IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson


See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

In “IoT Device Companies:  Add COPPA to Your “To Do” Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be subject to the Children’s Online Privacy Protection Act (COPPA) and may face increased scrutiny from the FTC with respect to their data collection practices.  That warning became a harsh reality for VTech Electronics Limited (VTech), which recently entered into a settlement with the FTC to, among other things, pay $650,000 for alleged violations of COPPA and the FTC Act.

The Department of Justice, on behalf of the FTC, filed a complaint against VTech alleging that the Kid Connect application embedded in a variety of online platforms and portable devices distributed by VTech collected personal information from hundreds of thousands of children, without providing the requisite direct notice of VTech’s information practices to parents; and without obtaining verifiable consent to the collection of the information from parents, both as required by COPPA.  In addition, the FTC stated that VTech’s data security measures to protect the information it had collected were neither reasonable, nor appropriate to satisfy the requirements of COPPA.  The complaint further alleged deceptive practices by VTech in connection with statements in its privacy policy relating to whether VTech encrypted collected data.

COPPA

COPPA requires that any company which collects personal information online from children under the age of 13 must: 1) have a privacy policy which clearly and completely discloses to parents what information is collected, how the collected information will be used and what the parent’s rights are with respect to modifying or deleting the information; 2) obtain verifiable consent from the parent to the collection and intended use; and 3) take reasonable measures to protect the security and confidentiality of the obtained information.  VTech required parents to provide personal information, including the parent’s name and email address, as well as the child’s name, gender and date of birth when signing up for platforms or devices leveraging the Kid Connect application.  However, The FTC found various violations of COPPA in VTech’s practices.  Alleged violations of COPPA are detailed below, along with key takeaways for IoT companies.

Violation: Although VTech had a privacy policy in place, it was posted only on certain registration pages, which violated COPPA’s requirement to provide a direct notice of its policies to parents.  The FTC asserted that VTech failed to provide the required direct and clear link to its information practices, because the link to the VTech privacy policy was not posted in each place where children’s information was collected and on the landing screen of the application.

Lesson:  Post frequent and prominent links to the company’s privacy policy in each and every location where the information is collected, as well as on the home/landing page for each service.  Note that information may be collected during initial sign up or subscription, at log in and/or account set up screens and during play or use on platforms devices.

Violation:  The FTC alleged that VTech failed to provide complete notice of its information collection and intended use practices.  COPPA requires organizations, among other things, to post their physical and email address, a full description of the information collected from children, as well as information about the parents’ rights to modify, review and delete their children’s information.   VTech failed to provide a complete description of collection practices and intended uses.

Lesson:  Ensure that privacy policies provide a complete and accurate description of how data is collected and used.  In the VTech case, multiple platforms and devices connecting to the application collected different data elements and provided different functionality.  For example, some devices permitted chatting with authorized contacts and briefly stored recordings of such chats and messages, whereas other platforms simply stored names, addresses and gender.  It is critical that the privacy policy completely explains each and every use.

Violation:  In its complaint, the FTC noted that VTech also failed to have a mechanism in place to verify that the registrant was a parent and not a child, thereby failing to obtain verifiable consent from the parents prior to collecting the information.

Lesson:  IoT companies must use available technology to be reasonably certain that the person providing the consent is, in fact, a parent.  There are a variety of FTC- approved methodologies, including knowledge based questions and facial recognition technologies.  Note that consent should be obtained again if an organization institutes any material change to previously consented to collection or use practices.

Violation:  VTech allegedly failed to implement adequate security measures to protect stored and transmitted information as required by COPPA.  The FTC noted weaknesses in VTech’s overall security program, which included inadequate training of employees as to information security requirements, and lack of penetration testing.  Specifically, the FTC identified VTech’s failure to institute an intrusion prevention or detection system, so that VTech would be apprised of any unauthorized attempted or actual breaches of its network.  In fact, VTech only learned of the intrusion and access to consumer information in November, 2015, from a journalist.  VTech also failed to monitor for or to identify the extraction of the children’s information across the VTech network boundaries.  Finally, VTech stored certain information in a manner that linked that information to a parent’s name and physical address, and failed to encrypt certain pieces of information, both of which could identify a child to a hacker.

Lesson:  Information and data security is a constantly evolving obligation, and it is critical that each company collecting information online stay up to date on current technologies.   The FTC noted that there were available intrusion measures which VTech could have implemented.  In addition, companies should regularly test the effectiveness of their current administrative practices and procedures and ensure that proper training is in place for new and current employees.

