FTC seems more confident than ever in its authority to go after companies with insufficient data security measures. As of January 2015, FTC had settled 53 data-security enforcement actions, and FTC Senior Attorney Lesley Fair expects that number to increase.
Not everyone is sanguine about FTC’s enforcement efforts. Companies targeted for administrative action complain that the Commission is acting beyond its delegated powers under the Federal Trade Commission Act (the “FTCA”). So far, courts have declined to intervene in any administrative action that is not yet resolved at the agency level.
One such case involves LabMD, Inc., an Atlanta-based cancer-screening laboratory. At least nine years ago, someone downloaded onto the billing department manager’s computer a peer-to-peer file-sharing application called Limewire. Hundreds of files on the computer were designated for sharing on the network, including an insurance aging report that contained personal information for more than 9,000 LabMD customers. In 2008, a third party notified LabMD that the aging report was available on Limewire. The application was promptly removed from the billing department manager’s computer, but the damage allegedly had been done. According to FTC, authorities discovered in October 2012 that data from the aging report and other LabMD files were being used to commit identify theft against LabMD’s customers.
Ten months later, FTC filed an administrative complaint against LabMD alleging that it had failed to employ reasonable and appropriate data security measures. FTC further alleged that LabMD could have corrected the problems at relatively low cost with readily available security measures. By contrast, LabMD’s customers had no way of knowing about the failures and could not reasonably avoid the potential harms, such as identity theft, medical identity theft, and disclosure of sensitive, private, medical information. On these facts, FTC alleged that LabMD had committed an unfair trade practice in violation of the FTCA.
LabMD tried to get the administrative action dismissed on several grounds, including that the FTCA does not give the Commission express authority to regulate data-security practices. The Commission denied LabMD’s motion, explaining that Congress gave FTC broad jurisdiction to regulate unfair and deceptive practices that meet a three-factor test: section 5(n) provides that, in enforcement actions or rulemaking proceedings, the Commission has authority to determine that an act or practice is “unfair” if (i) it causes or is likely to cause substantial injury to consumers which is (ii) not reasonably avoidable by consumers themselves and (iii) not outweighed by countervailing benefits to consumers or competition. Commissioners noted that the FTCA as passed in 1918 granted FTC the authority to regulate unfair methods of competition. When courts took a narrow view of that authority, Congress responded by amending the FTCA to clarify that the Commission has authority to regulate unfair acts or practices that injure the public, regardless of whether they injure one’s competitors. According to the Commission, the statutory delegation is intentionally broad, giving FTC discretionary authority to define unfair practices on a flexible, incremental basis. For these and other reasons, the administrative action against LabMD would proceed.
Having failed to get the case dismissed, LabMD sought relief from the federal courts to no avail. On January 20, 2015, the U.S. Court of Appeals for the Eleventh Circuit dismissed LabMD’s suit for lack of subject-matter jurisdiction. The court explained that it lacked the power to decide LabMD’s claims in the absence of final agency action. FTC had filed a complaint and issued an order denying LabMD’s motion to dismiss. But neither was a reviewable agency action because neither represented a “consummation of the agency’s decision-making process.” Moreover, “no direct and appreciable legal consequences” flowed from the actions and “no rights or obligations had been determined” by them.
LabMD can challenge FTC’s data-security jurisdiction only after the Commission’s proceedings against it are final. That may well be too late. As a result of FTC’s enforcement action, the company was forced to wind down its operations more than a year ago.
LabMD is one of very few companies to test FTC’s data-security jurisdiction. In 2007, a federal court in Wyoming sided with FTC in holding that the defendant’s unauthorized disclosure of customer phone records was an unfair trade practice in violation of the FTCA. The Tenth Circuit affirmed that decision on appeal.
More recently, a district court in New Jersey gave FTC a preliminary victory against Wyndham Worldwide Corporation. In that case, the court held that FTC’s unfairness jurisdiction extends to data-security practices that meet the three-factor test under Section 5(n). That decision is currently on appeal before the Third Circuit. During oral argument on March 3rd, the three-judge panel signaled little doubt that FTC has authority to regulate unreasonable cybersecurity practices. Instead, the panel was concerned with how the Commission exercises that authority—specifically, whether and how it has given notice as to what data security measures are considered to be “unfair.”
