Privacy Report: FTC Investigates Financial Products Review Site

Important information for brand protection, including recent Arent Fox News on advertising and marketing issues, as well as headlines that matter for privacy and data security.

Arent Fox News

FTC Investigates Financial Products Review Site

As comparison sites become more popular, the fine print becomes increasingly important for both consumers and companies.

As one recent US Federal Trade Commission (FTC) settlement reminds us, companies that want to boast that their reviews are “honest,” “accurate,” or “unbiased” should carefully scrutinize their relationships with advertisers and brands and clearly disclose any payments or other business ties that could lead reasonable consumers to question the site’s objectivity.

View the full article here.

CCPA Update: Attorney General Makes Another Move with Revised Proposed Regulations

The California Consumer Privacy Act (CCPA) is the landmark privacy law that formally went into effect January 1, 2020 and provides California residents with various rights regarding the collection, use, and sharing of their personal information.

Read the full article here.

FTC Looks to the Public for Changes to the Endorsement Guides

The Federal Trade Commission announced on February 12, 2020, that it will seek public comment on issues related to the Endorsement Guide, formally known as the Guides Concerning the Use of Endorsements and Testimonials in Advertising.

Read the full article here.

Subscription Snack Company Hit with FTC Complaint for Misrepresenting Positive Consumer Reviews

UrthBox, a subscription snack company, was charged with a complaint by the FTC due to misrepresenting positive consumer reviews on the Better Business Bureau’s and other third-party websites.

Read the full article here.

2020 Brings New NAD and NARB Fees

The National Advertising Division (NAD) of BBB National Programs, Inc. has changed its filing fees effective January 1, 2020.

For companies with annual gross revenue of $5 billion or more, the new NAD filing fee is $35,000, while companies with annual revenue of between $250 million and $5 billion will have to pay $30,000. Previously companies with annual revenue over $1 billion were subject to a $25,000 filing fee, while those with revenue under $1 billion paid a $20,000 fee. There is still a discount for national corporate partners of the Council of Better Business Bureaus. The NARB filing fee has been increased from $20,000 to $25,000.

Read the full article here.

US News

Background Check Services Provider Agrees to Settle FTC Allegations that it Falsely Claimed Participation in the EU-US Privacy Shield

In a complaint, the FTC alleges that New York-based T&M Protection Resources, LLC continued to claim participation in the EU-US Privacy Shield after its certification lapsed. In addition, the company failed to verify annually that statements about its Privacy Shield practices were accurate and failed to affirm that it would continue to apply Privacy Shield protections to personal information collected while participating in the program. As part of the settlement, T&M is prohibited from misrepresenting its participation in the EU-US Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization. In addition, T&M is required either to continue to apply the Privacy Shield protections to personal information it collected while participating in the program or to return or delete the information.

MGM Resorts Data Breach Exposes Guests’ Personal Details

Hotel and casino giant MGM Resorts International has admitted that it suffered a data breach last summer that exposed the personal details, including names and contact information, of what one cybersecurity researcher said was more than 10 million guests. An MGM spokesperson confirmed Thursday that the company last summer discovered “unauthorized access” to a cloud computing server that stored guests’ phone numbers, addresses and other personal data. The company did not disclose the number of guests affected, but the technology website ZDNet and a security researcher with the soon-to-be-launched firm Under the Breach reported that stolen data from 10.6 million guests was published this week on an online forum monitored by security researchers and cybercriminals. 

Calif. Private AG Law: Coming To A State Near You?

New York, Massachusetts and a handful of other states may soon follow California’s lead and empower workers to bring wage, discrimination and other employment lawsuits on the state’s behalf, blunting the arbitration agreements many businesses have adopted to ward off costly class actions. Proposed legislation modeled after California’s Private Attorneys General Act — which businesses have nicknamed “the bounty hunter law” — would circumvent arbitration altogether by deputizing workers to act as enforcers on the state’s behalf. California lawmakers adopted PAGA in 2003 to enlist the private bar’s help in prosecuting violations of state wage standards as staffing at enforcement agencies lagged behind massive workforce growth. The law lets workers bring representative actions on behalf of their colleagues, a wrinkle that has proven consequential as arbitration agreements become pervasive.

First CCPA-Related Case Foreshadows Five Issues

A complaint foreshadows how plaintiffs are likely to rely on the CCPA. The plaintiff alleges that hackers infected Hanna Andersson’s e-commerce platform, operated by Salesforce.com, with malware that compromised customers’ names and credit card information. The lawsuit does not expressly bring a claim under the CCPA. Instead, it claims unspecified CCPA rights and alleges that the issue of whether the defendants violated the CCPA by failing to maintain “reasonable security procedures.” This case serves as an important reminder for businesses to evaluate their security environments against the Top 20 Critical Security Controls (CIS Controls), which the California attorney general recognizes as representing the “minimum level of information security that all organizations that collect or maintain personal information should meet.”

EU News

Europe Takes on China, US With Plan to Regulate Global Tech

The legislative plans, outlined by the European Commission, the bloc’s executive body, are designed to help Europe compete with the US and China’s technological power while still championing EU rights. The move is the latest attempt by the bloc to leverage the power of its vast, developed market to set global standards that companies around the world are forced to follow. US and Chinese firms hoping to deploy artificial intelligence and other technology in Europe will have to submit to a slew of new rules and tests, under a set of plans unveiled by the European Union to boost the bloc’s digital economy. On artificial intelligence, users and developers of AI systems used in high-risk fields, such as health, policing or transportation, would face legal requirements, including tests by authorities, which could also certify the data used by algorithms. High-risk AI could also face sanctions, while lower-risk applications should abide by a voluntary labeling program, the body said.

AI Auditing Framework – Draft ICO Guidance Published for Consultation

On February 19, 2020, the Information Commissioner’s Office (ICO), the data protection regulator in the United Kingdom, launched a consultation on its draft guidance on the artificial intelligence (AI) auditing framework. The ICO states that it understands the distinct benefits which AI can bring, but also the risks it can pose to the rights and freedoms of individuals. AI is therefore one of ICO’s top three strategic priorities, and it is why the ICO decided to develop a framework for auditing AI compliance with data protection obligations. The framework comprises (i) auditing tools and procedures that the ICO will use in audits and investigations and (ii) the draft guidance, which includes indicative risk and control measures that organizations and individuals can deploy when they use AI to process personal data. The framework connects with other work streams undertaken by the ICO in relation to AI, including as to how organizations can best explain their use of AI to individuals and the ICO’s investigation in relation to use of live facial recognition technology. The consultation will close on April 1, 2020, and any feedback must be provided by then, either by way of submitting the online questionnaire or by e-mailing the ICO at AIAuditingFramework@ico.org.uk. The final guidance is expected to be published in the summer of 2020.

Other Global News

NIST Drafts Guidelines for Coping With Ransomware

The National Institute of Standards and Technology has unveiled a pair of draft practice guidelines that offer updated advice and best practices on how to protect the confidentiality, integrity and availability of data in light of increasing threats from ransomware and other large-scale cyber events. The draft practice guidelines, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, and Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events, were developed by NIST’s National Cybersecurity Center of Excellence. NIST will accept comments on the draft advice until March 20, and then will issue final guidance later this year. In drafting the guidance, NIST researchers looked at events such as the WannaCry attacks of 2017 and other recent ransomware incidents and attempted to draw lessons for how organizations can either better protect their data from attackers or recover faster in the wake a significant security event. 

Contacts

Continue Reading