FTC Act

In addition to the alleged violations of COPPA, the FTC accused VTech of engaging in deceptive practices in violation of the FTC Act, by implying in its privacy policy that the personal information submitted by the parents would be encrypted.  VTech’s privacy policy stated that, “in most cases” the data provided would be encrypted.  In practice, however, VTech did not encrypt the collected information.

Conclusion

The action brought against VTech is the first such action before the FTC with respect to Internet-connected toys, and may signal a shift in focus by the FTC toward greater scrutiny for IoT device companies marketing to children.  Acting FTC Chairman Maureen K. Ohlhausen noted that, “As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data.”  In addition to paying the $650,000 penalty, VTech must create and implement a comprehensive data security program (to be independently audited for 20 years), provide compliance reporting to the FTC and is enjoined from further violations of COPPA or misstatements of its privacy policies in the future.  Now more than ever, it is critical that IoT device companies review their posted policies and practices with respect to all personal information collected from or about children under the age of 13: 1) to ensure that such policies are clear and complete; 2) the parents receive direct and full access to the entirety of the policies; 3) verifiable consent is obtained from the parents; and 4) the companies’ information security measures and policies are adequate to guard against and promptly identify any breaches with respect to collected information.

OTHER THOUGHT LEADERSHIP POSTS:

Good, Bad or Ugly? Implementation of Ethical Standards In the Age of AI

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below With the explosion of artificial intelligence (AI) implementations, several technology organizations have established AI ethics teams to ensure that their respective and myriad uses across...

IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of,...

Predictive Algorithms in Sentencing: Are We Automating Bias?

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below Although algorithms are often presumed to be objective and unbiased, recent investigations into algorithms used in the criminal justice system to predict recidivism have produced compelling...

My Car Made Me Do It: Tales from a Telematics Trial

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that...

When Data Scraping and the Computer Fraud and Abuse Act Collide

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use...

Is Your Bug Bounty Program Uber Risky?

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States...

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be...

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to...

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

Influencer marketing, hashtags and proper disclosures were the hot button topic for the Federal Trade Commission (the “FTC”) in 2017, so let’s take a look at just how the FTC has influenced Social Media Influencer Marketing in 2017. First, following up on the more...

Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below This is the third in a series of three articles on the FTC’s Stick with Security blog. Part I and Part II of this series can be found here and here. Over the past 15 years, the Federal Trade...

Lizz Patrick Honored with the Emily Warren Roebling Force Majeure Award

Lizz Patrick Honored with the Emily Warren Roebling Force Majeure Award

Congratulations to Lizz Patrick who was honored today with the Emily Warren Roebling Force Majeure Award by the ABA Forum on Construction Law for her Distinguished Service.

“The Women’s Committee will be honoring, for the first time, an Unsung Heroine of the Forum. The award is given to a woman who has made outstanding contributions to the Forum and recognizes the honoree for her previously unnoted yet valuable contribution to the Forum. For the inaugural award, come celebrate the contributions of A. Elizabeth (“Lizz”) Patrick.”

The above quote can be found in the ABA Forum Agenda linked here.

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry


See all of Our JDSupra Posts by Clicking the Badge Below

View Patrick Law Group, LLC

The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to consumers’ sensitive personal information, transparency is key, and failure to assess and address security risks created by third-party software vendors may be deemed an unfair act or practice under Section 5 of the FTC Act.

Lenovo’s problems began in August 2014 when Lenovo began selling laptops to consumers with preinstalled “man-in-the-middle” software provided by a third-party vendor, Superfish, Inc.  The software delivered pop-up ads notifying consumers of similar products sold by Superfish’s retail partners when consumers hovered over a product image on a shopping website.

In order to inject pop-up ads into encrypted connections, the software replaced the digital certificates for websites visited by consumers with Superfish’s own digital certificate, which had been installed in the laptop’s operating system.  As a result, there was no longer a direct, encrypted connection between the websites visited by consumers and their Internet browsers.  Superfish’s software was acting as a man-in-the-middle, and was decrypting and then re-encrypting the information traveling between the browsers and the websites. Consequently, Superfish’s software provided access to all personal information transmitted by consumers over the Internet, including login credentials, Social Security numbers, medical information, and financial information.  The FTC noted that although Superfish collected a more limited subset of consumer information, the software had the ability to collect additional information at any time.

