Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 27, the FTC held its fourth annual PrivacyCon, which hosted research presentations on a wide range of consumer privacy and security issues. Following opening remarks by FTC Chairman Joseph Simons, the one-day conference featured four plenary sessions covering a number of hot topics:
- Session 1: Privacy Policies, Disclosures, and Permissions. Five presenters discussed various aspects of privacy policies and notices to consumers. The panel discussed current trends showing that privacy notices to consumers have generally become lengthier in recent years, which helps cover the information regulators require, but often results in information overload for consumers more generally. One presenter advocated the concept of a condensed “nutrition label” for privacy, but acknowledged the challenge of distilling complicated activities into short bullets.
- Session 2: Consumer Preferences, Expectations, and Behaviors. This panel addressed research concerning consumer expectations and behaviors with regard to privacy. Among other anecdotal information, the presenters noted that many consumers are aware that personal data is tracked, but consumers are generally unaware of what data collectors ultimately do with the personal data once collected. To that end, one presenter advocated prescriptive limits on data collection in general, which would take the onus off consumers to protect themselves. Separately, with regard to the Children’s Online Privacy Protection Act (COPPA), one presenter noted that the law generally aligns with parents’ privacy expectations, but the implementing regulations and guidelines are too broad and leave too much room for implementation variations.
- Session 3: Tracking and Online Advertising. In the third session, five presenters covered various topics, including privacy implications of free versus paid-for applications to the impact of the EU’s General Data Protection Regulation (GDPR). According to the presenters, current research suggests that the measurable privacy benefits of paying for an app are “tenuous at best,” and consumers cannot be expected to make informed decisions because the necessary privacy information is not always available in the purchase program on a mobile device such as a phone. As for GDPR, the panel agreed that there are notable reductions in web use, with page views falling 9.7 percent in one study, although it is not clear whether such reduction is directly correlated to the May 25, 2018 effective date for enforcement of GDPR.
- Session 4: Vulnerabilities, Leaks, and Breach Notifications. In the final presentation, presenters discussed new research on how companies can mitigate data security vulnerabilities and improve remediation. One presenter discussed the need for proactive identification of vulnerabilities, noting that the goal should be to patch the real vulnerabilities and limit efforts related to vulnerabilities that are unlikely to be exploited. Another presenter analyzed data breach notifications to consumers, noting that all 50 states have data breach notification laws, but there is no consensus as to best practices related to the content or timing of notifications to consumers. The presenter concluded with recommendations for future notification regulations: (i) incorporate readability testing based on standardized methods; (ii) provide concrete guidelines of when customers need to be notified, what content needs to be included, and how the information should be presented; (iii) include visuals to highlight key information; and (iv) leverage the influence of templates, such as the model privacy form for the Gramm-Leach-Bliley Act.
On April 24, the FTC announced separate settlements with the operators of an online rewards website and a dress-up games website to resolve allegations concerning poorly implemented data security measures and Children’s Online Privacy Protection Act (COPPA) violations. According to the FTC, the online rewards website operator collected personal information (PII) from users who participated in their online offerings and made promises that their account information was secure. However, the operator allegedly failed to implement data security measures or utilize encryption techniques, which granted hackers access to the network. In addition, the operator allegedly maintained PII in clear unencrypted text. As a result of the breach, hackers published and offered for sale PII for approximately 2.7 million consumers. Under the terms of the decision and order, the operator is, among other things, prohibited from misrepresenting the measures taken to protect consumers’ PII and is required to implement a comprehensive information security program for future collections of PII.
On the same day, the FTC reached a proposed settlement with a dress-up games website and its operators, who allegedly violated COPPA by failing to obtain parental consent before collecting personal information from children under 13 or provide reasonable and appropriate security for the collected data. According to the FTC, data security failures allowed hackers access to the company’s network, which stored information for roughly 245,000 users under age 13. As part of the proposed settlement filed in the U.S. District Court for the Northern District of California, the company and operators, among other things, (i) have agreed to pay $35,000 in civil penalties; (ii) will change their business practices to comply with COPPA; and (iii) are prohibited from selling, sharing, or collecting personal information until a comprehensive data security program is implemented and undergoes independent biennial assessments.
On February 27, the FTC announced a $5.7 million settlement with the operators of a video social networking app concerning alleged violations of the Children’s Online Privacy Protection Case (COPPA). Among other things, the FTC claims the operators failed to provide parents notice of its information collection practices, illegally collected personal information from children under the age of 13 without first obtaining verifiable parental consent, failed to delete personal information when parents requested, and retained information “longer than reasonably necessary to fulfill the purpose for which the information was collected.” Under COPPA, operators of websites and online services directed at children are prohibited from collecting personal information of children under the age of 13, unless the company has explicit parental consent. The FTC alleges that the operators knew a “significant percentage” of its users were under 13 and received thousands of complaints from parents that their children under 13 had created accounts on the app. While neither admitting nor denying the allegations, the operators have agreed to the monetary penalty, will change their business practices to comply with COPPA, and will remove all videos made by children younger than 13. According to the FTC, this settlement is the largest civil penalty obtained to date by the agency for COPPA violations.
