FTC Beat
Posts Tagged ‘Consumer Protection’
Dec 23
2015

Will The Floodgates Open As Consumer Backlash To Spam Unleashes?

Anti spam filter vector concept in flat style

Every e-mail user receives them, some days in numbers hitting the triple digit mark – those targeted, often annoying and unsolicited e-mails that clog our inboxes, originating from any of a multitude of establishments, including retailers, service establishments, and even our own social media.  Regulation over unwanted e-mails has been limited mostly to the federal Can Spam Act of 2003, which doesn’t prohibit the deluge of e-mails, but rather protects against misleading and deceptive ones and requires the sender to comply with certain requirements, including offering a clear opt-out. A private consumer has limited retribution to enforce the Act, however, and must rely on the FTC, as well as other government entities and Internet service providers, to bring suit to stop the unwanted e-mails. It seems that consumers in recent years are ever more fed up and frustrated with “spam” messages and desire change.  However, as evidenced by a recent class action lawsuit by certain LinkedIn members against the social media giant, consumers may utilize other legal maneuvers to get relief from new marketing tactics employing spam.

LinkedIn is often referred to as the “Facebook of the Professional World.”  With over 300 million+ users, LinkedIn has become the world’s largest professional network since it launched in 2003.  One feature of the network allows a member to import his or her e-mail contacts list and send invitations to connect with others on LinkedIn.  A user is prompted by LinkedIn to click an “Add Connections” link, which then allows LinkedIn to import the list from external e-mail accounts.  LinkedIn uses this feature to grow its number of members.

According to the class action lawsuit filed against LinkedIn, if a connection invitation was not accepted within a certain period of time, up to two “reminder’ spam e-mail messages would be sent to the prospects, without the LinkedIn member’s consent to do so. In Perkins v. LinkedIn Corp., the federal district court in the Northern District of California determined that the motion to dismiss filed by LinkedIn would be granted in part and denied in part, thereby allowing the suit to move forward.  In its partial denial of the motion to dismiss, the court reasoned that although the members consented to importing their contacts and sending the invitation to connect, they did not consent to sending the reminder messages on their behalf.  In her Order, Judge Lucy Koh explains,

“Nothing in LinkedIn’s disclosures alerts users to the possibility that their contacts will receive not just one invitation, but three. In fact, by stating a mere three screens before the disclosure regarding the first invitation that ‘We will not . . . email anyone without your permission,’ LinkedIn may have actively led users astray.”

(Order Granting in Part and Denying in Part Defendant’s Motion to Dismiss with Leave to Amend *30).  The plaintiffs also contended that LinkedIn members did not consent to the use of their names and likenesses in the reminder e-mails and were embarrassed and felt that the unwanted e-mails sent to personal contacts affected their professional reputations.

Following the court’s Order, the parties agreed to settle the suit.  The settlement requires the social media giant to pay at least $13 million, as well as  $2.25 million in legal fees, to LinkedIn members who had accounts between Sept. 17, 2011 and Oct. 31, 2014 and sent e-mails through the Add Connections feature. Although LinkedIn did not admit any wrongdoing in the settlement, it agreed to revise its disclosures and clarify that the reminder e-mails would be sent as part of the “Add Connections” service. LinkedIn also indicated its intent to provide an option to cancel the connection invitation, and thereby the reminders, by the end of the calendar year.

Interestingly, with perhaps the fear of a lawsuit on the horizon, Mark Zuckerberg preemptively announced at a recent town hall meeting held in Delhi, India, that Facebook will be reducing the number of invitations it sends to outside contacts of players of the game Candy Crush Saga. Facebook often sends the invitations to contacts who have never used a game and never played games on Facebook, suggesting that they join their friends in a Candy Crush Saga game.  Zuckerberg noted that reducing the number of invitations received was the most upvoted question in an online thread, and he has promised to reduce the number of these unwanted requests.  After the recent LinkedIn settlement, we advise Mr. Zuckerberg to take action swiftly or we may see other unhappy consumers following suit. . . .  with their own suit!

