By Sheila Millar and Tracy Marshall

“Native Advertising” has been on the radar screen for several years, with consumer groups, businesses and regulators alike considering what the rules of the game should be to avoid deception as the nature of publishing and advertising continues to evolve at a dizzying pace. Those rules became clearer on December 22, 2015, when the Federal Trade Commission (FTC) released an Enforcement Policy Statement on native advertising and deceptively formatted advertising, along with an associated guide for business entitled Native Advertising: A Guide for Business.

The Enforcement Policy Statement emphasizes that it applies to commercial speech under the FTC’s jurisdiction, and its watchword is transparency. The policy cites decades of prior policy statements, guidance and cases, but in its business guidance the FTC distills its recommendations into three basic points:

  1. From the FTC’s perspective, the watchword is transparency.  An advertisement or promotional message shouldn’t suggest or imply to consumers that it’s anything other than an ad.
  2. Some native ads may be so clearly commercial in nature that they are unlikely to mislead consumers even without a specific disclosure.  In other instances, a disclosure may be necessary to ensure that consumers understand that the content is advertising.
  3. If a disclosure is necessary to prevent deception, the disclosure must be clear and prominent.

Be fair and tell the truth. These principles remain the lodestones by which the FTC will likely continue to evaluate advertising, including native advertising.

By Sheila Millar and Tracy Marshall

Two app developers have settled complaints from the Federal Trade Commission (FTC) alleging that they allowed third parties to collect information, including persistent identifiers, through their apps, and allowed third parties to serve advertising to children, in violation of the Children’s Online Privacy Protection Act (COPPA). The FTC’s announcement was released the same day it announced agreement on a stipulated order with LifeLock settling contempt charges related to an earlier order on data security practices and misrepresentations about those practices (see blog post here). Respondent LAI Systems, LLC agreed to pay a civil penalty of $60,000; Respondent Retro Dreamer and two of its principals agreed to pay a civil penalty of $300,000. These cases are the first under the updated COPPA Rule, effective July 1, 2013, which revised the definition of “personal information” to include “persistent identifiers” except when used to support internal operations.

By Sheila Millar and Tracy Marshall

On December 15, 2015, the European Commission announced that agreement had been reached with the European Parliament and the Council (in the “trilogue” meetings) regarding the Commission’s sweeping 2012 EU Data Protection Reform proposal.  The reform package, which consists of a General Data Protection Regulation and a Data Protection Directive for Police and Criminal Justice Authorities, updates and replaces the Data Protection Directive (Directive 95/46/EC) and the 2008 Framework Decision, and provides a comprehensive data protection regime for the entire EU.  The reforms will give European consumers new rights and control over their personal information, and impose new obligations on businesses. While some of the new measures will serve to make the system less cumbersome, the broad reach, new restrictions, expanded obligations and enhanced penalties imposed on businesses could more than offset these reductions.  For a more detailed summary, click here.

By Sheila Millar and Tracy Marshall

On December 17, 2015, the Federal Trade Commission (FTC) announced that LifeLock, Inc. (LifeLock) agreed to pay a record-breaking $100 million to settle charges that it violated a March 2010 consent order relating to flawed data security practices. The LifeLock settlement implicates both the “fairness” of the company’s data security practices and its representations about those practices. The FTC contended that LifeLock both failed to implement a comprehensive security program as required by the earlier order, and falsely advertised the level of its security practices. The bulk of the $100 million – $68 million – is earmarked for restitution to class action consumers for fees paid to LifeLock, but must be paid directly to consumers and may not be used towards administrative or legal fees.

The stipulated order requires LifeLock to share with the Commission customer information sufficient to allow the FTC to administer the order, requires reporting for 5 years, and extends record-keeping obligations for 13 years. Commissioner Ohlhausen dissented on the grounds that LifeLock’s Payment Card Industry Data Security Standard (PCI DSS) and other certifications undermine the staff’s contention that LifeLock was in contempt, pointing out also that PCI DSS certifications were treated as “important evidence of reasonable security” in the recent settlement with Wyndham Worldwide.

The stipulated order represents the largest amount obtained by the FTC in a proceeding to enforce an order.

