In an important decision in a federal court case in New Jersey, In Re Nickelodeon Privacy Litigation, Google and Viacom obtained a dismissal of a claim against them under the Video Privacy Protection Act (“VPPA”). The decision narrows the scope of who can be liable under the VPPA and what information is within the scope of the statute.
Congress passed the VPPA in 1988 after Robert Bork, a nominee for the U.S. Supreme Court, had his video rental history published during the nomination process. While Judge Bork’s viewing habits were unremarkable, members of Congress became understandably concerned that any individual’s private viewing information could easily be made public. The VPPA makes any “video tape service provider” that discloses rental information outside the ordinary course of business liable for $2,500 in damages per person, in addition to attorneys’ fees and punitive damages. There is no cap on the damages that plaintiffs can be awarded under the statute and cases are typically brought as class actions with large groups of plaintiffs.
In 2013, Congress passed and President Obama signed the first major change to the VPPA since it was enacted, the Video Privacy Protection Act Amendments Act of 2012. These amendments made it easier for companies to obtain consent from consumers to share their video viewing history. The amendment removed the requirement that video service providers obtain written consent from users every time a user’s viewing choice is disclosed. Additionally, the amendment allowed for a provider to obtain a user’s consent online and that the consent can apply on an ongoing basis for two years as long as the user is given the opportunity to withdraw that consent. The amendments were enacted in response to the interest by consumers in sharing videos on social media platforms.
Viacom owns and operates three websites through which users can stream videos and play video games. The plaintiffs in the lawsuit were registered users of those websites. When a user registered with the site, that individual would be assigned a code name based on that user’s gender and age. The plaintiffs alleged that the user code name would be combined with a code that identified which videos the user watched and that code was disclosed by Viacom to Google. The plaintiffs sued Viacom and Google alleging among other things that this disclosure was a violation of the VPPA.
The VPPA claim against Google was dismissed because the court found that Google was not a “video tape service provider” (“VTSP”) as required for liability under the statute. The court reasoned that Google is not “engaged in the business of renting, selling, or delivering either video tapes or similar audio materials.” Some courts have shown a willingness to extend the definition of a VTSP to companies such as Hulu and Netflix that offer video-streaming services, but the court in this case stopped short of extending it to Google, a company that does not offer video services as its main business.
The VPPA claim against Viacom failed because the court found that, even if Viacom were a VTSP, an issue the court did not reach, Viacom did not release personally identifiable information to Google, which is required to have occurred under the VPPA. The court concluded that “anonymous user IDs, a child’s gender and age, and information about the computer used to access Viacom’s websites” – even if disclosed by Viacom – were not personally identifiable information.
With its potential for large damages there has been a recent uptick in cases filed under the VPPA. Recently, plaintiffs have filed cases against well-known media companies including Hulu, Netflix, ESPN, the Cartoon Network, and The Wall Street Journal. These cases have started to show a trend in shifting away from the intended defendants, companies whose main line of business is renting and selling videos, and toward companies that provide streaming video as part of their business.
The line drawn by the court in this case of who can be considered a VTSP could be a significant win for companies that offer mobile apps with streaming video capabilities by limiting the definition of a VTSP to companies that are in the business of renting or selling videos. Such a limitation would be welcome by many operators of new technologies. Given the vast number of devices and platforms that deliver video content of some kind, an expansion of the definition of a VTSP could lead to a flood of litigation involving companies that are not in the business of renting or selling videos and were not the intended defendants under the statute.
While this decision will not stop the recent uptick in VPPA litigation, it will provide courts with guidance as how to determine who should be liable under the VPPA. The text of the VPPA was written in a way that did not anticipate the current environment where streaming video is available on a multitude of devices. As more cases are filed, the limits of the statute’s scope will be tested. However, this court’s decision provides precedent for a common sense approach to determining who should be held liable under the VPPA.
Recently, the Maryland Attorney General’s Office announced that it reached a settlement with Snapchat, Inc. over alleged deceptive trade practices in violation of Maryland law and violations of federal laws that are intended to protect children’s online privacy. This is another reminder that state attorneys general’s offices will continue to be vigilant in addressing consumer privacy issues under both state and federal laws, when the federal laws permit state attorney general action.