In addition, the Superfish software replaced websites’ digital certificates without sufficiently verifying that the websites’ certificates were valid, and Superfish used the same insufficiently complex encryption key password on all laptops.  As a result, potential attackers could intercept consumers’ communications with websites by hacking the encryption key’s password “Komodia” (the name of the vendor that provided the code used by Superfish in its software).

The FTC’s complaint alleged that Lenovo’s failure to disclose the fact that pre-installed software would act as a man-in-the-middle between consumers and all websites with which consumers communicated, and that the Software would also collect and transmit consumer Internet browsing data to Superfish, was an unfair or deceptive act or practice.  The FTC also maintained that Lenovo had engaged in an unfair act or practice by failing to adequately assess (and then address) security risks created by the Superfish software Lenovo pre-loaded on consumer laptops.

“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

The FTC’s subsequent commentary on the Lenovo settlement, together with past guidance provided by the FTC, offers several takeaways:

  • Be transparent.  Transparency is always the best policy when considering the privacy of consumers’ personal information.  Lenovo failed to adequately disclose to consumers (let alone get their consent) that a third-party would be able to intercept all of their online communications, or that man-in-the-middle software would transmit browsing data to a third party.  The FTC has made clear that businesses must clearly explain to consumers how their data will be used and provide an easy way for consumers to opt out of data use or collection practices involving their personal information.
  • Disclosures must be conspicuous and complete.  On the Lenovo laptops, a consumer did see a one-time popup window the first time the consumer visited a shopping website.  The popup window included the following message: “Explore shopping with VisualDiscovery: Your browser is enabled with VisualDiscovery which lets you discover visually similar products and best prices while you shop.”  Although the pop-up window did include a small opt-out link, it was not conspicuous and thus easy for consumers to miss.  If a consumer clicked anywhere on the screen, or on the “x” button to close the pop-up, the consumer was automatically opted in to the software.

The FTC found that this initial pop-up window did not adequately disclose that the pre-installed software would act as a man-in-the-middle between consumers and the websites they visited, and consumers would have found the collection and transmittal of their sensitive information through this software a material fact when deciding whether to opt-into the pre-installed software.  In addition, had a consumer clicked on the opt-out link, although the consumer would have successfully opted-out of receiving the pop-up ads, the software would continue to act as man-in-the-middle, and thus would continue to expose consumer information despite the election to opt out.  The FTC also noted that neither the End User License Agreement nor the Privacy Policy for the Superfish software included a disclosure regarding the collection and use of consumers’ sensitive information.

  • Undertake adequate due diligence and include security requirements in Agreements. Companies are ultimately responsible for their third-party vendors and are expected to ensure that service providers implement reasonable measures to address security risks. As the FTC noted in its Stick with Security guide published in 2017, companies should take a “trust, but verify” approach to their service providers and undertake adequate due diligence to confirm that their service providers have sufficient security controls in place to maintain the security of sensitive data.  Companies should also include appropriate security requirements in their agreements with service providers.  The FTC may view a company’s failure to hold service providers to specific security requirements as a missed opportunity to take reasonable steps to safeguard customers’ data.
  • Verify compliance.  Although due diligence and contractual requirements with service providers are important components of a company’s data security policy, a company should also verify that its service providers are complying with contractual requirements.

As part of the settlement, Lenovo is prohibited from pre-installing similar software unless Lenovo (i) obtains a consumer’s affirmative, express consent, (ii) provides instructions as to how a consumer can revoke consent, and (iii) provides an option for consumers to opt-out, disable or remove the software or its offending features.  In addition, for the next twenty years, Lenovo must maintain a comprehensive software security program that is reasonably designed to address software security risks related to the development and management of new and existing application software, and protect the security, confidentiality, and integrity of sensitive information.  Acting Chairman Ohlhausen noted that the Lenovo settlement sends a message that “everyone in the chain really needs to pay attention.”

OTHER THOUGHT LEADERSHIP POSTS:

Good, Bad or Ugly? Implementation of Ethical Standards In the Age of AI

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below With the explosion of artificial intelligence (AI) implementations, several technology organizations have established AI ethics teams to ensure that their respective and myriad uses across...

IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of,...

Predictive Algorithms in Sentencing: Are We Automating Bias?

