Consumer Protection Connection

Consumer Protection

FTC Seeks Comments on Proposed Changes to TRUSTe’s COPPA Safe Harbor Program

Posted in Privacy

In a Federal Register notice, the FTC has asked for comments on intended changes to TRUSTe’s existing safe harbor program under the Children’s Online Privacy Protection Act (COPPA). TRUSTe proposed the changes following its settlement earlier this month with the New York Attorney General over allegations that the compliance and security company did not adequately assess whether companies certified under its safe harbor program allowed third party sites to track children.

In its submission of the proposed changes to the FTC, TRUSTe stated its changes would “address regulatory expectations related to: (1) third party tracking technologies and (2) the timing for seal removal for participants who have not completed annual review and remediation by the anniversary of the prior year certification date.” TRUSTe also said that it “is making structural changes to its Children’s Privacy Certification Standards to align them with the TRUSTe Enterprise Privacy Certification Standards since many participants in our COPPA Safe Harbor program also participate in the TRUSTe Enterprise Privacy Program.” In particular, the FTC is seeking input on whether the compliance mechanisms and the incentives for operators’ compliance with the updated safe harbor program are effective.

The comment period ends May 24, 2017.

FTC Warns Influencers to be Clear About Endorsements on Social Media

Posted in Advertising

Everyone who is anyone is on Instagram these days, apparently. But not all posts on the photo-sharing platform are purely organic; some result from material connections between influencer or celebrity posters and the brands or products they are endorsing. This connection is not always made clear to viewers, however, according to the Federal Trade Commission (FTC). This week, the FTC sent letters to 90 marketers and influencers, warning of the obligation to “clearly and conspicuously disclose their relationships … when promoting or endorsing products through social media.”

The FTC’s letters came after public interest groups filed a number of petitions concerning influencer advertising on Instagram. Instagram came under particular scrutiny because disclosures on some posts are available to viewers in the Instagram mobile app only after a viewer clicks on the post’s “more” button. The FTC advised recipients that disclosure of any material connection should be made clear above the “more” button, and suggested that disclosures made in a hashtag string at the end of a description were likely insufficient.

The FTC’s Endorsement Guides, which apply to both marketers and endorsers, stress that “when there exists a connection between the endorser and the seller of the advertised product that might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience), such connection must be fully disclosed.”

The FTC has filed complaints against a number of businesses for lack of adequate endorsement disclosures, but this is the first time warning letters have been sent to influencers directly. Both marketers and influencers need to bear in mind the importance of disclosing a material connection, and doing so in a way consumers will likely see. Marketers may wish to update their social media policies with this in mind.

TRUSTe Settles COPPA Safe Harbor Enforcement Action with NYAG

Posted in Privacy

TRUSTe has settled allegations by the New York Attorney General that it did not adequately assess whether companies certified under its Children’s Online Privacy Protection Act (COPPA) Safe Harbor seal program allowed third party sites to track children. TRUSTe agreed to pay $100,000 and will be required to adopt new procedures to make its COPPA Safe Harbor certification review process more rigorous.

TRUSTe’s Children’s Privacy Program is an authorized safe harbor scheme that requires TRUSTe to carry out at least one yearly comprehensive evaluation of its customer’s websites to ensure they remain in compliance with COPPA. Under COPPA, companies are required to obtain parental consent before permitting any tracking of children under 13. While TRUSTe carried out electronic scans of seal program participants’ websites for third party tracking technology, the NYAG alleged that TRUSTe failed to perform similar searches of those companies’ child-directed webpages. The NYAG also alleged that TRUSTe failed to provide its customers with complete results of the investigations, including information on the tracking software they uncovered in their scans.

This settlement comes two years after TRUSTe found itself in hot water with the Federal Trade Commission (FTC) over allegations that the privacy company neglected to re-certify more than 1,000 companies between 2006 and 2013 under the EU-US Safe Harbor program in place at the time.

