of the future.” The self-directed car is science fiction no more. The future is now and, in fact, we’ve seen a lot of press this year about self-driving or driverless cars.

Driverless cars, equipped with a wide variety of connected systems including cameras, radar, sonar and LiDar (light detection and ranging), are expected on the road within the next few years. They can sense road conditions, identify hazards and negotiate traffic, all from a remote command center. Just as with most connected devices in the age of the Internet of Things (IoT), these ultra-connected devices claim to improve efficiency and performance, and enhance safety.

Though not quite driverless yet, connected vehicles are already on the market, in-market and on the road. Like many IoT “things”, ultra-connected vehicles systems may be vulnerable to hacker attacks.

Christopher Valasek and Charlie Miller, two computer security industry leaders, have presented on this topic at various events, including the 2014 Black Hat USA security conference . They analyzed the information security vulnerabilities of various car makes and models, rating the vehicles on three specific criteria: (1) the area of their wireless “attack surface” (i.e., how many data incorporating features such as Bluetooth, Wi-Fi, keyless entry systems, automated tire monitoring systems); (2) access to the vehicles network through those data points; and (3) the vehicle’s “cyberphysical” features (i.e., connected features such as parking assist, automated braking, and other technological driving aides). This last category of features, combined with access through the data points outlined in items (1) and (2), presented a composite risk profile of each vehicle make’s hackability. Their conclusions were startling: radios, brakes, steering systems were all found to be accessible.

Miller and Valasek claim that their intent was to encourage car manufacturers to consider security in vehicle system connectivity and cyberphysical attributes. They approached vehicle manufacturers and shared their report with the Department of Transportation and the Society of Automobile Engineers. Some manufacturers promised to investigate their vehicle systems and correct the deficiencies. Some seemingly ignored the report altogether. They did, however, catch the attention of Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT). On July 21, 2015, Senators Markey and Blumenthal introduced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure vehicles and protect drivers’ privacy. The Security and Privacy in Your Car Act, aptly coined “the SPY Car Act”, would also require manufacturers to establish a ‘cyber dashboard’ that rates vehicle security, informing consumers as to the security performance of their vehicle.

As proposed, the SPY Car Act would require that all motor vehicles manufactured in the U.S. be “equipped with reasonable measures to protect against hacking attacks.” All “entry points” are to be protected through “reasonable” measures against hacking. Internal networks are to [...]

Continue Reading




read more

Start with Security

On June 30, 2015, the Federal Trade Commission (FTC) published “Start with Security: A Guide for Businesses” (the Guide).

The Guide is based on 10 “lessons learned” from the FTC’s more than 50 data-security settlements. In the Guide, the FTC discusses a specific settlement that helps clarify the 10 lessons:

  1. Start with security;
  2. Control access to data sensibly;
  3. Require secure passwords and authentication;
  4. Store sensitive personal information securely and protect it during transmission;
  5. Segment networks and monitor anyone trying to get in and out of them;
  6. Secure remote network access;
  7. Apply sound security practices when developing new products that collect personal information;
  8. Ensure that service providers implement reasonable security measures;
  9. Implement procedures to help ensure that security practices are current and address vulnerabilities; and
  10. Secure paper, physical media and devices that contain personal information.

The FTC also offers an online tutorial titled “Protecting Personal Information.”

We expect that the 10 lessons in the Guide will become the FTC’s road map for handling future enforcement actions, making the Guide required reading for any business that processes personal information.




read more

FTC Approves Final Order with AmeriFreight: Websites Must Disclose Endorsements

Earlier this year, AmeriFreight, a Georgia-based auto shipment broker, settled with the Federal Trade Commission (FTC) over charges that the company posted customer reviews on its website while failing to disclose that it had given cash discounts to customers in exchange for the reviews.  According to the FTC complaint, AmeriFreight touted on its website homepage that it had “more highly ranked ratings and reviews than any other company in the automotive transportation business” and that a majority of the online reviews on  AmeriFreight’s website failed to disclose that the reviewers were compensated $50 for posting reviews and were also eligible to receive an additional $100 if selected for the “Best Monthly Review Award.”  The FTC charged that AmeriFreight, by failing to disclose the incentives it had given to reviewers, had misrepresented its customer reviews as those of unbiased consumers.  The FTC’s position can be summed up best by the following quotes from its Director of the Bureau of Consumer Protection: “Companies must make it clear when they have paid their customers to write online reviews” and if companies “fail to do that – as AmeriFreight did – then they’re deceiving consumers, plain and simple.”