Snapchat is a photo and video messaging app that allows users to take photos and videos, add text and drawings, and send them to selected contacts. The sent images are commonly referred to as “snaps” and users can set a time limit of up to ten seconds for how long the image will be visible to the contact. According to Snapchat, its app’s users were sending 700 million photos and videos per day in May 2014.
Maryland’s Attorney General asserted that Snapchat misled consumers when it represented that snaps are temporary and disappear after they are opened by a recipient. The Attorney General claimed that, in fact, the snaps could be copied or captured by recipients. Additionally, the Maryland Attorney General alleged that Snapchat collected and maintained the names and phone numbers from contact lists on consumers’ electronic devices, which was a practice that Snapchat had not always disclosed to consumers and to which consumers did not always consent. Lastly, the Attorney General alleged that Snapchat was aware that some users were under the age of 13, but it failed to comply with the federal Children’s Online Privacy Protection Act (“COPPA”), when it collected personal information from children without verifiable parental consent. COPPA has a provision that empowers state attorneys general to bring enforcement actions under the statute on behalf of residents of their states.
Snapchat agreed to pay the state of Maryland $100,000 to settle this case. Additionally, as part of its settlement, Snapchat agreed to not make false representations or material omissions in connection with its app. Furthermore, Snapchat is specifically enjoined from misrepresenting the temporary nature of the snaps and must disclose to users that recipients of snaps have the ability to copy the image they receive. Snapchat must also obtain affirmative consent from consumers before it collects and saves any contact information. In response to the COPPA allegations, Snapchat agreed to comply with COPPA for a period of ten years and to take specific steps to ensure that children under the age of 13 are not creating Snapchat accounts.
Snapchat has faced other actions as well. Last month, Snapchat reached a settlement with the Federal Trade Commission (“FTC”) on charges that it deceived consumers with promises about the disappearing nature of messages sent through the service. According to the FTC, Snapchat promised users that messages and images sent through the app would self-destruct and disappear in ten seconds or less despite there being ways for recipients to save the snaps. The FTC case also alleged that Snapchat told users that it did not collect information about their location when one version of the app did collect location information.
The FTC case did not include any accusation of violating COPPA, nor did it include any financial penalty. As part of the settlement, Snapchat agreed to implement privacy programs that will be subject to monitoring for 20 years and agreed not to misrepresent the confidentiality, privacy, and security of user information. Snapchat is also prohibited from misrepresenting how it maintains the privacy and confidentiality of user agreements.
On its official blog, Snapchat emphasized that its app does not retain users’ snaps and that both investigations largely revolved around how well users understood that recipients of their snaps could save their snaps. In response to the COPPA claims, Snapchat pointed out that its terms of service have always provided that the app is intended for users who are 13 years of age or older and has instituted controls to ensure it.
Mobile app companies need to be aware of the fact that they are being closely monitored by both the FTC and state attorneys general offices. In particular, any claim made by an app about consumer privacy may be scrutinized by regulators. Companies need to be prepared to justify their claims and must be forthcoming about any data that is collected from consumers. In other words: if you say you do something then you need to do it; if you say that you do not do something, do not do it. Your company does not want the FTC or a state attorney general “snapping” at your privacy practices.
We’ve all heard the statistics showing obesity rates rising in the U.S. year after year. Most of us are well aware of the billion dollar diet and weight-loss supplement industry to which millions turn with the hope of finding that one “miracle pill” to help them lose that stubborn belly fat or get rid of those unsightly love-handles. Advertisers should be aware that the Federal Trade Commission has taken an interest in advertising involving weight loss claims. In a 2011 study, the FTC concluded that weight loss product false advertising is the most common type of consumer fraud. More recently, the agency testified on the issue during a June 17, 2014 hearing before the Senate Subcommittee on Consumer Protection, Product Safety, and Insurance, in addition to several witnesses from the advertising industry.
In addition to the FTC representative, witnesses who testified at the hearing included the CEO of a natural products non-profit organization, and the president of the nation’s advertising self-regulatory body. However, one witness received the most attention and the toughest questions from Subcommittee Chair, Senator Claire McCaskill, regarding the problem of deceptive advertising of weight-loss products: television personality, and Oprah-favorite, Dr. Mehmet Oz.
