It’s International Data Privacy Day! Every year on January 28, the United States, Canada and 27 countries of the European Union celebrate Data Privacy Day. This day is designed to raise awareness of and generate discussion about data privacy rights and practices. Indeed, each day new reports surface about serious data breaches, data practice concerns, and calls for legislation. How can businesses manage data privacy expectations and risk amid this swirl of activity?
Here, we share some tips from our firm’s practice and some recent FTC guidance. We don’t have a cake to celebrate International Data Privacy Day but we do have our “Top 10 Data Privacy Tips”:
3. Ensure Your U.S.-E.U. Safe Harbor Is Up-to-Date. Last year, the FTC took action against several companies, including the Atlanta Falcons and Level 3 Communications, for stating in their privacy policies that they were U.S.-E.U. Safe Harbor Certified by the U.S. Department of Commerce when, in fact, the companies had failed to keep their certification current by reaffirming their compliance annually. While your organization is not required to participate in Safe Harbor, don’t say you are Safe Harbor Certified if you haven’t filed with the U.S. Department of Commerce. And, remember that your company needs to reaffirm compliance annually, including payment of a fee. You can check your company’s status here.
4. Understand Your Internal Risks. We’ve said this before – while malicious breaches are certainly out there, a significant percentage of breaches (around 30 percent, according to one recent study) occurs due to accidents or malicious acts by employees. These acts include lack of firewalls, lack of encryption on devices (such as laptops and flash drives), and failing to change authentications when employees leave or are terminated. Many data breaches are While you are at it, review who has access to confidential information and whether proper restrictions are in place.
5. Educate Your Workforce. While today is International Data Privacy Day, your organization should educate your workforce on privacy issues throughout the year. Depending on the size of the company and the type of information handled (for instance, highly sensitive health information versus standard personal contact details), education efforts may vary. You should review practices like the confidentiality of passwords, creating a secure password and changing it frequently, and avoiding downloading personal or company sensitive information in unsecured forms. Just last week, a security firm reported that the most popular passwords for 2014 were “123456” and “password.” At a minimum, these easily guessed passwords should not be allowed in your system.
6. Understand Specific Requirements of Your Industry/Customers/Jurisdiction. Do you have information on Massachusetts residents? Massachusetts requires that your company have a Written Information Security Program. Does your company collect personal information from kids under 13? The organization must comply with the federal Children’s Online Privacy Protection Act and the FTC’s rules. The FTC has taken many actions against companies deemed to be collecting children’s information without properly seeking prior express parental consent.
7. Maintain a Data Breach Response Plan. If there were a potential data breach, who would get called? Legal? IT? Human Resources? Public relations? Yes, likely all of these. The best defense is a good offense – plan ahead. Representatives from in-house and outside counsel, IT/IS, human resources, and your communications department should be part of this plan. State data breach notification laws require prompt reporting. Some companies have faced lawsuits for alleged “slow” response times. If there is a potential breach, your company needs to gather resources, investigate, and if required, disclose the breach to governmental authorities, affected individuals, credit reporting agencies, etc.
8. Consider Contractual Obligations. Before your company commits to data security obligations in contracts, ensure that a knowledgeable party, such as in-house or outside counsel, reviews these commitments. If there is a breach of a contracting party’s information, assess the contractual requirements in addition to those under data breach notification laws. The laws generally require notice to be given promptly when a company’s data is compromised while under the “care” of another company. On the flip side, consider the service providers your company uses and what type of access the providers have to sensitive data. You should require service providers to adhere to reasonable security standards, with more stringent requirements if they handle sensitive data.
9. Review Insurance Coverage. While smaller businesses may think “we’re not Target” and don’t need cyber insurance, that’s a false assumption. In fact, smaller businesses usually have less sophisticated protections and can be more vulnerable to hackers and employee negligence. Data breaches – requiring investigations, hiring of outside experts such as forensics, paying for credit monitoring, and potential loss of goodwill – can be expensive. Carriers are offering policies that do not break the bank. Cyber insurance is definitely worth exploring. If you believe you have coverage for a data incident, your company should promptly notify the carrier. Notice should be part of the data breach response plan.