These developments should offer welcomed relief for consumers and our busy delete buttons. However, this may be the tip of the iceberg with regard to the use of the courts and unwanted e-mails. Is the broad Can-Spam Act sufficient to deter spammers? Does the Can-Spam Act do enough to filter out unwanted e-mails? New scenarios have arisen since the enactment of the Act in 2003 and consumers seem to desire more regulation to deter the deluge of e-mails. If swift action isn’t taken by Congress and other regulators, it seems that consumers may take to the courts to set precedent in this ever-changing arena.

posted in:
Internet Law
May 26
2015

Keeping Your Privacy Promises: Retail Tracking and Opt-Out Choices

No time for talking. Cropped image of beautiful young woman in pink dress holding shopping bags and mobile phone

As children, many of us were taught how important it is to “keep your word.” Similarly, it is black letter privacy law that if a company commits (for instance, in a privacy policy or in website statements) to certain actions or practices, such as maintaining certain security features or implementing consumers’ choices on opt-outs, the organization must abide by those practices. Many companies have faced the Federal Trade Commission’s (“FTC”) ire when the agency found the organizations’ practices failed to comport with their privacy promises. Recently, the FTC settled the first action against a retail tracking company, Nomi Technologies, Inc. (“Nomi”). The FTC alleged that Nomi mislead consumers with promises that it would provide an in-store mechanism for consumers to opt-out of tracking and that consumers would be informed when locations were utilizing Nomi’s tracking services. In fact, according to the FTC, Nomi did not provide an in-store opt-out and did not inform consumers of locations where the tracking services were used. This action signals that the FTC will continue to exert its jurisdiction over privacy practices it deems false or deceptive, including those occurring in emerging technologies like retail tracking.

The FTC’s complaint stated that Nomi’s technology (called its “Listen” service) allows retailers to track consumers’ movements through stores. The company places sensors in its clients’ stores, which collect the MAC addresses of consumers’ mobile devices as the devices search for WiFi networks. While Nomi “hashes” the MAC addresses prior to storage in order to hide the specific MAC addresses, the process results in identifiers unique to consumers’ mobile devices which can be tracked over time. Nomi provided its retail clients with aggregated information, such as how long consumers stayed in the store, the types of devices used by consumers, and how many customers had visited a different location in a chain of stores. Between January and September 2013, Nomi collected information on approximately 9 million mobile devices, according to the FTC’s complaint.

What Nomi did wrong, according to the FTC, was fail to honor its privacy policy which “pledged to…always allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.” Nomi presented an opt-out on its website, but (per the complaint), no option was available at retailers using Nomi’s service. The FTC also asserted that consumers were not informed of the tracking (contrary to the privacy policy promises). Thus, the FTC alleged that Nomi’s privacy promises were false because no in-store opt-out mechanism was available, nor were consumers informed when the tracking occurred.

Nomi’s settlement does not require any monetary payment but prohibits Nomi from misrepresenting the options through which consumers can exercise control over the collection, use, disclosure or sharing of information collected from or about them or their devices. The settlement also bars Nomi from misrepresenting the extent to which consumers will be provided notice about how data from or about a particular consumer or device is collected, used, disclosed or shared. Nomi is required to maintain certain supporting records for five years. As is typical with FTC consent orders, this agreement remains in force for 20 years.

What can companies learn from Nomi’s settlement, even those not in the retail tracking business?

  • While this is the first FTC action against a retail tracking company, the FTC has repeatedly stated that it will enforce the FTC Act and other laws under its jurisdiction against emerging as well as traditional technologies.
  • Consumers could opt-out on Nomi’s website by providing a MAC address in an online form. The FTC did not seem to have a problem with this part of Nomi’s practices. If Nomi had not promised that consumers could also opt-out at the retail locations, and that they would be notified of tracking, there would not have been an FTC action. In other words, it was Nomi’s words (in its privacy policy) that got it in hot water with the FTC. All companies should review their privacy policies regularly to make sure the language comports with their practices.  If you don’t do it, don’t say it.
  • The FTC noted that Nomi had about 45 clients. Most of those clients did not post a disclosure or notify consumers regarding their use of the Listen service, and Nomi did not mandate such disclosures by its clients. The FTC did not address what, if any, obligation, these businesses may have to make such disclosures. Will it become common/mandated to see a sign in a retail location warning that retail tracking via mobile phones is occurring (similar to signs about video surveillance)? One industry group’s self-regulatory policy requires retail analytics firms to take “reasonable steps to require that companies using their technology display, in a conspicuous location, signage that informs consumers about the collection and use of MLA [mobile location analytics] Data at that location.” This issue will become more prevalent as more retailers and other businesses use tracking technology.
  • Interestingly, the FTC brought this action even though traditional “personal information” was not collected (such as name, address, social security number, etc.). Organizations should not assume that collecting IP addresses, MAC addresses, or other less personalized information presents no issues. The FTC takes privacy statements seriously, whatever the information collected (though certainly there is more sensitivity toward certain categories such as health, financial, and children’s information).