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below Although algorithms are often presumed to be objective and unbiased, recent investigations into algorithms used in the criminal justice system to predict recidivism have produced compelling...

My Car Made Me Do It: Tales from a Telematics Trial

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that...

When Data Scraping and the Computer Fraud and Abuse Act Collide

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use...

Is Your Bug Bounty Program Uber Risky?

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States...

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be...

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to...

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

Influencer marketing, hashtags and proper disclosures were the hot button topic for the Federal Trade Commission (the “FTC”) in 2017, so let’s take a look at just how the FTC has influenced Social Media Influencer Marketing in 2017. First, following up on the more...

Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below This is the third in a series of three articles on the FTC’s Stick with Security blog. Part I and Part II of this series can be found here and here. Over the past 15 years, the Federal Trade...

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

Influencer marketing, hashtags and proper disclosures were the hot button topic for the Federal Trade Commission (the “FTC”) in 2017, so let’s take a look at just how the FTC has influenced Social Media Influencer Marketing in 2017.

First, following up on the more than 90 educational letters FTC staff sent to social media influencers and brands in April, the staff then sent warning letters to 21 of the influencers previously contacted. The earlier educational letters informed the influencers that if they are endorsing a brand and have a “material connection” to the marketer, this connection must be clearly and conspicuously disclosed, unless the connection is already clear from the context of the endorsement.

The warning letters cited specific social media posts of concern to FTC staff and provided details on why the influencers may not be in compliance with the FTC Act as explained in the FTC’s Endorsement Guides. For example, some of the letters noted that tagging a brand in an Instagram picture is an endorsement of the brand and does actually require an appropriate disclosure.

Second, the FTC then issued an updated version of The FTC’s Endorsement Guides (the “Guides”): “What People are Asking”, a staff guidance document that answers frequently asked questions. Previously revised in 2015, the newly updated Guides includes more than 20 additional questions and answers addressing specific questions social media influencers and marketers may have about whether and how to disclose material connections in their posts. For example, the Guides includes additional information depicting Instagram tags and how to meet FTC standards for disclosure on Snapchat or Instagram Stories.

The FTC suggests:

(1) #ambassador is not likely to be acceptable, while #[BRAND]Ambassador may be, assuming the brand name is one consumers would recognize; and

(2) #consultant is not permissible, while #[BRAND]Consultant may very well be allowable. While the FTC Staff seems to like the brand name in the disclosure, and we know they like #ad, they do not appear to support #[brand]ad using all lowercase letters, as readers’ might not discern that the disclosure clearly indicates the post is an ad for a brand.

In conjunction with the with 21 warning letters sent and the updated Guides, on September 7, 2017, the FTC announced its complaint against social media influencers, Trevor “TmarTn” Martin and Thomas “Syndicate” Cassell.  According to FTC Acting Chairman Maureen Ohlhausen, “Consumers need to know when social media influencers are being paid or have any other material connection to the brands endorsed in their posts…this action, the FTC’s first against individual influencers, should send a message that such connections must be clearly disclosed so consumers can make informed purchasing decisions.”

The complaint alleged that in late 2015, CSGOLotto, Inc., Martin, the company’s president and Cassell, the company’s vice-president, operated and advertised the csglotto.com website, which enabled consumers to gamble virtually. As further alleged in the complaint, Martin and Cassell each posted YouTube videos of themselves gambling on their website and encouraging others to use the service. Martin’s videos had titles such as, “HOW TO WIN $13,000 IN 5 MINUTES (CS-GO Betting)” and “$24,000 COIN FLIP (HUGE CSGO BETTING!) + Giveaway.”

Cassell posted videos with titles such as “INSANE KNIFE BETS! (CS:GO Betting),” and “ALL OR NOTHING! (CS:GO Betting).” In all, Cassell’s videos promoting the CSGO Lotto website were viewed more than 5.7 million times. Martin and Cassell also allegedly promoted the site on Twitter without adequately disclosing their connection to CSGO Lotto.

According to the FTC’s complaint, Martin, Cassell, and CSGO Lotto also had an “influencer program” and paid other gaming influencers between $2,500 and $55,000 to promote the CSGO Lotto website to their social media circles, while prohibiting them from saying anything negative about the site.  Specifically, the complaint stated that Martin, Cassell, and CSGO Lotto misrepresented that videos of themselves and other influencers gambling on the CSGO Lotto website and their social media posts about the website reflected the independent opinions of impartial users of the service. The complaint charged that, in truth, Martin and Cassell are owners and officers of the company operating the CSGO Lotto website and the other influencers were paid to promote the website and were prohibited from challenging its reputation.

