Dechert Cyber Bits - Issue 10

Dechert LLP

SEC Proposes New Cybersecurity Rules for Public Companies

On March 9, 2022, the Securities and Exchange Commission (“SEC”) announced proposed amendments to its rules on cybersecurity. The proposed rules aim to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies” and would dramatically increase disclosure requirements compared to the current guidance (which dates from 2011 and 2018). If adopted, the proposals will significantly impact how public companies and boards disclose cyber incidents and information relating to their cybersecurity oversight.

The new SEC rules would require:

  • material cybersecurity incidents to be disclosed within four business days (with ongoing updates);
  • individually immaterial cybersecurity incidents to be disclosed if they become material in the aggregate;
  • enhanced disclosure of cybersecurity policies and procedures; and
  • disclosures regarding management’s role in addressing cybersecurity risks (including cybersecurity expertise at board level).

The clock starts running on the four-business-day deadline to report a material cybersecurity incident once the company has both: (i) discovered the cybersecurity incident; and (ii) determined that the incident is material. The SEC acknowledges that there may be a lag between discovery and concluding that an incident is material. The SEC provides no specific definition of “material” in the context of cybersecurity incidents; rather, it is to be assessed consistently with case law interpreting materiality requirements in other securities laws, which involves an objective evaluation of the total mix of information. However, the SEC does provide some examples of incidents that may require disclosure, such as ransomware attacks, loss of control of systems, or theft of data. Disclosures of material cybersecurity incidents must include:

  • the timing/duration of the incident;
  • the nature and scope of the incident;
  • whether any data was stolen, altered, accessed, or misused;
  • the effect on the company’s operations; and
  • the company’s remediation efforts.

More details about the proposals can be found in Dechert’s related OnPoint available here.

The comment period is open until May 9, 2022 or 30 days following publication in the Federal Register, whichever is later.

Takeaway: The proposed rules highlight the need for companies to have appropriate cybersecurity policies and procedures in place, including an incident response plan. Companies should review their existing policies and procedures and determine whether any enhancements or updates should be made, for example, in relation to assessing materiality and timescales. The proposed rules would add another layer of disclosure requirements on top of existing federal and state disclosure obligations. In addition, the four-business-day rule will create significant obstacles for companies. While the SEC acknowledges the potential for duplicative disclosures and seeks comment on this issue, compliance costs are nonetheless likely to increase.

_____________________________________________________

WW International Enters FTC Settlement for Illegally Collecting Children’s Health Data Imposing Fine and Requiring Destruction of Data and Algorithms

On March 3, 2022, the Federal Trade Commission (“FTC”), along with the U.S. Department of Justice, reached a settlement with WW International, Inc., formerly known as Weight Watchers, and its subsidiary Kurbo, Inc., over allegations that the companies marketed a weight loss app to children as young as eight and then collected their personal information without parental permission, in violation of the Children’s Online Privacy Protection Act (“COPPA”).

Kurbo is a health tracking app for children and teens. In its complaint, filed on February 16, the government alleged that the app’s “gate screen” at sign-up encouraged children under 13 to lie about their ages by signaling that they could register for the app without involving a parent, by indicating that they were at least 13 years old, despite text indicating that children under 13 were required to sign up through a parent. The government also alleged that children could revise their birthdate downwards and continue to use the app, something the complaint alleges was done by hundreds of children. The app allegedly provided no form of notice to parents that the companies were collecting personal information from children and did not seek to obtain parents’ consent for that collection. From November 2019, the companies included a notice located via a series of hyperlinks, but the government alleged that parents were not required to click on these, and they did not specify all of the categories of information the app collected from children or implement any mechanism for seeking parental consent. The government also considered a later revised notice incomplete because it did not inform parents of the data collected through the website in addition to the app and contained no measures to ensure that the individual clicking the box was in fact a parent.

The Stipulated Order requires the companies to pay a $1.5 million penalty, delete all illegally harvested data, create and retain specific records and compliance reports, and make submissions to the FTC for 10 years. In addition, WW and Kurbo must destroy not only the illegally collected data but also “any algorithms derived from [that] data.” In other words, the order requires WW and Kurbo not only to comply with COPPA but also to give up benefits they may have gained from allegedly violating the statute. The Stipulated Order also restricts the use of even legally collected children’s data going forward: the companies must delete any future data collected from children under 13 within one year if the child stops using the app. The Stipulated Order notes that the companies neither admitted nor denied the allegations in the complaint.

Takeaway: The WW settlement underscores the FTC’s ongoing focus on technology companies that are alleged to have collected personal data directly from children without prior parental consent. The settlement coincides with President Biden’s State of the Union address in which he called for Congress to strengthen data privacy protections for children. Companies may be surprised to learn that COPPA catches operators of general audience online sites and services – not just those directed to children. Data practices should be assessed and reviewed to determine if COPPA applies and, if so, whether these practices are aligned with the law. The portion of the Stipulated Order requiring WW and Kurbo to “destroy any algorithms derived from the data” is especially significant because it demonstrates the FTC’s commitment to algorithmic disgorgement as a remedy, in COPPA and other actions.

_____________________________________________________

The Way the Cookie Crumbles: Tackling Cookie Banner Compliance

NOYB (which stands for “none of your business”), the privacy activism organization fronted by Max Schrems, has launched a second round of 270 draft complaints over cookie banners. This follows its first round of 560 draft complaints in May 2021. NOYB’s approach is to send draft complaints to website operators whose cookie banners NOYB judges to be non-compliant with the GDPR, alongside guidelines it has produced on how to comply. It says that it only files formal complaints with regulators against those who remain non-compliant after a 60-day grace period.

