Your business booked a large charity event. However, the customer contact turns out to be a nightmare. She complains (during and after the event) that the service was slow, the food looked and tasted like a frozen meal, and the drinks were watered down. She even claims she was overcharged. You reviewed the situation and, while you disagree, you offer her a credit. She declines and instead decides to post scathing reviews on Yelp, TripAdvisor, and several other review sites. She also gets her friends to post similar reviews. You remember, however, that the booking contract this irate customer signed barred her from posting negative reviews and imposes a $200 per negative review penalty. You ring up your attorney and ask her to send Ms. Nasty Customer a demand. Your lawyer tells you there may be a problem with this approach – under a new law signed by President Obama in December, the Consumer Review Fairness Act of 2016 – form contracts restricting reviews or imposing penalties are void.
Exceptions and Carve-Outs
There are several significant exceptions to the new law, offering some protections to organizations. First, individually negotiated agreements are not covered by the new legislation. Second, Congress carved out employer-employee and independent contractor agreements from the “form contract” definition. Thus, under the new Act, employment provisions barring negative online reviews of an employer are not void. However, the National Labor Relations Board strongly disfavors restrictions on employees’ rights to discuss wages and working conditions in public forums. Further, some states may also seek to bar restrictions on online reviews. California and Maryland have already enacted laws barring non-disparagement clauses in consumer contracts.
Third, the Act does not bar an organization or individual from suing for defamation, libel, or slander. Thus, companies may still file suit for reviews containing false statements (and presumably include a clause in a form agreement or terms and conditions addressing such statements). Fourth, the law preserves any confidentiality required by law – such as HIPAA. Fifth, the Act expressly allows a party to remove or to refuse to display on a website/webpage operated by that party the content of a “covered communication”: (1) that contains personal information or the likeness of another person; (2) that is libelous, harassing, abusive, obscene, vulgar, sexually explicit, “or is inappropriate with respect to race, gender, sexuality, ethnicity, or other intrinsic characteristic”; or (3) that is false or misleading. Thus, companies that host their own webpages for customer comments and interactions may remove customer reviews meeting these standards. It would also appear lawful to advise customers in company terms and conditions or form contracts that such content may be reviewed.
Congress further created a carve-out from the Act’s consumer review protections for trade secrets or commercial or financial information considered privileged or confidential, personnel and medical files where disclosure would result in an invasion of personal privacy, records compiled for law enforcement purposes, content that is unlawful, and content containing computer viruses, worms, or other damaging code.
Federal Trade Commission Enforcement
The Federal Trade Commission (“FTC”) will enforce the Consumer Review Fairness Act of 2016. State Attorneys General may also bring a civil action in federal court to obtain relief for their residents. The new law requires the FTC (within 60 days) to conduct education and outreach to businesses, including non-binding “best practices” for complying with the Act. Companies get 90 days (until March 14, 2017) before their contracts containing the now-proscribed practices are considered void.
The FTC may target a few “brand name” organizations in early enforcement actions to garner industry attention. Companies should be aware, however, that they retain the right to object to reviews that are exempted, including those that disclose confidential or personal information, or that are defamatory, misleading, obscene, vulgar, or unrelated to the products and services offered on the company’s webpage. So, while consumers cannot be penalized through a form contract for posting reviews, their rights to post are not unfettered. Contrary to the popular adage, as the Union Street Guest House learned, not all press is good press – and companies may still address false or defamatory reviews and those reviews containing other exempted content.
Every week, we learn about new data breaches affecting consumers across the country. Federal government workers and retirees recently received the unsettling news that a breach compromised their personal information, including social security numbers, job history, pay, race, and benefits. Amid a host of other public relations issues, the Trump organization recently discovered a potential data breach at its hotel chain. If you visited the Detroit Zoo recently, you may want to check your credit card statements, as the zoo’s third party vendor detected “malware” which allowed access to customers’ credit and debit card numbers. And, certainly, none of us can forget the enormous data breach at Target, and the associated data breach notifications and subsequent lawsuits.
