Earlier this month, the Federal Trade Commission released its revised Green Guidelines, providing parameters for advertising and marketing claims of supposedly eco-friendly products. The publication completes a two-year revision process that the FTC undertook, involving the updating of guidelines last visited in 1998. The Commission touted the new guidelines as helping marketers “avoid making misleading environmental claims” and leveling the playing field for “honest business people.”
The revised guidelines address 14 categories of claims, including general environmental claims, carbon offsets, certifications and seals of approval, and claims of recyclability and renewability. Under the guidelines, marketers and advertisers are cautioned to avoid general claims that products are green or eco-friendly: “Marketers should qualify general claims with specific environmental benefits. Qualifications for any claim should be clear, prominent, and specific.”
Marketers are further cautioned to disclose material connections to any certifying organization. And when it comes to claims of compostability, degradability, recyclability and other claims about product and packaging content, the FTC advises that marketers be able to substantiate such claims and avoid deceiving consumers by replacing one environmental red flag with another. For instance, the guidelines note that “[i]t would be deceptive to claim that a product is “free-of” a substance if it is free of one substance but includes another that poses a similar environmental risk.”
The FTC’s revisions appear to take on a holistic approach to environmental claims. A company cannot willy-nilly claim that its product or packaging is recyclable if it is only recyclable in limited locations, and it cannot claim it is “green” and made with recycled content “if the environmental costs of using recycled content outweigh the environmental benefits of using it.” The guidelines require the marketer to limit and qualify green claims based on a thorough review of the production, distribution, and disposal stream for the product and its packaging.
In many ways, this new guidance seems fair – it should help ferret out the unscrupulous marketer who wants to charge a premium, or carve a market niche, based on dubious environmental claims.
But how much benefit will the new guidelines bring? The guidelines, in and of themselves, do not truly bring more enforcement power to the FTC. With or without Green Guidelines, old or new, the FTC can bring enforcement actions against marketers for false and deceptive claims – like several enforcement actions from 2009 forward that the FTC highlights on its website. With or without the guidelines, the truly unscrupulous marketer remains subject to FTC oversight and liability.
Our concern is that the guidelines may discourage some well-intentioned market entrants. An entrepreneur may have a good green idea but opt not to pursue it because of heightened advertising and labeling standards. For instance, the FTC guidelines caution companies about the need to provide “competent and reliable scientific evidence” for several categories of environmental claims. That could necessitate big R&D bucks to the exclusion of Mom & Pop.
More importantly, the guidelines could provide more ammunition for big companies to pursue claims against small competitors and effectively shut out upstarts. NAD, the advertising industry’s self-regulatory body, apparently plans on using the guidelines. There have been a host of cases by companies like Clorox and Procter & Gamble taking to task smaller companies marketing eco-friendly alternatives. In the end, while the revised Green Guidelines may be a good faith effort by the FTC to level the playing field and may have some positive impact, it will be important to monitor its unintended consequences.
POM Wonderful LLC recently received a setback in its longstanding dispute with the Federal Trade Commission. On Sept. 30, 2012, U.S. District Judge Richard Roberts in the District of Columbia dismissed the juice maker’s declaratory judgment action against the FTC. The judge’s ruling, though, does not put an end to the POM-FTC battle, which is still on appeal in a related administrative proceeding.
POM filed suit in federal district court in September 2010, in anticipation of an impending FTC administrative action. The company challenged what it perceived as agency overreaching, in violation of its First and Fifth Amendment rights, and in violation of the Administrative Procedure Act. The basis of POM’s complaint was the FTC’s use of consent orders with two other companies (Nestle U.S.A. and Iovate Health Systems, Inc.) to establish new and more stringent advertising standards for medical and health claims.
When the FTC waved these consent orders in front of POM (in an apparent attempt to pressure the company into agreeing to tougher standards like Nestle and Iovate), POM responded by thumbing its nose and filing suit in federal court. POM contended that the FTC failed to adhere to the requirements of administrative law that, in order to modify advertising standards, the agency must go through a notice-and-rulemaking process. The FTC subsequently filed its administrative action against the company for alleged failures to adhere to the more stringent standards.