When asked who the most popular television personality known to talk about green coffee bean extract, raspberry ketones, pure garcinia cambogia, or just weight loss products in general, there’s a good chance that the majority of Americans would name Dr. Oz. Despite his former days as the go-to doctor of Oprah’s talk show, and the celebrity he has become through the popularity of his own daytime television show, Senator McCaskill’s tone revealed how unimpressed she is by Dr. Oz’s “flowery” language- an adjective he used at the hearing to defend his enthusiastic statements when promoting the use of unproven weight-loss products. The Senator expressed her concern with the overreaching statements often made by the doctor, specifically his use of the words “magic” and “miracle” to describe the products he endorses on his show.
To be fair, Dr. Oz is by no means the only source of flowery language when it comes to weight-loss products. Surf the web for five minutes and at least one advertisement for an all-natural weight-loss supplement that melts away fat in a matter of days will have flashed on your screen. And in his defense, Dr. Oz does not appear to promote specific product brands on his show. He also generally adds that any weight-loss enhancement product must be supplemented by a healthy diet and regular exercise. But to Senator McCaskill and the FTC, the problem is too serious to not to make an example out of Dr. Oz, especially in light of the fact that some advertisers misleadingly use the Dr. Oz name brand (among others) for product promotion. Voltaire’s saying that with great power comes great responsibility was used more than once at the hearing.
Besides the scolding of one celebrity voice, the FTC appears to have a three-fold strategy for cracking down on what it views as misleading advertising practices.
First, the agency’s law enforcement efforts have included more than 80 weight-loss enforcement actions over the last 10 years, in addition to over $100 million amassed in consumer restitution, and that’s just since 2010. In January of this year, the FTC had its own New Year’s resolution with regard to fighting back against newer fraudulent weight-loss fads, appropriately named “Operation Failed Resolution.”
Second, the FTC also recently delivered a “Gut Check” to respected media outlets: a reference guide containing a list of fraudulent claims often used by those advertising weight-loss products. The goal of the guide is to encourage media outlets to carefully consider whether or not the endorsement of such ads is advisable.
Third, the FTC has issued numerous consumer education resources to teach and inform the public about exaggerated weight-loss product claims. Also, the same day it testified at the Senate Subcommittee hearing, the agency launched an interactive “Challenge” video and game, with the goal of helping consumers understand what’s true and what’s not when it comes to weight-loss products claiming guaranteed results without the added components of diet and exercise.
The FTC’s extensive program to fight what it views as weight-loss scams and fraudulent advertising, in addition to the Subcommittee’s admonishment of “America’s Doctor,” demonstrate that truth in weight loss advertisements remain a top priority for federal regulators and legislators. Organizations offering weight loss products should review their advertisements – whether on the Internet, in print advertisements, or elsewhere – for any potentially unsubstantiated claims. The FTC will remain vigilant regarding health and fitness claims. Advertisers need to be similarly vigilant, because there’s no magic pill that prevents expensive enforcement actions and lawsuits.
Career Education Corporation, like a host of other for-profit education companies, has found itself spinning on the courthouse revolving door. The latest legal challenge for CEC: a False Claims Act suit filed in federal court in New Jersey on May 16. The lawsuit alleges that CEC defrauded the federal government by (1) falsifying job placement statistics to exaggerate the number of graduates working in their fields of study, (2) misrepresenting accreditation status of some of its programs to remain eligible for federal funding, (3) admitting students who did not have high school diplomas or GEDs, could not speak English, or were mentally handicapped, and (4) paying bonuses to admissions staff based on enrollment numbers. Many of these allegations are familiar to CEC as well as others in the industry. Unfortunately CEC – like many other for-profit education companies – just can’t seem to free itself from the yoke of enforcement agencies and plaintiffs’ attorneys.
Last August, CEC entered a settlement agreement with the New York Attorney General’s office following an investigation into allegations of inflated job placement rates and allegations of inadequate disclosures regarding accreditation status. That agreement cost CEC $10.25 million and imposed significant reporting requirements.
The allegation of inappropriate incentive compensation for college recruiters is a popular basis for lawsuits against the for-profit education industry. In May, the Department of Justice filed a False Claims Act suit against Stevens-Henager College, Inc. for allegedly illegally compensating recruiters. These suits follow similar False Claims Act suits filed against the University of Phoenix (which settled in 2009 for a whopping $67.5 million, plus $11 million in attorneys’ fees) and Oakland City University (which settled in 2007 for $5.3 million) for their incentive compensation structures. There is also a pending False Claims Act case against Education Management Corporation with claims that largely mirror those faced by CEC.
