Katy Spicer

Earlier this fall, the Fourth Circuit vacated the district court’s class certification order in the Marriott data breach MDL because of the potential applicability of a class action waiver defense. See In re Marriott Int’l Consumer Data Security Breach Litig., 78 F.4th 677 (4th Cir. 2023). Our post on this decision can be found here. On remand, the district court took little time to conclude that Marriott had waived the class action waiver in the Choice of Law and Venue provision of the putative class members’ contracts and that regardless “the adhesive provision, buried on the last page of the Terms cannot direct this Court to ignore the provisions of Rule 23 of the Federal Rules of Civil Procedure.” In re Marriott Int’l Consumer Data Security Breach Litig., 2023 WL 8247865 (D. Md. Nov. 29, 2023). The district court thus reinstated the classes as earlier certified.
Continue Reading District Court Quickly Reinstates Class Certification in Marriott Data Breach Litigation

Data breaches are an all-too-familiar issue, affecting businesses of all sizes and across all industries. Beyond dealing with the operational and reputational impacts and other resulting fallouts of a data breach, businesses also face enhanced class action litigation risk.

A recent high-profile case serves as a valuable reminder that companies should consider relying on a well-established mechanism for mitigating class action litigation risk. In In re Marriott International, Inc., Consumer Data Security Breach Litig., 78 F.4th 677 (4th Cir. 2023), the Fourth Circuit Court of Appeals reversed the district court’s certification order in a data breach class action dispute due to the effect of a class action waiver signed by all putative class members. The Marriott decision demonstrates how class action waivers can be utilized as a core strategy for mitigating heightened data breach litigation risks.
Continue Reading Recent Marriott Data Breach Class Action Decision Underscores the Importance of Class Action Waivers

Last week, the Federal Trade Commission (FTC) released its Notice of Proposed Rulemaking, Negative Option Rule (“Rule”), which proposes to substantially amend the existing Negative Option Rule and set higher standards for autorenewal promotions and sales than under existing federal or state laws and regulations. If promulgated, the revised Rule will apply to many more businesses and scenarios than are currently subject to autorenewal regulation. Once the proposed Rule is published in the Federal Register, which will be shortly, interested parties have 60 days after the date of publication to comment on it. The proposed Rule covers all forms of so-called “negative option” marketing and sales in all media, including negative options sold in a business-to-business (B2B) context (think about autorenewal terms in business services contracts), for month-to-month auto-renewing terms (think about “no contract” cell, Internet, media or entertainment services, and even auto-renewing monthly residential and commercial real estate tenancies), and for both the sale of goods and services. Other notable additions include enhanced disclosure, consent, and cancellation requirements, as well as a powerful misrepresentation prohibition and annual reminders.
Continue Reading UNSUBSCRIBED! — FTC Proposes Substantial Amendments to the Negative Option Rule to Cover all Autorenewals, including B2B Services, and Add New Disclosure, Consent, and Cancellation Requirements

Some would say that Commissioner Christine Wilson foreshadowed her resignation in her recent GoodRx concurrence. Indeed, Commissioner Wilson has been vocal in recent months about some of her concerns with how the FTC is doing business. Much of her criticism came after the Supreme Court’s AMG Capital Management, LLC v. FTC decision, which stripped the FTC of certain powers. Of course Privacy World has kept you in the know with how the FTC reacted to AMG HERE, HERE, and HERE. Much of the FTC’s reactions center on increasing rulemaking efforts, especially as the rulemaking impacts privacy and advertising programs, while also escalating its enforcement actions. Recently, the U.S. Chamber sent an open letter to Congress requesting more congressional oversight of the FTC in light of Commissioner Wilson’s resignation. Here are three points from the U.S. Chamber’s open letter that reflect what Commissioner Wilson’s resignation may mean for Congress and the FTC over the coming year:
Continue Reading What Commissioner Wilson’s Resignation Means for the Year Ahead

In the National Defense Authorization Act, Congress directed the National Institute of Standards and Technology (NIST) to work with public and private organizations to create a voluntary risk management framework for trustworthy artificial intelligence systems. Following up on that Congressional directive, NIST has released Artificial Intelligence Risk Management Framework 1.0 (AI RMF 1.0)

746 years. That is the total amount of time criminal defendants have been sentenced to prison in consumer fraud cases the Federal Trade Commission (FTC) has referred to prosecutors over the past five years. Indeed, the FTC’s Bureau of Consumer Protection Criminal Liaison Unit (Bureau) highlighted these figures in its recently published Criminal Liaison Unit Report. Notably, this report emphasized the FTC’s growing enforcement concern over the use of deceptive negative option marketing (or dark patterns) and its intended aim to push egregious cases to prosecutors in the future. The Criminal Liaison Unit Report (the Report) is consistent with the FTC’s November 4, 2021 Enforcement Policy Statement Regarding Negative Option Marketing, and the Report outlines four key takeaways for companies going forward.
Continue Reading FTC Signals More Criminal Referrals for Negative Option Fraudsters

Privacy World has been talking about the importance of data inventories for years. Why? Because it is next to impossible to build a compliant privacy and data security program without first doing a data inventory. A data inventory will serve as a roadmap to help a company meet various privacy and security compliance milestones. Yet completing a data inventory is one of the hardest and most daunting parts of building a privacy program. At least it was for Katy when she was in-house as a Global Data Protection Officer. The alternative to proactively creating a data inventory is trying to hastily create one in the middle of an incident response or while responding to a regulatory demand, which Katy and Shea have seen numerous times helping clients during a crisis. Indeed, a time of turmoil is the worst time to build a data inventory and confirm a company’s data processing practices, and we want to help you avoid this worst-case scenario as you work to build out your 2023 privacy and data security compliance action plan.
Continue Reading Kick Start Your Data Inventory Project in 7-Steps