In large part because of the significant overlap of issues between POM’s action in U.S. district court and the FTC’s administrative action, Judge Roberts dismissed the district court case. The judge noted that judicial efficiency militated towards having the dispute play out in the administrative case only: “While the administrative proceeding is not identical to POM’s current action, that forum is ‘perfectly capable’ of determining whether the proposed order exceeds the bounds of the FTC Act, violates the First and Fifth Amendments, and seeks to abrogate the FDA’s power,” he wrote. Other factors in the judge’s holding were (1) that granting declaratory relief would have required the resolution of an anticipatory defense and (2) that POM’s district court action appeared to be filed in part to secure tactical leverage.
As we wrote earlier this year, the administrative law judge already ruled on the parties’ dispute in May. POM touted that ruling largely as a victory because the judge rejected the enhanced advertising standards at issue. However, the FTC and POM appealed the decision before the full commission (POM appealed because the judge still found POM liable under separate standards). Oral arguments in the appeal were held in August, and the outcome of the appeal is still pending.
We find it interesting – and somewhat encouraging for advertisers who are concerned about agency overreaching – that neither the district court action nor the administrative proceeding have rejected on the merits POM’s challenge to the FTC’s use of settlement agreements to effect enhanced standards. Any company that has come under the regulatory microscope can appreciate the tremendous pressure companies face to cooperate with an agency just to get out of hot water – at almost any cost. POM’s bold stance may eventually have the result of reminding regulators to follow the rules set forth for them by the principles of administrative law.
The Federal Trade Commission recently announced a settlement with Jason Pharmaceuticals regarding its use of consumer testimonials and health benefits claims. Any company that relies on testimonials in its advertising, even a company that like Jason Pharmaceuticals, sells products that often have beneficial health results, must become aware of this settlement.
Jason Pharmaceuticals sells Medifast brand low-calorie meal substitutes. In 1992, the FTC settled a case with Jason for allegedly deceptive weight-loss claims. The settlement order barred Jason from making unsupported claims to consumers about losing weight or keeping weight off. According to the FTC, since at least November 2009, Jason ran ads that featured weight loss claims about low-calorie meal substitutes.
The ads run by Jason Pharmaceuticals prominently featured the use of consumer testimonials. One advertisement stated that:
“When you lose up to 2 to 5 lbs a week with Medifast, you’ll feel terrific. And so will your doctor.
THE PROGRAM THE DOCTORS RECOMMEND.
Jeff & Maureen lost a combined 169 lbs.!”
According to the FTC, the only disclaimer displayed in most Medifast advertisements containing consumer endorsements was a small, inconspicuous “Results will vary.” The FTC alleged that this disclaimer violated the 1992 order because was insufficient to change consumers’ net impressions that users of these products could expect to achieve the results represented in the advertisements.
As part of the settlement, Jason Pharmaceuticals will have to pay a civil penalty of $3.7 million to settle charges that it violated the previous order by making unsupported claims about its weight loss products.
Under the settlement, Jason is prohibited from misrepresenting that consumers who use any low-calorie meal replacement program can expect to achieve the same results that an endorser does or can lose a particular amount of weight or maintain that weight loss.
In addition, representations in the company’s ads cannot mislead consumers and must be backed up with competent and reliable scientific evidence that includes at least one clinical study. The company is also barred from making any other representations about the health benefits, safety, or side effects of any meal replacement program, unless it’s backed up by scientific research.
The settlement also has a compliance and recordkeeping requirement that for 20 years after the entry of judgment, Jason Pharmaceuticals needs to keep extensive records relating to any marketing or substantiation of any advertising claim.
The FTC continues to push the limits in pursuing enforcement actions. This, for example, is a very aggressive prosecution. People do lose weight using products such as Medifast, and in some instances people have lost significant weight. These ads may have been in violation of the prior settlement, but the FTC decision to pursue this action shows just how far they are willing to go in pursuing enforcement actions.