NOYB complains that “annoying banners, designed to make rejecting cookies extremely complicated, appear all over the web. In their banner designs, companies use so-called ‘dark patterns’ to get more than 90% of users to click the ‘accept’ button while industry statistics show that only 3% actually agree.” It argues that cookie banners that do not offer users clear “yes”/“no” options (instead requiring a user to click through various settings and in some instances go through pages of cookies in order to reach a “reject” or “decline” button) are not compliant with the GDPR.

According to NOYB, following its first round of complaints, it had to file a total of 456 formal complaints with 20 different data protection authorities. A special taskforce to coordinate responses has been set up but no formal decisions have been reached yet.

So far, NOYB has focused on website operators using OneTrust as their consent management platform. However, it has warned that it has further rounds in preparation and intends to extend the scope of complaints to websites that use other consent management platforms such as TrustArc, Cookiebot, Usercentrics, and Quantcast.

Takeaway: Cookie compliance is in the spotlight. While data protection authorities have yet to issue their decisions on the formal complaints filed following NOYB’s first round of complaints, cookies have nevertheless been the subject of significant recent regulatory action. As NOYB is gearing up for further complaints, companies should proactively review their cookie banners to ensure that those banners offer appropriate options for users to decline cookies. Compliance requires a clear “decline all” option on the initial banner and abstinence from “nudging” users (such as by using different colors, sizes and contrasts) to click “accept all.”

_____________________________________________________

TickTalk Tech Found to Have Violated Children’s Privacy Rules

The Children’s Advertising Review Unit (“CARU”) found that TickTalk Tech violated the Children’s Online Privacy Protection Act (“COPPA”) and CARU’s Self-Regulatory Guidelines and “safe harbor” for Children’s Online Privacy Protection. TickTalk has agreed to remedy the issues raised. CARU is an FTC-approved industry self-regulatory program that oversees and implements COPPA.

The CARU Privacy Guidelines apply to participating operators of commercial websites or online services that collect, use or disclose personal information of children under 13 where: (i) the operator has actual knowledge that it collects personal information from children under 13; or (ii) the website, app or online service is directed at children. CARU noted that the TickTalk 4 smartwatch is marketed and sold to parents as “the safest kids’ smartwatch phone for ages 5-12.” Its functionalities include video calling, secure messaging, activity and location tracking, radar-scanning, and automatic back-up.

CARU’s investigation determined that TickTalk failed to comply with COPPA requirements to provide clear, complete, and prominent notices to parents about the personal information that TickTalk can collect from children through the smartwatch and how that information is used and disclosed. TickTalk also failed to obtain a COPPA-compliant consent from parents. In particular, CARU:

  • Criticized TickTalk for the location of its Privacy Policy. The link to the Privacy Policy was located at the bottom of a lengthy webpage amongst a number of links to other documents such as “Terms of Service,” “Return Policy” and “Warranty.” CARU believed it was not prominent prior to purchase and was likely to be missed by many parents.
  • Determined that the Privacy Policy and Terms and Conditions did not make clear what personal information was collected from children or adequately explain data sharing arrangements with third parties. It found that the documents were inconsistent and unclear.
  • Concluded that the Privacy Policy treated “device identifiers” (such as cookies) as “non-personal information” whereas under COPPA such information should have been treated as “personal information” and protected accordingly.
  • Determined the TickTalk website failed to provide a means for parents to affirmatively consent to TickTalk’s information practices before TickTalk collected their children’s personal information and that, even if it had, the consent would not have been valid in light of confusing and contradictory information about TickTalk’s practices.

Takeaway: The FTC has aggressively enforced COPPA since its inception, targeting child-directed products and services that collect personal information through rapidly evolving technologies that have dramatically altered how children interact with the digital world. Operators of online services, including connected devices and apps, face ongoing scrutiny of their data practices by the FTC, consumer privacy groups and CARU. These companies will want to review their data practices, and monitor enforcement activity to understand their compliance obligations. The FTC periodically updates COPPA to reflect changes in technology. Companies may want to consider participating in related rulemaking proceedings to help shape the outcome of final rules and manage the risk of being monitored by the FTC and CARU.

_____________________________________________________

Colorado Attorney General’s Office Invites Input on Privacy Act Rulemaking

On March 7, 2022, the Colorado Attorney General’s Office invited the public to submit informal comments on the Colorado Privacy Act (“CPA”) and future related rulemaking.

Colorado’s Governor signed the CPA into law on July 7, 2021, to become effective as of July 1, 2023. The CPA applies to entities that conduct business in Colorado or deliver commercial products or services to residents of Colorado and either: (a) process the personal data of more than 100,000 Colorado residents in any calendar year; or (b) derive revenue or receive discounts on goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado residents. The CPA also applies to service providers, contractors, and vendors that manage, maintain, or provide services relating to such data on behalf of such companies. Only the Attorney General and District Attorneys can enforce the CPA; there is no private right of action.

The CPA gives the Attorney General authority to adopt rules governing privacy, requiring specifically that the office adopt rules that “detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data.” This rulemaking must be adopted by the CPA’s effective date. This first round of comments (which runs through August 31) will be considered “informal” and not constitute part of the rulemaking record. By authorizing this comment period, the Attorney General hopes to better understand the public’s thoughts and concerns ahead of formal rulemaking. Once any proposed rules are promulgated, there will be a formal notice and comment period.

Takeaway: The CPA applies to companies that do significant business in Colorado or that sell Colorado residents’ data. The Attorney General’s invitation gives these companies an opportunity to provide informal input as the Attorney General’s Office drafts proposed privacy rules instead of waiting to comment only after draft rules are promulgated. Parties interested in submitting comments can do so until August 31, 2022 through this form.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising

Written by:

Dechert LLP