Government Agencies to be Rated on Cybersecurity Using NIST Framework

Posted in Cybersecurity

The Trump administration has announced that it will impose new metrics on federal agencies related to cybersecurity.  Agencies and departments will be required to comply with the framework developed by the National Institute of Standards and Technology (NIST) and report back to the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the White House.

Homeland security advisor Thomas Bossert stated that the President’s budget will include an increase in federal funding to combat cyber threats, and that the administration’s priorities vis-à-vis cybersecurity are to modernize and centralize the existing system. To this end, the Administration intends to partner with business, including Silicon Valley, and state and local governments, on cybersecurity.

In the federal sector, the White House’s March 2017 budget blueprint calls for $1.5 billion for DHS activities to protect federal networks and critical infrastructure from cyberattacks. Additionally, a cybersecurity executive order will reportedly be finalized in the near future.

Plans to impose the NIST cybersecurity framework on federal agencies illustrate the Framework’s increasing importance as a standard for cybersecurity, not just for government agencies, but more broadly throughout the information ecosystem.  With security breaches, state-sponsored cyber-attacks, and ransomware demands increasing, the Framework offers useful guidance on processes and actions designed to enhance data security for government and industry alike.

FTC Takes on “Made in the USA” Claim for Second Time This Year

Posted in Advertising

“Made in the USA” is an attractive selling point for many consumers who want to support homegrown industry, so it is the topic of many advertising claims for a variety of products. But to establish that a product is American-made, manufacturers have to show all its key parts were made here. And if steel tags which proudly state “Made in the USA” were, in fact, manufactured overseas, that’s false advertising.

This is the situation faced by Texas-based Block Division, Inc., a manufacturer of metal pulleys. According to the FTC complaint released on March 8, 2017, Block’s advertising used images as well as explicit wording to reinforce its “Made in the USA” message. Yet, according to the FTC, the company imported integral components of its pulleys from other countries, including, ironically, the imported steel plates that were stamped with the words “Made in USA.”

Under a settlement with the FTC, Block Division is banned from advertising its products as USA-made unless the company can establish “the final assembly or processing of the product occurs in the United States, all significant processing that goes into the product occurs in the United States, and all or virtually all ingredients or components of the product are made and sourced in the United States.” The company can make “qualified” U.S. origin claims only if it clearly and conspicuously “conveys the extent to which the product contains foreign parts, ingredients, and/or processing.”

Acting FTC Chairman Maureen Ohlhausen commented “Consumers have the right to know that they can trust companies to be truthful when it comes to ‘Made in USA’ claims. This is an important issue for American business and their customers, and the FTC will remain vigilant in this area.”

Two FTC documents, Complying with the Made in USA Standard and Enforcement Policy Statement on U.S. Origin Claims, outline fundamental requirements to comply with FTC enforcement guidelines and to substantiate “Made in the USA” claims:

  • All significant parts and processing that go into the product are of U.S. origin (the “virtually all” standard);
  • Competent and reliable evidence exists to back up the claim that the product in question is made in the U.S.

Block Division and the iSpring Water Systems settlement last month are the latest in a line of complaints the FTC has brought in recent years against companies that deceptively promote “Made in the USA” advertising. These cases indicate the ongoing seriousness with which the Commission will treat such claims in future.

Comments on the proposed settlement will be accepted online until April 7, 2017.

FCC Takes Initial Step to Give Privacy, Security Authority Back to FTC

Posted in Privacy

On March 1, the Federal Communications Commission (FCC) granted a temporary stay of one of the broadband privacy rules adopted in October of last year. That rule, which pertains to data security, would otherwise take effect on March 2. Newly installed FCC Chairman Ajit Pai and Federal Trade Commission (FTC) Acting Chair Maureen Ohlhausen issued a joint statement in support of the stay, which will allow the FCC to consider petitions for reconsideration of the October 2016 Report and Order before the data security and other new requirements for broadband internet service providers (ISPs) take effect. The Chairmen expressed their goal of “harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy.”