For years, members of Congress have stressed the need for national data breach standards and data security requirements. Aside from mandates in particular laws, such as HIPAA, movement on data breach requirements had stalled in Congress. Years ago, however, the states picked up the slack, establishing data breach notification laws requiring notifications to consumers and, in many instances, to attorneys general and consumer protection offices when certain defined “personal information” was breached. California led the pack, passing its law in 2003. Today, 47 states have laws requiring organizations to notify consumers when a data breach has compromised consumers’ personal information. Several states’ laws also mandate particular data security practices, including Massachusetts, which took the lead on establishing “standards for protection of personal information.”
Many businesses and their lobbying organizations have urged Congress to preempt state laws and establish a national standard. Most companies have employees or customers in multiple states. Thus, under current laws, organizations have to address a multitude of state requirements, including triggering events, types of personal information covered, how quickly the notification must be made, who gets notified, and what information should be included in the notification, among others. State Attorneys General, on the other hand, assert that, irrespective of these inconveniences, their oversight of data breaches through the supervision of notifications and enforcement has played a critical role in consumer protection.
This week, the Attorneys General from the 47 states wrote to Congressional leaders, urging Congress to maintain states’ authority in any federal law by requiring data breach notifications and preserving the states’ enforcement authority.
The AGs’ key points are:
- State AG offices have played critical roles in investigating and enforcing data security lapses for more than a decade.
- States have been able to respond to constant changes in data security by passing “significant, innovative laws related to data security, identity theft, and privacy.” This includes addressing new categories of information, such as biometric data and login credentials for online accounts.
- States are on the “front lines” of helping consumers deal with the fallout of data breaches and have the most experience in guiding consumers through the process of removing fraudulent charges and repairing their credit. By way of example, the Illinois AG helped nearly 40,000 Illinois residents remove more than $27 million in unauthorized charges from their accounts.
- Forty states participate in the “Privacy Working Group,” where state AGs coordinate to investigate data breaches affecting consumers across multiple states.
- Consumers keep asking for more protection. Any preemption of state law “would make consumers less protected than they are right now.”
- States are better equipped to “quickly adjust to the challenges presented by a data-driven economy.”
- Adding enforcement and regulatory authority at the federal level could hamper the effectiveness of state law. Some breaches will be too small to have priority at the federal level; however, these breaches may have a large impact at the state or regional level.
Interestingly, just this week, Rep. David Cicilline (D-RI) introduced a House bill mandating that companies inform consumers within 30 days of a data breach. The bill also requires minimum security standards. Representative Cicilline’s bill would not preempt stricter state-level data breach security laws. The bill also contains a broad definition of “personal information” to include data that could lead to “dignity harm” – such as personal photos and videos, in addition to the traditional categories of banking information and social security numbers. The proposed legislation would also impose civil penalties upon organizations that failed to meet the standards.
Without a doubt, data breaches will continue – whether from bad actors, technical glitches, or common employee negligence. The states have certainly “picked up the slack” for over a decade while Congressional actions stalled. Understandably, the state AGs do not want Congress taking over the play in their large and established “privacy sandbox.” Preemption will continue to be a key issue for any federal data breach legislation before Congress. As someone who has guided companies through multi-state data breach notifications, I have seen firsthand that requiring businesses to deal with dozens of differing state requirements is costly and extremely burdensome. Small businesses, in particular, are faced with having to grapple with a data security incident while trying to understand and comply with a multitude of state requirements. Those businesses do not have the resources of a “Target,” and complying with a patchwork of laws significantly and adversely impacts those businesses. While consumer protection is paramount, a federal standard for data breach notification would provide a common and clear-cut standard for all organizations and reduce regulatory burdens. While the federal standard could preempt state notification laws, states could continue to play critical roles as enforcement authorities.
In the interim, companies must ensure that they comply with the information security requirements and data breach notification laws of applicable states. An important, and often overlooked, point is that while an organization may think of itself as, say, a “Vermont” or “Virginia” company, it is likely that the company holds personal information on residents of various states – for instance, employees who telecommute from neighboring states, or employees who left the company and moved to a different state. Even a “local” or “regional” company can face a host of state requirements. As part of an organization’s data security planning, companies should periodically survey the personal information they hold and the states whose residents are affected. In addition to the breach notification requirements that apply in the event of a breach, organizations need to address applicable state data security standards.