Unfortunately for CEC and its fellow for-profit educators, settling with one entity does not necessarily mean freedom from future suits by other regulators or supposed whistleblowers. The more common scenario follows the camel under the tent: once an investigation is initiated – and publicly announced – follow-on actions ensue. The host of False Claims Act cases against the industry is a perfect example.
Part of the problem is the nature of False Claims Act cases. These suits, which are brought on behalf of the federal government by private plaintiffs (known as “relators”), are intended to help root out fraud against the government. Whistleblower relators are given incentive to file claims as they can receive significant compensation should the lawsuit succeed (or settle). For instance, the whistleblowers in the U. Phoenix settlement received $19 million in compensation; the whistleblower in the Oakland City U. settlement received $1.4 million.
The concept of False Claims Act cases seems laudable – the government cannot possibly keep track of all fraudulent claims it pays out to government contractors and other recipients of federal funds; having private actors with personal knowledge come forward to help address the problem should save the government significant sums. But the host of False Claims Act cases against the for-profit education industry defendants has produced little new or damnable information. When False Claims Act cases are brought after the news of alleged problems breaks, or after an investigation is launched, the benefit to the government is substantially diminished. The lawsuits become more about economic opportunity for enterprising litigators and relators.
Sprint Gets a Wallop of a Reminder – Company-Specific Do Not Call Lists Still Matter – $7.5 Million Record Do Not Call Consent Decree
Yesterday, the Federal Communications Commission (“FCC”) announced a consent decree with Sprint Corporation for federal do not call violations. Specifically, under the terms of the agreement, Sprint will make a $7.5 million “voluntary contribution” to the United States Treasury. This payment represents the largest do not call settlement reached by the FCC. Sprint also agreed to various ongoing compliance initiatives, including enhanced training and reporting requirements. Importantly, the action also serves as an important reminder on an often overlooked section of the do not call rules – the requirement that companies maintain and abide by “company-specific” or internal do not call lists.
Under the federal do not call rules, organizations making telemarketing calls to residential customers (including mobile phones) are required to scrub the federal do not call database before initiating those calls, unless the calls meet certain exceptions – the called party has an existing business relationship (“EBR”) with the caller or has provided prior express consent for the calls or the call is from a tax-exempt non-profit. Of course, as we have written before, there are additional requirements for autodialed or prerecorded calls to mobile mobiles and prerecorded telemarketing calls to residential lines.
Another, sometimes overlooked requirement is that companies making permissible calls (for instance, after scrubbing the do not call database or with an existing business relationship or prior express consent) must maintain an internal, company-specific do not call list where companies log individuals’ subsequent requests not to be called. In other words, even if a consumer has an existing business relationship or has given prior express consent to be called, once the consumer tells the company not to call again, that request trumps the existing business relationship/prior consent or the do not call scrub. This company-specific do not call request must be implemented within 30 days and honored for five years from the date the consumer made the request. (The federal do not call registration, in contrast, lasts indefinitely). A company must also have a do not call policy, available upon request.
In 2009, the FCC investigated Sprint for do not call violations relating to the company-specific do not call list. Sprint subsequently settled that enforcement action in 2011 through a consent decree (which included a $ 400,000 payment). The decree required Sprint to report to the FCC’s Enforcement Bureau, for two years, any noncompliance with the consent decree or the FCC’s company-specific do not call rules.
In March 2012, Sprint disclosed to the FCC that it had discovered additional issues involving human error and technical malfunctions relating to Sprint’s or its vendor’s do not call processes that caused potential noncompliance with consumers’ do not call or do not text preferences, or prevented the timely capture of the preferences. Sprint represented that it had subsequently implemented improvements in its do not call data management systems. It had also ceased telemarketing and text campaigns to investigate the issues. The FCC investigated Sprint’s do not call compliance and ultimately entered into this record-setting $7.5 million settlement.
