Yesterday, two FTC officials urged companies, websites and parties (including third parties) involved in the online and mobile ecosystem to reassess and carefully evaluate their data collection, use and sharing practices in light of the FTC's recent broad expansion of its online privacy rule for children [click to view our December 19, 2012 blog post]. The FTC made clear that it would pursue entities that ignored their obligations. During a webinar hosted by the International Association of Privacy Professionals, FTC senior attorneys Mamie Kresses and Phyllis Marcus described the COPPA Rule changes and said that companies need to examine their data collection practices in light of technological advances, and that this was the whole purpose of the new Rule. Since the issuance of the new Rule, there have been a lot of questions from businesses. While many of these questions remain unanswered, what is clear is that companies that never had to think about COPPA before will now have

To help address some of the uncertainty, the regulators said the FTC is planning to release a guide for businesses about the new Rule. They said they would not be issuing a static guide, signaling that their input may vary over time leading up to July 1st, the effective date of the new Rule. For instance, FTC Chief Technologist Steve Bellovin recently proposed that industry should create a standard, perhaps through the URL, that would allow websites to explicitly signal their COPPA-covered status to third parties in a position to track children with plug-ins, widgets, or other third-party content or services.

While much uncertainty remains, what is certain is that companies should be evaluating their data collection practices now, in light of the new COPPA Rule changes. A company should identify the spectrum of third parties implicated by its websites and mobile apps in order to determine: (1) which "persistent identifiers" qualify as personal information subject to the new Rule, (2) those instances where parental consent can be readily obtained, (3) those situations where parental consent is not desired and the third-party tag or server call will need to either be removed or replaced with one that is compliant, and (4) those third-party arrangements which require intensive oversight and
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.