By Sheila Millar

The Vermont Department of Health won approval for its new, burdensome children’s product green chemistry reporting program from the state’s Legislative Committee on Administrative Rules on November 19, 2015. The final version of the Toxic Substances in Children’s Products Rule took effect on December 10, 2015, and follows from the state’s 2014 green chemistry bill, VT S. 239. Under the rule, companies selling children’s products in Vermont must disclose the presence of any of 66 listed chemicals:

  • as a contaminant, at 100 ppm or more; or
  • as an intentionally added chemical, over the chemical’s practical quantification limit (PQL).

Unlike the requirements in Washington State, the reporting obligations apply to all regulated companies at once and are not phased in.  Moreover, product-level reports are required.  See more on the rule here and here.

Although the first reports were slated to be due July 1, 2016 (for the reporting period January 1 through July 1, 2016), and every second July 1 thereafter, there is some good news: the Department has announced that it will not be able to accept reports until spring 2016, following beta testing of the reporting system. Availability of the online reporting system will be announced via this email list, and “[a]ll manufacturers will have six months to report to the Department from the date of the system’s availability. This will be true even if that six[-]month period extends past July 1st, 2016.”

While this short reprieve is good news, companies should begin to think about compliance now.

By Sheila Millar and Tracy Marshall

We’ve written about the ground-breaking and panic-inducing ruling of the European Court of Justice (ECJ) invalidating the U.S.–EU Safe Harbor framework as an adequate data transfer mechanism, and holding that national data protection authorities are not bound by Commission adequacy decisions. Click here for our September 23, 2015 blog post, and here for a related October 16, 2015 post. The ECJ’s decision not only affects the more than 4,500 companies that have been using the Safe Harbor framework as a mechanism to legally transfer personal data from the EU to the U.S., but has also generated sometimes conflicting reactions from member state data protection authorities about the validity of other data transfer mechanisms. While U.S. and EU officials negotiate a Safe Harbor 2.0, companies around the world are grappling with how to manage global data flows in a way that meets legal standards, is cost-effective, and allows European consumers to benefit from an array of global products and services.

To learn more about what the end of the U.S.–EU Safe Harbor could mean, join Keller and Heckman and colleagues from member firms of Mackrell International this Friday for a complimentary webinar. Click here for more information and to register.

By Sheila Millar and Tracy Marshall

The Article 29 Working Party (WP) issued a press release on October 16, 2015 announcing the outcome of its meeting to discuss coordinated action after the Court of Justice of the European Union (ECJ) decision in Schrems v. Data Protection Commissioner (C-362/14), which invalidated the U.S.–EU Safe Harbor Agreement. While calling for a coordinated position and urging Member States to urgently open negotiations with the U.S. to address “indiscriminate surveillance,” the WP stated: “transfers that are still taking place under the Safe Harbour decision after the [ECJ] judgment are unlawful” (boldface in original). The WP expressed the view that standard contractual clauses and binding corporate rules (BCRs) can still be used, but said that “this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals” (boldface in original).

The WP further expressed the position that if negotiations with the U.S. are not successful by the end of January 2016, or if the assessment of transfer tools does not yield results deemed to be privacy protective, then EU data protection authorities would be prepared to take actions up to and including coordinated enforcement. In this increasingly complex landscape, companies need to continue to quickly assess data transfer options.

By Sheila Millar and Tracy Marshall

A European Court of Justice (ECJ) advocate general, Yves Bot, has called for the European Union–U.S. Safe Harbor Agreement to be invalidated due to concerns over U.S. surveillance practices (press release here, opinion here). The ECJ has discretion to reject the recommendation, but advocate general opinions are generally followed. A final decision on the issue is expected late this year or next year.

The issue arises out of the claims of an Austrian law student, Max Schrems, who challenged Facebook’s compliance with EU data privacy laws. (The case is Schrems v. (Irish) Data Protection Commissioner, ECJ C-362/14.) He claims that the Safe Harbor Framework fails to guarantee “adequate” protection of EU citizen data in light of the U.S. National Security Agency’s (NSA) surveillance activities. Although the Irish data protection authority rejected his claim, he appealed and the case was referred to the ECJ.