Under the terms of the consent decree, in addition to the settlement payment, Sprint will designate a Compliance Officer to administer a new compliance plan and to comply with the consent decree. Sprint also must implement a compliance manual which will instruct “covered personnel” (including Sprint personnel and independent contractors who provide telemarketing services for Sprint) on Sprint’s do not call policies. The consent decree further requires Sprint to establish and maintain an annual compliance training program, and to file several compliance reports with the FCC at designated time frames. Significantly, Sprint acknowledges that actions or inactions of any independent contractors, subcontractors, or agents that result in a violation of the company-specific do not call rules or the consent constitute an act or inaction by Sprint – in other words, Sprint is specifically on the hook for third parties’ actions.
The consent decree and $7.5 million payment serve as a useful reminder of the company-specific do not call rules. Once a consumer indicates they do not wish to receive further telemarketing calls or texts, the FCC’s rules require that the telemarketer place that consumer on its internal, company-specific do not call list. This consumer requests trumps even an established business relationship or prior express consent. It can only be revoked by subsequent express consent – which we would recommend be in writing. Even if a consumer does business with your company every day, if he or she has asked not to receive telemarketing calls – don’t call! Compliance with the company-specific do not call rule means your organization does not call someone who has indicated they do not want to be called. And, it can also save your company great time, resources, and money spent defending private litigation or an FCC enforcement action. Further, if your organization utilizes third parties for telemarketing campaigns, your company should make sure the third party is taking do not call requests, logging them, and passing those to your company for future campaigns.
In a recent case in the U.S. District Court for the Eastern District of Missouri, the district court held that the plaintiff’s Telephone Consumer Protection Act (“TCPA”) claim should be dismissed. The court ruled that the plaintiff gave prior express consent when she agreed to the terms of her health insurance plan, which stated that the company could share her number with other businesses who work for the plan.
The plaintiff Suzy Elkins enrolled to receive prescription benefit management services through a group plan offered by her employer. The plaintiff then reenrolled after her employer changed plans to receive prescription management services from the Defendant, Medco Health Solutions, Inc. (“Medco”) through Coventry Health of Missouri (“Coventry”). On the reenrollment form, Elkins provided her cell phone number as her home phone number and certified that the information she provided was true and accurate. Ms. Elkins refilled several prescriptions using Medco’s retail pharmacy network.
Elkins filed a complaint alleging that the automated and prerecorded calls she received from Medco through her enrollment in her employer’s health insurance plan, Coventry, violated the TCPA’s prohibition on autodialed/prerecorded calls to mobile phones and the federal “do not call” rules. Elkins had registered her number in the federal do not call database. Elkins alleged that Medco called her cell phone twice utilizing autodialed, prerecorded calls in an attempt to sell prescription medications. Medco claimed that it was attempting to make Elkins aware of certain pharmacy benefits, such as obtaining refills at reduced prices. Both parties disputed whether the calls were actually autodialed or prerecorded, and the court did not address that issue.
Instead, the district court found that the plaintiff’s TCPA claim was barred because she gave her express prior consent to be called at the number she provided when she gave that number at the time of enrollment as hercontact number related to healthcare benefits. The court noted that the Certificate of Coverage that the plaintiff agreed to with Coventry stated that Coventry could use or share her personal information with “other businesses who work for the Plan . . . [t]o tell you about treatment options or health related services.” The Certificate of Coverage also provided that members have certain rights including the right to ask for restrictions.However, the plaintiff never provided notice requesting that she not be contacted at that number with respect to her health benefits.
The court concluded that the calls that were the basis of the complaint were made by a pharmacy benefits specialist on behalf of her existing health plan regarding the pharmacy benefits she was receiving on an ongoing basis. The court reasoned that the provision of her cell phone number reasonably evidenced prior express consent by the plaintiff to be contacted at that number regarding pharmacy benefits.
The district court also found that the plaintiff had an established business relationship with the defendant which barred liability under the “do not call” rules. The court held that it was uncontroverted that there was an established business relationship since the plaintiff had utilized Medco’s prescription benefit management services to fill twelve prescriptions in a six month period before the calls that served as the basis for the complaint.
This decision represents a victory for TCPA defendantsin that the court found that prior express consent was given by the plaintiff when she gave her phone number and agreed to the terms of the Certificate of Coverage, which authorized Coventry to share her phone number. TCPA litigation has been increasing significantly in the past few years. While this court did not address the recent changes that have gone into effect that placed stricter requirements on businesses that engage in marketing via mobile messaging and prerecorded telephone calls, this decision does serve as guidance for consent, at least to non-telemarketing calls.