Because of the FTC’s aggressiveness in cases such as this one, companies that invoke claims of health benefits to consumers need to be sure that these claims are backed by reliable scientific evidence. Companies should also be aware that merely making a flat statement that “results may vary” will likely not help them avoid liability.
As part of the Federal Trade Commission’s ongoing efforts to shut down scams that target financially vulnerable consumers, a U.S. district judge has issued a $478 million judgment at the request of the FTC against the marketers of three get-rich-quick systems that the agency says are used for deceiving consumers. The order is the largest litigated judgment ever obtained by the FTC.
The judgment was awarded against companies and individuals who marketed the schemes, titled “John Beck’s Free & Clear Real Estate System,” “John Alexander’s Real Estate Riches in 14 Days,” and “Jeff Paul’s Shortcuts to Internet Millions.”
Nearly a million consumers paid $39.95 for one of these “get-rich-quick” systems, and some consumers purchased personal coaching services, which cost up to $14,995. According to the FTC complaint filed in June 2009, one system was marketed to consumers with the promise that consumers could “quickly and easily earn substantial amounts of money by purchasing homes at tax sales in their area ‘free and clear’ for just ‘pennies on the dollar’ and then turning around and selling these homes for full market value or renting them out for profit.”
The FTC said that nearly all the consumers that bought the systems lost money.
The FTC’s suit alleged violations of the Federal Trade Commission Act, based on the defendants’ representations in connection with the advertising, marketing, promoting and sale of the systems. The FTC also alleged that the defendants’ violated the Telemarketing Sales Rule through their marketing to consumers.
Two of the individual defendants, Douglas Gravnik and Gary Hewitt, were held jointly and severally liable for the monetary part of the judgment. The judge also imposed a lifetime ban from infomercial products and telemarketing against Gravnik and Hewitt. Gravnik and Hewitt indicated that they are likely to appeal the order to the extent it imposes a lifetime ban. A third individual, John Beck, is responsible for $113.5 million of the judgment.
In its case, the FTC filed 30 consumer declarations detailing consumers’ experiences with the defendants’ products. The defendants objected to many of these declarations on various grounds, including hearsay, relevance, and the best evidence rule among other objections, but these objections were all overruled.
The defendants also objected to the use of a survey by the FTC that showed that less than 0.2 percent of consumers who purchased the defendants’ system made any profits and only 1.9 percent of consumers who purchased coaching material made any revenue. The defendants moved to exclude all evidence relating to the survey on the ground that the pre-notification letter “poisoned the well in such a way as to invalidate whatever survey finding the FTC obtained” and argued that the manner in which the survey was conducted rendered the results unreliable. The court found that the survey was performed under accepted principles used by experts in the field and was admissible.
The court granted summary judgment for the FTC , finding that the defendants made material misrepresentations that were either false or unsubstantiated. The court pointed out that the materials provided by the defendants to consumers taught consumers how to purchase tax liens and certificates, but these purchasers do not obtain title to the property and thus were not “purchasing” the homes as the advertising materials stated.
The court also granted summary judgment on the Telemarketing Sales Rule allegations. The basis of the defendants’ argument was that the violations were isolated and should not be the basis for liability. The court found that there was no dispute that the defendants’ telemarketers repeatedly initiated calls to consumers who asked the defendants not to contact them. The FTC also produced “overwhelming” evidence that the defendants lacked a meaningful compliance program or any written procedures in place to comply with the regulations.
Jeffrey Klurfeld, director of the FTC’s Western Region, stated in a press release that “This huge judgment serves notice to anyone thinking of using phony get-rich-quick schemes to defraud consumers. The FTC will come after you if you violate the law.”
In this case, the FTC had already completed its surveys when it went to court. Trial judges will often be very impressed with FTC surveys and will grant judgment to the agency in nearly every case. Therefore, it is critical that a company that is being targeted by the FTC obtain counsel at the earliest possible stage, before the agency files anything in court. Counsel should be ready to vigorously defend the client’s marketing practices with techniques such as the use of countersurveys and customer testimonials and expert testimony, before the FTC files in court.