The FTC’s Endorsement Guidelines

Guidelines issued in 2009 by the Federal Trade Commission (the “FTC Endorsement Guidelines”) make clear that an advertiser must fully disclose any connection between the advertiser and an endorser of the advertiser’s product or service that might materially affect the weight or credibility of the endorsement, such as the fact that the endorser received compensation or some other benefit or incentive from the advertiser in exchange for providing a favorable review.  An advertiser’s failure to disclose an endorser’s material connection with the advertiser constitutes an unfair and deceptive trade practice as well as false advertising, both in violation of Section 5(a) of the Federal Trade Commission Act.  The requirement of disclosure of material connections applies not only to celebrity, expert or professional endorsers, but also to ordinary consumer-endorsers.  Many companies today use consumer endorsements in promoting their products or services, including the so-called “word-of-mouth advertising” whereby satisfied customers tell other people how much they like a product or service.  A common example of this form of advertising is publishing consumer-submitted reviews on the internet.  Good word of mouth generated by favorable customer reviews can make a big difference in a company’s online ad campaign.  However, companies that are looking to incentivize customers to submit good reviews must be wary of not running afoul of the FTC Endorsement Guidelines.  In particular, where a company offers money or other benefits to customers in exchange for good reviews, it must disclose such fact when publishing reviews.

Key Takeaways for Businesses

The FTC’s complaint against AmeriFreight is the first time the agency has charged a company with misrepresenting online reviews by failing to disclose that it gave cash discounts to customers to post the reviews.  This has significant implications for businesses that use customer [...]

Continue Reading




read more

National Roadmap for Health Data Sharing: FTC Advocates Preservation of Privacy and Competition

On April 1, 2015, the Office of the National Coordinator for Health Information Technology (ONC), which assists with the coordination of federal policy on data sharing objectives and standards, issued its Shared Nationwide Interoperability Roadmap and requested comments.  The Roadmap seeks to lay out a framework for developing and implementing interoperable health information systems that will allow for the freer flow of health-related data by and among providers and patients.  The use of technology to capture and understand health-related information and the strategic sharing of information between health industry stakeholders and its use is widely recognized as critical to support patient engagement, improve quality outcomes and lower health care costs.

On April 3, 2015, the Federal Trade Commission issued coordinated comments from its Office of Policy Planning, Bureau of Competition, Bureau of Consumer Protection and Bureau of Economics.  The FTC has a broad, dual mission to protect consumers and promote competition, in part, by preventing business practices that are anticompetitive or deceptive or unfair to consumers.  This includes business practices that relate to consumer privacy and data security.  Notably, the FTC’s comments on the Roadmap draw from both its pro-competitive experience and its privacy and security protection perspective, and therefore offer insights into the FTC’s assessment of interoperability from a variety of consumer protection vantage points.

The FTC agreed that ONC’s Roadmap has the potential to benefit both patients and providers by “facilitating innovation and fostering competition in health IT and health care services markets” – lowering health care costs, improving population health management and empowering consumers through easier access to their personal information.  The concepts advanced in the Roadmap, however, if not carefully implemented, can also have a negative effect on competition for health care technology services.  The FTC comments are intended to guide ONC’s implementation with respect to: (1) creating a business and regulatory environment that encourages interoperability, (2) shared governance mechanisms that enable interoperability, and (3) advancing technical standards.

