On June 16, 2025, the Federal Trade Commission (FTC) issued FAQs that directly affect many automobile dealers, clarifying how its Safeguards Rule (the Rule), part of the FTC’s implementation of the Gramm-Leach-Bliley Act (GLBA), applies to the automotive sector. The Rule requires non-banking financial institutions to implement measures to protect customer information—and the FTC is
Gramm-Leach-Bliley Act
California Privacy Protection Agency Announces Investigative Sweep of Data Brokers’ Compliance with Registration Requirements
Last week, the California Privacy Protection Agency (CPPA) announced it will conduct a public investigative sweep of data broker registration compliance under the California Delete Act.
Pursuant to the Act, a “data broker” is “a business that knowingly collects and sells to third parties the personal information of a [California] consumer with whom the business…
FTC Warns Companies of Enforcement for Failing to Patch Log4j Vulnerability
In what I would describe as an unusual but interesting move by the Federal Trade Commission (FTC), on January 4, 2022, it issued a warning to companies “to remediate Log4j security vulnerability” or face an enforcement action for failing to do so.
In the warning, the FTC acknowledged that the Log4j vulnerability “is being widely…
Federal Trade Commission Amends Safeguards Rule for Non-Banking Financial Institutions
The Federal Trade Commission (FTC) issued a Final Rule on October 27, 2021, amending the Standards for Safeguarding Customer Information, known as “the Safeguards Rule,” under the Gramm-Leach-Bliley Act, which is applicable to a broad range of non-banking financial institutions. The FTC approved the Amendment by a vote of 3-2. The FTC’s press release states…
The Washington Privacy Act – Re-Introduced for 2020 – Is it the Best of CCPA and GDPR?
Washington legislators recently introduced the Washington Privacy Act (WPA). This legislation is a consumer-focused privacy law similar to the California Consumer Privacy Act (CCPA) but it also has some European Union General Data Protection Regulation (GDPR)-like concepts. The WPA protects personal data in much the same way as the CCPA, but with some significant differences.…
Introducing the New York SHIELD Act
The New York “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), N.Y. Gen. Bus. Law § 899-bb, requires businesses that collect private information on New York residents to implement reasonable cybersecurity safeguards to protect that information. While this is a new law in the State of New York, it is simply joining other states,…
From California to Nevada: Another State Privacy Law That You Need to Know
While we’ve discussed the California Consumer Privacy Act (CCPA) at length, Nevada was busy amending its internet privacy law and in the process beat California’s deadline for the effective date by three months. Nevada’s SB 220 is effective as of October 1, 2019.
This law prevents covered operators from selling an individual’s personal information and allows…
Privacy Tip #201 – Capital One Suffers Massive Data Breach
Many readers have reached out to learn about the Capital One data breach and how it affects us. If you haven’t been watching the story unfold as closely as I have, here is a summary of what happened, what information was included, and what to do about it.
Capital One announced on July 29 that…
Privacy Tip #151 – Can Banks Give or Sell My Information to Facebook or Other Social Media Platforms?
Many readers questioned me about the Wall Street Journal article this week entitled, “Facebook to Banks: Give Us Your Data, We’ll Give you Our Users.”
The questions and comments ranged from “Can they really do this?” to “This is outrageous!”
Without getting into a legal analysis, there are laws that banks have to follow when…
FCC unveils broadband privacy rules for Internet service providers
We have been waiting for—and the Federal Communications Commission (FCC) delivered—its long-anticipated broadband data privacy and security rules on March 10, 2015. Through the proposed rules, the FCC has declared its enforcement authority over the data privacy and security practices of Internet service providers (ISPs), much to the chagrin of the industry, which argues…