A class action lawsuit recently instituted in federal court in the Northern District of California, Hunter v. Lenovo et al., alleges that Lenovo Inc., a computer manufacturer, violated its customers’ rights by selling computers which came preinstalled with alleged spyware manufactured by Superfish Inc., another named defendant. The purported class alleges that the Superfish software monitors user activity and displays pop-up ads, among other things, as part of an “image-based search” function which identifies images on the user’s screen and seeks out similar images on the web. The complaint states causes of action for violations of the Electronic Communications Privacy Act and the Stored Communications Act, as well as unjust enrichment.
The Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2712 provides criminal penalties for anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility.” The SCA has been cited by plaintiffs in other class actions in which users allege that a technology company has overstepped its bounds. For instance, in Perkins v. LinkedIn Corp., No. 13-CV-04303-LHK, 2014 WL 2751053 (N.D. Cal. June 12, 2014), a putative class of LinkedIn users alleged that the social networking company violated the SCA by collecting contacts from users’ external email accounts. The court granted LinkedIn’s motion to dismiss the SCA claims, noting that the users consented to the collection of email addresses in a prominent disclosure, and therefore LinkedIn was “authorized” to collect the information, an exception to the SCA pursuant to 18 U.S.C. §2701(c).
Although the suit is still pending, Lenovo has reversed course on the Superfish software. Lenovo has disabled Superfish on computers which came pre-installed with the software, its websites offer instructions for users to uninstall the software altogether, and Lenovo computers no longer come preinstalled with the program. While these remedial actions may be an appropriate response to user concerns, they do not constitute an admission of legal liability in the class action suit. The defendants may still argue that users consented to the software, even as they remove it from the computers.
The law of unintended consequences – a distant cousin of Murphy’s Law – states that the actions of human beings will always have effects that are unanticipated and unintended. The law could prove a perfect fit for recent efforts by class action counsel to rely upon the Federal Wiretap Act in lawsuits arising from adware installed on personal home computers.
Take, for example, the recently filed case of Bennett v. Lenovo (United States), Inc. In that case, the plaintiff seeks to represent a class of purchasers of Lenovo laptop computers complaining that “Superfish” software that was preloaded on the laptops directed them to preferred advertisements based on their internet browsing behavior. The most interesting claim included in the complaint is the assertion that Lenovo and Superfish violated the Federal Wiretap Act.
Wiretap? What wiretap?
The Federal Wiretap Act was originally passed as Title III of the Omnibus Crime Control and Safe Streets Act of 1968. These provisions were included, at least in part, as a result of concerns about investigative techniques used by the FBI and other law enforcement agencies that threatened the privacy rights of individuals. In passing the Wiretap Act, Congress was clearly focused on the need to protect communications between individuals by telephone, telegraph and the like. The Electronic Communications Privacy Act of 1986 (ECPA) broadened the application of the statute by expanding the kinds of communications to which the statute applied. But the focus was still on communications between individuals.
As is often the case, technology is testing the boundaries of this nearly 50-year-old law. The Bennett case is not the first case in which a plaintiff has argued that software on his or her computer that reads the user’s behavior violates the Wire Act. In some cases, the software in question has been so-called “keylogging” software that captures every one of a user’s keystrokes. Cases considering such claims (or similar claims under state statutes modeled after the federal Act) have been split – some based on the specifics of when and how the software actually captured the information, and others based possibly on differences in the law in different parts of the country.
One of the more interesting cases, Klumb v. Gloan, 2-09-CV 115 (ED Tenn 2012), involved a husband who sued his estranged wife when he discovered that she had placed spyware on his computer. At trial, the husband demonstrated that during his marriage, his wife installed eBlaster, a program capable of not only recording key strokes, but also intercepting emails and monitoring websites visited. The husband alleged that once intercepted, the wife altered the emails and other legal documents to make it appear as if the husband was having an affair. The motive? Money, of course. Adultery was a basis to void the pre-nuptial agreement that the parties had executed prior to their ill-fated marriage. The wife – who was a law school graduate – argued that the installation was consensual. Although consent is a recognized defense to a claim of violating the Federal Wiretap Act, for a variety of reasons, the court discredited the wife’s testimony regarding the purported consent and awarded damages and attorney’s fees to the husband plaintiff.
