Online shopping and the use of virtual try-on technology continue to grow in popularity. Retailers today have a number of options when considering how to bring virtual try-ons to consumers. These range from licensing third-party technology to integrate virtual try-on within their own e-commerce channels to partnering with an online shopping network that offers the feature as an add-on. Regardless of how a retailer makes virtual try-ons available to consumers, use of virtual try-on technology introduces important privacy considerations. And if the feature collects data about consumers’ hands or faces, state biometric laws may come into play. Miriam Farhi, Andrew Grant, and Bipasana Joshee share some privacy best practices for retailers considering virtual try-ons in their article for Retail TouchPoints.

The U.S. Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative, announced last October, is designed to leverage existing whistleblower incentives for employees, or other persons with inside knowledge, to identify lapses in federal contractors’ cybersecurity and privacy practices. We gave that issue in-depth treatment here, with particular focus on the U.S. District Court for the Eastern District of California’s opinion in United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245 WBS AC, 2022 WL 297093 (E.D. Cal. Feb. 1, 2022), denying the defendant’s motions for summary judgment on a majority of the relator’s False Claims Act (FCA) claims.


The Federal Communications Commission recently adopted certain final rules, policies, and proposed rules to “stem the tide of foreign-originated illegal robocalls.” The FCC Order targets so-called “gateway providers,” which are U.S.-based intermediate providers that receive calls directly from a foreign provider or its U.S.-based facilities before transmitting the calls downstream. Among other things, the Order requires gateway providers to block illegal traffic upon notification from the FCC, respond to robocall traceback requests within 24 hours, and implement “know your upstream provider” obligations. The Order’s proposed rules would extend most of the Order’s obligations to all forms of U.S.-based telecom providers.


The National Information Security Standardization Technical Committee issued a draft of the new national standards on May 26, 2022. The new draft—Information Security Technology: Requirements of Privacy Policy of Internet Platforms, Products and Services—is available for public comment until July 25, 2022.

The Draft Requirements document is China’s first list of national standards focusing on privacy policy and covers five aspects of compliance requirements, including (1) the preparation procedures, (2) the privacy policy’s content, (3) release and visualization, (4) revision, and (5) the resolution of disputes over the privacy policy.

Companies can use the standards as a reference point when drafting and implementing privacy policies for their products or services.


In recent years, apparel and retail businesses have increasingly sought to provide customers with options to interact with the brand’s merchandise and services in virtual environments. This includes everything from virtual try-on to virtual stores in the metaverse. Depending on their specific nature, these services could potentially trigger biometric privacy laws, generating risk for businesses. Careful and thoughtful consideration of key biometric privacy principles can help mitigate risk in this area.


National Security Presidential Memorandum-33 requires federal agencies to impose disclosure and security requirements as part of research and development grant programs.

Academic and research institutions will be subject to standardized and enhanced disclosure obligations at the institutional and individual levels. Major institutions will also have to implement security programs with elements including cybersecurity and insider threat.


New cybersecurity developments and observations, including those relating to U.S. Department of Labor review of cybersecurity issues, warrant prompt consideration by plan fiduciaries, including those plans covered by HIPAA.

The following update includes recommendations to help ERISA retirement and health and welfare plan sponsors and responsible fiduciaries protect benefit plans and participants against cybersecurity risks and to fulfill fiduciary obligations with respect to such plans and participants.


In its most recent open meeting, the Federal Trade Commission unanimously: (1) issued a Children’s Online Privacy Protection Act policy statement directed at ed tech providers, and (2) proposed amendments to the Endorsement Guides, which address influencer advertising on social media and consumer reviews.

The COPPA policy statement makes clear that the FTC is scrutinizing the privacy and data security practices of ed tech providers, with a focus on COPPA’s data collection, use, and retention limitations as well as data security obligations.  

The proposed amendments to the Endorsement Guides would address fake reviews and add a provision that advertisers should not distort or misrepresent what consumers think of their products, such as by suppressing negative reviews. 

The FTC has also proposed a new section to the Endorsement Guides that says that child-directed endorsements are of special concern. However, the FTC does not provide any guidance or best practices, explaining that it lacks sufficient evidence in the record to do so. To obtain more evidence, the FTC has announced a workshop on October 19, 2022. 


Alvaro Bedoya has now been sworn in as a commissioner for the U.S. Federal Trade Commission. This restores a Democratic majority on the Commission and will enable the agency to move forward with the aggressive agenda of Chair Lina Khan. As a result, we can expect to see significant actions by the FTC on privacy and data security in the near term.


The Better Business Bureau recently announced the launch of the TeenAge Privacy Program, which proposes a self-regulatory framework for companies to use in order to protect teen consumers and guide the responsible collection and management of teen data. The CISR’s new framework helps to address the privacy and safety of teens online, a topic that has received increasing attention in recent years.

TAPP specifies best practices for the collection, use, retention, and sharing of teens’ data as well as online safety to mitigate risk of harm (mental, emotional, physical, reputational, and otherwise).
