The Federal Trade Commission (FTC) announced on April 26, 2024, that a final rule modifying its Health Breach Notification Rule (HBNR) was adopted on a 3-2 vote along party lines. The final rule caps the FTC’s transformation of the HBNR into a broad privacy and data breach notice rule widely applicable to health and wellness apps and websites from a traditional cybersecurity data breach notice rule applicable to a limited set of companies that offer online personal health record repositories or applications and those companies’ service providers. That transformation began in 2021 when the FTC issued a policy statement that interpreted the rule to apply to the disclosure of covered information without an individual’s authorization and to a broad range of health and wellness apps. The final rule codifies the interpretations in the 2021 policy statement and several subsequent enforcement actions to apply the HBNR to a broad range of health and wellness apps and to require “breach” notification when consumer identifiable health data is disclosed without consumer authorization, even outside of traditional cybersecurity intrusions. The final rule goes into effect on July 29, 2024.

As Allison Handy noted on our Public Chatter blog, Erik Gerding, the Director of the U.S. Securities and Exchange Commission (SEC) Division of Corporation Finance, issued a statement on May 21 clarifying public companies’ obligations to disclose cybersecurity incidents under Item 1.05 of Form 8-K. The statement looks like a response to the potential—and actual—“abundance of caution” filings in which public companies disclose that an incident occurred but do not announce whether the incident met the SEC’s materiality threshold.

Sen. Maria Cantwell (D-WA) and Rep. Cathy McMorris Rodgers (R-WA) released a discussion draft of the American Privacy Rights Act on April 7, 2024. This announcement of a bipartisan, bicameral proposal for a federal comprehensive consumer privacy law was a significant—and unexpected—development in longstanding efforts to adopt federal privacy legislation. 

The Federal Trade Commission issued a supplemental notice of proposed rulemaking on February 15, 2024, in which it recommended a trade regulation rule that would (1) impose liability on businesses who provide goods or services (including artificial intelligence technology) with knowledge or reason to know they will be used to engage in unlawful impersonation of

Artificial Intelligence-generated robocalls may trick some consumers into thinking they are being called by a human being, but the Federal Communications Commission clarified in a recent AI Declaratory Ruling that it will not be fooled. Moving forward, all AI-generated robocalls will be treated as artificial or prerecorded voice calls for purposes of the Telephone Consumer

On February 1, 2024, the Federal Trade Commission announced a complaint and proposed consent order against Blackbaud, Inc. concerning a 2020 data security incident that included a ransomware demand and payment. According to the FTC’s complaint, Blackbaud’s allegedly unfair and misleading conduct included not just deficient data security practices but also a delay in providing

Less than 10 days after announcing its complaint and proposed settlement against location data broker X-Mode, the Federal Trade Commission (FTC) followed its recent spate of enforcement in the location and sensitive data space with the announcement of another enforcement action and proposed settlement with InMarket Media, Inc. (InMarket).

On January 9, 2024, the Federal Trade Commission (FTC) announced its complaint and proposed settlement with location data broker X-Mode Social, Inc. and its successor Outlogic, LLC (collectively X-Mode). Under the order, X-Mode will be prohibited from sharing or selling any “sensitive location data”—location data that identifies visits to sensitive locations such as medical facilities, religious organizations, and other locations that allow potentially sensitive inferences. The action reflects the FTC’s continued focus on location data, particularly data that reflects potentially sensitive information, and is similar to the case it is currently litigating against Kochava regarding its sales of precise geolocation data.

On December 19, 2023, the Federal Trade Commission announced its first enforcement action alleging that discriminatory use of artificial intelligence was an unfair practice under Section 5 of the FTC Act.

The enforcement action signals that the FTC is using and will continue to use its Section 5 unfairness authority to require reasonable safeguards on