The European Data Protection Directive prohibits personal data of EU citizens from being transferred to third countries unless the privacy protections of the third country are deemed adequate to protect that data. The U.S. and EU agreed the Safe Harbor Framework in 2000; it permits companies to self-certify annually to the U.S. Department of Commerce (DOC) that they abide by certain privacy principles when transferring data out of the EU. Companies must agree to provide clear data privacy and collection notices and offer opt-out mechanisms for EU consumers.

In 2013, former NSA contractor Edward Snowden began revealing large-scale interception and collection of data about U.S. and foreign citizens from companies and government sources around the globe. The revelations, which continue, have alarmed officials around the world, and have already prompted the European Commission to urge more stringent oversight of data transfer mechanisms. The European Parliament voted in March 2014 to withdraw recognition from the Safe Harbor Framework. Apparently in response to the concern, the Federal Trade Commission (FTC) has taken action against over two dozen companies for failing to maintain Safe Harbor certifications while advertising compliance with the Framework, and in some cases for claiming compliance without ever certifying in the first place. For more, see here (FTC urged to investigate companies), here (FTC settles with 13 companies in August 2015), and here (FTC settles with 14 companies in July 2014).

Advocate General Bot does not appear to have been mollified by the U.S. efforts, however. He determined that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU,] which is transferred under the [S]afe [H]arbor scheme, without those citizens benefiting from effective judicial protection.” He concluded that this amounted to interference in violation of the right to privacy guaranteed under EU law, and that, notwithstanding the European Commission’s approval of the Safe Harbor Framework, EU member states have the authority to take measures to suspend data transfers between their countries and the U.S.

While the legal basis of that opinion may be questioned, and larger political realities regarding the ability to negotiate agreements between the EU and the U.S. are at play, if the ECJ follows the opinion it would make it extremely difficult for companies to offer websites and services in the EU. This holds true even for many EU companies, including those whose cloud infrastructures store or process data in U.S. data centers. It could prompt a new round of negotiations between the U.S. and the European Commission to address increased concerns in the EU about surveillance.

Congressional action already underway may help release some tension, with the House Judiciary Committee unanimously approving legislation that would give EU consumers a judicial right of action in the U.S. for violations of their privacy. This legislation was a key requirement of the EU in an agreement in principle that would allow the EU and U.S. to exchange data between law enforcement agencies during criminal and terrorism investigations.

Although the specific outcome of this case will not be known for months, the implications for many businesses are clear: confusion and continued change in the realms of privacy and data security, and uncertainty about the legal rules of the game. Increased fragmentation across the EU may result, with a concomitant need to keep abreast of varying requirements in more countries. Change and lack of harmonization are surely the new normal now.

By Sheila Millar

The Vermont Department of Health has released the final proposed version of its Toxic Substances in Children’s Products Rule (although it is not yet available on the Department’s website), adopted under the state’s 2014 green chemistry law, Act 188. The rule, largely unchanged from the proposal, is now scheduled to go before the state’s Legislative Committee on Administrative Rules (LCAR) for consideration on September 10, 2015. As with other state chemical disclosure rules, under the final proposed rule companies selling children’s products in Vermont must disclose the presence of any of 66 listed chemicals at 100 parts per million or more as a contaminant, or above the practical quantification limit (commonly known as the PQL) for the given chemical when intentionally added. In promulgating this rule, the Department declined to align its rule with Washington State’s, or to clarify important elements of the rule. The net result is that the Vermont green chemistry reporting requirement will impose significant, independent burdens on manufacturers selling children’s products in the state. Unless checked by LCAR, these onerous reporting requirements will be in place in 2016. Changes to the current green chemistry law were proposed in a 2015 bill, S. 139, which was rejected, but new legislation to further change the landscape may be re-proposed in the next legislative session. Vermont remains a state to watch.

By Sheila Millar and Tracy Marshall

In a closely watched case in which the Federal Trade Commission (FTC) pursued Wyndham Worldwide Corporation over several data breaches that led to millions of dollars in fraudulent charges on customers’ payment cards, the U.S. Court of Appeals for the Third Circuit on Monday agreed with the Commission’s broad interpretation of its “unfairness” authority (opinion here). The ruling ratifies the FTC’s authority in the domain of data security, and will allow the FTC to continue to seek settlements from companies that suffer data breaches after failing to take adequate precautions to protect sensitive consumer data. More details can be found in the alert that we sent to clients on the ruling, available here.