The bottom line is “do what you say” when it comes to privacy practices. All companies should evaluate their privacy policies at least every six months to ensure that they remain accurate and complete, have working links (if any), and reflect a company’s current practices.

posted in:
Privacy
Nov 07
2014

Report from an Energized Brand Activation Association Marketing Law Conference

Group Of Multi-Ethnic People Social Networking

Ifrah Law is a proud member the Brand Activation Association (“BAA”). This week, we attended the BAA’s 36th annual BAA Marketing Law Conference in Chicago.  Just as “Mad Men” reflects the 1960’s era advertising business, this year’s BAA conference demonstrated this generation’s marketing dynamic – where mobile is key, privacy concerns abound, and the Federal Trade Commission (“FTC”) and other agencies are watching and enforcing. Other key “take aways” from the conference are that sweepstakes, contests, and other promotions remain hugely popular via mobile devices and social networks.

Digital Rules

Advertisers representing top brand names made clear that companies must reach consumers through various digital devices.  Smartphones, tablets, and wearable technologies each represent ways to advertise a product or service.  Today’s consumers, especially younger consumers, rely extensively mobile devices. Many actually welcome behavioral and other advertising.  Consumers in the U.S. and abroad have shown receptiveness to “flash sales,” instant coupons and other deals, including those geared to their geo-location.

Emerging Privacy and Consumer Protection Trends

While advertisers interact with consumers and many consumers welcome offers and information, regulators’ and individuals’ concerns with the privacy of personal information dominate the landscape.  Almost a year after the notorious Target data breach, and with the holiday shopping season approaching, all stakeholders are understandably cautious about how to utilize various methods of marketing while securing consumer information.  Even assuming a network is secure, the FTC, state attorney generals, foreign regulators, consumer advocacy groups and consumers want to know how personal data is being collected, utilized and shared.  In the consumer protection context, the FTC actively enforces the Federal Trade Commission Act’s prohibition on “deceptive acts and practices,” requiring that advertisers have substantiation for product claims.

Two Significant Forces – the FTC and California’s Attorney General

Top representatives from the FTC and the California Attorney General presented at the conference.  Both representatives asserted their agencies remain active in enforcing their consumer protection and privacy laws, especially as to certain areas.  Jessica Rich, Director, Bureau of Consumer Protection at the FTC, discussed the agency’s focus on advertising substantiation, particularly as to claims involving disease prevention and cure, weight loss, and learning enrichment (such as the “Your Baby Can Read “ case).

On the privacy side, Ms. Rich also noted the FTC’s specialized role in enforcing the Children’s Online Privacy Protection Act (“COPPA”).  The FTC’s recent action against Yelp demonstrates that the FTC will not hesitate to enforce COPPA even where a website is not a child-focused website, per se. If a website or online service (such as a mobile app) collects personal information from children under 13, it must comply with COPPA’s notice and consent requirements. The agency is also exploring the privacy and consumer protection concerns associated with interconnected devices, known as “the Internet of Things.”

The representative from the California Attorney General’s office noted that California has a keen interest in mobile apps, as demonstrated by its action against Delta for allegedly failing to have a privacy policy available through its mobile app.  California is also gearing up for its “Eraser Law,” set to go in effect on January 1, 2015. This law provides an opportunity for young people under 18 to “erase” embarrassing or damaging content they posted online, including on social media.

Promotions – Sweepstakes, Contests, Games

While some may think sweepstakes and contests are outdated, the opposite is true. Companies are utilizing mobile and social networks to engage with consumers through promotions.  Facebook and Pinterest-based sweepstakes and contests continue to grow in popularity. Advertisers also increasingly look to “text-based” offerings.

These promotions can generate great marketing visibility and grow consumer relationships. However, advertisers need to be aware of many legal minefields.  First and foremost is the federal Telephone Consumer Protection Act (“TCPA”), which requires prior express “written” consent for advertisements sent to mobile phones via text or calls utilizing an autodialer or prerecorded message.  Plaintiffs’ lawyers continue to file hundreds of TCPA class actions based on texts without consent.  Second, the social networks have their own policies. For instance, Facebook now bars advertisers from requiring consumers to “like” a company Facebook page in order to participate in a promotion.

Take Aways

BAA conference sessions were packed – many standing room only.  The popularity of programs about comparative advertising, native advertising, sweepstakes and contests, and enforcement trends demonstrates that advertisers are finding innovative ways to reach consumers across devices. These marketing initiatives face a host of federal, state, and international laws and regulations, as well as restrictions imposed by social networks and providers.  It’s an exciting and complex juncture in global marketing.

