Insights

On December 17, 2024, the Federal Trade Commission (“FTC”) and the Illinois Attorney General (“AG”) announced a $140 million settlement with Grubhub to resolve charges involving an array of allegedly unlawful and deceptive business practices. Even though the FTC’s proposed final rule on junk fees (also announced on December 17, 2024) is limited to hotels, live events, and short-term rentals, this settlement demonstrates that the FTC will use its broad enforcement powers to pursue companies imposing junk fees online, and that both federal and state consumer protection regulators will formulate 2025 enforcement priorities with junk fees and click-to-cancel in mind. Indeed, this $140 million settlement, of which Grubhub will pay $25 million based on its demonstrated inability to pay the full amount, is the first of its kind in that it is a joint action by the FTC and state regulators to pursue both junk fees and click-to-cancel violations.

After conducting an investigation targeted at nine popular social media and video streaming companies, the Federal Trade Commission (FTC or Commission) released a Staff Report examining their data practices, including those relating to minors.  The FTC based its report on responses to questions it compelled under Section 6(b) (which enables the Commission to require an entity to file reports or answers in writing to specific questions) from Amazon.com, Inc. (which owns the gaming platform Twitch), Facebook, Inc. (now Meta Platforms, Inc.), YouTube LLC, Twitter, Inc. (now X Corp.), Snap Inc., ByteDance Ltd. (which owns the video-sharing platform TikTok), Discord Inc., Reddit, Inc., and WhatsApp Inc.

The rapid and evolving development of artificial intelligence (“AI”) has alarmed various government agencies, especially the Federal Trade Commission (“FTC”).  On November 21, the FTC approved an omnibus resolution simplifying the process for its staff to issue civil investigative demands (“CIDs”) in AI investigations.  This resolution comes on the heels of President Biden’s October executive order establishing new standards for AI safety and security.  Both actions may increase exposure for businesses involved in the use of products and services that use or are produced through AI.  Businesses should be knowledgeable about their use and marketing of AI and ensure their products and conduct do not pose a risk to consumers or competition.

On August 24, 2022, the California Attorney General’s Office announced a settlement with Sephora, Inc. (Sephora), a French multinational personal care and beauty products retailer. The settlement resolved Sephora’s alleged violations of the California Consumer Privacy Act (CCPA) for allegedly failing to: disclose to consumers that the company was selling their personal information, process user requests to opt out of sale via user-enabled global privacy controls, and cure these violations within the 30-day period currently allowed by the CCPA.

On August 11, 2022, the Federal Trade Commission (“FTC”, the “Commission”) published an Advance Notice of Proposed Rulemaking (“ANPR”, the “Notice”) intended to address what the FTC refers to as “commercial surveillance and lax data security practices,” involving companies’ collection, use and monetization of consumer data in ways that harm consumers and impact competition.  This ANPR marks the beginning of a long process that may or may not result in a final rule. This process begins with a sixty-day period after the ANPR’s publication in the Federal Register during which the Commission will accept public comment. Specifically, the FTC solicits public comment regarding:

On Friday, President Biden signed the Executive Order on Promoting Competition in the American Economy (“Executive Order”). The Executive Order includes 72 initiatives by more than a dozen federal agencies to address perceived competition issues across the economy, and establishes a White House Competition Council to monitor progress on facilitating and implementing these initiatives. The Executive Order announces a policy of increased antitrust enforcement -- “especially as these issues arise” in labor markets, agricultural markets, Internet platform industries, healthcare markets, repair markets, and U.S. markets directly affected by foreign cartel activity. 

On Thursday, February 4, the 11th Circuit held that a plaintiff cannot establish Article III standing to sue based on an increased risk of identity theft. The 11th Circuit joins the 2d, 3d, 4th, and 8th Circuit’s in rejecting standing based on such allegations. However, the 6th, 7th, 9th, and D.C. Circuit have all held to the contrary that a plaintiff can establish Article III standing when the defendant’s conduct has increased the risk of identity theft. The circuit split augurs U.S. Supreme Court intervention on this question in the coming years, if not sooner.

With the rising use of biometrics and facial recognition software in consumer-based applications, the FTC is cracking down—more than ever—on the unauthorized use of facial recognition technology. How? In its recent settlement order and in stark contrast with past settlements for similar alleged conduct, the FTC has required Everalbum, Inc. (“Everalbum”), a California-based developer of a photo storage and organization application called “Ever,” to delete (1) the photos and videos of Everalbum app users who deactivated their accounts; (2) all face embeddings—data reflecting features that can be used for facial recognition purposes—that the company derived from the photos of Everalbum users who did not give their express consent to their use; and (3) any facial recognition models or algorithms developed with Everalbum users’ photos or videos.

