Photo of Sheila MillarPhoto of Tracy Marshall

Thirteen companies have agreed to settle with the Federal Trade Commission (FTC) charges relating to their participation in the U.S.–EU and U.S.–Swiss Safe Harbor Frameworks. Seven companies allegedly failed to renew their Safe Harbor self-certifications, including a sports marketing firm, two software developers, a research organization, a business information firm, a security consulting firm, and an e-discovery service provider. Another six allegedly failed to seek certification under the Frameworks, but nevertheless claimed in their privacy policies to be certified, including an amusement park, two sporting companies, a medical waste service provider, a food manufacturer, and an e-mail marketing firm. Last year, fourteen companies settled with the FTC over similar claims (see our alert here), and advocacy group named 30 companies in a complaint alleging that they were out of compliance with the Safe Harbor Frameworks (see our alert here).

The European Commission’s Directive on Data Protection prohibits the transfer of personal data to non-EU countries that do not meet the EU standard for privacy protection, so the U.S. Department of Commerce (DOC) negotiated the Safe Harbor Frameworks to allow U.S entities to receive such data provided that they comply with the Directive. To participate in the Safe Harbor Frameworks, companies must annually self-certify that they comply with seven key privacy principles for meeting EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. Only appropriately self-certified companies may display the Safe Harbor certification mark on their websites, and the FTC is charged with enforcing violations.

This enforcement action is a reminder of the importance of maintaining current Safe Harbor status for those who elect to participate the program. It is also a reminder that companies must act in accordance with their published privacy policies, and periodically review their privacy policies to ensure that they remain current and reflect companies’ actual practices.

Photo of Sheila MillarPhoto of Peter L. de la Cruz

In a 4–1 vote, the Federal Trade Commission (FTC) has issued its long-awaited Statement of Enforcement Principles outlining the Commission’s approach to “unfair methods of competition” prohibited by Section 5 of the Federal Trade Commission Act (FTCA) but not necessarily by the Sherman or Clayton Act. The statement is brief, and those awaiting the type of detailed policy statement that the FTC previously issued in connection with its deception and unfairness advertising enforcement will be disappointed. The policy outlines three central concepts framing when the Commission will decide to challenge an act or practice as an unfair method of competition in violation of Section 5 on a standalone basis:

  • the Commission will be guided by the public policy underlying the antitrust laws, namely, the promotion of consumer welfare;
  • the act or practice will be evaluated under a framework similar to the rule of reason, that is, an act or practice challenged by the Commission must cause, or be likely to cause, harm to competition or the competitive process, taking into account any associated cognizable efficiencies and business justifications; and
  • the Commission is less likely to challenge an act or practice as an unfair method of competition on a standalone basis if enforcement of the Sherman or Clayton Act is sufficient to address the competitive harm arising from the act or practice.

In comments announcing the principles, Chairwoman Edith Ramirez reiterated her prior support for a common-law approach to the development of Section 5 doctrine. Acknowledging that the principles are “concise,” she nevertheless stressed that was because those widely-used antitrust concepts, like “consumer welfare,” “rule of reason,” “harm to competition” and “cognizable efficiencies” “derive their content from 125 years of precedent under the Sherman and Clayton Acts, and that precedent will information Commission analysis under Section 5 as well.”

Commissioner Maureen Ohlhausen dissented, saying the policy statement was too abbreviated in substance and process for her to support it. In particular, she criticized the majority for failing to address case law, including instances where courts failed to support FTC action. Expressing concern about the potential expansive application of the policy, she stated:

I would prefer that any Section 5 policy statement be put out for public comment before adoption and include, among other things: (1) a substantial harm requirement; (2) a disproportionate harm test; (3) a stricter standard for pursuing conduct already addressed by the antitrust laws; (4) a commitment to minimize FTC-DOJ conflict; (5) reliance on robust economic evidence on the practice at issue and exploration of available non-enforcement tools prior to taking any enforcement action; and (6) a commitment generally to avoid pursuing the same conduct as both an unfair method of competition and an unfair or deceptive act or practice.

Time will tell if the policy statement becomes the basis for more expansive enforcement action, and how courts will react. Given the brevity of the Statement, future actions by the Commission may better define the current Commission’s views on the meaning of “consumer welfare” and “harm to competition,” particularly whether these terms mean anything other than the concepts as used under the Sherman and Clayton Acts, as opposed to the FTCA.

Photo of Sheila MillarPhoto of Tracy Marshall

As many marketers spend a large and growing share of the ad spend on social media, basic principles of truthful advertising must be kept in mind and applied in the new and varied media.  After all, the platforms may change, but the underlying requirements do not.  Thus, for responsible marketers, a robust social media policy is a must.  A well-crafted policy will help get a message across, meeting consumers’ and regulators’ expectations while avoiding common yet confusing pitfalls.  For an overview of the requirements applicable to social media advertising – with attention to new developments and specifics of application in the new environments – click here.  We discuss important points about endorsements and testimonials, privacy policies, sweepstakes and contests, and other key do’s and don’ts of social media advertising policies.

