Sheila Millar and Tracy Marshall

As many marketers devote a large and growing share of their ad spend to social media, basic principles of truthful advertising must be kept in mind and applied in the new and varied media. After all, the platforms may change, but the underlying requirements do not. Thus, for responsible marketers, a robust social media policy is a must. A well-crafted policy will help get a message across, meeting consumers’ and regulators’ expectations while avoiding common yet confusing pitfalls. For an overview of the requirements applicable to social media advertising – with attention to new developments and specifics of application in the new environments – click here. We discuss important points about endorsements and testimonials, privacy policies, sweepstakes and contests, and other key do’s and don’ts of social media advertising policies.

Tracy Marshall

As we previously reported, the Federal Communications Commission (“FCC” or “Commission”) adopted a significant Declaratory Ruling and Order on June 18, 2015 to clarify aspects of the Telephone Consumer Protection Act (“TCPA”), namely, the use of “automatic telephone dialing systems” and/or artificial or prerecorded voice messages to send telemarketing and informational calls and texts to consumers (“robocalls”).  The Order was released and took effect on July 10, 2015, and impacts all businesses that use automated technologies, including text messaging, to communicate with consumers.  Click here to review highlights of the Order and some practical implications for businesses.

Sheila Millar and Tracy Marshall

The U.S. Federal Trade Commission (FTC) issued new data security guidance for businesses on June 30, 2015. The publication, Start With Security: A Guide for Business, consolidates other guidance from the FTC that reflects its position that security by design, much as privacy by design, should be integrated into business processes. The guidance isn’t new, but includes 10 tips:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

The FTC offers many other resources on data security and privacy, and its enforcement actions in this area highlight some chief concerns. With the increase in data breaches and resulting regulatory investigations and class action lawsuits, the FTC’s guidance is a good reminder of some security basics for businesses.

Sheila Millar and Tracy Marshall

At its Open Meeting on June 18, 2015, the Federal Communications Commission (“FCC”) adopted a significant Declaratory Ruling and Order to clarify aspects of the Telephone Consumer Protection Act (“TCPA”), namely, the use of automatic dialing systems and/or artificial or prerecorded voice messages to send telemarketing and informational calls and texts to consumers (“robocalls”). The Order follows a proposal circulated by FCC Chairman Wheeler last month to address nearly two dozen TCPA petitions filed with the FCC, “close loopholes” in the TCPA, and “crack down” on robocalls. The Order has not yet been released, but it will take effect immediately, and will impact all businesses that use automated technologies, including text messaging, to communicate with consumers. A summary of the Order based on the FCC’s News Release and discussion at the Open Meeting with some practical implications for businesses is available here. We will provide more details once the Order is released.

Sheila Millar and Tracy Marshall

A federal appellate court will consider early next month whether the Video Privacy Protection Act (VPPA) makes an “Android ID” – a device identifier used in Google’s smartphones – personally identifiable information (PII). The Eleventh Circuit has scheduled oral argument in the case, Ellis v. Cartoon Network, Inc., for June 3, 2015.

The plaintiff in the putative class action, Mark Ellis, downloaded the Cartoon Network app, which he used to watch video clips on his Android device. With each use of the app, the user’s video history and Android ID are transmitted to a third-party data analytics provider, Bango, based in the United Kingdom. Bango could use the information to identify Ellis by combining its information with information collected from other sources. The question is whether the Android ID constitutes PII under the VPPA. An Atlanta federal district court previously ruled against Ellis, dismissing his case and finding that an “Android ID, without more, is not [PII].” Ellis v. Cartoon Network, Inc., Case No. 1:14-CV-484-TWT (N.D. Ga. Oct. 8, 2014).