10. Remember the Basics! Many organizations have faced the wrath of the FTC, state attorneys general or private litigants because the companies or their employees failed to follow basic data security procedures. The FTC has settled 53 data security law enforcement actions. Many involve the failure to take common sense steps with data, such as transmitting sensitive data without encryption, or leaving documents with personal information in a dumpster. Every company must have plans to secure physical and electronic information. The FTC looks at whether a company’s practices are “reasonable and appropriate in light of the sensitivity and amount of consumer information you have, the size and complexity of your business, and the availability and cost of tools to improve security and reduce vulnerabilities.” If the FTC calls, you want to have a solid explanation of what you did right, not be searching for answers, or offering excuses. Additional information on the FTC’s guidance can be found here.
* * *
Remember, while it may be International Data Privacy Day, data privacy isn’t a one day event. Privacy practices must be reviewed and updated regularly to protect data as well as enable your company to act swiftly and responsively in the event of a data breach incident.
Health cleanses to lose unwanted weight in a matter of weeks! Images of beautiful jewelry to be purchased at great prices that you can even resell! Personalized handbags made to order! If you have a Facebook account, it is more than likely you have seen many of these and similar posts by “friends” in your news feeds or through sharing or commenting by your friends on others’ posts. Facebook has announced that it will filter out unpaid promotional materials in user news feeds starting in January 2015.
If you run a business that uses social media as an advertising platform, you will need to be aware of these changes. Alternatively, if you have ever wondered how to curb these marketing posts, which seem to increase daily, your wishes may have been heard.
Specifically, Facebook will utilize a new algorithm to filter out posts that advertise products, such as repurposing paid advertisements and promoting sweepstakes or special deals. At first glance, it would appear that this will make it more difficult for entrepreneurs and small businesses to attain new contacts and customers, promote their brand names, and pitch products. However, while this initial fear is legitimate, it may be unwarranted in the long term, as much of the benefit that this free advertising once provided has already started to dissipate.
Unpaid as well as paid promotional posts in social media have been widely and increasingly utilized for well over a decade. The Wall Street Journal recently stated that Facebook was used as the top promotional tool by more than 80% of small businesses utilizing social media. Small businesses have lost much of the glory and benefit that unpaid advertising once provided, as news feeds have been flooded by a plethora of entrepreneurial pitches. The unpaid posts have become less effective at building a marketing channel, as users have become desensitized to the promotional pitches. Increasingly, users scroll quickly through the incessant free marketing to read more personal feeds.
Additionally, the reach of unpaid posts on Facebook has fallen in recent years. Research supports the notion that simply racking up “likes” or posting ads repeatedly does not produce the sales that were initially anticipated. In a Forrester Research Report released in November, it was suggested that on average, fewer than .1% of people interact with each post. Rather than simply acquiring numbers of user “likes”, companies should look at the value of each fan and how to more fully connect with and engage the loyal fan base. Many also believe that there is still some value to having a direct Facebook page where users can access and like the page, take advantage of special promotions, and invite friends to like and partake in the offers.
While unpaid marketing posts will be filtered, Facebook will still offer “promoted posts,” which allow businesses to pay a certain amount, starting at $5 and reaching to several thousand dollars, in order to have posts on their pages viewed by a wider pool of users. Facebook is not the only platform to seek payment for wider distribution. For a fee, Google likewise offers businesses the opportunity to “boost their ranking” in search results. It is likely that if entities have to pay a small fee for advertising, they may take a longer look at the content of the business post or material being promoted to be sure it is interesting and grabs a user’s attention.
Although start-up companies with very little initial cash may take a hit as these rules begin to take effect, small businesses may not see a big difference in the long term. As the saying goes, nothing of value comes for free, and it seems that the value of unpaid advertising has already fallen dramatically. Social media paid advertising is still rather cost effective when compared to other methods of advertising. Although the quantity of posts by businesses may fall, one can also anticipate that small businesses will value the content in each post. In other words, if people are paying to advertise, the quality of each post will likely improve. Small businesses will also look to other social media platforms such as LinkedIn and Twitter or perhaps the next “hot” social media outlet that offers the benefit of unpaid marketing, at least until those platforms likewise become ineffective. Small businesses may still want to use Facebook for advertising, but in a more creative, targeted way and by means of engaging with their fan base. One thing is for certain: the world of social media is ever changing and evolving, and still offers entrepreneurs and small businesses tremendous benefits, which were not present two decades ago. Social media platforms will, however, continue to review and modify the types of advertisements and promotions permitted on their sites.