Photo of Tracy Marshall

As we previously reported, the Federal Communications Commission (“FCC” or “Commission”) adopted a significant Declaratory Ruling and Order on June 18, 2015 to clarify aspects of the Telephone Consumer Protection Act (“TCPA”), namely, the use of “automatic telephone dialing systems” and/or artificial or prerecorded voice messages to send telemarketing and informational calls and texts to consumers (“robocalls”).  The Order was released and took effect on July 10, 2015, and impacts all businesses that use automated technologies, including text messaging, to communicate with consumers.  Click here to review highlights of the Order and some practical implications for businesses.

Photo of Sheila MillarPhoto of Tracy Marshall

The U.S. Federal Trade Commission (FTC) issued new data security guidance for businesses on June 30, 2015. The publication, Start With Security: A Guide for Business, consolidates other guidance from the FTC that reflects its position that security by design, much as privacy by design, should be integrated into business processes. The guidance isn’t new, but includes 10 tips:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

The FTC offers many other resources on data security and privacy, and its enforcement actions in this area highlight some chief concerns. With the increase in data breaches and resulting regulatory investigations and class action lawsuits, the FTC’s guidance is a good reminder of some security basics for businesses.

Photo of Sheila MillarPhoto of Tracy Marshall

At its Open Meeting on June 18, 2015, the Federal Communications Commission (“FCC”) adopted a significant Declaratory Ruling and Order to clarify aspects of the Telephone Consumer Protection Act (“TCPA”), namely, the use of automatic dialing systems and/or artificial or prerecorded voice messages to send telemarketing and informational calls and texts to consumers (“robocalls”). The Order follows a proposal circulated by FCC Chairman Wheeler last month to address nearly two dozen TCPA petitions filed with the FCC, “close loopholes” in the TCPA, and “crack down” on robocalls. The Order has not yet been released, but it will take effect immediately, and will impact all businesses that use automated technologies, including text messaging, to communicate with consumers. A summary of the Order based on the FCC’s News Release and discussion at the Open Meeting with some practical implications for businesses is available here. We will provide more details once the Order is released.

Photo of Sheila MillarPhoto of Tracy Marshall

A federal appellate court will consider early next month whether the Video Privacy Protection Act (VPPA) makes an “Android ID” – a device identifier used in Google’s smartphones –personally identifiable information (PII). The Eleventh Circuit has scheduled oral argument in the case, Ellis v. Cartoon Network, Inc., for June 3, 2015.

The plaintiff in the putative class action, Mark Ellis, downloaded the Cartoon Network app, which he used to watch video clips on his Android device. With each use of the app, the user’s video history and Android ID are transmitted to a third-party data analytics provider, Bango, based in the United Kingdom. Bango could use the information to identify Ellis by combining its information with information collected from other sources. The question is whether the Android ID constitutes PII under the VPPA. An Atlanta federal district court previously ruled against Ellis, dismissing his case and finding that an “Android ID, without more, is not [PII].” Ellis v. Cartoon Network, Inc., Case No. 1:14-CV-484-TWT (N.D. Ga. Oct. 8, 2014).

In several recent similar cases, judges have ruled that the serial number for a Roku TV box (a video streaming device) was not PII under the VPPA (see Locklear v. Dow Jones & Co., Case No. 1:14-cv-007445-MHC (N.D. Ga. Jan. 23, 2015); Eichenberger v. ESPN, Inc., Case No. C14-463 TSZ (W.D. Wash. May 7, 2015)); that “anonymous user IDs, a child’s gender and age, and information about the computer used to access Viacom’s websites” likewise were not PII under the VPPA (see In re Nickelodeon Consumer Privacy Litig., No. Civ. A. 12-07829 (D.N.J. July 2, 2014)); and that a comScore anonymous identifier used by Hulu was not PII under the VPPA (see In re Hulu Privacy Litig., No. C 11-03764 LB (N.D. Cal. Apr. 28, 2014).

With this history, it would not be unexpected for the court to rule in favor of Cartoon Network in this case. An appellate ruling in favor of the defendant here would be a welcome narrowing of potential VPPA claims, which have proliferated as of late given the growth of over-the-Internet streaming video services. A related complexity for those offering kid-oriented apps, however, are provisions in the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule, which does define device IDs as PII when associated with individually identifiable information, but exempts such collection from parental consent requirements when used to support internal operations.

Regardless of how the court rules, the evolving nature of technology means that questions of whether and when device or other IDs should be considered “PII” will continue to pose thorny issues. Broad categorization of such identifiers as PII could result in significant restrictions on collection of the type of data designed to improve services and offer appropriate content, so the case bears close watching.

