We’ve talked before about the FTC’s focus on consumer health privacy. In cases against BetterHelp and GoodRx, a blog post announcing rules it intends to enforce in the space, and a report summarizing its recent privacy and data security enforcement efforts and other initiatives, the agency has made clear that the privacy and security of sensitive health information is a top priority. In the last week, the agency announced two new enforcement actions: one against Monument, an online addiction treatment firm and another against Cerebral, an online telehealth provider that provides mental health ..read more

According to Chair Lina Khan, the Federal Trade Commission (“FTC”) recent action against Avast Limited and its subsidiaries for $16.5 million is the “highest monetary remedy in a de novo privacy violation case” and the first time a non-health service company has been banned from selling sensitive data after promising to keep it secure. In its complaint, the FTC alleged that Avast sold browsing data despite its promises to protect consumers from online tracking. It would be easy to skim past the Avast proposed consent agreement (or those in the X-Mode or InMarket cases) as just another example ..read more

The California Attorney General (“AG”) recently delivered (pun very much intended) a public CCPA enforcement action against DoorDash, its second following the 2022 settlement with Sephora. The DoorDash action stems from a notice of violation alleging that DoorDash’s personal information disclosures to a marketing co-op constituted a “sale” under the CCPA and that DoorDash failed to comply with CCPA “sale” opt-out and disclosure requirements. The complaint also asserted violations of CalOPPA, California’s 2004 website privacy policy law. A proposed stipulated judgment would require DoorDash to ..read more

On February 1, 2024, the Connecticut Office of the Attorney General (“OAG”) issued a Report to the General Assembly’s General Law Committee (“Report”), summarizing the OAG’s enforcement efforts during six months since the Connecticut Data Privacy Act (“CTDPA”) became effective. As a reminder, Connecticut was the fifth state to pass a comprehensive consumer privacy law, which took effect on July 1, 2023. As we previously noted, the CTDPA includes a qualified right to cure alleged violations of the law until January 1, 2025, so that the OAG must, before initiating an enforcement action, issue a ..read more

Just one month into 2024 and two states have already passed comprehensive consumer data privacy bills. In New Jersey, the legislature passed and on January 16 the governor signed S. 332 (“New Jersey Act”). And in New Hampshire, the legislature passed SB 225 (“New Hampshire Act”), which currently awaits Governor Chris Sununu’s signature. New Hampshire (if SB 225 is enacted) and New Jersey will thus join California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, bringing the total count to fourteen states with comprehensive data privacy law ..read more

The FTC announced an action last week against location data broker X-Mode Social and its corporate successor Outlogic (collectively, “X-Mode”) based on several alleged violations of Section 5 of the FTC Act. According to FTC Chair Lina Khan, the case, which X-Mode has agreed to settle via a proposed consent order, will result in the “first ever ban on the use and sale of sensitive location data.” The case focuses in large part on X-Mode’s practices as a data broker, but should matter to any business that collects, uses, or discloses consumer location data. In this post, we offer five lessons f ..read more

The New York State Department of Financial Services (“NYDFS”), which regulates financial services institutions including banks, insurance companies, and mortgage brokers, finalized an amendment to its Cybersecurity Regulation on November 1. The amendment, which is the first since adoption of the original Cybersecurity Regulation in 2017, concludes a rulemaking process that began with an initial proposed rule issued in July 2022. This post summarizes several key developments for financial institutions subject to NYDFS’s authority. Unless otherwise noted below, the general compliance deadline is ..read more

The Colorado Privacy Act may have taken effect earlier this year, but that doesn’t mean all companies that do business in Colorado and fall within the scope of the law can take it easy just yet. Rather, for those companies that process personal data for purposes of targeted advertising or that sell personal data, an important requirement of the CPA is still to come: under C.R.S. § 6-1-1306(1)(a)(IV)(B), controllers subject to the CPA will, as of July 1, 2024, be required to comply with Colorado consumers’ requests to opt out of the processing of their personal data for targeted advertising or ..read more

The FTC recently sent five tax preparers a notice of its intention to pursue civil penalties (“Notice”) if they continue to use consumers’ data for purposes other than tax preparation (such as advertising) without first obtaining consumers’ consent. These facts are not particularly surprising. But the legal basis relied upon by the FTC for its threat is intriguing because it suggests a twist on the FTC’s usual approach to privacy enforcement actions under Section 5. Also noteworthy: The FTC made its move under its “penalty offense authority” under Section 5, which authorizes civil penalties up ..read more

A federal court in the Northern District of California recently granted a preliminary injunction in NetChoice v. Bonta that enjoins enforcement of the California Age-Appropriate Design Code (“Code”), which would have taken effect on July 1, 2024. The injunction will be in place during the pendency of the NetChoice action and will therefore limit near-term enforcement risk for entities that would have been subject to the Code. The opinion also concludes that the Code is likely unconstitutional as violating the First Amendment, suggesting the court may eventually issue a final judgment striking ..read more