Janis Kestenbaum is a partner in the Privacy & Security practice and Advertising, Marketing & Promotions industry group. Janis represents companies under investigation by the Federal Trade Commission (FTC), state attorneys general, congressional committees, and foreign data protection authorities regarding privacy, data security, and consumer protection issues.

The Federal Trade Commission issued a supplemental notice of proposed rulemaking on February 15, 2024, in which it recommended a trade regulation rule that would (1) impose liability on businesses who provide goods or services (including artificial intelligence technology) with knowledge or reason to know they will be used to engage in unlawful impersonation of

On February 1, 2024, the Federal Trade Commission announced a complaint and proposed consent order against Blackbaud, Inc. concerning a 2020 data security incident that included a ransomware demand and payment. According to the FTC’s complaint, Blackbaud’s allegedly unfair and misleading conduct included not just deficient data security practices but also a delay in providing

The Federal Trade Commission announced its first enforcement action alleging that discriminatory use of artificial intelligence was an unfair practice under Section 5 of the FTC Act on December 19, 2023. 

The enforcement action signals that the FTC is using and will continue to use its Section 5 unfairness authority to require reasonable safeguards on

Just a few years ago, the legal landscape governing health-related personal information was relatively simple: Protected Health Information was regulated under the Health Insurance Portability and Accountability Act, a discrete set of rules that applies to a specified set of healthcare plans, clearinghouses, and providers. While narrowly targeted statutes governed particular types of health data and

Under an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act announced on October 27, 2023, the Federal Trade Commission will require a broad range of nonbank financial institutions to notify the FTC of instances of the unauthorized acquisition of unencrypted, personally identifiable, nonpublic financial information of more than 500 customers.

The new notification obligation

For the first time since 2015, the Federal Trade Commission (FTC) has been asked to approve a new “verifiable parental consent” (VPC) method under the Children’s Online Privacy Protection (COPPA) Rule. Under COPPA, operators of online sites and services “directed to children” under 13 must obtain VPC before collecting personal information from a child online. The COPPA Rule enumerates several acceptable methods for obtaining VPC, but also allows interested parties to submit new VPC methods to the FTC for approval. The FTC has announced that the Entertainment Software Rating Board (ESRB), which operates a COPPA safe harbor program, along with Yoti Ltd., a digital identity company that offers identity verification, age assurance, reusable digital identity, and e-signature solutions, and SuperAwesome Ltd., which provides technology to help companies comply with parental verification requirements, submitted an application for a new VPC method utilizing “Privacy-Protective Facial Age Estimation,” which is designed to analyze the geometry of a parent’s face to confirm that they are an adult.

Continue Reading COPPA: Public Comment Period Open for Proposed Verifiable Parental Consent Method

On June 6, 2023, Florida Governor Ron DeSantis signed Senate Bill 262 into law. SB 262 is a departure from the comprehensive privacy laws enacted by other states for a variety of reasons, including its (1) ban on government-directed moderation of social media, (2) restrictions on online interactions with minors (somewhat akin to the California Age-Appropriate Design Code), and (3) establishment of a “digital bill of rights” that creates general consumer privacy rights similar in many respects to those adopted in other states but, unlike them, Florida’s are narrowly applicable. Governor DeSantis has not shied away from saying the new law is directly aimed at “Big Tech,” and the targeted application of certain aspects of the law reflects that goal.

The ban on government-directed moderation took effect on July 1, 2023, with the protections for minors and digital bill of rights provisions set to take effect on July 1, 2024.

Continue Reading Florida Enacts “Digital Bill of Rights” Combining Narrowly Applicable “Comprehensive” Privacy Provisions and More Broadly Applicable Restrictions on Children’s Privacy and Social Media Restrictions

As the hype about generative artificial intelligence (AI) has grown, the Federal Trade Commission (FTC) has made clear that it intends to be at the forefront of federal agencies working to ensure the responsible use of AI. In just the last few months, it has spoken repeatedly about AI, issuing multiple warnings about the risks of AI technology. In many respects, this is not new terrain for the FTC. Since at least 2016, the FTC has cautioned about the potential for machine learning and AI algorithms to lead to discrimination against protected classes. The FTC recently reiterated those concerns and cautioned businesses about the use of generative AI to spread manipulative, fraudulent, or unsubstantiated content.

Continue Reading The FTC Can’t Stop Talking about AI

International, federal, and state privacy regulators highlighted their ambitious agendas at the 2023 IAPP Global Privacy Summit in Washington, D.C. They, along with speakers from an array of private organizations, underscored the following takeaways that should be top of mind for businesses:

Continue Reading Ten Takeaways From the 2023 IAPP Global Privacy Summit