Commercial Litigation Update

In a previous blog, we discussed the Federal Trade Commission’s (“FTC”) proposed changes to its Guides Concerning the Use of Endorsements and Testimonials in Advertising (the “Endorsement Guides”). The Endorsement Guides are intended to help businesses ensure that their endorsement and testimonial advertising conforms with Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” including false advertising. We specifically highlighted the FTC’s proposed changes related to social media platforms and their users, deceptive endorsements by online “influencers,” businesses’ use of consumer reviews, and the impact of advertising on children. Now, approximately one year later, and after receiving and considering public comments on its proposed changes, the FTC has issued its final rule adopting revisions to the Endorsement Guides. See Guides Concerning the Use of Endorsements and Testimonials in Advertising, 88 Fed. Reg. 48092 (July 26, 2023) (to be codified at 16 C.F.R. pt. 255). In issuing its final revised Endorsement Guides, the FTC stated that the changes are intended to “reflect the ways advertisers now reach consumers to promote products and services, including through social media and reviews.” We summarize below the FTC’s final revisions to the same sections of the Endorsement Guides covered in our earlier blog.

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and, in some cases, to foreign private issuers. As quoted in the SEC’s press release, SEC Commissioner Gary Gensler noted that many public companies already make cybersecurity disclosures to investors, and the Final Rule provides uniformity and structure for these future disclosures. The Final Rule also imposes a tight timeline for cybersecurity incident reporting and may include disclosure of an ongoing cybersecurity incident, as well as requiring periodic disclosures concerning organizational cybersecurity risk management processes and governance.

On July 7, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion entitled ‘“Fair Credit Reporting: Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports.”[1] The advisory opinion clarifies that “permissible purposes” under the Fair Credit Reporting Act (the “FCRA”) are “consumer specific” and highlights that a person who uses or obtains a “consumer report” is “strictly prohibit[ed]” from doing so without a permissible purpose under the FCRA. In the midst of ongoing Congressional efforts to pass a comprehensive federal data privacy law, the CFPB’s advisory opinion is a reminder of the existing rules that protect consumer privacy.

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

Recent decisions from the European Union (EU) have placed renewed focus on the use of common cookies used on ecommerce and other websites used by consumers and employees and transfers of personal data collected through cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely used website technologies (i.e., cookies and java script) to automatically collect identifiers from the users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it in order for the data to be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.