The Bennett plaintiffs may or may not succeed in showing the facts and arguing the law sufficient to prevail in their claim, and we know too little about the facts in that case to express a prediction of the result in that case. But we can state with confidence that the continued expansion of how the Wiretap Act is applied will, at some point, require that Congress step in and update the statute to make clear how it applies in the new internet-based world in which we now live.
Employers Running Background Checks: Top 10 Tips to Avoid Joining the Fair Credit Reporting Act Litigation “Club”
What do Whole Foods, Chuck E. Cheese, Michael’s Stores, Dollar General, Panera, Publix, and K-Mart have in common? Each of these companies has faced lawsuits (including class actions) under the Fair Credit Reporting Act (“FCRA”). Although Congress passed the FCRA way back in 1970 and litigation has focused on credit reporting agencies’ duties under the law, class action plaintiff firms have recently focused on the FCRA’s employer-related provisions. Several large settlements (such as Publix’s $6.8 million class action settlement, Dollar General’s $4 million, and K-Mart’s $ 3 million) have spurred further litigation. While some of the alleged FCRA violations may appear minor or technical in nature, these “technical violations” still result in costly lawsuits. Employers should re-familiarize themselves with the FCRA to avoid becoming class action defendants.
The FCRA’s Employer-Related Provisions
Many employers understandably want to conduct background checks on prospective employees, or current employees who may be obtaining new responsibilities or accessing sensitive information. In particular, companies in the retail and restaurant sectors, whose employees have access to cash receipts and credit card account numbers, want to guard against employees whose background checks may reveal issues of concern. Further, organizations whose employees enter homes and businesses (such as service providers – e.g., carpet cleaners, plumbers, contractors) have additional concerns about potential liability.
The FCRA is usually thought of as a federal law that regulates consumer reporting agencies, like credit bureaus. However, the FCRA also prescribes certain requirements for employers who use consumer reports. The FCRA broadly defines the term “consumer reports” as information prepared by a consumer reporting agency “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for—credit or insurance to be used primarily for personal, family, or household purposes; employment purposes” or other permitted purposes. This definition draws in more than a traditional credit report. It can include driving records, civil lawsuits, and reference checks, among other information.
Disclosure and Consent
Employers may not obtain a consumer report from a consumer reporting agency unless they first make a “clear and conspicuous” written disclosure to the prospective employee/employee. The disclosure document must consist “solely” of the disclosure that a consumer report may be obtained. The job applicant/employee must provide written permission for the employer to obtain a consumer report. The FTC has indicated the disclosure form may include a signature line for the individual’s consent. (In 2001, the FTC also issued an opinion letter stating it believes such consent can be obtained electronically, consistent with the federal E-Sign law). The employer further certifies to the consumer reporting agency that is has a permissible purpose for the report and that it has complied with the FCRA and applicable equal opportunity laws.
These steps sound simple enough, however, litigation has ensued based upon employers’ alleged failures to comply. For instance, in the Whole Foods case in federal court in California, the plaintiffs claim the online application process included a liability waiver in the disclosure form for the background check, allegedly violating the FCRA requirement that a disclosure form not include other information. In a separate case in federal court in Florida involving retailer Nine West, the plaintiff alleges he did not receive a separate form, and that the background check authorization was on a web page with various other types of information.
Adverse Action Based on Report
If the employer intends to take “adverse action” against the prospective employee/employee (based even in part on the information in the report), the FCRA requires the employer to follow certain additional steps. The term “adverse action” includes “a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee.”
Before the employer takes the adverse action, it must provide a “pre-adverse action” notice to the affected person. This notice must include a copy of the consumer report and a statutory “Summary of Rights.” (This is an updated form, required since January 2013 by the new Consumer Financial Protection Board, which now has responsibility for FCRA rulemaking). The purpose of this notice requirement is to permit the individual to discuss the report with the employer before the employer implements the adverse action.
Next, if the employer intends to take the adverse action, the FCRA requires the employer to provide an adverse action notice to the individual. This notice must contain certain information, including:this is a test one
a statement setting forth the applicant’s or employee’s right to obtain a free disclosure of his or her report from the consumer reporting agency if the individual requests the disclosure within 60 days; and
In a case involving Domino’s Pizza employees, the company settled a class action that included allegations that it took adverse employment actions against certain individuals based on information contained in consumer reports without providing those individuals the required notice and a copy of such reports in advance. K-Mart settled a class action suit based upon allegations that the statement of consumer rights provided to individuals after a background check contained outdated disclosures, among other alleged FCRA failures.
