November 2022 AFS Privacy Report: FTC Is Tracking Twitter Developments With “Deep Concern”
Headlines that Matter for Privacy and Data Security.
FTC Is Tracking Twitter Developments With “Deep Concern”
Elon Musk’s recent purchase of Twitter has led to numerous resignations in the security department. Most recently, Twitter’s chief information security officer, chief privacy officer, and chief compliance officer resigned on November 9, 2022. Some employees were reported to have openly questioned Twitter’s ability, and Musk’s willingness, to comply with Twitter’s FTC orders. In response, the FTC stated that “No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.” This is not the first time the FTC has turned an eye to the social media platform. In May of 2022, the FTC fined the company $150 million in an order after Twitter used users’ personal information for advertisements in a way that violated a 2011 FTC consent order. The FTC’s comments signal real-time monitoring of order compliance and a heightened commitment to enforcing its orders.
New York Announces $4.5 Million Cybersecurity Settlement
After a multi-day phishing attack in June and July of 2020 that led to the exposure of hundreds of thousands of consumers’ health data records, including data records concerning minors, EyeMed Vision Care LLC (EyeMed) agreed to a $4.5 million settlement to resolve allegations that it violated the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500, by failing to:
Implement multifactor authentication in its email systems;
Limit user access privileges to accounts containing sensitive information;
Conduct adequate cybersecurity risk assessments; and
Implement appropriate data retention and disposal protocols.
FTC Takes Action Against Drizly and Its CEO for Security Failures
The Federal Trade Commission (FTC) reached a settlement with online alcohol marketplace Drizly and its CEO James Cory Rellas over allegations that Drizly’s inadequate security measures led to a data breach that exposed the personal information of around 2.5 million consumers, and that the company failed to act despite warnings of improper security.
Under the terms of the proposed Order, Drizly and Rellas are required to destroy unnecessary data, limit future data collection, and implement a detailed information security program. Notably, the Order applies personally to Rellas, and he will be required to implement information security programs at future companies where he may be employed, subject to certain threshold requirements, for 20 years. The FTC Complaint is here, and the stipulated Order is here. The FTC’s Press Release is here.
Washington Court Finds Illinois’ BIPA Does Not Have Extraterritorial Application
On October 17, 2022, the US District Court for the Western District of Washington granted summary judgment in favor of two tech companies defending themselves against class action complaints alleging that they violated Illinois’ Biometric Information Privacy Act (BIPA). The plaintiffs were Illinois residents who uploaded images of themselves to the photo-sharing website Flickr. A dataset of about 100 million photographs was released publicly, one million of which were provided free of charge to researchers at the two tech companies. Based on this, the plaintiffs claimed that the tech companies violated BIPA by unlawfully collecting and obtaining their biometric data and by unlawfully profiting from it. The district court held that, under Illinois law, BIPA is without extraterritorial effect. The court also found that the relevant conduct, namely downloading, reviewing, and evaluating the dataset, took place in Washington and New York and not Illinois. These holdings will be important in future considerations of extraterritoriality claims in the context of privacy law. The Order is here.
FTC Brings Action Against Chegg for Its Lax Security Practices
On October 31, 2022, the FTC filed a Complaint alleging that Chegg, an education technology provider, failed to provide reasonable security for personal information it had collected from its users and employees. Chegg faced four data breaches that exposed the personal information of its 40 million users. The FTC alleged that these data breaches originated from the company’s inadequate data security practices, which included the following notable practices:
Failing to implement basic security measures. For example, the FTC alleged that Chegg allowed employees and third-party contractors to access the storage service database with a single access key that provided full administrative privileges over all of the information.
Storing information insecurely. For example, the FTC alleged that Chegg stored users’ and employees’ personal information in plain text rather than in encrypted form.
Failing to implement an appropriate written information security policy and accompanying employee training.
The proposed order, found here, will require Chegg to take several steps, including the following: follow a schedule that sets out what personal information the company collects, why it collects it, and when it will delete the information; provide consumers with access to the data collected about them; implement multifactor authentication; and implement a comprehensive written security program that addresses the specific flaws alleged to have existed in the company’s data security program.
CPPA Advances Proposed CPRA Regulations
On November 3, 2022, the California Privacy Protection Agency (CPPA) issued modifications to the text of the proposed draft regulations pursuant to the California Privacy Rights Act (CPRA). The updated draft CPRA regulations are here.
Following a two-day meeting on October 28 and 29, the CPPA Board authorized the Agency to take all steps necessary to prepare modifications to the proposed CPRA regulations. The newly revised set of proposed draft regulations has since been submitted for a 15-day comment period ending on November 21, 2022. The final proposal will undergo a regulatory review. The final text of the rules is expected in early Q1 2023.
New updates to the draft CPRA regulations include:
The addition of Section 7302(b). The proposed section allows, but does not require, the CPPA to take into account delays in issuing regulations when engaging in an enforcement action.