All mobile app developers need to know that the federal government is stepping up its regulation of data privacy and truth-in-advertising for mobile apps. The Federal Trade Commission is now actively monitoring mobile applications’ compliance with data privacy and truth-in-advertising regulations, and the House Committee on Energy and Commerce is considering a new mobile device privacy bill.
This month, the FTC published Marketing Your Mobile App: Get It Right From the Start, a short guide that provides guidance to mobile app developers concerning deceptive claims and privacy requirements. More broadly, the FTC’s focus on mobile app developers sends a message that all such developers or distributors will be subject to investigation, irrespective of how small their company is. As far as the FTC is concerned, “once you start distributing your app, you have become an advertiser,” and you will be regulated as such. The guide stresses the importance of clear and conspicuous communication to users and instructs app developers to consider the legitimacy of their statements “from the perspective of average users, not just software engineers and app experts.” It goes on to caution against burying important information behind “dense blocks of legal mumbo jumbo” and “vague hyperlinks.”
This guide can be seen as part of the FTC’s current initiative to address concerns regarding the unique ability of mobile apps to access a user’s personal information (i.e., automatically capturing their precise geospatial location, phone number, contact lists, call logs, and other unique identifiers, stored on mobile devices). In February, the agency issued a report looking specifically at apps offered for children. The report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, warned app stores, developers, and third-party service providers to be more transparent about the issues raised by such data collection, such as sharing with third parties, connections to social media, and targeted advertising.
Additionally, the FTC has already taken action to establish that data privacy and truth-in-advertising laws apply to mobile apps. Last August, an app developer was ordered to pay $50,000 to settle FTC charges that it violated the Children’s Online Privacy Protection Act (COPPA) by failing to require parental notice and consent before collecting and disclosing children’s personal information. The following month, the agency settled its first actions addressing health claims in the mobile application marketplace. The complaints were against AcneApp and Acne Pwner, both of which claimed to treat acne through lights emitted from the user’s smartphone. The cases ended in settlements for monetary damages and injunctive relief barring the companies from making health-related claims without the backing of “competent and reliable scientific evidence.”
In the new FTC Guide, the FTC recommends that developers:
• Tell the truth about what the app can do – both in marketing materials and within the app itself.
• Disclose key information clearly and conspicuously.
• Err on the side of caution, and implement meaningful privacy-protection policies from the start.
• Only collect the information that developers really want, and require affirmative consent before collecting sensitive information.
• Offer user -friendly choices. For example, use default settings that collect a limited amount of user information, and allow users to adjust settings for increased sharing and functionality.
• Protect kids’ privacy by requiring parental consent before their information is collected and shared.
• Incorporate security measures to protect user data, especially when collecting medical and financial information.
On September 12, a new bill – the Mobile Device Privacy Act – was referred to the House Committee on Energy and Commerce. The bill, introduced by Reps. Ed Markey (D -Mass.) and Diana DeGette (D –Colo.), requires merchants, mobile service providers, and manufacturers to disclose information about mobile tracking software to consumers and to obtain users’ express consent before the software is activated. Specifically, customers must be told that the software is installed, what type of data it is collecting, the identity of all persons to whom the data will be transmitted, how the data will be used, and how the user can limit collection and sharing. Disclosures must be clear and conspicuous, and consumers must be able to prohibit further collection and sharing at any time.
If passed, this law will also require all recipients of user information to establish and implement information security policies and procedures for data collection, retention, system monitoring, and destruction. Finally, the bill requires that companies file all agreements relating to the transmission of user information with the FTC and the Federal Communications Commission. In the bill’s current form, penalties will range from $1,000 to $3,000 per violation (i.e., per user affected). Hence, a single policy error could expose large vendors to liability well into the billions of dollars, and a similar misstep could put a startup out of business.