Liability and Enforcement
Plaintiffs can pursue a private right of action against employers for negligently or willfully violating the FCRA. Claims regarding negligent violations allow actual damages and reasonable attorneys’ fees and costs. Willful violations can result in actual damages or statutory damages ranging between $100 and $1,000, plus punitive damages and attorneys’ fees and costs. The Federal Trade Commission (“FTC”) has also brought actions against employers for FCRA violations.
10 Steps to Avoid Becoming a FCRA Defendant When Using Employment Background Checks
1. Review your current background check practices for prospective and current employees, including any online application materials.
2. Review disclosure/consent forms for compliance. Ensure you are presenting applicants or current employees with a simple, one page disclosure form. The form should inform individuals that you intend to obtain a consumer report for employment purposes.
3. You must obtain consent from the prospective employee/employee. You may include a line on the disclosure form for the individual to acknowledge and grant consent. Do not include other material, such as liability waivers, confirmation of at-will employment, or seek other consents.
4. If your application process is online, ensure the disclosure/consent is displayed separately, on one screen, without other content.
5. If you intend to conduct background checks periodically during an individual’s employment, state that in the disclosure and consent form.
6. Do not seek consent verbally. FCRA requires “written” consent (though FTC has stated it may be electronic).
7. Maintain backup of the disclosure and consent forms for at least 5 years from the date they were provided. (Lawsuits must be brought by the earlier of two years after the date of the plaintiff’s discovery of the violation, or five years after the date on which the violation occurred).
8. If you intend to take adverse action based on information in the consumer report, you should be providing the individual with a pre-adverse action notice, a copy of the consumer report, and the “Summary of Rights.” Ensure you are using the most updated “Summary of Rights.”
9. You should wait a reasonable amount of time (at least 5 days) before issuing an adverse action notice. Your company’s adverse action notice must contain the information required under the FCRA (see bulleted information, above).
10. Check state law regarding background checks for the states in which you operate/solicit employees. Some states have similar requirements to FCRA; others may further restrict the types of information you can request.
* * *
The FTC/EEOC have issued a joint statement on background checks. While many employers need to conduct background checks to avoid liability and risks to their businesses, employers also need to follow the FCRA’s mandates to avoid the deep end of litigation “pool.”
It’s International Data Privacy Day! Every year on January 28, the United States, Canada and 27 countries of the European Union celebrate Data Privacy Day. This day is designed to raise awareness of and generate discussion about data privacy rights and practices. Indeed, each day new reports surface about serious data breaches, data practice concerns, and calls for legislation. How can businesses manage data privacy expectations and risk amid this swirl of activity?
Here, we share some tips from our firm’s practice and some recent FTC guidance. We don’t have a cake to celebrate International Data Privacy Day but we do have our “Top 10 Data Privacy Tips”:
3. Ensure Your U.S.-E.U. Safe Harbor Is Up-to-Date. Last year, the FTC took action against several companies, including the Atlanta Falcons and Level 3 Communications, for stating in their privacy policies that they were U.S.-E.U. Safe Harbor Certified by the U.S. Department of Commerce when, in fact, the companies had failed to keep their certification current by reaffirming their compliance annually. While your organization is not required to participate in Safe Harbor, don’t say you are Safe Harbor Certified if you haven’t filed with the U.S. Department of Commerce. And, remember that your company needs to reaffirm compliance annually, including payment of a fee. You can check your company’s status here.
4. Understand Your Internal Risks. We’ve said this before – while malicious breaches are certainly out there, a significant percentage of breaches (around 30 percent, according to one recent study) occurs due to accidents or malicious acts by employees. These acts include lack of firewalls, lack of encryption on devices (such as laptops and flash drives), and failing to change authentications when employees leave or are terminated. Many data breaches are While you are at it, review who has access to confidential information and whether proper restrictions are in place.
5. Educate Your Workforce. While today is International Data Privacy Day, your organization should educate your workforce on privacy issues throughout the year. Depending on the size of the company and the type of information handled (for instance, highly sensitive health information versus standard personal contact details), education efforts may vary. You should review practices like the confidentiality of passwords, creating a secure password and changing it frequently, and avoiding downloading personal or company sensitive information in unsecured forms. Just last week, a security firm reported that the most popular passwords for 2014 were “123456” and “password.” At a minimum, these easily guessed passwords should not be allowed in your system.