The FTC ultimately approved the final consent order On November 28, 2017, settling its first ever case against individual social media influencers, and the order prohibits Martin, Cassell, and CSGOLotto, Inc. from misrepresenting that any endorser is an independent user or ordinary consumer of a product or service. The order also requires clear and conspicuous disclosures of any unexpected material connections with endorsers.

It is important to point out that the FTC, in this case, charged two specific social media influencers and their company but has yet to charge an independent social media influencer for failing to disclose a material connection to a separate company.  However, social media platforms have already responded to the FTC’s scrutiny this year.  For example, earlier this year, Instagram unveiled a new disclosure tool to a select group of influencers.  The tool was designed to streamline compliance with FTC disclosure requirements and bring more transparency to the platform.  Previously, influencers were responsible for how and where to disclose the sponsored nature of their posts.  Instagram’s new tool, however, removes this discretion by providing one clear, conspicuous and standardized form of disclosure.  Instagram described its new tool as a “first step” and promised to take additional actions in the area of sponsored posts.

Clearly, the FTC’s view of how to avoid consumer deception will continue to evolve in 2018 just as the forms of advertising and digital media advance; however, regardless of this evolution the FTC is likely to continue to reinforce tried and true advertising principles while leaning on the updated Guides.  Consequently, educating influencers and brands will be paramount, along with providing the technology and practical tools that enable these stakeholders to achieve their goals, while still protecting consumers.

OTHER THOUGHT LEADERSHIP POSTS:

Good, Bad or Ugly? Implementation of Ethical Standards In the Age of AI

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below With the explosion of artificial intelligence (AI) implementations, several technology organizations have established AI ethics teams to ensure that their respective and myriad uses across...

IoT Device Companies: The FTC is Monitoring Your COPPA Data Deletion Duties and More

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below Recent Federal Trade Commission (FTC) activities with respect to the Children’s Online Privacy Protection Act (COPPA) demonstrate a continued interest in, and increased scrutiny of,...

Predictive Algorithms in Sentencing: Are We Automating Bias?

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below Although algorithms are often presumed to be objective and unbiased, recent investigations into algorithms used in the criminal justice system to predict recidivism have produced compelling...

My Car Made Me Do It: Tales from a Telematics Trial

By Dawn Ingley See all of Our JDSupra Posts by Clicking the Badge Below Recently, my automobile insurance company gauged my interest in saving up to 20% on insurance premiums.  The catch?  For three months, I would be required to install a plug-in monitor that...

When Data Scraping and the Computer Fraud and Abuse Act Collide

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below As the volume of data available on the internet continues to increase at an extraordinary pace, it is no surprise that many companies are eager to harvest publicly available data for their own use...

Is Your Bug Bounty Program Uber Risky?

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In October 2016, Uber discovered that the personal contact information of some 57 million Uber customers and drivers, as well as the driver’s license numbers of over 600,000 United States...

IoT Device Companies: COPPA Lessons Learned from VTech’s FTC Settlement

By Jennifer Thompson See all of Our JDSupra Posts by Clicking the Badge Below In “IoT Device Companies:  Add COPPA to Your "To Do" Lists,” I summarized the Federal Trade Commission (FTC)’s June, 2017 guidance that IoT companies selling devices used by children will be...

Beware of the Man-in-the-Middle: Lessons from the FTC’s Lenovo Settlement

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below The Federal Trade Commission’s recent approval of a final settlement with Lenovo (United States) Inc., one of the world’s largest computer manufacturers, offers a reminder that when it comes to...

#TheFTCisWatchingYou: Influencers, Hashtags and Disclosures 2017 Year End Review

Influencer marketing, hashtags and proper disclosures were the hot button topic for the Federal Trade Commission (the “FTC”) in 2017, so let’s take a look at just how the FTC has influenced Social Media Influencer Marketing in 2017. First, following up on the more...

Part III of III | FTC Provides Guidance on Reasonable Data Security Practices

By Linda Henry See all of Our JDSupra Posts by Clicking the Badge Below This is the third in a series of three articles on the FTC’s Stick with Security blog. Part I and Part II of this series can be found here and here. Over the past 15 years, the Federal Trade...