Changes to Section 7027(m). Section 7027(m) lists the acceptable purposes for which businesses can process sensitive personal information without having to provide consumers with the right to limit the use of their sensitive information. Board members made several changes to the text of this section. Most notably, the preamble now includes the phrase “provided that the use or disclosure is reasonably necessary and proportionate to those purposes,” making it clearer than in previous versions that all specified purposes must satisfy this requirement.
Addition to Opt-Out Preference Signals. The CPPA added the requirement to Section 7025(c)(1) that businesses shall treat opt-out preference signals as a valid request to opt-out of a sale or sharing for that browser, device, and “any consumer profile associated with that browser or device, including pseudonymous profiles.”
Addition of Collection Standard. The Agency added the following standard to Section 7002(d): “The business’s collection, use, retention, and/or sharing of a consumer’s personal information shall also be reasonably necessary and proportionate to achieve any purpose for which the business obtains the consumer’s consent in compliance with subsection (e).”
FTC Shines Light on Dark Patterns in Recent Action Against Vonage; $100 Million in Refunds to Consumers
Highlighting its focus on dark patterns, the FTC filed a complaint against phone service provider Vonage, alleging that the company made it difficult for consumers to cancel subscription services. Vonage bills its customers for their services automatically every month, either by charging a card on file or by withdrawing money directly from bank accounts. The FTC’s complaint alleged that Vonage made the cancellation process far more difficult than the sign-up process, which is easy and offers numerous options. Consumers were allegedly harmed because Vonage created significant cancellation hurdles, surprised customers with fees when they tried to cancel, and continued to charge customers even after they canceled. Vonage agreed to a proposed court order that would require it to stop unauthorized charges, simplify the cancellation process, stop using dark patterns to frustrate consumers’ efforts to cancel, be more upfront about subscription plans, and pay $100 million to customers in refunds.
Colorado AG Submits Draft Colorado Privacy Act Rules
Colorado has joined the growing list of states increasing their privacy protection requirements. On October 10, 2022, the Colorado Attorney General’s Office published the draft Colorado Privacy Act Rules (CPA Rules) in the Colorado Register. These rules will implement and enforce the Colorado Privacy Act (CPA), which provides Colorado residents with privacy protections that include the right to opt out of targeted advertising, the sale of their personal data, and certain kinds of profiling. Comments were received from those concerned with the draft, which can be found here.
EU’s Digital Market Act Goes Into Effect
On November 1, 2022, the European Union’s Digital Markets Act (DMA) went into effect. The law will require large online platforms, or so-called “digital gatekeepers,” to make changes to their business models in an effort to increase competition in the digital market. There are two main criteria that bring a company into the scope of the DMA:
The company provides a core platform service to at least 45 million monthly users in the EU and to more than 10,000 yearly business users in the EU; and
The company provides a core platform service in at least three EU Member States and earns a certain annual revenue in the European Economic Area.
The DMA bans covered platforms from giving preference to their own offerings or requiring the default installation of web browsers on their devices. These platforms will not be able to reuse private data collected from one service for the purposes of another service. The companies covered will also have to obtain explicit consent from users to use their data for targeted advertising.
Importantly, if a covered company violates the DMA, the European Commission has the power to: (1) impose penalties and fines of up to 10% of the company’s worldwide “turnover” (revenue) and up to 20% in case of repeated infringements; and (2) carry out market investigations. The European Commission is scheduled to designate the covered gatekeepers by early June of 2023. Click here for the text of the DMA.
UK Privacy Advocacy Group Files Complaint with ICO over Facial Search Engine
The privacy advocacy group Big Brother Watch has filed a complaint with the Information Commissioner’s Office (ICO), claiming that the face recognition search engine PimEyes facilitated stalking and enabled surveillance on a scale previously unimaginable. Although PimEyes’ terms and conditions state that it is not intended for the surveillance of others, Big Brother Watch claims there are no safeguards against its being used for such purposes. Additionally, the advocacy group claims that PimEyes poses a threat to the privacy of millions of UK citizens because it is unlawfully processing their biometric data. The ICO has not yet published a response. Big Brother Watch has highlighted the similarities between the practices of PimEyes and those of Clearview AI Inc., another facial recognition company that was fined £7.5 million and ordered to delete all UK data by the ICO in May of this year. You can find Big Brother Watch’s post here, and PimEyes’ response here. You can find the Clearview press release here.
Is Your Business Ready? December 27, 2022 Deadline for Implementing New SCCs
On June 4, 2021, the European Commission issued modernized standard contractual clauses (SCCs) under the GDPR for data transfers from businesses subject to the GDPR to those not subject to the law. These modernized SCCs replace the SCCs adopted under the previous Data Protection Directive. Since September 27, 2021, it has no longer been possible to conclude contracts incorporating the earlier SCCs. After December 27, 2022, businesses will no longer be able to rely on those SCCs for contracts that were concluded before September 27, 2021. You can find more information here.