It is unclear whether the consent in this case would pass muster as “prior express written” consent for prerecorded or autodialed telemarketing calls to mobile phones and residential lines under the new rules, but since the calls at issue in this case predated the new rules the court did not need to address that point. We recommend businesses obtain “prior express written” consent for TCPA-covered calls and texts, consistent with the requirements under the new rules. It is important to note, however, this this court acknowledged that express consent can be extended to third parties through the plaintiff’s agreement to the terms if those terms are sufficiently broad to cover third parties. Finally, for non-autodialed or prerecorded telemarketing calls to mobile phone and live telemarketing calls to residential lines, this case is a useful reminder that an existing business relationship still constitutes a valid defense.
The Internet Corporation for Assigned Names and Numbers (ICANN) continues to make significant progress with its implementation of the New generic Top–Level Domain (gTLD) Program. Under the new program, ICANN has added more than 250 new gTLDs to the Domain Name System (DNS) and could add hundreds more in the next several years.
ICANN is a nonprofit organization that was formed in 1998 to coordinate the internet’s address system, promote competition in the domain–name space, and ensure the security and stability of the Domain Name System. Back then, there were a dozen or so Country Code TLDs (ccTLDs) and just eight gTLDs, including the most common top–level domains: .com, .edu, .mil, .net, and .org. As the internet grew, so did the demand for top–level domains. ICANN responded by hosting two gTLD application rounds in 2000 and 2003. Those trial rounds resulted in ICANN’s delegation of 15 new gTLDs and laid the groundwork for greater expansion under the New gTLD Program.
The New gTLD program evolved in two phases: the policy development phase and the implementation phase. The policy development phase was overseen by one of ICANN’s supporting organizations, the Generic Names Supporting Organization (GNSO). For two years, GNSO sought input from various constituencies in ICANN’s global internet community, including government, business, technology, and intellectual–property stakeholders. Participants submitted comments on a range of topics, such as the demand for gTLDs, associated risks and benefits, selection criteria, and allocation. As a result of that process, GNSO issued a set of policy recommendations for implementing the New gTLD Program, and ICANN adopted them in June 2008.
During the subsequent implementation phase, ICANN worked with stakeholders to establish consensus on the application, evaluation and delegation process for the New gTLD Program. Drafts of an Applicant Guidebook were released for public comment and revised to address stakeholder concerns over the protection of intellectual property and community interests, consumer protection, and DNS stability. In June 2011, the ICANN Board adopted the Applicant Guidebook and launched the New gTLD Program.
During the four–month application period, ICANN received 1,930 applications for new generic Top Level Domains. These included submissions from Europe, Asia, Latin America and Africa. More than 100 applications were first–time requests for Top-Level Domains in non–Latin scripts, including Chinese, Greek and the Indian alphabet, Devanagari.
ICANN has already completed its initial evaluation of the submissions. Approved applications are now moving toward “delegation” on a rolling basis. Each applicant must finalize and execute the required contract with ICANN. Then, the applicant must undergo pre–delegation testing. If the applicant meets the relevant technical requirements, ICANN “delegates” the new gTLD by adding it to the root zone database and turning over management of related domain–name registrations to the new registry operator. After that, the registry operator is free to sell second–level domain names under the new gTLD.
As mentioned, ICANN has already delegated more than 250 new gTLDs, with hundreds more to follow. In April alone, the organization delegated more than 50 new gTLDs.
If the expansion “transform[s] the way people use the Internet,” as ICANN hopes, the impacts will probably be most profound for the non–English speaking world. Indeed, it seems difficult to overstate the New gTLD Program’s transformative potential given ICANN’s addition of gTLDs comprising at least twelve non-Latin scripts. If the rollout continues as expected, millions of people who speak Arabic, Chinese, Hindi, Japanese, Korean, and Russian, will—for the first time—be able to use the internet in their native language.
For a current list of approved gTLDs, visit ICANN’s website.