The FCC’s 2016 Report and Order established a comprehensive set of rules for protecting the confidentiality and security of information that ISPs acquire from their customers. Pai was one of two FCC Commissioners who issued a strong dissent. The recent stay, approved by the FCC in a 2-to-1 vote along party lines, follows Pai’s statement on February 24, 2017 that he would seek to reconsider elements of the Obama-era FCC’s privacy rules that were inconsistent with the FTC’s rules.

The moves by the FCC presage the likely withdrawal of the prescriptive broadband privacy rules, which rely on a determination by the FCC that ISPs are common carriers under its jurisdiction. This would return ISPs’ treatment of consumer privacy to the FTC, which has more experience enforcing privacy and data security laws in a technology-neutral manner.

Sealed: Three IT Companies Settle FTC Deceptive APEC Privacy Claims

Posted in Advertising, Privacy

If a business advertises it is a member of a privacy program, even a voluntary one, it had better be, according to the Federal Trade Commission (FTC). In separate but related complaints, the FTC alleged that three businesses – software provider Sentinel Labs Inc., private messaging app developer SpyChatter Inc., and cybersecurity software company Vir2us Inc. – represented that they were members of the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) when they were not.

The CBPR is a voluntary, cross-border privacy regime designed “to protect data that flows between the regions.” Its system is based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access, correction, and accountability.

Although membership is voluntary, false representations about participation are enforceable. Furthermore, participation isn’t simply a matter of saying you support the principles; participants must undergo a review by an APEC-recognized accountability agent, which certifies companies that meet CBPR standards. Despite assertions in their online privacy policies that they were CBPR members, Sentinel, SpyChatter, and Vir2us Inc. had never been certified by an APEC agent.

FTC Acting Chair Maureen Ohlhausen commented that “Cross-border commerce is an important driver of economic growth, and our cross-border privacy commitments help enable U.S. companies to compete around the world. Companies, however, must live up to the promises they make to protect consumer data.” Ohlhausen’s comments indicate the seriousness with which the FTC continues to approach deceptive advertising related to privacy.

Under their settlement with the FTC, the three companies are barred from making any misleading assertions about their “participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.”

Public comments may be submitted electronically on the Sentinel Labs, Inc., SpyChatter, Inc., and Vir2us, Inc. agreements through March 24, 2017.

It is important to note that there are a growing number of privacy “seal” programs, and some organizations offer a variety of such programs. Whether ads involve compliance with the EU-U.S. Privacy Shield, APEC, or programs under the Health Information Portability and Accountability Act (HIPAA) or Children’s Online Privacy Protection Act (COPPA), to minimize risk, businesses need to ensure that claims accurately reflect the specific program they joined. And, of course, they should only advertise participation while their membership or seal status is current and their policies and practices remain in compliance.

Elliot Kaye Steps Down as CPSC Chair

Posted in Regulations

In line with the chairs of other U.S. government agencies and commissions, U.S. Consumer Product Safety Commission (CPSC) Chairman Elliot F. Kaye has resigned his seat as chairman, according to internal sources. Pursuant to the commissioners’ unanimous vote on January 19, 2017, Vice Chair Ann Marie Buerkle assumes the role of Acting Chair until a permanent replacement is appointed by President Trump and confirmed by the Senate.

Acting Chair Buerkle is a proponent of reducing testing burdens faced by manufacturers and working closely with the stakeholder community. She has opposed the recent increase in CPSC’s civil penalty settlements and criticized a lack of transparency in the civil penalty process.

Kaye was nominated by President Barack Obama on March 31, 2014, and was confirmed by the U.S. Senate on July 28, 2014, to a term set to run until 2020. He had two separate commissions—one as commissioner and one as chairman—and resigning the chairman’s seat does not automatically affect his seat as commissioner.