All mobile app developers – including large players and new entrants – should review their compliance with this new FTC guidance and their overall truth-in-advertising and data privacy policies. The FTC has made it clear that it will take enforcement actions against industry participants large and small. In particular, we believe those making health claims, targeting children, and transmitting user information to third parties will continue to face significant FTC scrutiny. In general, the more personal information that an app collects from individuals, the greater the need for significant privacy projections and disclosures.
The FTC recently sued satellite television service operator DISH Network in federal district court in Illinois for violations of the Telemarketing and Consumer Fraud and Abuse Act. The agency claims DISH violated “company-specific do-not-call rules” – in other words, the FTC claims that DISH called consumers who had previously asked DISH not to call them again. DISH disputes the FTC’s claims.
Under the FTC (and FCC’s) telemarketing rules, there are two do-not-call regimes. First is the national do-not-call registry. With certain exceptions, telemarketers and sellers may not telemarket to residential phone lines and wireless numbers unless they have first “scrubbed” their calling lists against the federal do-not-call registry. The exceptions include calling customers with whom an organization has an “existing business relationship” or who have given prior consent for the calls. However, even those customers to whom telemarketing calls might be permitted because of an existing business relationship or other reasons can always ask a telemarketer not to call again and to put the consumer on the company-specific do-not-call list. This company-specific request must be implemented promptly and maintained for five years.
This part of the federal telemarketing rules thus puts the power in the hands of the consumer who can decide if he or she wishes to receive telephone solicitations from a particular company. It does not matter if the consumer continues to do business with a particular seller – once the consumer asks not to be called again, telemarketing must cease.
The FTC’s complaint against DISH contends that, since September 2007, DISH had initiated – either on its own or through outside telemarketers working on its behalf –millions of outbound telephone calls to phone numbers of people who previously indicated that they did not want to receive telemarketing calls from DISH. The complaint seeks civil penalties and a permanent injunction to stop DISH from future violations of the telemarketing rules.
Indeed, the penalties could be steep. For violations before February 9, 2009, the specified penalties are $11,000 per violation. Those penalties were increased to $16,000 for each violation of the FTC’s Telemarketing Sales Rule occurring after that date. DISH is already litigating against the Department of Justice in another case for allegedly calling consumers on the national do-not-call registry or purportedly causing its dealers to make calls to those consumers. It was information developed in that litigation that led to this latest complaint, according to the FTC’s public statements.
Of course, various defenses are available to DISH and others facing similar lawsuits or enforcement actions. These defenses include the possibility that a number called was a business (rather than residential) telephone number; or that the company-specific do-not-call request had not been made to DISH in the first place. Written consent to receive telemarketing calls provided after a company-specific do-not-call request would also allow such calls prospectively (at least until the consent were revoked subsequently).
Companies engaging in telemarketing – either on their own or through outside telemarketing firms, affiliated dealers, or other third parties – should take note that the FTC is continuing to enforce its do-not-call rules. FTC Chairman Jon Leibowitz stated that the agency will continue to enforce the do-not-call rules “to protect consumers’ right to be left alone in the privacy of their own homes.”
While the FTC (and the FCC) have focused on compliance with the federal registry requirements, this latest case against DISH demonstrates that the agency will also initiate enforcement action against those it contends to be violating the “company-specific” do-not-call requirements. Companies using telemarketing should review their written and operational policies to ensure compliance with both the federal and company-specific do-not-call requirements. Customer service representatives, in particular, should receiving periodic training that when a consumer says, “No more calls,” no really does mean, “No more, Mr. Telemarketer, you’re done.”
In the past couple of years, a wide variety of computer viruses and other malware have allegedly been used by one nation against another. This secretive form of warfare even briefly plastered names like Stuxnet, Duqu, Flame, and Gauss across the front pages. In partial response to the threat posed to U.S. interests by hostile foreign countries and/or individuals, different cybersecurity bills are percolating through the halls of Congress, including the SECURE IT Act of 2012, the Cybersecurity Act of 2012, and others.
No one can dispute the very real danger posed by cybersecurity threats and the potentially disastrous results if they are unleashed upon a country or upon an industrial or financial system. In a recent Wall Street Journal op-ed, President Obama wrote that “the cyber threat to our nation is one of the most serious economic and national security challenges we face.” The president also stated that “foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day.”