6. Understand Specific Requirements of Your Industry/Customers/ Jurisdiction. Do you have information on Massachusetts residents? Massachusetts requires that your company have a Written Information Security Program. Does your company collect personal information from kids under 13? The organization must comply with the federal Children’s Online Privacy Protection Act and the FTC’s rules. The FTC has taken many actions against companies deemed to be collecting children’s information without properly seeking prior express parental consent.
7. Maintain a Data Breach Response Plan. If there were a potential data breach, who would get called? Legal? IT? Human Resources? Public relations? Yes, likely all of these. The best defense is a good offense – plan ahead. Representatives from in-house and outside counsel, IT/IS, human resources, and your communications department should be part of this plan. State data breach notification laws require prompt reporting. Some companies have faced lawsuits for alleged “slow” response times. If there is potential breach, your company needs to gather resources, investigate, and if required, disclose the breach to governmental authorities, affected individuals, credit reporting agencies, etc.
8. Consider Contractual Obligations. Before your company commits to data security obligations in contracts, ensure that a knowledgeable party, such as in-house or outside counsel, reviews these commitments. If there is a breach of a contracting party’s information, assess the contractual requirements in addition to those under data breach notification laws. The laws generally require notice to be given promptly when a company’s data is compromised while under the “care” of another company. On the flip side, consider the service providers your company uses and what type of access the providers have to sensitive data. You should require service providers to adhere to reasonable security standards, with more stringent requirements if they handle sensitive data.
9. Review Insurance Coverage. While smaller businesses may think “we’re not Target” and don’t need cyber insurance, that’s a false assumption. In fact, smaller businesses usually have less sophisticated protections and can be more vulnerable to hackers and employee negligence. Data breaches – requiring investigations, hiring of outside experts such as forensics, paying for credit monitoring, and potential loss of goodwill – can be expensive. Carriers are offering policies that do not break the bank. Cyber insurance is definitely worth exploring. If you believe you have coverage for a data incident, your company should promptly notify the carrier. Notice should be part of the data breach response plan.
10. Remember the Basics! Many organizations have faced the wrath of the FTC, state attorneys general or private litigants because the companies or its employees failed to follow basic data security procedures. The FTC has settled 53 data security law enforcement actions. Many involve the failure to take common sense steps with data, such as transmitting sensitive data without encryption, or leaving documents with personal information in a dumpster. Every company must have plans to secure physical and electronic information. The FTC looks at whether a company’s practices are “reasonable and appropriate in light of the sensitivity and amount of consumer information you have, the size and complexity of your business, and the availability and cost of tools to improve security and reduce vulnerabilities.” If the FTC calls, you want to have a solid explanation of what you did right, not be searching for answers, or offering excuses. Additional information on the FTC’s guidance can be found here.
* * *
Remember, while it may be International Data Privacy Day, data privacy isn’t a one day event. Privacy practices must be reviewed and updated regularly to protect data as well as enable your company to act swiftly and responsively in the event of a data breach incident.
Health cleanses to lose unwanted weight in a matter of weeks! Images of beautiful jewelry to be purchased at great prices that you can even resell! Personalized handbags made to order! If you have a Facebook account, it is more than likely you have seen many of these and similar posts by “friends” in your news feeds or through sharing or commenting by your friends on others’ posts. Facebook has announced that it will filter out unpaid promotional materials in user news feeds starting in January 2015.
If you run a business that uses social media as an advertising platform, you will need to be aware of these changes. Alternatively, if you have ever wondered how to curb these marketing posts, which seem to increase daily, your wishes may have been heard.
Specifically, Facebook will utilize a new algorithm to filter out posts that advertise products, such as repurposing paid advertisements and promoting sweepstakes or special deals. At first glance, it would appear that this will make it more difficult for entrepreneurs and small businesses to attain new contacts and customers, promote their brand names, and pitch products. However, while this initial fear is legitimate, it may be unwarranted in the long term, as much of the benefit that this free advertising once provided has already started to dissipate.
Unpaid as well as paid promotional posts in social media have been widely and increasingly utilized for well over a decade. The Wall Street Journal recently stated that Facebook was used as the top promotional tool by more than 80% of small businesses utilizing social media. Small businesses have lost much of the glory and benefit that unpaid advertising once provided, as news feeds have been flooded by a plethora of entrepreneurial pitches. The unpaid posts have become less effective at building a marketing channel, as users have become desensitized to the promotional pitches. Increasingly, users scroll quickly through the incessant free marketing to read more personal feeds.