Last week, without much attention, four new regulations affecting online gaming operations in New Jersey became effective under the authority of the Division of Gaming Enforcement. The rules include changes to directives on funding from social games, requirements for exclusivity, and operator server locations.
However, the fourth rule is an addition which deals specifically with celebrity endorsements. What is most notable about this tenet is not the content, but the fact that regulators in New Jersey believe that iGaming will soon become an industry that uses celebrities to promote and market itself to consumers.
Because we’re lawyers, here is the actual language of Rule 13:69O-1.4 (u.):
Internet gaming operators may employ celebrity or other players to participate in peer to peer games for advertising or publicity purposes. Such players may have their accounts funded in whole or in part by an Internet gaming operator. An Internet gaming operator may pay a fee to the celebrity player. If a celebrity player is employed and the celebrity player generates winnings which he or she is not permitted to retain, such winnings shall be included as Internet gaming gross revenue in a manner approved by the Division.
It may be argued that the word “celebrity” is being used loosely in this context, as there isn’t exactly a line of blockbuster A-listers or superstar athletes waiting for their chance to be the face of online poker. Yet the addition of this specific provision importantly points to the fact that the Gaming Division not only anticipates a future where iGaming will carry big name endorsers, but that it wants to encourage effective advertising and publicity for the industry, which has had a slow start in its first year since becoming legal in the state.
Regulators looking to update this rule in the future should consider adding language geared toward consumer protection – namely, prohibitions against the use of celebrity endorsements in a deceptive or misleading manner. Last year, the FTC updated its advertising guidelines to account for the use of celebrity endorsements in advertising, specifically in the context of paid social media endorsements. Those guidelines provide, among other things, that celebrity endorsements must be truthful and accurately reflect the opinions of the celebrity, that paid celebrity endorsements must be adequately disclosed, and that the celebrity be a bona fide user of the product or services he/she is endorsing.
These guidelines should equally be applied by regulators in the context of iGaming, where increased competition, as more operators come on board, may lead operators to one-up each other by throwing money at celebrities to endorse their games. The key to effective iGaming regulation is not just limited to overseeing how the game is played, but also to ensuring that the operators don’t play games that would unfairly hurt the competition and mislead the playing public. Updating these regulations so they are more in line with the FTC’s advertising guidelines will further these goals.
Ifrah Law is a proud member of the Brand Activation Association (“BAA”). This week, we attended the BAA’s 36th annual BAA Marketing Law Conference in Chicago. Just as “Mad Men” reflects the 1960s-era advertising business, this year’s BAA conference demonstrated this generation’s marketing dynamic – where mobile is key, privacy concerns abound, and the Federal Trade Commission (“FTC”) and other agencies are watching and enforcing. Other key “takeaways” from the conference are that sweepstakes, contests, and other promotions remain hugely popular via mobile devices and social networks.
Advertisers representing top brand names made clear that companies must reach consumers through various digital devices. Smartphones, tablets, and wearable technologies each represent ways to advertise a product or service. Today’s consumers, especially younger consumers, rely extensively on mobile devices. Many actually welcome behavioral and other advertising. Consumers in the U.S. and abroad have shown receptiveness to “flash sales,” instant coupons and other deals, including those geared to their geo-location.
Emerging Privacy and Consumer Protection Trends
While advertisers interact with consumers and many consumers welcome offers and information, regulators’ and individuals’ concerns with the privacy of personal information dominate the landscape. Almost a year after the notorious Target data breach, and with the holiday shopping season approaching, all stakeholders are understandably cautious about how to utilize various methods of marketing while securing consumer information. Even assuming a network is secure, the FTC, state attorneys general, foreign regulators, consumer advocacy groups and consumers want to know how personal data is being collected, utilized and shared. In the consumer protection context, the FTC actively enforces the Federal Trade Commission Act’s prohibition on “deceptive acts and practices,” requiring that advertisers have substantiation for product claims.