In several recent similar cases, judges have ruled that the serial number for a Roku TV box (a video streaming device) was not PII under the VPPA (see Locklear v. Dow Jones & Co., Case No. 1:14-cv-007445-MHC (N.D. Ga. Jan. 23, 2015); Eichenberger v. ESPN, Inc., Case No. C14-463 TSZ (W.D. Wash. May 7, 2015)); that “anonymous user IDs, a child’s gender and age, and information about the computer used to access Viacom’s websites” likewise were not PII under the VPPA (see In re Nickelodeon Consumer Privacy Litig., No. Civ. A. 12-07829 (D.N.J. July 2, 2014)); and that a comScore anonymous identifier used by Hulu was not PII under the VPPA (see In re Hulu Privacy Litig., No. C 11-03764 LB (N.D. Cal. Apr. 28, 2014)).

With this history, it would not be unexpected for the court to rule in favor of Cartoon Network in this case. An appellate ruling in favor of the defendant here would be a welcome narrowing of potential VPPA claims, which have proliferated as of late given the growth of over-the-Internet streaming video services. A related complexity for those offering kid-oriented apps, however, is that the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule does define device IDs as PII when associated with individually identifiable information, but exempts such collection from parental consent requirements when used to support internal operations.

Regardless of how the court rules, the evolving nature of technology means that questions of whether and when device or other IDs should be considered “PII” will continue to pose thorny issues. Broad categorization of such identifiers as PII could result in significant restrictions on collection of the type of data designed to improve services and offer appropriate content, so the case bears close watching.

Sheila Millar

The Supreme Court of the United States granted certiorari late last month in a case with important implications for consumer privacy and for the ability of Congress generally to create wholly new protections for consumers. Plaintiffs must always show that they have standing – a legally-protected interest that allegedly has been violated – before a federal court can hear their case. To do this, they must show that they have suffered or will suffer a concrete harm (an injury-in-fact), not just a statutory violation (an injury-in-law). In this case, the Court has agreed to consider whether a statute that establishes a payment due to anyone who is the victim of a violation of the law confers standing.

The case involves a suit against Spokeo, a “people search engine” that aggregates information about individuals from online and offline sources. Thomas Robins sued Spokeo in a putative class action, alleging that Spokeo disseminated inaccurate information about his education, professional experience and marital status to employers and others. Robins asserted that Spokeo was a “consumer reporting agency” within the meaning of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., and that Spokeo violated several of the FCRA’s requirements, entitling him to seek statutory damages, which he requested. The FCRA limits the circumstances in which consumer reporting agencies may provide consumer reports for employment purposes, requiring agencies to follow procedures to ensure the accuracy of those reports, to give notice to providers and users of the consumer information, and to allow consumers to request their information. Negligent violation of these requirements with respect to consumers subjects consumer reporting agencies to actual damages, attorney’s fees, and costs. Willful violations allow consumers to seek statutory damages of $100 to $1,000, plus punitive damages.

The district court agreed with Spokeo that Robins had not suffered any actual or imminent harm and dismissed his case. The United States Court of Appeals for the Ninth Circuit reversed. It held that “creation of a private cause of action to enforce a statutory provision implies that Congress intended the enforceable provision to create a statutory right,” and that “the violation of a statutory right is usually a sufficient injury in fact to confer standing.” Spokeo appealed to the Supreme Court.

The Supreme Court previously granted certiorari in a similar case, but ended up dismissing the case, likely because it did not present the question at issue here “cleanly” enough (in other words, without extraneous issues). The Court’s grant of certiorari is discretionary and requires the agreement of at least four members of the Court. Claims similar to the ones pursued under the FCRA here could be pursued under the Telephone Consumer Protection Act (TCPA) (statutory damages for telephone solicitations), and the Video Privacy Protection Act (VPPA) (consumer lawsuits for knowingly disclosing personally identifiable information), among others. If the Court rules against the claim here (and depending on the breadth of the ruling), claims about violations of privacy that lack any allegations of concrete injury could have to be dismissed. Given the proliferation of such claims, businesses covered by such laws should pay close attention to the proceedings in this case, which is Spokeo, Inc. v. Robins, No. 13–1339 (cert. granted Apr. 27, 2015). Oral argument will be held next term, in early fall 2015, and a decision is expected some time before summer 2016.

