Eye On Privacy

Eye On Privacy Blogs

Latest from Eye On Privacy

Following, by a day, a privacy-related claim challenge brought against another advertiser, the National Advertising Division found that advertiser DuckDuckGo had sufficiently substantiated its privacy claims. These cases are significant reminders in two ways. First, that claims made about privacy and security can be viewed through an advertising lens and examined to see if they are properly substantiated. Second, that the NAD, the self-regulatory body that actively examines truth and accuracy of advertising, is looking at privacy claims. As those familiar with the NAD are aware, it refers those who do not cooperate to the FTC for priority action to
Continue Reading NAD Examines Privacy Statements Made By DuckDuckGo in Online Ads

The National Advertising Division, a self-regulatory body that examines the truth and accuracy of advertising claims, recently examined privacy claims made by Brave, Inc. Using the same analysis given to other advertising claims, the NAD analyzed Brave’s statements about consumer privacy. It assessed both the implied as well as the express claims made by the company as well as the extent to which the substantiation Brave had for the claims supported those claims.
Continue Reading NAD Brings False Advertising Claims Over Privacy Representations

With six months before the first of the new US state general privacy laws go into effect, there are several steps companies can take now to begin to prepare. Unfortunately there are some parts of compliance that will be impacted by regulations that have either not been drafted, or if drafted, remain unfinalized. What, then, can companies do now? Familiarizing themselves with the types of requirements and beginning to address and develop mechanics for those requirements is a good start. Fortunately for most, these will not be new, as they are conceptually covered by CCPA, GDPR, or both.
Continue Reading Preparing for US State Privacy Law Compliance: The Six Month Mark

The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified Wegmans that the company had an Azure cloud storage container that was unsecured. Upon investigation, the company determined that the container had been misconfigured and that three million customer records had been publicly accessible since 2018. The records included email addresses and account passwords.
Continue Reading Wegmans Settles With NYAG for $400,000 Over Data Incident

In a recent letter to the UK law society, the UK Information Commissioner’s Office and the National Cyber Security Centre have provided lawyers with advice about ransomware payments. The two agencies cautioned lawyers that such payments would not help “protect” the data, mitigate the risk to individuals, or result in a lower ICO penalty in the event of a regulatory investigation. Instead, they stated in a release that accompanied the letter, lawyers “should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.”
Continue Reading UK ICO and NCSC Issue Caution About Making Ransomware Payments

In this third post of our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on contractual requirements. (Visit here for information about collection and notice under the draft regulations, and here for information about choice.)
Continue Reading What Should We Do About the Draft CPRA Regulations?: Contracts

The California Privacy Protection Agency (CPPA) recently released the draft proposed CCPA Regulations and draft initial statement of reasons. Importantly, these are draft regulations that are likely to be subject to extensive public comment and modification before they become final. At the June 8 meeting, the board moved to approve the draft regulatory text to begin the formal rule making process and public comment period.

These draft regulations redline the existing CCPA regulations. Though some provisions were largely unedited, they could be modified in forthcoming updates. This includes notices regarding financial incentives, rules for consumers under the age of
Continue Reading What Should We Do About the Draft CPRA Regulations?: Collection and Notice

On June 13, US and UK governments announced that they are developing prize challenges focused on advancing the maturity of privacy-enhancing technologies (PETs) to combat financial crime. The announcements highlight that up to $2 trillion of cross-border money laundering takes place each year. The White House explained that PETs could address financial crime through maturing technologies, which allows machine learning models to be trained on high quality datasets, without the data leaving safe environments. PETs also facilitate privacy-preserving financial information sharing and collaborative analytics; allowing suspicious types of behavior to be identified without compromising the privacy of individuals, or requiring the transfer of
Continue Reading US, UK Collaborate on Prize Challenges for Privacy-Enhancing Technologies

On June 13, US and UK governments announced that they are developing prize challenges focused on advancing the maturity of privacy-enhancing technologies (PETs) to combat financial crime. The announcements highlight that up to $2 trillion of cross-border money laundering takes place each year. The White House explained that PETs could address financial crime through maturing technologies, which allows machine learning models to be trained on high quality datasets, without the data leaving safe environments. PETs also facilitate privacy-preserving financial information sharing and collaborative analytics; allowing suspicious types of behavior to be identified without compromising the privacy of individuals, or requiring the transfer of
Continue Reading US, UK Collaborate on Prize Challenges for Privacy-Enhancing Technologies

The Department of Defense recently provided some clarity on the timeline for implementation of its Cybersecurity Maturity Model Certification (CMMC) program. The DoD now expects to complete documentation to submit to the Office of Management and Budget for its rulemaking process by July 2022. And, it plans to issue interim final rules by March 2023. If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations for government contracts as early as May 2023 (60 days after the rules are published). 
Continue Reading Updated Timeline for DoD’s Cybersecurity Certification Program

Maryland recently passed two companion bills amending the state’s Personal Information Protection Act. The bills modify the data breach notification requirements and scope of businesses subject to the data security requirements. The key changes are summarized below, and will go into effect October 1 of this year:
Continue Reading Maryland Amends Data Security and Breach Notice Obligations

On June 7, Sen. Sherrod Brown (D-OH), Chair of the Senate Committee on Banking, Housing, and Urban Affairs, sent a letter to Treasury Secretary Janet Yellen to request a review by the Financial Stability Oversight Council of financial institutions’ consumer data activities and their potential threat to U.S. financial stability and security. The letter raised concerns that this information may be sold to third-party purchasers or data brokers who compile it with personal data collected from other sources often associated with advertising and exploited for other uses. The Committee also raised concerns that such data could be used for nefarious purposes including
Continue Reading Senate Banking Committee Sends Letter to Yellen on Collection, Use of Consumer Data

The FTC recently reminded companies that principles of fairness and the likelihood of harm may in some cases prompt breach notification. This requirement might exist even if state breach notice laws have not been triggered. The FTC emphasized at the same time the need for breach disclosures to be accurate. These comments appeared in the FTC blog, and underscore the agency’s continuing trend to exercise its enforcement authority under the FTC Act in the data security and data breach context.

When discussing breach notification, of focus for the FTC were situations when disclosing information to an individual might have “mitigate[d] reasonably
Continue Reading FTC Weighs In On Data Breach Notification

The FTC recently took two well-publicized steps in the children’s privacy space. First, it penalized WW International (formerly, Weight Watchers) and its subsidiary, Kurbo, for alleged COPPA violations. Second, it unanimously voted to adopt a new policy statement on education technology and COPPA. These actions follow its March COPPA settlement with TickTalk Tech.
Continue Reading FTC Continues Focus on Children’s Privacy