Two Significant Forces – the FTC and California’s Attorney General
Top representatives from the FTC and the California Attorney General presented at the conference. Both representatives asserted their agencies remain active in enforcing their consumer protection and privacy laws, especially as to certain areas. Jessica Rich, Director, Bureau of Consumer Protection at the FTC, discussed the agency’s focus on advertising substantiation, particularly as to claims involving disease prevention and cure, weight loss, and learning enrichment (such as the “Your Baby Can Read” case).
On the privacy side, Ms. Rich also noted the FTC’s specialized role in enforcing the Children’s Online Privacy Protection Act (“COPPA”). The FTC’s recent action against Yelp demonstrates that the FTC will not hesitate to enforce COPPA even where a website is not a child-focused website, per se. If a website or online service (such as a mobile app) collects personal information from children under 13, it must comply with COPPA’s notice and consent requirements. The agency is also exploring the privacy and consumer protection concerns associated with interconnected devices, known as “the Internet of Things.”
Promotions – Sweepstakes, Contests, Games
While some may think sweepstakes and contests are outdated, the opposite is true. Companies are utilizing mobile and social networks to engage with consumers through promotions. Facebook and Pinterest-based sweepstakes and contests continue to grow in popularity. Advertisers also increasingly look to “text-based” offerings.
These promotions can generate great marketing visibility and grow consumer relationships. However, advertisers need to be aware of many legal minefields. First and foremost is the federal Telephone Consumer Protection Act (“TCPA”), which requires prior express “written” consent for advertisements sent to mobile phones via text or calls utilizing an autodialer or prerecorded message. Plaintiffs’ lawyers continue to file hundreds of TCPA class actions based on texts without consent. Second, the social networks have their own policies. For instance, Facebook now bars advertisers from requiring consumers to “like” a company Facebook page in order to participate in a promotion.
BAA conference sessions were packed – many standing room only. The popularity of programs about comparative advertising, native advertising, sweepstakes and contests, and enforcement trends demonstrates that advertisers are finding innovative ways to reach consumers across devices. These marketing initiatives face a host of federal, state, and international laws and regulations, as well as restrictions imposed by social networks and providers. It’s an exciting and complex juncture in global marketing.
Online diploma mills, which require little or no coursework to complete a degree, have recently garnered much attention within the online education realm. Websites which offer questionable diplomas for hundreds of dollars target vulnerable consumers seeking a degree to improve their life prospects, while simultaneously casting a shadow over legitimate online educational institutions which offer accredited programs and a complete educational experience including coursework, teacher interaction, and grading. In the latest crackdown on online diploma mills, the Federal Trade Commission obtained a temporary restraining order against Diversified Educational Resources, LLC and Motivational Management & Development Services, Ltd., companies which generated millions of dollars by selling worthless high school diplomas to thousands of consumers.
According to the allegations of the FTC’s complaint, the defendants have been operating purported online education sites since 2006, under the names Jefferson High School Online and Enterprise High School Online. The FTC alleges that the websites misleadingly represent that these are accredited schools by saying that the defendants “[p]rovide a respected and recognized high school diploma equivalency program,” that students completing the program will be “high school graduates,” and that the schools are registered with the Florida Department of Education. While the latter statement is technically true, the websites do not reveal that registering with Florida’s School Choice Program does not mean that the programs are accredited but rather, according to the complaint, registration is merely a “ministerial act, based solely on their own self-reported answers to Florida’s annual private school survey” which the Florida Department of Education does not verify. The truth of the accreditation status can only be found buried in dense paragraphs of text, in which the defendants note that they are “actively pursuing accreditation options” although they have not applied for any yet.
Consumers paid $200 to $300 to register on the websites. Those fees did not entitle them to any coursework, education, or test preparation. Rather, customers were immediately prompted to take a “test,” which was nearly impossible to fail because the websites provided hints to ensure that customers passed. After passing the test, customers received diplomas bearing the name “Jefferson High School Online” or “Enterprise High School Online.”
