Peter A Clarke

The United States has quite an effective child privacy protection law, the Children’s Online Privacy Act. It also has a very sophisticated data broking and analytic industry. And some businesses have no problem in collecting data on children to assist in marketing products and services. The Federal Trade Commission has announced changes to Children’s Online Privacy Protection Rule which sets new requirements about the collection, use and disclosure of childrens’ personal information, requires parents to opt in to the third party advertising and places limits on data retention.

The United States and the European Union are far ahead of Australia when it comes to dedicated privacy protection. The E Safety Commissioner provides some regulatory assistance but it is not focused enough on privacy. In the amendments to the Privacy Act 1988, the Privacy and Other Legislation Amendment Bill 2024, passed late November last year the Commissioner will develop a a Children’s Online Privacy Code to better protect children from a range of online harms. That Code will take effect in 2 years.

The media release from the FTC provides:

The Federal Trade Commission finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.

The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized. Read the rest of this entry »

A fairly to update programs and install patches provided by the suppliers is a common way hackers can access websites and smart devices. In those cases the breach is caused by the negligence of the owner of the website or smart device who fails to update. But what if the supplier fails to provide support after a time? With time the program or smart device will become more and more vulnerable to cyber attacks not to mention potentially losing functionality. It is a ubiquitous problem. The Federal Trade Commission has considered it with its report released under a cover of a media release titled Smart Products Surveyed Fail to Provide Consumers with Information on How Long Companies will Provide Software Updates.

The FTC media release provides:

This report comes after a Read the rest of this entry »

The FTC, through the Department of Justice, has commenced an action against the video-sharing platform TikTok, and its parent company ByteDance,alleging that they flagrantly violating Children’s Online Privacy Protection Act.  The FTC also alleges Tick Tok infringed an existing FTC 2019 consent order against TikTok for violating COPPA shortly after it went into effect. The FTC also allege that two TikTok entities (previously Musical.ly and Musical.ly Inc., which ByteDance acquired in 2017 and renamed) agreed to the terms of the order to settle allegations that they violated the COPPA Rule by unlawfully collecting personal information from children under the age of 13.

The complaint alleges defendants failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.

The Press Release provides:

On behalf of the Federal Trade Commission, the Department of Justice sued video-sharing platform TikTok, its parent company ByteDance, as well as its affiliated companies, with flagrantly violating a children’s privacy law—the Children’s Online Privacy Protection Act—and also alleged they infringed an existing FTC 2019 consent order against TikTok for violating COPPA.

The complaint alleges defendants failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.

“TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC Chair Lina M. Khan. “The FTC will continue to use the full scope of its authorities to protect children online—especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.” Read the rest of this entry »

If there is any doubt about the value of health data and the importance of maintaining strict security look no further than the Federal Trade Commission’s (“FTC”) action against Monument Inc, a New York based alcohol addiction center for selling its users personal health data to, amongst others, Meta and Google without their consent. Under the agreed consent order Monument is banned from disclosing health data for advertising and must obtain consent before sharing for any other purpose. That however is only the tip of a very big administrative iceberg that Monument has to navigate around.  The FTC, as per its usual practice, has set down obligations for implementing procedures and taking action and being monitored by an assessor.  The enforceable undertakings are far better drafted and more encompassing that those, few, undertakings issued by the Information Commissioner.  They are useful to read because they contain clauses that could be incorporated into contracts, terms of settlement and, perhaps if the Information Commissioner became more active, the regulator could use.

The statement from the FTC provides:

The Federal Trade Commission has taken action against an alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential.

As part of a proposed order settling the FTC allegations, New York-based Monument, Inc. will be banned from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third parties for any other purpose. Read the rest of this entry »

The US Federal Trade Commission has taken action against Avast for claiming it represented to consumers that its software would protect their privacy by preventing tracking and collection of browser information while it tracked that browser information and sold it to more than 100 other companies. Avast tracked and collected the data and provided it to a subsidiary, Jumpshot, which from 2014 until 2020 sold that browsing information to some of its clients, including investment nad advertising companies, search enging optimisation firms and data brokers.  In short companies that need data as part of their business activities.  Avast has entered into a consent order whereby it agreed to pay $16.5 million and be prohibited from selling or licensing any web browsing data for advertising purposes.

The FTC generally relies upon representations for jurisdiction to take action.  That is different to the approach taken by the UK regulator, which relies the UK Data Protection Act.  In Australia the regulator relies on its powers under the Privacy Act.  FTC decisions are useful and relevant in the analysis of privacy cases because the principles relating to data security, collection and use are consistent with those principles under the UK, New Zealand and European laws. Given the FTC is a much more active regulator than the Austrlian Office of the Information Commissioner the analysis of the FTC in its complaints and consent orders is particularly useful.  The Australian resources are modest by comparison and often too general. 

The FTC’s very colourful media release provides:

When uttered by a pirate, “Avast!” is a nautical term for “Listen up and cut it out.” And when the FTC says “Avast!” to software company Avast, it means the same thing. UK-based Avast Limited told consumers that using its software would protect their privacy by preventing the tracking and collection of their browser information. But according to the FTC, from 2014 to 2020, guess who was tracking consumers’ browser information and then selling it to more than 100 other companies through an affiliate called Jumpshot? Ironically enough, Avast Limited. We’re not sure how much the $16.5 million financial remedy is in doubloons, but we hope the terms of the proposed settlement will remind other companies to relegate conduct like that to Davy Jones’ Locker.

For consumers concerned about their privacy, Avast’s claims for its anti-virus software and browser extensions were attention-getters. The company promised its products would block “annoying tracking cookies that collect data on your browsing activities.” In a major app store, the company pitched its Avast Mobile Software as way for consumers to “secure your device” by getting “alerted when you install spyware and adware apps that violate your privacy by sending your personal data to their servers.” In describing its desktop software, Avast promised it would “shield your privacy” and “stop anyone and everyone from getting to your computer.” Avast also told people that its software would allow them to “reclaim your browser. Get rid of unwanted extensions and hackers making money off your searches.” The company’s marketing hook for its Avast Secure Browser was its anti-tracking capabilities, promising it would “protect[] your privacy by preventing websites, advertising companies, and other web services from tracking your online activity.”  Read the rest of this entry »

The Federal Trade Commission has taken action action against Blackbaud and required it to delete personal data that it does not need. The genesis of this outcome was the poor security practices that let a hacker access a trove of sensitive personal information in 2020, much of it which should not have been kept.  The FTC set out the multiple Blackbaud transgressions; failing to segment data, failing to have multi factor authentication and not notifying customers of the breach.  In this case, as in many others, a data breach doesn’t reveal one flaw but usually a system wide failure. 

The media release provides:

South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.

In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits, healthcare organizations, and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

The FTC says that, despite promising customers that it takes “appropriate physical, electronic and procedural safeguards to protect your personal information,” Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak, or identical passwords for their accounts, according to the complaint.

As a result of these failures, a hacker in early 2020 accessed a customer’s Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers. Read the rest of this entry »

The Federal Trade Commission is proposing changes to the COPPA Rule, the principle regulation relating to the protection of child privacy on line.  COPPA stands for Children’s Online Privacy Protection Act.The purpose is to restrict third parties monetising children’s data.

The release Read the rest of this entry »

The US Federal Trade Commission (“FTC”) is the most active Federal regulator in the United States of privacy and data breaches. It has its fair share of critics but is frenetic compared to Australian regulators. It has announced that it has taken action against Global Tel*Link Corp, a prison communications provider. It alleges that Global failed to secure sensitive personal information of hundreds of thousands of users by posting unencrypted personal information of 650,000 users in the cloud in August 2020 without firewall protection, encryption and monitoring software. It was only when a security researcher alerted the Global that it became aware of the problem. In the meantime hackers accessed billiions of bytes of this exposed data and put it on the dark web and was so advised in September 2020. Global waited 9 months to notify affected customers and in any event only notified 45,000. It has been reported in arstechnica with Prison phone company leaked 600K users’ data and didn’t notify them, FTC says.

The FTC Read the rest of this entry »

The Federal Trade Commission (“FTC”) and the US Department of Health and Human Services (“HHS”) have jointly released an updated guidance on collecting, using and sharing of Consumer Health Information.   As with Australia, New Zealand and the United Kingdom guidances play an important part of setting out standards and expectations regulators expect of individuals, companies and agencies who handle personal information.  It is something of the myth that the United States has no privacy protections.  In some areas the Federal regulations are very strong and breaches can result in harsh penalties.  One such area is a health data.  The United States has very stringent laws regarding the collection, use and storage of health information.

The guidance is not wholly translatable to the Australian environment.  The US legislation is quite specific and detailed.  That said, principles and methodologies applicable in handling health information is broadly similar.  Principles involved in securing information are virtually identical. 

The media release provides:

Ever wondered about the intersection of some of the health privacy and security-related laws and rules enforced by the Federal Trade Commission and the Department of Health and Human Services? You’re not alone, which is why FTC and HHS have teamed up to update a joint publication – Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule  – that helps businesses learn more about their legal obligations. Read the rest of this entry »

With the Report of Proposed Reforms to the Privacy Act recently released it is apposite that the Federal Trade Commission has recently announced that it is taking action against BetterHelp for sharing its consumers health information, including about mental health problems, with Facebook and other platforms for advertising.  The odious practice was well entrenched and longstanding, commencing in 2013 and not concluding until the media reported on it in 2020. The nature of the data misuse is all the more appalling given BetterHelp repeatedly promised to keep the data private. Instead it monetised the data to target them and others for the service it provides.  BetterHelp has reached a settlement with the FTC. 

Arising from this action

• the FTC’ makes it clear that an email or an IP address by themselves can disclose private information about consumers based on the entity sharing the data.
• the FTC regards a failure to obtain “affirmative express consent” for disclosure of health information to social media companies for advertising purposes to be an unfair practice.

• Companies should:

  • consider carefully whether any of their web pages or apps collect information that could be considered sensitive
  • review their privacy policies and ensure they can be understood
  • train employees regarding privacy
  • develop policies and restrictions on how personal data must be protected

The terms imposed by the FTC are onerous and particularly swingeing compared to the relatively relaxed enforceable undertakings imposed in Australia. 

The media was, as usual, scathing with Fortune’s Counseling service BetterHelp to return $7.8M to customers in FTC settlement after it shared private health data with Facebook and Snapchat and Yahoo’ s Teladoc’s (TDOC) BetterHelp Faces FTC Hurdle, to Pay $7.8M.

The media release provides:

The Federal Trade Commission has issued a proposed order banning online counseling service BetterHelp, Inc. from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising. The proposed order also requires the company to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.

This is the first Commission action returning funds to consumers whose health data was compromised. In addition, the FTC’s proposed order will ban BetterHelp from sharing consumers’ personal information with certain third parties for re-targeting—the targeting of advertisements to consumers who previously had visited BetterHelp’s website or used its app, including those who had not signed up for the company’s counseling service. The proposed order also will limit the ways in which BetterHelp can share consumer data going forward. Read the rest of this entry »