Photo of Sheila Millar

The Supreme Court of the United States granted certiorari late last month in a case with important implications for consumer privacy and for the ability of Congress generally to create wholly new protections for consumers. Plaintiffs must always show that they have standing – a legally-protected interest that allegedly has been violated – before a federal court can hear their case. To do this, they must show that they have suffered or will suffer a concrete harm (an injury-in-fact), not just a statutory violation (an injury-in-law). In this case, the Court has agreed to consider whether a statute that establishes a payment due to anyone who is the victim of a violation of the law has standing.

The case involves a suit against Spokeo, a “people search engine” that aggregates information about individuals from online and offline sources. Thomas Robins sued Spokeo in a putative class action, alleging that Spokeo disseminated inaccurate information about his education, professional experience and marital status to employers and others. Robins asserted that Spokeo was a “consumer reporting agency” within the meaning of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., and that Spokeo violated several of the FCRA’s requirements, entitling him to seek statutory damages, which he requested. The FCRA limits the circumstances in which consumer reporting agencies may provide consumer reports for employment purposes, requiring agencies to follow procedures to ensure the accuracy of those reports, give notice to providers and users of the consumer information, and to allow consumers to request their information. Negligent violation of these requirements with respect to consumers subjects consumer reporting agencies to actual damages, attorney’s fees, and costs. Willful violations allow consumers to seek statutory damages of $100 to $1,000, plus punitive damages.

The district court agreed with Spokeo that Robins had not suffered any actual or imminent harm and dismissed his case. The United States Court of Appeals for the Ninth Circuit reversed. It held that “creation of a private cause of action to enforce a statutory provision implies that Congress intended the enforceable provision to create a statutory right,” and that “the violation of a statutory right is usually a sufficient injury in fact to confer standing.” Spokeo appealed to the Supreme Court.

The Supreme Court previously granted certiorari in a similar case, but ended up dismissing the case, likely because it did not present the same question here “cleanly” enough (in other words, without extraneous issues). The Court’s decision grant of certiorari is discretionary and requires the agreement of at least four members of the Court. Claims similar to the ones pursued under the FCRA here could be pursued under the Telephone Consumer Protection Act (TCPA) (statutory damages for telephone solicitations), and the Video Privacy Protection Act (VPPA) (consumer lawsuits for knowingly disclosing personally identifiable information), among others. If the Court rules against the claim here (and depending on the breadth of the ruling), claims about violations of privacy that lack any allegations concrete injury could have to be dismissed. Given the proliferation of such claims, businesses covered by such laws should pay close attention to the proceedings in this case, which is Spokeo, Inc. v. Robins, No. 13–1339 (cert. granted Apr. 27, 2015). Oral argument will be held next term, in early fall 2015, and a decision some time before summer 2016.

Ultimately a ruling could have implications for ongoing discussions about new data privacy and security legislation.

Photo of Sheila MillarPhoto of Tracy Marshall

On April 23, 2015, the Federal Trade Commission (FTC) announced that retail tracking company Nomi Technologies has agreed to settle FTC charges that it misled consumers. The FTC alleged that the company, which develops technology to allow retailers to track consumers’ movements through their stores, misled consumers by failing to uphold promises to provide a mechanism for consumers to opt-out of tracking at stores using Nomi’s tracking technology, and, in doing so, implied that consumers would be informed when retailers were using the company’s tracking services. The FTC alleged that, although the company did provide an opt-out on its website, there was no option to opt out at retailers’ locations using the service, and consumers were not informed of the tracking taking place in the stores at all. Under the settlement, Nomi will be prohibited from misrepresenting consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices, as well as the extent to which consumers will be notified about information practices.

The Commission vote to issue the complaint and accept the proposed consent order was 3–2, with Republican Commissioners Maureen K. Ohlhausen and Joshua D. Wright dissenting. The dissenting commissioners argued that Nomi’s promise to provide in-store opt out was immaterial, because consumers could opt out online. Commissioner Olhausen stated that, as “a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out,” but nevertheless offered consumers this opportunity. She further wrote that she dissented due to “fear that the majority’s decision in this case encourages companies to do only the bare minimum on privacy, ultimately leaving consumers worse off.” Chairwoman Edith Ramirez, joined by Commissioners Julie Brill and Terrell McSweeney, asserted that Nomi offered an express opt-out promise, which was both false and material to consumers. The decision illustrates the importance of carefully choosing every word in a public privacy policy.

Photo of Sheila MillarPhoto of Jean-Cyril Walker

A California federal court this month ruled against defendants’ attempt to rely on a federal law requiring U.S.-origin claims on textile fabric products to displace a California statute with more stringent requirements about “Made in the USA” labels.  The ruling allows a class action suit to proceed, lowering the hopes of retailers and manufacturers that have found compliance with the California law burdensome and unduly complicated. Go here to learn more.