FTC Finds Water Company Claims Are All Washed Up

Posted in Advertising

The push to “Buy American” aims to encourage consumers and businesses to support homegrown industry.  So, when a water filter maker’s claims of “buil[t] in the U.S.” didn’t hold water, the company quickly found itself in a sea of trouble with the FTC.

Georgia-based iSpring advertised and sold its water filter to consumers on its website as well as via major retailers such as Amazon, Overstock, Sears, Home Depot, and Walmart.  The FTC complaint alleged that iSpring Water Systems misled consumers with “false, misleading, or unsupported claims” that its water filtration systems are “Built in USA.” The problem, the FTC alleged, was that the company used substantial components produced overseas.

Under the standard terms of its settlement with the FTC, iSpring is prohibited from making any representation regarding country of origin unless such representation is demonstrably true and cannot describe its products as “Made in USA” unless it can establish that virtually all of its components are sourced and manufactured in the United States. Qualified “Made in USA” claims are, of course, permissible so long as iSpring makes them “include a clear and conspicuous disclosure about the extent to which the product contains foreign parts, ingredients, [or] processing.”

“Supporting American manufacturing is important to many consumers. If a product is advertised or labelled as ‘made’ or ‘built’ in the USA, consumers rightly expect that to be the case when they part with their hard-earned money,” said Acting FTC Chairman Maureen Ohlhausen. “This is an important issue for American business and their customers, and the FTC will remain vigilant in this area.”

Many consumers do look for products made in America.  The decision confirms that the FTC, which has been very active in enforcing against similar products over the past couple of years, will continue to take a close look at such claims.  Public comments on the proposed agreement will be accepted until March 3, 2017, and interested parties can submit comments here.

Smart TV Tracking Without Permission? Not So Clever

Posted in Privacy

Have you ever had the niggling suspicion your television was watching you?  Apparently, if it was made by smart technology manufacturer VIZIO, it very well may have been.  In a $2.2 million settlement with the Federal Trade Commission (FTC) and the New Jersey Attorney General, VIZIO acknowledged that it collected and sold data from 11 million televisions without viewers’ knowledge.

According to the FTC complaint, beginning in February 2014, VIZIO smart televisions covertly recorded continuous data of what viewers watched without their knowledge or consent. The television’s Smart Interactivity feature was advertised simply as a way to get program recommendations.  But when the feature was activated, rather than make viewing suggestions, it collected data from cable, on-air broadcasts, DVDs, broadband, and streaming devices and sent it back to VIZIO via the company’s embedded, proprietary ACR software.  The data, including a persistent identifier for each television, program and commercial viewed, when it was viewed, how long it was viewed, and what channel it was on, was then sold to third parties for audience measurement, analyzing advertising effectiveness, and behavioral advertising purposes. The complaint asserts that these actions violated Section 5 of the FTC Act and New Jersey consumer protection laws.

Under a stipulated federal court order, VIZIO is required to obtain express consent for its data collection and sharing practices, and must institute a comprehensive data privacy program.  The company is also barred from misrepresenting the privacy, security, and confidentiality of consumer information it collects.

FTC Acting Chairman Maureen K. Ohlhausen issued a concurring statement in which she noted that “[e]vidence shows that consumers do not expect televisions to collect and share information about what they watch.”  She went on, however, to caution:

We must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers. This case demonstrates the need for the FTC to examine more rigorously what constitutes “substantial injury” in the context of information about consumers. In the coming weeks I will launch an effort to examine this important issue further.

Ohlhausen’s statement is consistent with earlier dissenting and concurring statements in other cases suggesting that FTC privacy and data security enforcement actions should focus on instances where business actions resulted in actual harm to consumers. The type of review Ohlhausen describes may result in affirming the importance of all three factors under the Commission’s 1980 Unfairness Policy Statement.  With the Internet of Things exploding, manufacturers of smart products should stay tuned.