The “diplomas” that the defendants issued to customers were useless, according to the FTC. Many customers learned that their diplomas were invalid after unsuccessfully attempting to use them to apply to jobs, enroll in college, or join the military. Further, unsatisfied customers who sought a refund were refused, according to the FTC. Through this scam, the complaint says, the defendants collected over $11 million since 2009 without providing a real education product or service.
The U.S. District Court for the Southern District of Florida issued a temporary restraining order and asset freeze in response to these allegations, suspending the domain names and prohibiting any material misrepresentations regarding online education. The case remains pending in the Southern District of Florida and the defendants’ responsive pleadings are due in October.
Online Fraud and Abuse
The fact is that social media has connected us to each other in ways which seemed unimaginable only a few decades ago. Take for example the progression of social activism through online fundraising. Over the course of two short months the ALS Ice Bucket Challenge (“IBC”) went viral with millions of videos being posted by people drenching themselves in ice water in order to spread awareness and raise money for the research and treatment of ALS. To date, the total amount of donations made to the ALS Association through the IBC is an unprecedented $114 million. The Association’s FAQs webpage regarding the IBC indicates that this amount is almost five times its annual overall budget.
The ALS Ice Bucket Challenge is also a good example of the online phenomenon of crowdfunding, where numerous individuals and groups pitch in to fund a project, cause or idea. Simply put, crowdfunding is fundraising through social media. There are several popular crowdfunding websites; however, one of the most well-known sites is Kickstarter.com, which was launched in 2009, and boasts the facilitation of $1 billion in contributions by seven million backers who have so far funded 69,000 “creative projects” through the site. However, as is common when dealing with new technology, there are often unanticipated legal aspects of such innovation which can be problematic.
Earlier this year, the first crowdfunding consumer protection lawsuit was filed in the state of Washington (State of Washington v. Altius Management, LLC; Edward J. Polchlopek III (No. 14-2-12425-SEA)). In late 2012, defendant Ed Nash, as he is known, and his company Altius Management, were successfully funded through a Kickstarter campaign to produce a limited-edition playing card game called Asylum. According to the campaign page, backers exceeded Nash’s goal of raising $15,000, giving more than $25,000 in total for the promise of the card game to be made. In addition, many of those who funded Nash’s campaign expected certain perks for contributing, referred to by Kickstarter as “rewards,” as was detailed in his campaign’s backer pledge amounts, which included multiple card decks and custom artwork according to varying contribution levels. However, two years later the card game has not been produced, backers have received no rewards or refunds and there has been no communication from Nash regarding the status of the Asylum project since July 2013.
With this being the first case of its kind, there is no precedent to see exactly how these proceedings will develop or how this case will affect Kickstarter and other crowdfunding websites. We suspect it will proceed like many of the other cases we write about in the internet space. One thing is certain, whether they are made online or in person, people don’t like broken promises.
The last few years have been tough on the for-profit education industry – it’s not easy being the target of a host of federal and state investigations. For-profit educators have been poked and prodded by, among others, the U.S. Congress, a coalition of state attorneys general, the Consumer Financial Protection Bureau, the Federal Trade Commission, and the Securities and Exchange Commission. Federal and state authorities, who see the industry as predatory, seem determined to squeeze it out of the education industry. A draconian set of regulations, known as the Gainful Employment Rule, that were issued by the Department of Education last year may be just what it takes for these detractors to get their way.
Amidst tougher regulations and incessant government probes, already two large institutions have flat-lined. In June, Corinthian Colleges announced its imminent bankruptcy. At the end of August, Anthem Education said that it would be closing its doors. Declining enrollment numbers, costly investigations and rigorous regulations (with hefty compliance costs) have been too much for these colleges to withstand. And their pleas for assistance from the DoE have fallen on deaf ears – the DoE has agreed only to facilitate orderly dissolution (in the case of Corinthian Colleges) or partial-campus acquisition (in the case of Anthem).
