The Federal Trade Commission (FTC) has entered into a settlement with a provider of management software for car dealerships that held personal information, including SSN’s and payroll information, in cleartext, holding its practices to be in violation of the FTC Act’s prohibition against unfair practices and GLBA’s Safeguards Rule, which requires financial institutions to develop, implement and maintain a comprehensive information security program. The settlement requires the provider to implement a written information security plan,…

Red Card! The Spanish Data Protection Authority has issued LaLiga a 250,000 EUR fine for using its mobile app to detect bars illegally broadcasting soccer matches, without duly disclosing this data processing activity in violation of GDPR. When installing the application and receiving user approval, LaLiga remotely activated the microphone of any user’s mobile phone in order to detect, through the analysis of ambient sound, whether the user is in a bar broadcasting the match…

The U.S. Congress is considering increased enforcement powers for the Federal Trade Commission (FTC), reports Bloomberg’s Sara Merken “House and Senate lawmakers are weighing whether to give the FTC broad or targeted new rulemaking authority, and more resources, to enforce privacy and data security obligations. They also are discussing whether federal legislation should override state privacy laws, including California’s sweeping privacy law, the California Consumer Protection Act, taking effect in January” “U.S. Rep. Jan Schakowsky…

To sue or not to sue (for privacy violations), that is the question. “Lawmakers negotiating a national privacy bill are clashing over whether to allow consumers to sue companies … over privacy violations — in what’s shaping up to be another potential roadblock to bipartisan legislation. Republicans and Democrats are split over whether to include a so-called private right of action, which would create a legal mechanism for individuals to take companies to court for…

When dealing with data subject access requests (DSAR) under GDPR: Take your time and think about the response. Document and audit your response process. These are the key takeaways from a panel at the recent International Association of Privacy Professionals privacy summit in Washington DC. Take the time and communicate: Reading over the inquiries thoroughly is important in determining whether the information falls within the scope of the request. Engage with the data subject and…

Some basics about how the California Consumer Privacy Act applies to selling children’s personal information: Businesses subject to CCPA cannot sell the personal information of consumers who are 16 years old or younger without prior authorization. If the minor is less than 13 years old, the businesses must obtain authorization from a parent or guardian. If the minor is between the ages of 13 and 16 years old, businesses can obtain authorization from the minor.…