Additionally, the reach of unpaid posts on Facebook has fallen in recent years. Research supports the notion that simply racking up “likes” or posting ads repeatedly does not produce the sales that were initially anticipated. In a Forrester Research Report released in November, it was suggested that on average, fewer than .1% of people interact with each post. Rather than simply acquiring numbers of user “likes”, companies should look at the value of each fan and how to more fully connect with and engage the loyal fan base. Many also believe that there is still some value to having a direct Facebook page where users can access and like the page, take advantage of special promotions, and invite friends to like and partake in the offers.
While unpaid marketing posts will be filtered, Facebook will still offer “promoted posts,” that allows businesses to pay a certain amount, starting at $5 and reaching to several thousand dollars, in order to have posts on their pages viewed by a wider pool of users. Facebook is not the only platform to seek payment for wider distribution. For a fee, Google likewise offers businesses the opportunity to “boost their ranking” in search results. It is likely that if entities have to pay a small fee for advertising, they may take a longer look at the content of the business post or material being promoted to be sure it is interesting and grabs a user’s attention.
Although start-up companies with very little initial cash may take a hit as these rules begin to take effect, small business may not see a big difference in the long term. As the saying goes, nothing of value comes for free, and it seems that the value of unpaid advertising has already fallen dramatically. Social media paid advertising is still rather cost effective when compared to other methods of advertising. Although the quantity of posts by businesses may fall, one can also anticipate that small businesses will value the content in each post. In other words, if people are paying to advertise, the quality of each post will likely improve. Small businesses will also look to other social media platforms such as LinkedIn and Twitter or perhaps the next “hot” social media outlet that offers the benefit of unpaid marketing, at least until those platforms likewise become ineffective. Small businesses may still want to use Facebook for advertising, but in a more creative, targeted way and by means of engaging with their fan base. One thing is for certain, the world of social media is ever changing and evolving, and still offers entrepreneurs and small businesses tremendous benefits, which were not present two decades ago. Social media platforms will, however, continue to review and modify the types of advertisements and promotions permitted on their sites.
Last week, without much attention, four new regulations affecting online gaming operations in New Jersey became effective under the authority of the Division of Gaming Enforcement. The rules include changes to directives on funding from social games, requirements for exclusivity, and operator server locations.
However, the fourth rule is an addition which deals specifically with celebrity endorsements. What is most notable about this tenet is not the content, but the fact that regulators in New Jersey believe that iGaming will soon become an industry that uses celebrities to promote and market itself to consumers.
Because we’re lawyers, here is the actual language of Rule 13:69O-1.4 (u.):
Internet gaming operators may employ celebrity or other players to participate in peer to peer games for advertising or publicity purposes. Such players may have their accounts funded in whole or in part by an Internet gaming operator. An Internet gaming operator may pay a fee to the celebrity player. If a celebrity player is employed and the celebrity player generates winnings which he or she is not permitted to retain, such winnings shall be included as Internet gaming gross revenue in a manner approved by the Division.
It may be argued that the word “celebrity” is being used loosely in this context, as there isn’t exactly a line of blockbuster A-listers or superstar athletes waiting for their chance to be the face of online poker. Yet the addition of this specific provision importantly points to the fact that the Gaming Division not only anticipates a future where iGaming will carry big name endorsers, but that it wants to encourage effective advertising and publicity for the industry, which has had a slow start in its first year since becoming legal in the state.
Regulators looking to update this rule in the future should consider adding language geared toward consumer protection – namely, prohibitions against the use of celebrity endorsements in a deceptive or misleading manner. Last year, the FTC updated its advertising guidelines to account for the use of celebrity endorsements in advertising, specifically in the context of paid social media endorsements. Those guidelines provide, among other things, that celebrity endorsements must be truthful and accurately reflect the opinions of the celebrity, that paid celebrity endorsements must be adequately disclosed, and that the celebrity be a bona fide user of the product or services he/she is endorsing.