The DoE and regulators may be toasting victory as these colleges fall like dominoes. But the result of their party is thousands of students left with unfinished degrees and fewer education opportunities. Corinthian Colleges enrolled students at over 100 campuses; Anthem at over 40. What are students who have not completed their degrees supposed to do? Credits are not always (or easily) transferrable. Some students may not have other local opportunities to complete their education.
One of the major benefits of for-profit colleges is that they have focused on providing education opportunities to underserved populations and non-traditional students. People like single parents or full-time workers who may not have access to a campus or who can only take evening or online classes have found course programs that can accommodate their needs. But regulators haven’t seen these educators as opportunity-makers; rather, they see them as opportunists preying upon the underserved. Because these students generally fund their education through federal student loans, regulators think that for-profit education companies are merely using students as conduits to federal money. They use the fact that drop-out rates can be very high, or that post-graduate employment rates can be low to support their theory that for-profit educators are ruthless predators. But high drop-out rates and low employment rates can be tied to other factors. The very populations these colleges serve are ones that are at higher risk of dropping out: single moms and full-time workers may not be able or willing to maintain consistent enrollment. This is a reality that has explained similar problems at public colleges and universities that have also been plagued with high drop-out rates for non-traditional students.
Unfortunately neither regulators nor regulations targeted at for-profit educators take these dynamics into account. For-profit campuses located outside military bases or in economically depressed areas used to be beacons of hope and opportunity. Now they are turning their lights out in these communities. No one wants to see poor students burdened with debt; but “protecting” underserved communities and non-traditional students by taking away education opportunities seems skewed. Regulators would do better to establish a reasonable set of metrics and limit the number of agencies swarming for-profit college campuses.
In August, the Federal Trade Commission (“FTC”) released a staff report concerning mobile shopping applications (“apps”). FTC staff reviewed some of the most popular apps consumers utilize to comparison shop, collect and redeem deals and discounts, and pay in-store with their mobile devices. This new report focused on shopping apps offering price comparison, special deals, and mobile payments. The August report is available here.
Popularity of Mobile Shopping Apps/FTC Interest
Shoppers can empower themselves in the retail environment by comparison shopping via their smartphones in real-time. According to a 2014 Report by the Board of Governors of the Federal Reserve System, 44% of smartphone owners report using their mobile phones to comparison shop while in a retail store, and 68% of those consumers changed where they made a purchase as a result. Consumers can also get instant coupons and deals to present at checkout. With a wave of a phone at the checkout counter, consumers can then make purchases.
While the shopping apps have surged in popularity, the FTC staff is concerned about consumer protection, data security and privacy issues associated with the apps. The FTC studied what types of disclosures and practices control in the event of unauthorized transactions, billing errors, or other payment-related disputes. The agency also examined the disclosures that apps provide to consumers concerning data privacy and security.
Apps Lack Important Information
FTC staff concluded that many of the apps they reviewed failed to provide consumers with important pre-download information. In particular, only a few of the in-store purchase apps gave consumers information describing how the app handled payment-related disputes and consumers’ liability for charges (including unauthorized charges).
FTC staff determined that fourteen out of thirty in-store purchase apps did not disclose whether they had any dispute resolution or liability limits policies prior to download. And, out of sixteen apps that provided pre-download information about dispute resolution procedures or liability limits, only nine of those apps provided written protections for users. Some apps disclaimed all liability for losses.
Data Security Information Vague
FTC staff focused particular attention on data privacy and security, because more than other technologies, mobile devices are personal to a user, always on, and frequently with the user. These features enable an app to collect a huge amount of information, such as location, interests, and affiliations, which could be shared broadly with third parties. Staff noted that, “while almost all of the apps stated that they share personal data, 29 percent of price comparison apps, 17 percent of deal apps, and 33 percent of in-store purchase apps reserved the right to share users’ personal data without restriction.”
Staff concluded that while privacy disclosures are improving, they tend to be overly broad and confusing. In addition, app developers may not be considering whether they even have a business need for all the information they are collecting. As to data security, staff noted it did not test the services to verify the security promises made. However, FTC staff reminded companies that it has taken enforcement actions against mobile apps it believed to have failed to secure personal data (such as Snapchat and Credit Karma). The report states, “Staff encourages vendors of shopping apps, and indeed vendors of all apps that collect consumer data, to secure the data they collect. Further those apps must honor any representations about security that they make to consumers.”