Taking each of these aspects in turn, creating a business and regulatory environment that encourages interoperability is important because, if left unattended, the marketplace may be resistant to interoperability.  For example, health care providers may resist interoperability because it would make switching providers easier and IT vendors may see interoperability as a threat to customer-allegiance.  The FTC suggests that the federal government, as a major payer, work to align economic incentives to create greater demand among providers for interoperability.

With respect to shared governance mechanisms, the FTC notes that coordinated efforts among competitors may have the effect of suppressing competition.  The FTC identifies several examples of anticompetitive conduct in standard setting efforts for ONC’s consideration as it considers how to implement the Roadmap.

Finally, in advancing core technical standards, the FTC advised ONC to consider how standardization could affect competition by (1) limiting competition between technologies, (2) facilitating customer lock-in, (3) reducing competition between standards, and (4) impacting the method for selecting standards.

As part of its mission to protect consumers, the FTC focuses its privacy and security [...]

Continue Reading




read more

FTC Merger Review Likely to Incorporate Analysis of Privacy Issues

The Federal Trade Commission (FTC or the Commission), along with the U.S. Department of Justice, can challenge mergers it believes will result in a substantial lessening of competition – for example through higher prices, lower quality or reduced rates of innovation.  Although the analysis of whether a transaction may be anticompetitive typically focuses on price, privacy is increasingly regarded as a kind of non-price competition, like quality or innovation.  During a recent symposium on the parameters and enforcement reach of Section 5 of the FTC Act, Deborah Feinstein, the director of the FTC’s Bureau of Competition, noted that privacy concerns are becoming more important in the agency’s merger reviews.  Specifically she stated, “Privacy could be a form of non-price competition important to customers that could be actionable if two kinds of companies competed on privacy commitments on technologies they came up with.”

At this same symposium, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, remarked on the agency’s increasing expectations that companies protect the consumer data they collect and be more transparent about what they collect, how they store and protect it, and about third parties with whom they share the data.

The FTC’s Bureaus of Competition and Consumer Protection fulfill the agency’s dual mission to promote competition and protect consumers, in part, through the enforcement of Section 5 of the FTC Act.  With two areas of expertise and a supporting Bureau of Economics under one roof, the Commission is uniquely positioned to analyze whether a potential merger may substantially lessen privacy-related competition.

The concept that privacy is a form of non-price competition is not new to the FTC.  In its 2007 statement upon closing its investigation into the merger of Google, Inc. and DoubleClick Inc., the Commission recognized that mergers can “adversely affect non-price attributes of competition, such as consumer privacy.”  Commissioner Pamela Jones Harbour’s dissent in the Google/DoubleClick matter outlined a number of forward-looking competition and privacy-related considerations for analyzing mergers of data-rich companies.  The FTC ultimately concluded that the evidence in that case “did not support the theories of potential competitive harm” and thus declined to challenge the deal.  The matter laid the groundwork, however, for the agency’s future consideration of these issues.

While the FTC has yet to challenge a transaction on the basis that privacy competition would be substantially lessened, parties can expect staff from both the Bureau of Competition and the Bureau of Consumer Protection to be working closely together to analyze a proposed transaction’s impact on privacy.  The FTC’s review of mergers between entities with large databases of consumer information may focus on: (1) whether the transaction will result in decreased privacy protections, i.e., lower quality of privacy; and (2) whether the combined parties achieve market power as a result of combining their consumer data.

This concept is not unique to the United States.  The European Commission’s 2008 decision in TomTom/Tele Atlas examined whether there would be a decrease [...]

Continue Reading




read more

Consumer Health Information Update from Both Sides of the Atlantic

As we reported in May 2014, the Federal Trade Commission (FTC) convened stakeholders to explore whether health-related information collected from and about consumers — known as consumer-generated health information (CHI) — through use of the internet and increasingly-popular lifestyle and fitness mobile apps is more sensitive and in need of more privacy-sensitive treatment than other consumer-generated data.