These guidelines should equally be applied by regulators in the context of iGaming, where increased competition, as more operators come on board, may lead operators to one up each other by throwing money at celebrities to endorse their games. The key to effective iGaming regulation is not just limited to overseeing how the game is played, but also to ensuring that the operators don’t play games that would unfairly hurt the competition and mislead the playing public. Updating these regulations so they are more inline with the FTC’s advertising guidelines will further these goals.
Ifrah Law is a proud member the Brand Activation Association (“BAA”). This week, we attended the BAA’s 36th annual BAA Marketing Law Conference in Chicago. Just as “Mad Men” reflects the 1960’s era advertising business, this year’s BAA conference demonstrated this generation’s marketing dynamic – where mobile is key, privacy concerns abound, and the Federal Trade Commission (“FTC”) and other agencies are watching and enforcing. Other key “take aways” from the conference are that sweepstakes, contests, and other promotions remain hugely popular via mobile devices and social networks.
Advertisers representing top brand names made clear that companies must reach consumers through various digital devices. Smartphones, tablets, and wearable technologies each represent ways to advertise a product or service. Today’s consumers, especially younger consumers, rely extensively mobile devices. Many actually welcome behavioral and other advertising. Consumers in the U.S. and abroad have shown receptiveness to “flash sales,” instant coupons and other deals, including those geared to their geo-location.
Emerging Privacy and Consumer Protection Trends
While advertisers interact with consumers and many consumers welcome offers and information, regulators’ and individuals’ concerns with the privacy of personal information dominate the landscape. Almost a year after the notorious Target data breach, and with the holiday shopping season approaching, all stakeholders are understandably cautious about how to utilize various methods of marketing while securing consumer information. Even assuming a network is secure, the FTC, state attorney generals, foreign regulators, consumer advocacy groups and consumers want to know how personal data is being collected, utilized and shared. In the consumer protection context, the FTC actively enforces the Federal Trade Commission Act’s prohibition on “deceptive acts and practices,” requiring that advertisers have substantiation for product claims.
Two Significant Forces – the FTC and California’s Attorney General
Top representatives from the FTC and the California Attorney General presented at the conference. Both representatives asserted their agencies remain active in enforcing their consumer protection and privacy laws, especially as to certain areas. Jessica Rich, Director, Bureau of Consumer Protection at the FTC, discussed the agency’s focus on advertising substantiation, particularly as to claims involving disease prevention and cure, weight loss, and learning enrichment (such as the “Your Baby Can Read “ case).
On the privacy side, Ms. Rich also noted the FTC’s specialized role in enforcing the Children’s Online Privacy Protection Act (“COPPA”). The FTC’s recent action against Yelp demonstrates that the FTC will not hesitate to enforce COPPA even where a website is not a child-focused website, per se. If a website or online service (such as a mobile app) collects personal information from children under 13, it must comply with COPPA’s notice and consent requirements. The agency is also exploring the privacy and consumer protection concerns associated with interconnected devices, known as “the Internet of Things.”
Promotions – Sweepstakes, Contests, Games
While some may think sweepstakes and contests are outdated, the opposite is true. Companies are utilizing mobile and social networks to engage with consumers through promotions. Facebook and Pinterest-based sweepstakes and contests continue to grow in popularity. Advertisers also increasingly look to “text-based” offerings.
These promotions can generate great marketing visibility and grow consumer relationships. However, advertisers need to be aware of many legal minefields. First and foremost is the federal Telephone Consumer Protection Act (“TCPA”), which requires prior express “written” consent for advertisements sent to mobile phones via text or calls utilizing an autodialer or prerecorded message. Plaintiffs’ lawyers continue to file hundreds of TCPA class actions based on texts without consent. Second, the social networks have their own policies. For instance, Facebook now bars advertisers from requiring consumers to “like” a company Facebook page in order to participate in a promotion.
BAA conference sessions were packed – many standing room only. The popularity of programs about comparative advertising, native advertising, sweepstakes and contests, and enforcement trends demonstrates that advertisers are finding innovative ways to reach consumers across devices. These marketing initiatives face a host of federal, state, and international laws and regulations, as well as restrictions imposed by social networks and providers. It’s an exciting and complex juncture in global marketing.