President Obama then pushed for the passage of the Cybersecurity Act of 2012, which would require the sharing of information between the private and public sector, develop cybersecurity standards, and other protections. In support of that bill, President Obama wrote that “Congress must pass comprehensive cybersecurity legislation” and that “We all know what needs to happen.”
However, in early August the U.S. Senate rejected cybersecurity legislation, with Republican members concerned that the bill would impose burdensome obligations on businesses.
The president has indicated that he is considering imposing the same cybersecurity measures by executive order.
“In the wake of Congressional inaction and Republican stall tactics, unfortunately, we will continue to be hamstrung by outdated and inadequate statutory authorities that the legislation would have fixed,” Presidential press secretary Jay Carney said.
This possibility does concern us.
Although computer malware poses a real and credible danger to U.S. interests, we also need to discuss how cybersecurity is going to be achieved. The use of an executive order to bypass the legislative process is of questionable constitutionality because it may violate the separation of powers mandated by the Constitution.
A step that creates such an extensive public-private partnership and involves the government so much in private decisions to provide security at least deserves approval after full discussion by a majority of both houses of Congress. We hardly think that the threat has risen to the level of “war” that would permit the president to engage in unilateral emergency actions to protect national security.
As the tech editor of the Daily Caller wrote recently: “The failed cyber security bill, which could be revived by Sen. Majority Leader Harry Reid when the Senate comes back from recess in September, would have given federal agencies in charge of regulating critical infrastructure industries like power companies and utilities the ability to mandate cybersecurity recommendations … An executive order would be another action from the Obama administration to extend executive branch authority over a largely free and open Internet.”
On August 9, 2012, the Federal Trade Commission announced that Google has agreed to pay a $22.5 million penalty to settle the FTC’s charges that it violated a consent order regarding consumer privacy. This is the largest civil penalty that the FTC has ever exacted for a violation of one of the agency’s orders, and it has understandably garnered a great deal of attention.
Specifically, Google was accused of using “cookies” to track the online activities of people who use Apple’s Safari Web browser. Cookies are small segments of computer text that are used to collect information from computers and that can be used to target advertising to consumers.
Google, according to the FTC, had told Safari users on a Web page that because the Safari browser is set by default to block third-party cookies, the users needed to do nothing to prevent the use of the cookies. In fact, Google did place some cookies on the users’ computers. There was no allegation that any consumers actually received unwanted ads.
The settlement has received mixed reviews. Some commentators argue that the agreement is not tough enough on Google, which after all was already under a consent order barring it from engaging in this type of behavior. FTC Commissioner J. Thomas Rosch, who dissented from the Commission’s decision to accept the settlement, is one of the critics.
Commissioner Rosch wrote in a dissenting statement, “[i]t may be asserted that a denial of liability is justified by the prospect of a $22.5 million civil penalty. But $22.5 million represents a de minimis amount of Google’s profit or revenues.”
Some critics have contended that the settlement may be too tough in the sense that it will discourage pro-competitive behavior in the form of disclosures to consumers. For example, Ed Black, the president and CEO of the Computer & Communications Industry Association, wrote on August 13 that although Google was clearly at fault for not making it clear to the public what its precise privacy rules were, “it is fair to ask if the FTC’s enforcement action is out of proportion to the harm caused, and if it runs a very real risk of disincentivizing voluntary privacy disclosures in the future.”
Our view is that this consent order is indeed strong enough to send the message to Internet companies that the FTC is carefully scrutinizing the privacy protections that they provide and the statements that they make about them, and that they need to continue to be vigilant to adhere to the statements and promises they make in their privacy policies, web pages, and elsewhere.
On August 1, 2012, Illinois Governor Pat Quinn signed a bill into law (HB 3782) that prohibits employers from requesting or requiring employees or prospective employees to provide their Facebook or other social networking website passwords. With the new law, effective on January 1, 2013, Illinois becomes the second state (Maryland was the first) to bar employers from seeking social network passwords. Employers are still free to access employees’ social network sites (and the information, photos, videos and other content) that are publicly available.
