On July 19, 2018, the French Data Protection Authority (“CNIL”) announced that it served a formal notice to two advertising startups headquartered in France, FIDZUP and TEEMO. Both companies collect personal data from mobile phones via software development kit (“SDK”) tools integrated into the code of their partners’ mobile appseven when the apps are not in useand process the data to conduct marketing campaigns on mobile phones. Continue Reading CNIL Serves Formal Notice to Marketing Companies to Obtain User’s Consent for Processing Geolocation Data for Ad Targeting

Recently, Iowa and Nebraska enacted information security laws applicable to personal information. Iowa’s law applies to operators of online services directed at and used by students in kindergarten through grade 12, whereas Nebraska’s law applies to all commercial entities doing business in Nebraska who own or license Nebraska residents’ personal information. Continue Reading Iowa and Nebraska Enact Information Security Laws

Recently, the Personal Data Collection and Protection Ordinance (“the Ordinance”) was introduced to the Chicago City Council. The Ordinance would require businesses to (1) obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information, (2) notify affected Chicago residents and the City of Chicago in the event of a data breach, (3) register with the City of Chicago if they qualify as “data brokers,” (4) provide specific notification to mobile device users for location services and (5) obtain prior express consent to use geolocation data from mobile applications.  Continue Reading Chicago Introduces Data Protection Ordinance

On May 24, 2018, the Federal Trade Commission granted final approval to a settlement (the “Final Settlement”) with PayPal, Inc., to resolve charges that PayPal’s peer-to-peer payment service, Venmo, misled consumers regarding certain restrictions on the use of its service, as well as the privacy of transactions. The proposed settlement was announced on February 27, 2018. In its complaint, the FTC alleged that Venmo misrepresented its information security practices by stating that it “uses bank-grade security systems and data encryption to protect your financial information.” Instead, the FTC alleged that Venmo violated the Gramm-Leach-Bliley Act’s (“GLBA’s”) Safeguards Rule by failing to (1) have a written information security program; (2) assess the risks to the security, confidentiality and integrity of customer information; and (3) implement basic safeguards such as providing security notifications to users that their passwords were changed. The complaint also alleged that Venmo (1) misled consumers about their ability to transfer funds to external bank accounts, and (2) misrepresented the extent to which consumers could control the privacy of their transactions, in violation of the GLBA Privacy Rule. Continue Reading FTC Approves Settlement with PayPal Regarding Alleged Venmo Privacy Misrepresentations

On February 27, 2018, the Federal Trade Commission (“FTC”) announced an agreement with PayPal, Inc., to settle charges that its Venmo peer-to-peer payment service misled consumers regarding privacy and the extent to which consumers’ financial accounts were secured. This is the second significant FTC settlement in the past three months that addressed these issues, following the FTC’s action against TaxSlayer, Inc. and signals a renewed focus by the FTC on violations of the Gramm-Leach-Bliley Act’s (“GLBA’s”) Privacy and Safeguards Rules. Continue Reading FTC Announces Settlement for Venmo’s Alleged Violations of the GLBA’s Privacy and Safeguards Rules

On February 22, 2018, the Federal Trade Commission (“FTC”) published a blog post that provides tips on how consumers can use Virtual Private Network (“VPN”) apps to protect their information while in transit over public networks. The FTC notes that some consumers are finding VPN apps helpful in protecting their mobile device traffic over Wi-Fi networks at coffee shops, airports and other locations. Through a VPN app, a user can browse websites and use apps on their mobile devices, still shielding the traffic from prying eyes as it transmits via public networks.

Continue Reading FTC Issues Tips on VPN Apps

Recently, the Office of the Privacy Commissioner of Canada (“OPC”) issued its 2017 Global Privacy Enforcement Network Sweep results (the “Report”), which focused on certain privacy practices of online educational tools and services targeted at classrooms. The OPC examined the privacy practices of two dozen educational websites and apps used by K-12 students. The “sweep” sought to replicate the consumer experience by interacting with the websites and apps, and recording the privacy practices and controls in place. The overarching theme of the Report is “user controls over personal information,” which the OPC further refined into four subthemes: (1) transparency, (2) consent, (3) age-appropriate collection and disclosure, and (4) deletion of personal information. Continue Reading Canadian Privacy Commissioner Issues Report on Children’s Educational Apps

On October 14, 2016, California Attorney General Kamala D. Harris announced the release of a publicly available online form that will enable consumers to report potential violations of the California Online Privacy Protection Act (“CalOPPA”). CalOPPA requires website and mobile app operators to post a privacy policy that contains certain specific content. Continue Reading California AG Announces Launch of Online CalOPPA Reporting Form