FDA Says Product Containing No Tobacco is a “Tobacco Product” – FDA Expands Authority to Include E-Puffing
In an effort that Food and Drug Administration (FDA) officials say was motivated by the (Big Brother?) desire “to correct a misperception by consumers that tobacco products not regulated by FDA are safe alternatives to currently regulated tobacco products,” the FDA released proposed regulations this morning that would regulate the rapidly growing e-cigarette market. (The regulations would also regulate cigars, pipe tobacco, nicotine gels, and hookahs.) The long-awaited proposal would subject the $2 billion industry to federal regulation for the first time. The full text of the proposed regulations are available here. A 75-day public comment period follows.
Calls for Regulation and Basis
Last September, 40 state attorneys general wrote to the FDA asking the agency to take all available measures to issue regulations on the advertising, ingredients, and sale to minors of e-cigs. There has been very little regulation of the industry since its inception– partially because the extent of the FDA’s authority to regulate e-cigarettes is not clearly defined. In 2010, the U.S. Court of Appeals for the D.C. Circuit issued an opinion in Sottera, Inc. v. Food & Drug Administration, affirming the district court’s decision that the FDA could not regulate e-cigarettes as a medical device under the Food, Drug & Cosmetic Act and finding that the FDA’s authority is limited to traditional tobacco products.. Specifically, the Tobacco Control Act authorizes the FDA to regulate “tobacco products,” giving the agency authority to impose restrictions on their sale, advertising and promotions, and establish other standards for their distribution and production. The term “tobacco product” means any product made or derived from tobacco that is intended for human consumption, including any component, part, or accessory of a tobacco product (except for raw materials other than tobacco used in manufacturing a component, part, or accessory of a tobacco product).
E-Cigarettes are Tobacco Products?
The FDA claims that e-cigarettes contain nicotine and thus derive from tobacco. However, the agency acknowledges in its proposed rules that “the health consequences of e-cigarettes are not well understood because of their relatively new entrance into the market.” Despite its questionable authority and a lack of evidence showing a need for regulation, the FDA nevertheless proposes to subject e-cigarettes to regulation similar to cigarettes and other regulated tobacco products. We expect commenters will urge the FDA to support its jurisdiction over the e-cigarette industry with a sufficient statutory basis. However laudable the FDA’s actions to protect the public may be, agencies may obviously only act pursuant to the specific statutory authority granted by Congress.
Under the proposed rules, companies offering e-cigarettes and the other products deemed tobacco products will now be required to register all their products and ingredients with the FDA, though they would not be required to adhere immediately to specific product or quality control standards. Companies would also be required to submit new and existing products to the FDA for approval. They would have two years from the time the rule goes into effect to submit an application to enable their products to continue to stay on the market or to submit a new product application.
The new regulations would require e-cigs to have health warnings on packaging, though initially the only health warning that will be required is a warning regarding the potential for addiction to nicotine. Manufacturers would be able to market new products only after a FDA review, and scientific evidence would need to be provided before any direct or indirect claim can be made of risk reduction associated with their product. Manufacturers would also be prohibited from selling their products at vending machines unless they are in adult-only venues. The proposed rules would prohibit the offering of free samples. The regulations would also require that the minimum age to buy the products be set at 18 years old.
FDA Showing Some Restraint?
Although the FDA proposal is not as broad as the regulations sought by tobacco-control advocates, FDA officials noted that further restrictions may come in the future. At this point the regulations do not seek to ban the use of flavored e-cigs or restrict online sales or advertising. However, the Federal Trade Commission (“FTC”) is closely monitoring marketing and advertisements from the industry and has the ability to take action against companies that it believes are engaging in deceptive advertising. The proposed rules note that the FDA would consult with the FTC to harmonize their requirements for health warnings.
The FDA proposal also leaves many unanswered questions regarding how new products would be regulated in the long term. Under current law, new tobacco products can be approved if they are “substantially equivalent” to a product that was sold prior to February 15, 2007. It is unclear whether any e-cigarettes were on sale prior to that date that can be used as a benchmark. An FDA official said that it would seek more information during the public comment period to determine whether the substantial equivalence test is valid for e-cigarettes.
The recommendations from the FDA that were released today will be followed by a 75-day public comment period after which the regulations will be finalized. The exact time frame for the regulations to be finalized is unclear and the final rulemaking process could alter the regulations that were proposed today. It may be more than a year before the final regulations take effect. Of course, parties are expected to challenge the FDA’s rules in court, which could further delay any new regulations.