Ultimately a ruling could have implications for ongoing discussions about new data privacy and security legislation.

Sheila Millar and Tracy Marshall

On April 23, 2015, the Federal Trade Commission (FTC) announced that retail tracking company Nomi Technologies has agreed to settle FTC charges that it misled consumers. The FTC alleged that the company, which develops technology to allow retailers to track consumers’ movements through their stores, misled consumers by failing to uphold promises to provide a mechanism for consumers to opt out of tracking at stores using Nomi’s tracking technology, and, in doing so, implied that consumers would be informed when retailers were using the company’s tracking services. The FTC alleged that, although the company did provide an opt-out on its website, there was no option to opt out at retailers’ locations using the service, and consumers were not informed of the tracking taking place in the stores at all. Under the settlement, Nomi will be prohibited from misrepresenting consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices, as well as the extent to which consumers will be notified about information practices.

The Commission vote to issue the complaint and accept the proposed consent order was 3–2, with Republican Commissioners Maureen K. Ohlhausen and Joshua D. Wright dissenting. The dissenting commissioners argued that Nomi’s promise to provide an in-store opt-out was immaterial, because consumers could opt out online. Commissioner Ohlhausen stated that, as “a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out,” but nevertheless offered consumers this opportunity. She further wrote that she dissented due to “fear that the majority’s decision in this case encourages companies to do only the bare minimum on privacy, ultimately leaving consumers worse off.” Chairwoman Edith Ramirez, joined by Commissioners Julie Brill and Terrell McSweeney, asserted that Nomi offered an express opt-out promise, which was both false and material to consumers. The decision illustrates the importance of carefully choosing every word in a public privacy policy.

Sheila Millar and Jean-Cyril Walker

A California federal court this month ruled against defendants’ attempt to rely on a federal law requiring U.S.-origin claims on textile fabric products to displace a California statute with more stringent requirements about “Made in the USA” labels.  The ruling allows a class action suit to proceed, lowering the hopes of retailers and manufacturers that have found compliance with the California law burdensome and unduly complicated. Go here to learn more.

Sheila Millar and Tracy Marshall

This week, the U.S. House of Representatives passed two cybersecurity information sharing bills that gained qualified support from the Obama Administration.  Together, the bills (the Protect Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA)) would authorize companies to share cyber threat information and defensive measures with each other and the government, and would limit their liability in connection with such measures if certain privacy protections are implemented.  The Senate is already considering a similar bill, the Cyberthreat Information Sharing Act (CISA), and the President’s support for cyber threat information sharing measures may be key to passage there.  To read a more detailed summary, click here.

Sheila Millar

The Paris-based International Chamber of Commerce (ICC) today released a new guide to help companies manage their cybersecurity, including how to address cyberthreats and how to prevent cybercrime. The ICC Cyber security guide for business, prepared by the ICC’s Commission on the Digital Economy, was written to help companies address the new types of risks that have to be managed in an environment where new technologies and communications methods are rolled out constantly. The guide acknowledges the strong benefits that accrue to businesses through new technologies, including increased reach to new customers and newly available efficiencies, and aims to help businesses of all sizes – small, mid-sized, and large – grasp and handle the challenges. Connecting more people and more devices creates risks by opening a variety of vulnerabilities that must be addressed to secure individuals’ and organizations’ systems and communications.

There’s no turning back on cyber-connectedness – there are too many benefits for businesses, their employees, and their customers. There’s also no doubting the attendant risks and dangers, and legal and business authorities (including insurers) are increasingly pushing for businesses to take an active, rigorous, and thorough approach to managing their risks. The benefits of such an approach include not only security but potentially increased profits. The costs, on the other hand, are hard to overstate.