While dubbed the “Facebook password law” in many news reports, the law covers all “social networking websites.” The term “social networking website” includes Internet-based services that allow individuals to: construct a public or semi-public profile within a system, created by the service; create a list of other users with whom they share a connection within the system; and view and navigate their list of connections and those made by others within the system. An employer’s asking for passwords to a prospective or current employee’s Facebook, Linkedin, Twitter, and other similar services would be covered by the new law.
The Illinois legislature passed the law in response to complaints from graduating college students and others that they had been denied employment based upon their refusal to provide passwords, or they felt the need to deactivate their accounts during the job search process. One study found that 75 percent of employers require their human resources departments to review online profiles before offering an applicant a job (with one-third of employers turning down applicants based on those searches). Sponsors of the bill also contend that access to social profiles can lead to unlawful discrimination, as information such as age, race, sexual orientation, political affiliations, and even disabilities can be gleaned from social network profile pages.
The new legislation specifically affirms that employers may obtain information that is in the “public domain” (such as any information on Facebook that is open to viewers rather than restricted) and general Google or other similar searches on an employee. Further, employers may continue to maintain workplace policies addressing workplace Internet use, social networking site use, and use of email. The law specifically does not cover an employer’s monitoring of electronic mail (as long as the employer does not request or demand an employee’s password for a social networking site).
Several other states and Congress are considering similar legislation. Facebook declares that employers asking for passwords violates its “Statement of Rights and Responsibilities,” along with sharing a password. Employers should review their social media policies, employment forms, interview processes and ongoing human resources operations if they operate in Illinois or Maryland and should not request password or other account information (including whether an individual even participates in social networking) in those states.
With other states and perhaps the U.S. Congress following suit, these restrictions are likely to become the law of the land sooner rather than later.
Of course, as the law states, if an employer wishes to Google an employee, troll for public Facebook, Twitter, or other public social networking information, it may do so. So, college graduates and others, you may want to double check your Facebook privacy settings so Mr. Human Resources doesn’t see your Spring Break photo adventures.
On August 1, 2012, the Federal Trade Commission announced that is issuing a Supplemental Notice of Proposed Rulemaking to modify certain of its rules under the Children’s Online Privacy Protection Act (COPPA). Industry has been waiting on FTC action regarding COPPA, as the agency previously undertook a COPPA rulemaking in September 2011 and proposed modifying certain COPPA rules to account for changes in technology, particularly mobile technology.
The FTC received over 350 comments during that time. After reviewing those comments, the FTC has decided to propose certain additional changes to its COPPA rule definitions.
In summary, COPPA gives parents control over the information websites can collect from their kids. It applies to websites designed for children under 13 – or those that have reason to know they are collecting information from a child. It requires a specific privacy notice and that consent be obtained from parents in many circumstances before children’s information may be collected and/or used.
The FTC has proposed several changes that are of interest. Some are meant to “tighten” the COPPA rule, others are meant to provide some additional flexibility to operators.
• The proposed change would make clear that an operator that chooses to integrate the services of third parties that collect personal information from visitors (like ad networks or plug-ins) would itself be considered a covered “operator” under the Rule.
• The FTC is also proposing to allow websites with mixed audiences (e.g., parents and over 13) to age-screen visitors to provide COPPA’s protections only to those under 13. However, kid-directed sites or services that knowingly target under-13s as their primary audience or whose overall content is likely to attract kids under that age could not use that method.
• Also, the FTC has proposed modifying the definition of what constitutes “personal information” relating to children to make it clear that a persistent identifier falls within that definition if it can be used to recognize a user over time or across different sites or services. The FTC is considering whether activities like site maintenance and analysis, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual ads, and protecting against fraud and theft should not be considered the collection of “personal information” as long what’s collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising.
Comments on the FTC’s proposed rule changes are due by September 10, 2012.