On September 7, 2022, the Children’s Advertising Review Unit (“CARU”) of BBB National Programs announced its finding that Tilting Point Media, LLC (“Tilting Point”), owner and operator of the SpongeBob: Krusty Cook-Off app (the “App”), violated the Children’s Online Privacy Protection Act (“COPPA”) and CARU’s Self-Regulatory Guidelines for Advertising and for Children’s Online Privacy Protection (“CARU’s Guidelines”). CARU has recommended a variety of corrective actions with respect to Tilting Point’s advertising and privacy practices.

Continue Reading CARU Finds SpongeBob App in Violation of COPPA and CARU’s Guidelines

On September 21, 2022, Denmark’s data protection authority Datatilsynet (“Danish DPA”) announced its guidance that Google Analytics, Google’s audience measurement tool, is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States which, following Schrems II, does not offer an adequate level of data protection.

Continue Reading Danish DPA Declares Use of Google Analytics Unlawful Without Supplementary Measures

On September 20, 2022, Indonesia’s parliament ratified the Personal Data Protection Act (the “Act”). The Act is the first comprehensive data protection law to be enacted in Indonesia and will come into effect on a date set by the Minister of State Secretariat. Organizations subject to the Act will have two years to come into compliance with the Act’s requirements.

Continue Reading Indonesia Enacts its First Data Protection Act

On September 20, 2022, the U.S. Securities and Exchange Commission announced that Morgan Stanley Smith Barney agreed to pay a $35 million fine for the firm’s alleged failure to adequately protect the personal information of approximately 15 million customers. Morgan Stanley settled the SEC’s claims without agreeing to or denying the agency’s findings. 

Continue Reading SEC Fines Morgan Stanley $35 Million for Alleged Failure to Protect Customer Data

On August 23, 2022, the U.S. Department of Health & Human Services, Office for Civil Rights (“HHS”) announced that it had settled a case involving the disposal of physical protected health information (“PHI”).

Continue Reading OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

On August 16, 2022, the Securities and Exchange Commission (“SEC”) charged 18 individuals and entities in relation to their involvement in a fraudulent hacking scheme. The scheme targeted and hacked 31 online retail brokerage accounts and forced them to make large purchases of certain stocks from two public microcap companies: Lotus Bio-Technology Development Corp. (“LBTD”) and Good Gaming, Inc. (“GMER”). The owners of the accounts that purchased the shares did not authorize the purchases. Both LBTD and GMER already were controlled in large blocks by fraudsters who repeatedly took steps to conceal their ownership. In doing so, the fraudsters artificially inflated the trading price and volume of the stocks and then sold the shares they had acquired at the inflated prices, generating approximately $1.3 million in proceeds and creating substantial profits.

Continue Reading The SEC Charged Several Individuals and Entities in a Fraudulent Hacking Scheme

On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). The Act, which takes effect July 1, 2024, places new legal obligations on companies with respect to online products and services that are “likely to be accessed by children” under the age of 18.

Continue Reading California Enacts the California Age-Appropriate Design Code Act

On September 6, 2022, the California legislature presented Assembly Bill 2392 to Governor Gavin Newsom. AB-2392, which has not yet been signed by Governor Newsom, would allow Internet-connected device manufacturers to satisfy existing device labeling requirements by complying with National Institute of Standards and Technology (“NIST”) standards for consumer Internet of Things (“IoT”) products.

Continue Reading New California Legislation Adds to Existing Smart Device Labeling Requirements

On September 8, 2022, the Federal Trade Commission hosted a virtual public forum on its Advanced Notice of Proposed Rulemaking (“ANPR”) concerning “commercial surveillance and lax data security.” The forum featured remarks from FTC Chair Lina Kahn, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro Bedoya, as well as panels with industry leaders and consumer advocates.

Continue Reading FTC Commercial Surveillance and Data Security Forum Highlights Industry and Consumer Perspectives

On September 5, 2022, the Irish Data Protection Commissioner (the “DPC”) imposed a €405,000,000 fine on Instagram (a Meta-owned social media platform) for violations of the EU General Data Protection Regulation’s (“GDPR’s”) rules on the processing of children’s personal data.

Continue Reading Irish Data Protection Commissioner Fines Instagram for Children’s Privacy Violations