New York Attorney General reaches largest ever COPPA settlement to resolve violations of children’s privacy
On December 4, the New York Attorney General announced the largest Children’s Online Privacy Protection Act (COPPA) settlement in U.S. history—totaling approximately $6 million —to resolve allegations with a subsidiary of a telecommunications company that allegedly conducted billions of auctions for ad space on hundreds of websites it knew were directed to children under the age of 13. According to the Attorney General’s office, the subsidiary collected and disclosed personal data on children through auctions for ad space, allowing advertisers to track and serve targeted ads to children without parental consent. Under COPPA, operators of websites and other online services are prohibited from collecting or sharing the information of children under the age of 13 unless they give notice and have express parental consent. Among other things, the subsidiary also allegedly placed ads on other exchanges that possessed the capability to auction ad space on child-directed websites, but that when it won ad space on COPPA-covered websites, the subsidiary treated the space as it would any other and collected user information to serve targeted ads.
Under the terms of the settlement, the subsidiary must (i) create a comprehensive COPPA compliance program, which requires annual COPPA training for staff, regular compliance monitoring, and the retention of service providers that can comply with COPPA, as well as a third party who will assess the privacy controls; (ii) enable website operators that sell ad inventory to indicate what portion of a website is subject to COPPA; and (iii) destroy the personal data it collected on children.
New Mexico Attorney General sues technology companies over COPPA violations regarding the collection of children’s personal data
On September 12, the New Mexico Attorney General announced the filing of a lawsuit against a group of technology companies for allegedly designing and marketing mobile gaming applications (apps) targeted towards children that contain illegal tracking software. The complaint asserts that the defendants’ practices violate both the Children’s Online Privacy Protection Act (COPPA) and New Mexico’s Unfair Practices Act, and pose the risk of data breaches and third-party access. Among other things, the complaint alleges the defendants’ data collection and sharing practices did not comply with COPPA’s specific notice and consent requirements, while the apps’ embedded software development kits allow the apps to communicate directly with the advertising companies that analyze, store, use, share, and sell the data to other third-parties to build “increasingly-detailed profiles of child users” in order to send highly-targeted advertising. The complaint seeks injunctive relief and nominal and punitive damages.
On October 4, the FTC and the Department of Education issued a notice announcing a joint Ed Tech (education technology) workshop to examine the challenges concerning privacy implications as more schools are using school-issued personal computing devices. The workshop will discuss issues surrounding the FTC’s Children’s Online Privacy Protection Act Rule (COPPA) as it applies to schools and how it intersects with the Department of Education’s Family Educational Rights and Privacy Act, which is designed to protect the privacy of students’ education records. The workshop, which is open to the public, will be held in Washington, D.C., on December 1.
As previously covered in InfoBytes, the FTC made modifications to COPPA’s safe harbor program this past July that now require all participants to conduct a comprehensive annual internal assessment of any third-party or service provider that collects personal information from children on their websites or through online services, in addition to issuing updates in June regarding resources companies can use to ensure COPPA compliance.
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Tim Lange to discuss "Ease your pain at the state level: Recommendations for navigating the licensing issues in the states" at the Online Lenders Alliance Compliance University
- Amanda R. Lawrence, Aaron C. Mahler, and Jonice Gray Tucker to discuss "Expanded role for the FTC ahead: Implications for bank and nonbank financial institutions" at an American Bar Association Banking Law Committee Webinar
- Buckley Webcast: Flirting with alternatives — Opportunities and challenges created by alternative data, modeling, and technology
- Daniel P. Stipano to discuss "Reporting requirements for credit unions: CTRs and SARs" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Daniel P. Stipano and Moorari K. Shah to discuss "Vendor management: What is the NCUA looking for?" at the National Association of Federally-Insured Credit Unions BSA Seminar
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Summer Regulatory Compliance School
- Warren W. Traiger to discuss "CRA modernization" at the National Association of Industrial Bankers and the Utah Association of Financial Services Annual Convention
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Hank Asbill to discuss "Ethical guidance in conducting internal investigations – The intersection of Yates and Upjohn" at the American Bar Association Southeastern White Collar Crime Institute
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at the American Bar Association Business Law Section Annual Meeting
- Daniel P. Stipano to discuss "Navigating the conflicting federal and state laws for doing business with cannabis companies" at the American Bar Association Business Law Section Annual Meeting
- Tim Lange to discuss "Services and value" at the North American Collection Agency Regulatory Association Annual Conference
- Amanda R. Lawrence to discuss "Data privacy litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Brandy A. Hood to discuss "How to ace your TRID exam" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "HMDA data is out, now what?" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Melissa Klimkiewicz to discuss "Navigating FHA rules and regs" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "The state’s role in fintech: Providing an industry framework for innovation" at Lend360
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference