Tag Archives: FTC

Popular Music Video App Agrees to Record COPPA Settlement

Musical.ly, the popular social media app for children known as TikTok, and the FTC recently settled allegations of violations of the Children’s Online Privacy Protection Act (COPPA). The settled amount was  $5.7 million, the largest civil penalty the agency has collected for a children’s data privacy case.


The Musical.ly app allows users to make short lip-syncing videos that can be shared on the platform. Over 200 million users have downloaded the Musical.ly app worldwide, according to the FTC, with 65 million of those accounts being in the United States.


COPPA prohibits the unauthorized or unnecessary collection of children’s personal information online by internet website operators and online services, and requires that verifiable parental consent be obtained prior to the collecting, using, and/or disclosing of personal information of children under 13. Continue reading Popular Music Video App Agrees to Record COPPA Settlement

FTC Keeps CAN-SPAM Unchanged

The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) is here to stay, the Federal Trade Commission (FTC) recently announced after completing its review.

What is CAN-SPAM?

Effective January 1, 2004, CAN-SPAM establishes requirements for commercial messages, gives recipients the right to make you stop emailing them, and outlines tough penalties for violations. For example, each email in violation of CAN-SPAM is subject to penalties of up to about $40,000. That can quickly add up!

On February 12, 2019, the FTC announced that it had completed its first review of CAN-SPAM. Based on its review, the FTC announced its decision to retain the rule in its present form. Continue reading FTC Keeps CAN-SPAM Unchanged

FTC to Enforce Voluntary GDPR Compliance Statements

U.S. based companies that have updated their privacy policies to reflect increased consumer privacy protections intending to match the European Union’s GDPR protections may have unknowingly opened themselves up to added scrutiny from the Federal Trade Commission, according to FTC spokesperson Juliana Gruenwald Henderson.

Several organizations that collect consumer data on a large scale, including Facebook and Microsoft, have taken it upon themselves to increase personal data use transparency for their consumers through clearer privacy policies. This increase in transparency is designed, in part, to increase trust among their users, as well as potentially staying one step ahead of future U.S. regulation. That domestic regulation, however, might be coming sooner than anticipated.

The FTC’s Statement

Gruenwald Henderson explained, “If a company chooses to implement some or all of GDPR across their entire operations, and as a result makes promises to U.S. consumers about their specific practices they must live up to those commitments.” She added that this enforcement, although broad in nature, would only by applied towards specific and appropriate situations and “the FTC could initiate an enforcement action if the company does not comply with the EU data protection promises for U.S. customers.”

The FTC’s statement shows the government takes seriously companies’ privacy promises to their consumers. “If the company claims that it is compliant with EU law, it better be right, because the FTC will be looking for companies that are non-compliant but say otherwise,” said David Vladeck, former director of the FTC’s Bureau of Competition. Continue reading FTC to Enforce Voluntary GDPR Compliance Statements

Operation Main Street: The FTC’s Initiative to Battle Scams Against Small Business

Small businesses drive a significant portion of the American economy by providing jobs and services nationwide. As a vital component of domestic commerce, it is essential that there are protections in place to keep these companies safe from cyber scams. That’s where the FTC steps in, fulfilling their mission to protect consumers and small business owners.

The FTC, law enforcement, state and federal partners and the Better Business Bureau (BBB) have recently coordinated to form Operation Main Street, an education effort to help alert small businesses about scams and how to avoid them.

Example Scam Activity

In addition to cyber scams like business compromise emails and other phishing attacks, according to the FTC, some scammers actually call their targets claiming to be collecting on past-due bills for a variety of services including online directory listings, search engine optimization and web design and/or hosting. The scammer warns to “pay now” or the small businesses account will be turned over to collections and red flagged. The scammer warns that refusal to pay could have a negative impact on the company’s credit. However, the reality is the targeted small business never ordered the products or services to begin with; it’s all part of the con. Continue reading Operation Main Street: The FTC’s Initiative to Battle Scams Against Small Business

BLU Settles with FTC Over Privacy and Data Security Claims

Phone manufacturer BLU reached a settlement with the Federal Trade Commission (FTC) over allegations BLU allowed a Chinese third-party service to harvest user data without user knowledge or consent. This data harvesting was first brought to light in 2016, when security firm Kryptowire reported that BLU phones were sending information to China using software from Shanghai Adups Technology Company (ADUPS), a contracted third party of BLU.

What Data Was Harvested

According to the FTC’s press release, BLU contracted with ADUPS to issue security and operating system updates to BLU products. However, the BLU devices were also sending large amounts of data – more than BLU told its users – to ADUPS in China.

The harvested data included full text messages, location-tracking, call and text logs with corresponding phone numbers and contact lists, and a breakdown of applications installed on the BLU devices.

BLU’s Response Continue reading BLU Settles with FTC Over Privacy and Data Security Claims

FTC Brings the Enforcement Hammer for EU-US Privacy Shield Misrepresentations

For the first time, the Federal Trade Commission is holding companies accountable in three enforcement actions for misleading consumers about their Privacy Shield participation.

