Yesterday, two FTC officials urged companies, websites and
parties (including third parties) involved in the online and mobile
ecosystem to reassess and carefully evaluate their data collection,
use and sharing practices in light of the FTC's recent broad
expansion of its online privacy rule for children.
[Click to view our December 19, 2012 blog post]. The FTC
made clear that it would pursue entities that ignored their
obligations. During a webinar hosted by the International
Association of Privacy Professionals, FTC senior attorneys Mamie
Kresses and Phyllis Marcus described the COPPA Rule changes, saying
that companies need to examine their data collection practices in
light of technological advances, and that this was the whole
purpose of the new Rule. Since the issuance of the new Rule,
there have been a lot of questions from businesses. While
many of these questions remain unanswered, what is clear is that
companies that never had to think about COPPA before will now have
To help address some of the uncertainty, the regulators said the
FTC is planning to release a guide for businesses about the new
Rule and said they would not be issuing a static guide, signaling
that their input may vary over time leading up to July 1st, the
effective date of the new Rule. For instance, FTC Chief Technologist
Steve Bellovin recently proposed that industry should create a
standard, perhaps through the URL, that would allow websites to
explicitly signal their COPPA-covered status to third parties in a
position to track children with plug-ins, widgets, or other
third-party content or services.
While much uncertainty remains, what is certain is that companies
should be evaluating their data collection practices now, in light of
the new COPPA Rule changes. A company should identify
the spectrum of third parties implicated by its websites and
mobile apps in order to determine: (1) which "persistent
identifiers" qualify as personal information subject to the
new Rule, (2) those instances where parental consent can be readily
obtained, (3) those situations where parental consent is not
desired and the third-party tag or server call will need to either
be removed or replaced with one that is compliant, and (4) those
third-party arrangements which require intensive oversight and