Privacy & Information Security Law Blog

The FTC will hold a virtual open meeting on Thursday, October 21, 2021, at 1pm ET to present the agency’s findings on evidence gathered pursuant to the FTC’s issuance of 6(b) orders in 2019 to six Internet Service Providers and three of their advertising affiliates regarding the parties’ privacy practices. Public release of the FTC Staff report is subject to a vote by the Commission. The presentation of findings will be followed by a verbal public comment period where commenters can share feedback on the FTC’s work and bring matters to the Commission’s attention ...

On September 29, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a paper on the Draft ePrivacy Regulation (“ePR”), in the context of the Trilogue Discussions between the EU Commission, EU Council and EU Parliament (the “Paper”).

On October 7, 2021, Federal Trade Commission Chair Lina Khan appointed Olivier Sylvain as a senior advisor on rulemaking and emerging technology. As announced by Fordham University School of Law, where Sylvain serves as a professor of communications, information and administrative law, Sylvain is an expert in the Communications Decency Act and also has focused his work on artificial intelligence and community-owned networked computing.

The Irish Data Protection Commissioner (“DPC”) has submitted a draft decision on Facebook Ireland Limited’s (“Facebook”) data protection compliance to other European regulators under the cooperation mechanism of the EU General Data Protection Regulation (“GDPR”) (the “Draft Decision”). The DPC proposes a fine between €28 and €36 million (i.e., up to $42 million) for infringements of the transparency obligations under the GDPR, specifically with respect to the legal basis upon which Facebook relied. In addition, the Draft Decision proposes imposing an order on Facebook to bring its terms of service and Data Policy into compliance within three months. However, the DPC indicates in its Draft Decision that Facebook is permitted to rely on contractual necessity as a legal basis for its personalized advertising, taking the view that this constitutes a core element of Facebook’s service.

On October 15, 2021, the U.S. District Court for the District of Massachusetts entered a final order approving a $14 million class action settlement resolving claims against HelloFresh for alleged violations of the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227, et seq. The named plaintiffs alleged that HelloFresh violated the TCPA by (1) placing telemarketing calls to consumers whose phone numbers were listed on the federal Do Not Call registry; (2) placing telemarketing calls to consumers using an automatic telephone dialing system (“ATDS”) without prior express written consent; and (3) placing telemarketing calls to consumers who had requested to be placed on Hello Fresh’s internal Do Not Call list. According to plaintiffs’ attorneys, this settlement is the largest TCPA class action settlement in Massachusetts state history.

On October 12, 2021, New Jersey Acting Attorney General Andrew J. Bruck and the Division of Consumer Affairs announced a settlement with Diamond Institute for Infertility and Menopause, LLC, over a data breach that compromised the personal information of 14,663 patients, including 11,071 New Jersey residents. The Division of Consumer Affairs alleged that the fertility clinic violated the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy and Security Rules by removing protected health information (“PHI”) safeguards.

During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020 (“CPRA”), California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act (“CMIA”) and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.

On October 8, 2021, Senator Ed Markey (D-Mass) and Representatives Kathy Castor (D-Fla) and Lori Trahan (D-Mass) penned a letter to Chair of the Federal Trade Commission Lina Khan, urging the agency to ensure that companies uphold the commitments made in their children’s privacy notices and “hold them accountable if they fail to do so.” In the letter, the lawmakers noted that many technology companies have recently announced updates to their respective platforms’ policies that are intended to enhance children and teen protections in compliance with the UK’s Age Appropriate Design Code (“AADC”), which took effect on September 2, 2021.

On October 12, 2021, the Oxford County Court determined that a homeowner had breached the Data Protection Act 2018 (“DPA”) and UK General Data Protection Regulation (“UK GDPR”) by using Ring security cameras around his property. In Dr Mary Fairhurst v Mr Jon Woodard, Fairhurst claimed harassment, nuisance and breach of UK data protection law based on her former neighbor, Woodard’s, use of security cameras and lights around his property. While the claim in nuisance failed, the judge found for the claimant on the claims of harassment and breach of data protection law.

On September 27, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper on the “GDPR Enforcement Cooperation and the One-Stop-Shop (“OSS”) - Learning from the First Three Years” (the “Paper”). The Paper identifies the challenges faced by the OSS, defines CIPL’s position, and proposes possible solutions to improve the OSS mechanism, taking into account the European Data Protection Board’s (“EDPB”) recent work and decisions by the Court of Justice of the European Union (“CJEU”).