We expect numerous, diverse parties will submit comments, including the scientific/medical community, public interest groups, and industry. The e-cigarette industry, representing a new product, would appear to have the most power to influence the outcome of the rules, because even the FDA acknowledges the product has yet to be studied in depth.
Last week the Federal Trade Commission (“FTC”) charged the operators of Jerk.com with harvesting personal information from Facebook to create profiles for more than an estimated 73 million people, where they could not be labeled a “Jerk” or “not a Jerk.”
In the complaint, the FTC charged the defendants, Jerk, LLC and the operator of the website, John Fanning, with violating the FTC Act by allegedly misleading consumers into believing that the content on Jerk.com had been created by registered users of the site, when most of it had been harvested from Facebook. The FTC alleged that the operators of Jerk.com falsely claimed that consumers could revise their online profiles by paying a $30 membership fee. Additionally, the FTC asserted that the defendants misled consumers to believe that by paying for a membership, they would have access to the website that could allow them to change their profiles on the site.
Facebook profile pictures and profile names generally are public. Facebook rules allow for developers to upload the names and pictures in bulk. However, Jerk.com allegedly violated Facebook’s policies in the way it mined data from people’s profiles. At the time, Facebook’s rules only allowed an app developer to keep a person’s profile picture for 24 hours. The complaint stated that Fanning registered several websites with Facebook and used Facebook’s application program to download the data needed to create the fake profiles on Jerk.com. The FTC is also seeking an order barring the defendants from using the personal information that was obtained and requiring them to delete the information.
This action is another indication that the FTC is closely monitoring companies that the FTC believes are scraping data on consumers from other sites and deceiving customers in their business practices. The complaint notes how Jerk.com profiles often appear high in search engine results when a person’s name is searched. “In today’s interconnected world, people are especially concerned about their reputation online, and this deceptive scheme was a brazen attempt to exploit those concerns,” said Jessica Rich, Director of the FTC’s bureau of Consumer Protection in a statement.
Companies should monitor their practices for obtaining data from other websites to ensure that they are in compliance with the terms and conditions of websites where they obtain data. Organizations should be cautious about how they use this data, including being careful about making any representations and disclosures that could be viewed as deceptive by the FTC or a state attorney general.
By Michelle Cohen, CIPP-US
After recovering from high-profile data breaches at Target and Neiman Marcus, signing up for free credit monitoring and analyzing our credit reports, a new Internet villain recently emerged: the “Heartbleed Bug.” The Heartbleed Bug is a security flaw present on Open SSL, popular software run on most webservers. This open source software is widely used to encrypt web communications. The Heartbleed Bug affects approximately 500,000 websites, including reportedly Yahoo, OK Cupid, and Tumblr. And, in addition to websites, the Bug may impact networking devices such as video conferencing services, smartphones, and work phones.
The danger of the Heartbleed Bug lies in its ability to reveal the content of a server’s memory. Then, the Bug can grab sensitive data stored in the memory, including passwords, user names, and credit card numbers. Adding insult to injury, the Bug has existed for at least two years, giving hackers a huge head start. News reports and some websites have urged users to change their passwords. Others have warned individuals not to change their passwords until a website has indicated it has installed the security patch that “cures” the Bug. Several sites offer tools to “test” whether an indicated website is vulnerable to the Heartbleed Bug, including one by McAfee. In terms of priorities, users should focus on sites where they bank, conduct e-commerce, e-mail and use file storage accounts.
Further intrigue comes from the fact that a recent Bloomberg report alleged that the National Security Agency (“NSA”) knew about the Bug for at least two years, but may have utilized the vulnerabilities to access information. The NSA has denied it had knowledge of the Bug.
While we have yet to see a “rush to the courthouse” following the announcement of the Heartbleed Bug, we anticipate lawsuits and enforcement could follow where organizations do not act in response to the Bug by installing the necessary security patch. Companies (including our clients in the Internet marketing and I-gaming industries) should investigate whether their websites, apps, or other services (such as cloud services) use Open SSL – then take immediate efforts to oversee the installation of the security patch. Organizations should also advise users of the status of the Heartbleed Bug fix and encourage users to change their passwords, with different passwords across different services.