The Download September 2019

Introduction

In this issue, we highlight inquiries sent to education technology companies from three senators on the collection of student data. We also detail settlements between the Federal Trade Commission (FTC) and multiple technology companies regarding alleged Children's Online Privacy Protection Act (COPPA) violations and false claims related to Privacy Shield participation. We look at the Ninth Circuit's holding regarding the Computer Fraud and Abuse Act (CFAA), and we discuss privacy legislation that passed in New York and Illinois. Lastly, we report on the passing of European Data Protection Supervisor (EDPS) Giovanni Buttarelli and cover former EDPS Assistant Supervisor Wojciech Wiewiórowski's new role as acting EDPS.

Heard on the Hill

Senators Write to EdTech and Data Collection Companies About Use of Student Data

On August 12, 2019, Democratic Senators Dick Durbin (D-IL), Ed Markey (D-MA), and Richard Blumenthal (D-CT) sent letters to dozens of education technology (EdTech) companies and data collection firms, asking questions about their practices and voicing concerns over the amount of student data that is being collected and how it is being used. The senators cited a Federal Bureau of Investigation Public Service Announcement issued last year and the hacking of Slate, a college admissions database, as major sources of concern. Last year's Public Service Announcement warned that the malicious use of student data could result in social engineering, bullying, and identity theft.

The senators sent different letters to EdTech companies and data collection companies. In the letter to EdTech companies, the senators requested that the companies explain how long student data is being held, how it is being deleted, whether students and parents can opt out of data collection, whether data is used or sold for advertising, and whether hackers have accessed any student data. In the letter to the data collection companies, the senators pointed to a Fordham University Law School report that found some firms were selling information that included grade point average, ethnicity, religion, and wealth. Both letters instructed the firms to respond within three weeks with details about how they collect information, the categories of data they gather, the disclosures made to third parties, and any known data breaches.

Around the Agencies and Executive Branch

Technology Companies Settle With FTC Regarding Alleged COPPA Violations

On September 4, 2019, the Federal Trade Commission (FTC) announced a settlement that included $170 million in penalties with a technology company and one of its subsidiaries (referred to collectively as the "companies") to resolve alleged violations of the FTC's Children's Online Privacy Protection Act (COPPA). In the complaint, the FTC and the New York Attorney General alleged that the companies had actual knowledge that they were collecting information from users of "child-directed channels" and that the defendants failed to provide parental notice or obtain verifiable parental consent as required under COPPA. The settlement represents the largest monetary penalty in the history of COPPA enforcement. The complaint also expressed the FTC's view that commercial operators of child-directed channels on YouTube are "operators" subject to COPPA in connection with this activity. Following the announcement of the settlement, the FTC warned that it will be conducting a sweep of child-directed channels.

As previously reported in the Download, the FTC published a Request for Public Comment in the Federal Register on July 25, 2019 to solicit public comment on potential revisions to the current iteration of the COPPA Rule, and will convene an event, "The Future of the COPPA Rule: An FTC Workshop", on October 7, 2019.

FTC Settles with Companies Over Privacy Shield Misrepresentations

The Federal Trade Commission (FTC) announced earlier this month that it settled with five companies over allegations of misrepresenting participation in the EU-U.S. Privacy Shield data transfer framework.

The Privacy Shield allows participants to transfer personal data from the European Union (EU) to the United States while complying with EU privacy and data protection laws. In order to participate, companies must annually self-certify compliance with seven Privacy Shield Principles (and sixteen Supplementary Principles) designed to ensure "adequate" protection for personal data.

The FTC alleged that four of the companies had falsely claimed on their websites that they were certified under the Privacy Shield, despite never having completed the certification process. The FTC also claims that the fifth company allowed its Privacy Shield certification to lapse in 2018, but failed to remove the Privacy Shield certification from its website; failed to...