EU-U.S. Privacy Shield

The Privacy Shield framework allows companies to transfer consumer data across the pond from EU member states to the U.S. while complying with EU data protection laws. The Privacy Shield was birthed to replace the U.S.-EU Safe Harbor framework which was deemed invalid in 2015.

To participate in the framework, companies must certify with the U.S. Department of Commerce and demonstrate compliance with the Privacy Shield Principles. The Department of Commerce maintains the list of active members, while the FTC enforces compliance.

During Safe Harbor’s tenure as the preferred data transfer mechanism between the EU and U.S., the FTC brought 39 enforcement actions against companies for reasons of noncompliance. Now we see the first three enforcement actions under the newer Privacy Shield framework.

Privacy Shield Enforcement

The FTC announced that three companies violated the FTC Act by making false claims regarding their Privacy Shield certification to consumers. The companies never actually completed the certification process.

  • HR software company Decusoft LLC falsely stated in its privacy policy that it “participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.”
  • Printing services company Tru Communication (aka TCPrinting.net) falsely stated in its privacy policy that it “will remain compliant and current with Privacy Shield at all times.”
  • Real estate management company Md7 LLC falsely stated in its privacy policy that it “complies with the EU-U.S. Privacy Shield Framework.”

Acting FTC Chairman Maureen K. Ohlhausen notes, “Today’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce. Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”

In conjunction with the settlements, the FTC prohibits the three companies from misrepresenting their participation in any privacy or data security program sponsored by a government or regulatory agency.

Key Takeaways

What can other companies learn from the mistakes in these cases?

The FTC is committed to enforcing misrepresentations about Privacy Shield participation. Given the prior settlements under the Safe Harbor framework, the FTC remains consistent in their efforts to hold companies accountable.

The FTC advises, “If you apply to participate in Privacy Shield, follow through. If you apply but then decide not to participate, don’t tout your compliance in your privacy policy or elsewhere on your website. Furthermore, if the Department of Commerce contacts your company about a deficient or incomplete application, it’s wise to heed the warning by completing the self-certification process in a timely manner or by removing any false statement regarding participation in the Privacy Shield Framework.”

FTC Continues Its ‘Stick with Security’ Series

What are the key lessons learned from the mountain of data security investigations conducted by the FTC over the years?

The Federal Trade Commission (FTC) promised to reveal those lessons and provide practical guidance through a blog series titled ‘Stick with Security.’ Reviewing the blog posts within the series will give organizations actionable guidance and advice to protect consumer data.

The Stick with Security series spans ten blog posts, with a new one released each Friday. Last month, we covered the first five posts in our article – Stick with Security: FTC Provides Guidance on Reasonable Data Security Practices.

Below we recap the latter half of the FTC’s Stick with Security posts.

Stick with Security: Segment and Monitor Your Network

The FTC’s sixth post – “Stick with Security: Segment and Monitor Your Network” – demonstrates the benefits of segmenting your network and keeping a watchful eye on data transfers. It offers practical guidance and examples on how to:

  • Segment your network; and
  • Monitor activity on your network.

Stick with Security: Secure Remote Access to Your Network

The FTC’s seventh post – “Stick with Security: Secure Remote Access to Your Network” – calls on organizations to address the risks posed by remote access to networks and systems. The FTC provides a few examples of the good and the bad including:

  • Ensure endpoint security; and
  • Put sensible access limits in place.

Stick with Security: Apply Sound Security Patches

The FTC’s eighth post – “Stick with Security: Apply Sound Security Patches When Developing New Products” – emphasizes the importance and efficiency of building security into product development from the start. The post highlights several measures organizations can take to include security into their product development strategy including:

  • Train your engineers in secure coding;
  • Follow platform guidelines for security;
  • Verify that security features work; and
  • Test for common vulnerabilities.

Stick with Security: Make Sure Service Providers Implement Reasonable Security Measures

The FTC’s ninth post – “Stick with Security: Make Sure Service Providers Implement Reasonable Security Measures” – emphasizes the importance of reasonable security practices for an organization’s service providers. The FTC offers several steps and examples to incorporate reasonable security expectations with your service providers including:

  • Do your due diligence;
  • Put it in writing; and
  • Verify compliance.

Stick with Security: FTC Provides Guidance on Reasonable Data Security Practices

The Federal Trade Commission (FTC) is making good on its promise earlier this year to provide lessons and practical guidance from data security investigations. The FTC is publishing a series of blog posts under the theme “Stick with Security,” which will build on the principles in its previous Start with Security Guide for Businesses.

The Stick with Security series will highlight real-life security examples based on the FTC’s 60+ law enforcement actions, closed investigations, and FAQs. These efforts are designed to give businesses actionable advice to protect and secure consumer data.

Each Friday the FTC will publish a new blog in the series on their Business Blog. We will provide a recap and link to each blog posting here in our cyber newsletter updates.