One of the key questions raised during the FTC’s CHI seminar is: “what is consumer health information”?  Information gathered during traditional medical encounters is clearly health-related.  Information gathered from mobile apps designed as sophisticated diagnostic tools also is clearly health-related — and may even be “Protected Health Information,” as defined and regulated by Health Information Portability and Accountability Act (HIPAA), depending on the interplay of the app and the health care provider or payor community.  But, other information, such as diet and exercise, may be viewed by some as wellness or consumer preference data (for example, the types of foods purchased).  Other information (e.g., shopping habits) may not look like health information but, when aggregated with other information generated by and collected from consumers, may become health-related information.  Information, therefore, may be “health information,” and may be more sensitive as such, depending on (i) the individual from whom it is collected, (ii) the context in which it is initially collected; (iii) the other information which it is combined; (iv) the purpose for which the information was initially collected; and (v) the downstream uses of the information.

Notably, the FTC is not the only regulatory body struggling with how to define CHI.  On February 5, 2015, the European Union’s Article 29 Working Party (an EU representative body tasked with advising EU Member States on data protection) published a letter in response to a request from the European Commission to clarify the definitional scope of “data concerning health in relation to lifestyle and wellbeing apps.”

The EU’s efforts to define CHI underscore the importance of understanding CHI.  The EU and the U.S. data privacy and security regimes differ fundamentally in that the EU regime broadly protects personally identifiable information.  The US does not currently provide universal protections for personally identifiable information.  The U.S. approach varies by jurisdiction and type of information and does not uniformly regulate the mobile app industry or the CHI captured by such apps.  These different regulatory regimes make the EU’s struggle to define the precise scope and definition of “lifestyle and wellbeing” data (CHI) and develop best practices going forward all the more striking because, even absent such a definition, the EU privacy regime would offer protections.

The Article 29 Working Party letter acknowledges the European Commission’s work to date, including the European Commission’s “Green Paper on Mobile Health,” which emphasized the need for strong privacy and security protections, transparency – particularly with respect to how CHI interoperates with big data  – and the need for specific legislation on CHI-related  apps or regulatory guidance that will promote “the safety and performance of lifestyle and wellbeing apps.”  But, [...]

Continue Reading




read more

The FTC Did Some Kid-ding Around in 2014

2014 was a busy year for the Federal Trade Commission (FTC) with the Children’s Online Privacy Protection Act (COPPA).  The FTC announced something new under COPPA nearly every month, including:

  • In January, the FTC issued an updated version of the free consumer guide, “Net Cetera:  Chatting with Kids About Being Online.”  Updates to the guide include advice on mobile apps, using public WiFi securely, and how to recognize text message spam, as well as details about recent changes to COPPA.
  • In February, the FTC approved the kidSAFE Safe Harbor Program.  The kidSAFE certification and seal of approval program helps children-friendly digital services comply with COPPA.  To qualify for a kidSAFE seal, digital operators must build safety protections and controls into any interactive community features; post rules and educational information about online safety; have procedures for handling safety issues and complaints; give parents basic safety controls over their child’s activities; and ensure all content, advertising and marketing is age-appropriate.
  • In March, the FTC filed an amicus brief in the 9th U.S. Circuit Court of Appeals, arguing that the ruling of U.S. District  Court for the Northern District of California in Batman v. Facebook that COPPA preempts state law protections for the online activities of teenagers children outside of COPPA’ coverage is “patently wrong.”
  • In April, the FTC updated its “Complying with COPPA:  Frequently Asked Questions” (aka the COPPA FAQs) to address how COPPA applies in the school setting.  In FAQ M.2, the FTC discussed whether a school can provide the COPPA-required consent on behalf of parents, stating that “Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent.”  But, the FTC also recommends as “best practice” that schools provide parents with information about the operators to which it has consented on behalf of the parents.  The FTC requires that the school investigate the collection, use, sharing, retention, security and disposal practices with respect to personal information collected from its students.
  • In July, COPPA FAQ H.5, FAQ H.10, and FAQ H.16 about parental consent verification also were updated.  In FAQ H.5, the FTC indicates that “collecting a 16-digit credit or debit card number alone” is not sufficient as a parental consent mechanism, in some circumstances, “collection of the card number – in conjunction with implementing other safeguards – would suffice.”  Revised FAQ H.10 indicates that a developer of a child-directed app may use a third party for parental verification “as long as [developers] ensure that COPPA requirements are being met,” including the requirement to “provide parents with a direct notice outlining [the developer’s] information collection practices before the parent provides his or her consent.” In revised FAQ H.16, the FTC [...]