The National Institute of Standards & Technology (NIST) has published three draft addenda to its manufacturer IoT guidance NISTIR 8259, as well as draft guidance for federal agencies, NIST SP 800-213, on integrating IoT devices into their networks. Notably, NIST published the addenda—8259B, 8259C, and 8259D—and 800-213 just days after the enactment of the Internet of Things Cybersecurity Improvement Act of 2020, in which Congress directed NIST to draft and finalize security guidelines for IoT devices procured by the federal government. While neither the 8259 addenda nor 800-213 fall within the Act's purview, they are likely to inform NIST's development of its IoT cybersecurity guidance under the Act. This is particularly true with regard to both 800-213 and addendum 8259D, the latter of which offers a "worked example" of implementing the core 8259 requirements within the specifications of the FISMA process and the NIST SP 800-53 security controls. 

Last week, the President signed the Internet of Things (IoT) Cybersecurity Improvement Act into law, kicking off a multi-year process that will culminate in the first-ever federal requirements for IoT devices. Under the law, the National Institute of Standards & Technology (NIST) is now charged with drafting and finalizing security requirements for IoT devices, as well as guidelines for managing disclosures about those devices’ security vulnerabilities. In two short years, the federal government will then be prohibited from procuring IoT devices unless (1) the devices meet the pending NIST requirements; or (2) the devices are granted a formal waiver by an agency Chief Information Officer. In addition to creating yet another cybersecurity regime for the government contracting community, the law will create a new benchmark for consumer-facing companies to consider when assessing and complying with the growing number of states imposing their own “reasonable security” requirements for IoT devices.

On November 3, 2020, California voters approved California Proposition 24, also known as the California Privacy Rights Act of 2020, or CPRA. The CPRA expands protections afforded to personal information, building off of the California Consumer Privacy Act (CCPA), which took effect in January of this year. While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023, and apply only to personal information collected after January 1, 2022.

On August 14, 2020, California Attorney General Xavier Becerra released final implementing regulations for the California Consumer Privacy Act (CCPA). The CCPA became enforceable on July 1, 2020, and Becerra’s office submitted a final proposed draft of the regulations to the California Office of Administrative Law (OAL) on June 1, 2020. The Proposed Regulations have gone through several revisions since the publication of the initial draft in October of 2019. The OAL approved the final version along with an updated Addendum to the Final Statement of Reasons. The final implementing regulations take effect immediately. All businesses subject to the CCPA must now comply with both the statute and the regulations.

As the COVID-19 pandemic continues and there is mounting pressure to ease business and social restrictions, governments, non-profits, and private corporations are all increasingly focused on solutions that would not only track and trace the movements of individuals to determine exposure to the virus and compliance with stay-at-home orders, but also potentially signal the person’s COVID-19 status. This, of course, raises a slew of privacy issues.

On March 11, 2020, California’s Office of the Attorney General (OAG) released a second set of proposed revisions to the California Consumer Privacy Act (CCPA) draft regulations originally released in 2019 (Proposed Regulations).

California businesses have been nervously waiting for the first class action asserting a violation of California’s now-infamous California Consumer Privacy Act (CCPA). The wait is now over.

On February 7, 2020, California’s Office of the Attorney General (OAG) released proposed revisions to the California Consumer Privacy Act (CCPA) draft regulations of 2019.

Notable for being its first IoT guidance published since the January 1, 2020, implementation of California’s law requiring all IoT devices to include “reasonable security features,” the National Institute of Standards and Technology (NIST) has updated its manufacturer-facing IoT cybersecurity guidelines, NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. This second draft “contains the same main concepts” as the first but revises how these concepts are presented to “clarify the concepts and address other comments from the public.” The second draft describes “voluntary, recommended activities related to cybersecurity” that IoT device manufacturers can use to enhance the security profiles of IoT devices when they are ultimately deployed by consumers.

On January 1, 2020, California’s landmark privacy law, the California Consumer Privacy Act (CCPA), took effect. The CCPA imposes various obligations on covered businesses and provides extensive rights to consumers with respect to controlling the collection and use of their personal information. While some companies have largely completed their CCPA compliance efforts, many others are still digesting the CCPA and draft proposed regulations, and taking steps to meet the CCPA’s myriad compliance obligations.

On October 10, 2019, California Attorney General Xavier Becerra announced a long-awaited notice of proposed rulemaking and draft regulations for the California Consumer Privacy Act (CCPA), California’s new consumer privacy law, which we have analyzed here, here, and here. 

On October 10, 2019, California Attorney General Xavier Becerra announced a long-awaited notice of proposed rulemaking and draft regulations for the California Consumer Privacy Act (CCPA), California’s new consumer privacy law, which we have analyzed here and here.