Online diploma mills, which require little or no coursework to complete a degree have recently garnered much attention within the online education realm. Websites which offer questionable diplomas for hundreds of dollars target vulnerable consumers seeking a degree to improve their life prospects, while simultaneously casting a shadow over legitimate online educational institutions which offer accredited programs and a complete educational experience including coursework, teacher interaction, and grading. In the latest crackdown on online diploma mills, the Federal Trade Commission obtained a temporary restraining order against Diversified Educational Resources, LLC and Motivational Management & Development Services, Ltd., companies which generated millions of dollars by selling worthless high school diplomas to thousands of consumers.
According to the allegations of the FTC’s complaint, the defendants have been operating purported online education sites since 2006, under the names Jefferson High School Online and Enterprise High School Online. The FTC alleges that the websites misleadingly represent that these are accredited schools by saying that the defendants “[p]rovide a respected and recognized high school diploma equivalency program,” that students completing the program will be “high school graduates,” and that the schools are registered with the Florida Department of Education. While the latter statement is technically true, the websites do not reveal that registering with Florida’s School Choice Program does not mean that the programs are accredited but rather, according to the complaint, registration is merely a “ministerial act, based solely on their own self-reported answers to Florida’s annual private school survey” which the Florida Department of Education does not verify. The truth of the accreditation status can only be found buried in dense paragraphs of text, in which the defendants note that they are “actively pursuing accreditation options” although they have not applied for any yet.
Consumers paid $200 to $300 to register on the websites. Those fees did not entitle them to any coursework, education, or test preparation. Rather, customers were immediately prompted to take a “test,” which was nearly impossible to fail because the websites provided hints to ensure that customers passed. After passing the test, customers received diplomas bearing the name “Jefferson High School Online” or “Enterprise High School Online.”
The “diplomas” that the defendants issued to customers were useless, according to the FTC. Many customers learned that their diplomas were invalid after unsuccessfully attempting to use them to apply to jobs, enroll in college, or join the military. Further, unsatisfied customers who sought a refund were refused, according to the FTC. Through this scam, the complaint says, the defendants collected over $11 million since 2009 without providing a real education product or service.
The U.S. District Court for the Southern District of Florida issued a temporary restraining order and asset freeze in response to these allegations, suspending the domain names and prohibiting any material misrepresentations regarding online education. The case remains pending in the Southern District of Florida and the defendants’ responsive pleadings are due in October.
Online Fraud and Abuse
The fact is that social media has connected us to each other in ways which seemed unimaginable only a few decades ago. Take for example the progression of social activism through online fundraising. Over the course of two short months the ALS Ice Bucket Challenge (“IBC”) went viral with millions of videos being posted by people drenching themselves in ice water in order to spread awareness and raise money for the research and treatment of ALS. To date, the total amount of donations made to the ALS Association through the IBC is an unprecedented $114 million. The Association’s FAQs webpage regarding the IBC indicates that this amount is almost five times its annual overall budget.
The ALS Ice Bucket Challenge is also a good example of the online phenomenon of crowdfunding, where numerous individuals and groups pitch in to fund a project, cause or idea. Simply put, crowdfunding is fundraising through social media. There are several popular crowdfunding websites, however one of the most well-known sites is Kickstarter.com, which was launched in 2009, and boasts the facilitation of $1 billion in contributions by seven million backers who have so far funded 69,000 “creative projects” through the site. However, as is common when dealing with new technology, there are often unanticipated legal aspects of such innovation which can be problematic.
Earlier this year, the first crowdfunding consumer protection lawsuit was filed in the state of Washington (State of Washington v. Altius Management, LLC; Edward J. Polchlopek III (No. 14-2-12425-SEA)). In late 2012, defendant Ed Nash, as he is known, and his company Altius Management, were successfully funded through a Kickstarter campaign to produce a limited-edition playing card game called Asylum. According to the campaign page, backers exceeded Nash’s goal of raising $15,000, giving more than $25,000 in total for the promise of the card game to be made. In addition, many of those who funded Nash’s campaign expected certain perks for contributing, referred to by Kickstarter as “rewards,” as was detailed in his campaign’s backer pledge amounts, which included multiple card decks and custom artwork according to varying contribution levels. However, two years later the card game has not been produced, backers have received no rewards or refunds and there has been no communication from Nash regarding the status of the Asylum project since July 2013.
With this being the first case of its kind, there is no precedent to see exactly how these proceedings will develop or how this case will affect Kickstarter and other crowdfunding websites. We suspect it will proceed like many of the other cases we write about in the internet space. One thing is certain, whether they are made online or in person, people don’t like broken promises.