The Federal Communications Commission recently adopted certain final rules, policies, and proposed rules to “stem the tide of foreign-originated illegal robocalls.” The FCC Order targets so-called “gateway providers,” which are U.S.-based intermediate providers that receive calls directly from a foreign provider or its U.S.-based facilities before transmitting the calls downstream. Among other things, the Order requires gateway providers to block illegal traffic upon notification from the FCC, respond to robocall traceback requests within 24 hours, and implement “know your upstream provider” obligations. The Order’s proposed rules would extend most of the Order’s obligations to all forms of U.S.-based telecom providers.
The standards can act as a reference point for companies drafting and implementing privacy policies for their products or services.
In recent years, apparel and retail businesses have increasingly sought to provide customers with options to interact with the brand’s merchandise and services in virtual environments. This includes everything from virtual try-on to virtual stores in the metaverse. Depending on their specific nature, these services could potentially trigger biometric privacy laws, generating risk for businesses. Careful and thoughtful consideration of key biometric privacy principles can help mitigate risk in this area.
National Security Presidential Memorandum-33 requires federal agencies to impose disclosure and security requirements as part of research and development grant programs.
Academic and research institutions will be subject to standardized and enhanced disclosure obligations at the institutional and individual levels. Major institutions will also have to implement security programs with elements including cybersecurity and insider threat.
New cybersecurity developments and observations, including those relating to U.S. Department of Labor review of cybersecurity issues, warrant prompt consideration by plan fiduciaries, including those plans covered by HIPAA.
The following update includes recommendations to help ERISA retirement and health and welfare plan sponsors and responsible fiduciaries protect benefit plans and participants against cybersecurity risks and to fulfill fiduciary obligations with respect to such plans and participants.
In its most recent open meeting, the Federal Trade Commission unanimously: (1) issued a Children’s Online Privacy Protection Act policy statement directed at ed tech providers, and (2) proposed amendments to the Endorsement Guides, which address influencer advertising on social media and consumer reviews.
The COPPA policy statement makes clear that the FTC is scrutinizing the privacy and data security practices of ed tech providers, with a focus on COPPA’s data collection, use, and retention limitations as well as data security obligations.
The proposed amendments to the Endorsement Guides would address fake reviews and add a provision that advertisers should not distort or misrepresent what consumers think of their products, such as by suppressing negative reviews.
The FTC has also proposed a new section to the Endorsement Guides that says that child-directed endorsements are of special concern. However, the FTC does not provide any guidance or best practices, explaining that it lacks sufficient evidence in the record to do so. To obtain more evidence, the FTC has announced a workshop on October 19, 2022.
Alvaro Bedoya has now been sworn in as a commissioner for the U.S. Federal Trade Commission. This restores a Democratic majority on the Commission and will enable the agency to move forward with the aggressive agenda of Chair Lina Khan. As a result, we can expect to see significant actions by the FTC on privacy and data security in the near term.
The Better Business Bureau recently announced the launch of the TeenAge Privacy Program, which proposes a self-regulatory framework for companies to use in order to protect teen consumers and guide the responsible collection and management of teen data. The CISR’s new framework helps to address the privacy and safety of teens online, a topic that has received increasing attention over recent years.
TAPP specifies best practices for the collection, use, retention, and sharing of teens’ data as well as online safety to mitigate risk of harm (mental, emotional, physical, reputational, and otherwise).
The U.S. Securities and Exchange Commission proposed rules that will require public disclosure not only of cybersecurity incidents, but also of aspects of public companies’ preparedness for cyber threats. The proposed rules set a short time frame for reporting “material” compromises, and the rules do not provide for delayed disclosure at the request of law enforcement or other investigators.
The comment period for the proposed rules ends on May 9, 2022.
Federal Trade Commission Chair Lina Khan made her first speech about privacy at the opening of this year’s International Association of Privacy Professionals conference. She noted ways the FTC is using its resources to “rein in” what she called “surveillance-based business models.”