FTC Staff Recommends Better Disclosures and Data Security Practices
The report urges companies to disclose to consumers their rights and liability limits for unauthorized, fraudulent, or erroneous transactions. Organizations offering these shopping apps should also explain to consumers what protections they have based on their methods of payment and what options are available for resolving payment and billing disputes. Companies should provide clear, detailed explanations for how they collect, use and share consumer data. And, apps must put promises into practice by abiding by data security representations.
Consumer Responsibility Plays Role, Too
Importantly, the FTC staff report does not place the entire burden on companies offering the mobile apps. Rather, FTC staff urge consumers to be proactive when using these apps. The staff report recommends that consumers look for and consider the dispute resolution and liability limits of the apps they download. Consumers should also analyze what payment method to use when purchasing via these apps. If consumers cannot find sufficient information, they should consider an alternative app, or make only small purchases.
While a great “deal” could be available with a click on a smartphone, the FTC staff urges consumers to review available information on how their personal and financial data may be collected, used and shared while they get that deal. If consumers are not satisfied with the information provided regarding data privacy and security, then staff recommends that they choose a different app, or limit the personal and financial data they provide. (Though that last piece of advice may not be practical considering most shopping apps require a certain level of personal and financial information simply to complete a transaction.)
Deal or No Deal? FTC Will be Watching New Shopping Apps
FTC Staff has concerns about mobile payments and will continue to focus on consumer protections. The agency has taken several enforcement actions against companies for failing to secure personal and payment information and it does not appear to be slowing down. While the FTC recognizes the benefits of these new shopping and payment technologies, it is also keenly aware of the enormous amount of data obtained by companies when consumers use these services. Thus, companies should anticipate that the FTC will continue to monitor shopping and deal apps with particular attention on disclosures and data practices.
Restaurant chain Applebee’s has joined other businesses such as Overstock.com, Hilton, Capital One, and Bass Pro Shops as defendants in purported class action lawsuits alleging that they illegally recorded calls to or from California residents. In fact, plaintiffs have filed hundreds of individual and class actions in California courts under California’s various eavesdropping/call recording laws. Potential damages can include an award of $5,000 per violation – thus the damages in class actions could lead to multi-million dollar judgments and settlements. Capital One recently settled a purported class action involving residents in California and several other states for $3 million. Bass Pro Shops settled for $6 million, and Shell Oil forked out $2 million to resolve recent claims.
California is one of 12 states that require “two party” or “all party” consent to call recording. The majority of states (and the federal standard) only require that one party consent. So, in other words, if the recording party consents, that generally constitutes sufficient consent in most states. Further, in most states, if companies announce at the outset that the call is being monitored or recorded, that announcement has been sufficient to provide at least implicit consent where the parties continue with the call following the announcement. In the Applebee’s case, however, the plaintiff contends that she (and others) never received a notification that her call was recorded.
Applebee’s Suit Alleges Recording on Wireless Phone
Plaintiff Joneeta Byrd contends that in November 2013, she called Applebee’s customer service number from a wireless telephone. She alleges she was not aware that Applebee’s recorded the call, and that the customer service representative did not inform her that the call was being recorded. At some point after the call, Byrd claims she learned that Applebee’s records all incoming calls. Byrd contends that Applebee’s does not always disclose the recording to every caller. According to the complaint, “Plaintiff believes that the total number of Class members is at least in the tens of thousands and members of the Class are numerous and geographically dispersed across California.”
Byrd’s lawsuit is based on California’s Penal Code, Section 632.7, which prohibits the intentional recording of any telephone communication without the consent of all parties where at least one party is using a cordless or cellular phone. It also provides for criminal fines and imprisonment. It differs from, and has arguably broader coverage than another section of California’s law, Section 632, which bars the eavesdropping or recording of confidential communications (i.e., where the caller had a reasonable expectation of privacy), without the consent of all parties to the confidential communication. While some courts have dismissed claims under Section 632, they have allowed claims under Section 632.7 to go forward – often reasoning that the California legislature intended more stringent protections for mobile phone conversations.