    Continue Reading



read more

FTC Releases Extensive Report on the “Internet of Things”

On January 27, 2015, U.S. Federal Trade Commission (FTC) staff released an extensive report on the “Internet of Things” (IoT). The report, based in part on input the FTC received at its November 2013 workshop on the subject, discusses the benefits and risks of IoT products to consumers and offers best practices for IoT manufacturers to integrate the principles of security, data minimization, notice and choice into the development of IoT devices. While the FTC staff’s report does not call for IoT specific legislation at this time, given the rapidly evolving nature of the technology, it reiterates the FTC’s earlier recommendation to Congress to enact strong federal data security and breach notification legislation.

The report also describes the tools the FTC will use to ensure that IoT manufacturers consider privacy and security issues as they develop new devices. These tools include:

  • Enforcement actions under such laws as the FTC Act, the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA), as applicable;
  • Developing consumer and business education materials in the IoT area;
  • Participation in multi-stakeholder groups considering guidelines related to IoT; and
  • Advocacy to other agencies, state legislatures and courts to promote protections in this area.

In furtherance of its initiative to provide educational materials on IoT for businesses, the FTC also announced the publication of “Careful Connections: Building Security in the Internet of Things”.  This site provides a wealth of advice and resources for businesses on how they can go about meeting the concept of “security by design” and consider issues of security at every stage of the product development lifecycle for internet-connected devices and things.   

This week’s report is one more sign pointing toward our prediction regarding the FTC’s increased activity in the IoT space in 2015. 




read more

In with the New: Expect FTC Activity on IoT in 2015

The “Internet of Things” (IoT) continues to grow.  (IoT refers to the ability of everyday objects to connect to the Internet and one another.)  It is estimated that there will be 4.9 billion connected appliances, devices and other “things” in use worldwide by the end of 2015, an increase of 30 percent from 2014.  The global market for IoT products is expected to reach $7.1 trillion by 2020.

Proponents of IoT believe that the data generated and shared by connected objects can provide tremendous benefits for individuals, businesses and society as a whole.  For example, IoT devices could be used to alert a person of an impending heart attack, improve a business’ manufacturing processes and reduce vehicle traffic congestion.  While IoT can provide many benefits, it also poses privacy and security challenges.  Internet connected devices, especially when used in an individual’s home or on his or her body, can generate voluminous amounts of highly personal and sensitive data about that individual, including information about physical activity, existing health conditions, energy consumption and entertainment choices.  Many users of these devices are unclear about how this data is being used and shared with others. Moreover, the sheer amount and sensitivity of the data collected and transmitted by many IoT products make them an appealing target for hackers.

The Federal Trade Commission (FTC) did not file an enforcement action against a manufacturer of IoT products for inadequate data privacy and security practices in 2014, as it had in 2013. Nonetheless, the privacy and security challenges associated with the massive collection of consumer data by IoT products still are on the FTC’s radar.  Commissioner Julie Brill has written extensively about the need to weave in privacy principles to IoT.  While IoT products ranging from automated door locks to internet connected pet trackers dominated this year’s International Consumer Electronics Show (CES), Chairwoman Edith Ramirez’s keynote address at the CES outlined several concerns about IoT, including ubiquitous data collection, the ability of IoT devices to capture sensitive personal information about consumers, unexpected uses of consumer data and data security concerns.

Since IoT is on the FTC’s radar, I predict that the FTC will carefully scrutinize manufacturers of IoT products during 2015 and perhaps bring another action against a maker of IoT products for inadequate data privacy or security practices.




read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law