Stick with Security: Insights into FTC Investigations

In its first post – “Stick with Security: Insights into FTC Investigations” – the FTC notes important lessons and takeaways from investigations closed with no further action. While those matters fade away without any public attention, the FTC highlights common cases and examples in their posting.

Start with Security – and Stick with It

The FTC’s second post – “Start with Security – and Stick with It” – outlines five key security practices that apply to businesses of all sizes and industries. The blog post offers examples of each security practice:

  • Don’t collect personal information you don’t need
  • Hold onto information only as long as you have a legitimate business need
  • Don’t use personal information when it’s not necessary
  • Train your staff on your security standards
  • When feasible, offer consumers more secure choices

Stick with Security: Control Access to Data Sensibly

The third post in the Stick with Security Series – “Stick with Security: Control Access to Data Sensibly” – details security measures for businesses to consider when limiting unauthorized access to consumer and other sensitive data. The post emphasizes two key principles for access control, along with related examples:

  • Restrict access to sensitive data
  • Limit administrative access

Stick with Security: Require Secure Passwords and Authentication

The fourth blog post – “Stick with Security: Require Secure Passwords and Authentication” – aims to give businesses practical examples of effective authentication procedures to safeguard their networks. Examples are provided relating to the recommended security measures:

  • Require long, complex, and unique passwords
  • Store passwords securely
  • Guard against brute force attacks
  • Protect sensitive accounts with more than just a password
  • Protect against authentication bypass

Stick with Security: Store Sensitive Personal Information Securely

The fifth post – “Stick with Security: Store Sensitive Personal Information Securely and Protect it During Transmission” – describes examples of reasonable protections businesses can take to secure sensitive data:

  • Keep sensitive information secure throughout its lifecycle
  • Use industry-tested and accepted methods
  • Ensure proper configuration

Disney Gets Caught in COPPA Lawsuit

The Walt Disney Company ended up on the wrong end of a lawsuit over violations of the Children’s Online Privacy Protection Act (COPPA). The class action suit alleges violations related to embedded software collecting children’s personal information from Disney’s apps.

COPPA Background

COPPA rules are regulated by the Federal Trade Commission. They require operators of commercial websites and online services directed at children under the age of 13 to comply with certain privacy standards. For example, COPPA rules require applicable organizations to post privacy policies, notify parents about their information practices, and obtain parental consent before collecting, using, or disclosing children’s personal information.

Disney Lawsuit

Ad tech companies provide the software development kits that Disney uses to track behavior across various apps and devices. This class action complaint makes several allegations and claims about Disney’s potential violations:

  • Tracking children’s online behavior to facilitate behavioral advertising or marketing analysis
  • Creating online profiles for child users with data elements like location, browsing history, and app usage
  • Failing to obtain verifiable parental consent, and never providing a mechanism for consent to be given

Disney released a statement, “Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court.”

Disney has been involved in alleged COPPA violations in the past, when a subsidiary company was given a $3 million penalty in 2011 for collecting and disclosing children’s personal information without parental consent.

Safe Harbor Update

The FTC made news in regards to COPPA by approving TRUSTe’s modifications to its safe harbor program. Organizations in an approved safe harbor program – like TRUSTe’s – are subject to program-regulated guidelines rather than COPPA’s formal FTC investigation and enforcement process.

Organizations covered under TRUSTe’s safe harbor program should review the approved updates.

Increasing Regulatory Requirements for IoT

The COPPA update is part of a larger regulatory wave to address the expanding privacy and security issues surrounding the Internet of Things (IoT).

While the FTC update focuses on ‘smart toys,’ the overall trend will require all organizations to analyze the privacy and security implications stemming from the emerging ‘smart’ business models.

The security industry expects to see much more action in the near future (including legislation making its way through Congress) related to shifting regulation and new vulnerabilities for the Internet of Things.

FTC Updates COPPA Compliance Guidance

Anyone who falls under regulations with the COPPA knows the FTC takes children’s privacy seriously.

With more products being marketed towards minors (i.e. internet-connected toys) the Federal Trade Commission revisited compliance requirements under the Children’s Online Privacy Protection Act (COPPA).

The FTC released an update to the ‘Six-Step Compliance Plan for Your Business’ to simplify COPPA compliance for organizations. Several new focus areas are noted in the guidance including:

  • New business models. As technologies evolve, organizations are changing the way they collect data. Evolving data collection activities are addressed in the new update. For example: The update added regulations for voice-activated devices that collect personal information.
  • New products covered by COPPA. COPPA no longer applies strictly to websites and mobile apps. The law now covers a growing list of connected devices that make up the Internet of Things. This includes web-connected toys and other products intended for children that collect personal information, such as voice recordings or geolocation data.
  • New methods for getting parental consent. The revised Compliance Plan discusses two newly-approved methods for getting parental consent: asking knowledge-based authentication questions and using facial recognition to get a match with a verified photo ID.

The FTC offers an additional FAQ resource for organizations that have further questions regarding COPPA compliance.

The FBI also released a related article on privacy risks associated with Internet-connected children’s toys.