Hilton Hotels Decision Holds the Law Not Intended to Cover Parties
A recent decision involving Hilton Hotels may provide some relief for companies in California Section 632.7 call recording suits. The district court (on remand) held that Section 632.7 only applies to third party recording of a wireless telephone conversation – and does not include recording by a party to the call. The order is available here. Specifically, the district court concluded that “[t]he statutory scheme makes it clear that these sections refer to the actual interception or reception of these radio signals by third parties and do not restrict the parties to a call from recording those calls.” The court further ruled that Hilton had consent and that California’s legislature “did not limit the service observing monitoring of calls that it is alleged in this case.” The plaintiff has appealed this decision.
Top “5” Recommendations When Recording Customer Service Calls
The Applebee’s case and the other call recording cases serve as useful reminders on call recording. As counsel to many companies and call centers utilizing call recording for quality control and service monitoring, we generally recommend this top 5 list:
- Announce/Maintain — At the outset of a call, announce the call is being monitored and/or recorded. Maintain proof of the announcement in the event of litigation.
- Incoming & Outgoing Covered — Remember, both incoming and outgoing calls are covered, so make sure you inform all parties – whether they have called in or your company has called them – that the calls are recorded and/or monitored.
- Objections — If there is an objection, consider offering a non-monitored line. In any event, do not continue the call with the objecting party.
- Customer Service Rep Consent Form — Upon hire, consider having customer service representatives sign an acknowledgement and agreement that their calls may be monitored or recorded. Maintain copies of these consent forms in employee files.
- Train customer service representatives – Make sure customer service representatives can explain the call recording policy if asked. A consistent organization-wide message that accurately states the standard procedure helps ameliorate consumer concerns, and in the event of litigation, can bolster a defense.
In this health-conscious age, consumers are always on the lookout for new products which will improve wellness and quality of life. Marketers attuned to this trend may be tempted to increase sales by extolling the virtues of their products, even if health claims are unsubstantiated by scientific testing. A recent FTC case, however, demonstrates the price that advertisers pay for overstating health claims.
The FTC filed a case against TriVita Inc., a dietary supplement company, for its marketing of the Nopalea cactus juice drink. The beverage was widely advertised in television infomercials and online as an “anti-inflammatory wellness drink.” Nopalea includes juice from the nopal cactus, also known as the “prickly pear.” TriVita’s “Chief Science Officer” stated that the nopal cactus is proven to reduce inflammation, which he linked to Alzheimer’s disease, allergies, diabetes, and heart disease. TriVita sold each 32-ounce bottle of Nopalea for $39.99, plus shipping and handling.
According to the FTC’s complaint, the Nopalea infomercial was one of the most frequently aired commercials in the United States. The ads stated that the juice would relieve pain, reduce swelling in joints and muscles, and improve breathing. Infomercials featured “customer testimonials” in which individuals stated that Nopalea helped relieve them of symptoms of a wide variety of conditions, including inflammation, chronic pain, respiratory conditions, and skin conditions. However, the FTC alleged that these individuals were paid for their endorsements, a fact not sufficiently disclosed in the advertisements. When customers called the toll-free number advertised, sales representatives told customers that Nopalea would make them “pain-free,” according to the FTC’s complaint. The health representations had not been substantiated with scientific studies at the time they were made.
The FTC filed its complaint and request for permanent injunction on July 10, 2014. On July 11, the FTC filed a stipulated settlement order in which TriVita agreed to forfeit $3.5 million to the FTC. The order prohibits the defendants from marketing Nopal cactus products using unsubstantiated or misleading health claims, and from using paid endorsers unless any material connection between the individual and the company is clearly and prominently disclosed.
The multi-million dollar settlement in this case should serve as a warning to marketers who are tempted to overstate health claims in order to generate traffic and sales. The FTC takes health claims seriously and reviews health-related ads with extra scrutiny, so specific claims should only be made when supported by solid, scientific proof, and any paid testimonials should be clearly disclosed. As the cactus juice company learned, failure to comply with these standards will lead to a prickly situation.