Sep 19
2014

Broken Promises: A Glimpse at the Dark Side of Crowdfunding

Vector crowdfunding concept in flat style

The fact is that social media has connected us to each other in ways which seemed unimaginable only a few decades ago.  Take for example the progression of social activism through online fundraising.  Over the course of two short months the ALS Ice Bucket Challenge (“IBC”) went viral with millions of videos being posted by people drenching themselves in ice water in order to spread awareness and raise money for the research and treatment of ALS.  To date, the total amount of donations made to the ALS Association through the IBC is an unprecedented $114 million.  The Association’s FAQs webpage regarding the IBC indicates that this amount is almost five times its annual overall budget.

The ALS Ice Bucket Challenge is also a good example of the online phenomenon of crowdfunding, where numerous individuals and groups pitch in to fund a project, cause or idea.  Simply put, crowdfunding is fundraising through social media.  There are several popular crowdfunding websites, however one of the most well-known sites is Kickstarter.com, which was launched in 2009, and boasts the facilitation of $1 billion in contributions by seven million backers who have so far funded 69,000 “creative projects” through the site.  However, as is common when dealing with new technology, there are often unanticipated legal aspects of such innovation which can be problematic.

Earlier this year, the first crowdfunding consumer protection lawsuit was filed in the state of Washington (State of Washington v. Altius Management, LLC; Edward J. Polchlopek III (No. 14-2-12425-SEA)).  In late 2012, defendant Ed Nash, as he is known, and his company Altius Management, were successfully funded through a Kickstarter campaign to produce a limited-edition playing card game called Asylum.  According to the campaign page, backers exceeded Nash’s goal of raising $15,000, giving more than $25,000 in total for the promise of the card game to be made.  In addition, many of those who funded Nash’s campaign expected certain perks for contributing, referred to by Kickstarter as “rewards,” as was detailed in his campaign’s backer pledge amounts, which included multiple card decks and custom artwork according to varying contribution levels.  However, two years later the card game has not been produced, backers have received no rewards or refunds and there has been no communication from Nash regarding the status of the Asylum project since July 2013.

Each project “creator” who signs up their campaign on Kickstarter is required to agree to the site’s Terms of Use, which includes language stating that the creator must fulfill all rewards promised to backers or issue refunds.  If the creator fails to deliver on both of these fronts, Kickstarter advises them that they may be open to litigation by backers.  Now, the Washington State Attorney General’s Office wants Nash to pay for breaking his promise to these backers under the state’s Consumer Protection Act (“CPA”) [RCW Chapter 19.86].  The filed lawsuit seeks up to $2,000 per violation of the CPA in civil penalties for restitution to the backers, and also includes all state costs and attorneys fees.

With this being the first case of its kind, there is no precedent to see exactly how these proceedings will develop or how this case will affect Kickstarter and other crowdfunding websites.  We suspect it will proceed like many of the other cases we write about in the internet space.  One thing is certain, whether they are made online or in person, people don’t like broken promises.

Jan 09
2014

Industry, Members of Congress Take Action on FTC Process

As the Federal Trade Commission (“FTC”) continues to flex its consumer protection muscles by bringing numerous administrative lawsuits, industry and members of Congress are questioning whether there is a level playing field that allows companies to properly defend themselves against FTC charges.  Or, as some say, does the FTC have the “home court advantage” in its role as investigator and prosecutor, armed with very broad authority under Section 5 of the FTC Act –leaving many companies to decide simply to settle rather than face the Goliath FTC.  However, some companies have been bucking that trend recently and challenging the FTC’s authority (particularly in the area of regulating data security and FTC officials’ impartiality.

As background, the FTC may begin an enforcement action if it has “reason” to believe that the FTC Act is being or has been violated. Section 5(a) of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”  The FTC also enforces several other consumer protection statutes, including the Fair Credit Reporting Act, the Do-Not-Call Implementation Act of 2003, and the Children’s Online Privacy Protection Act.

Under Section 5(b) of the FTC Act, the FTC can challenge “unfair or deceptive acts or practices” or violations of certain other laws (such as those listed above) in an administrative adjudication. The way this works is the FTC issues a complaint putting forth its charges.  Many companies faced with such complaints inevitably settle with the FTC, rather than endure an administrative trial.  Those companies that contest the charges face a trial-type proceeding before an FTC administrative law judge.  FTC staff counsel “prosecute” the complaint.  The administrative law judge later issues an initial decision. Either party can appeal the initial decision to the full FTC for review.

Many observers, including the American Bar Association, have criticized this situation — where the FTC acts as both prosecutor and judge — as inherently unfair. After the FTC’s decision, the respondent organization (or individual)may appeal to a federal court of appeals. However, at this point, an extensive record has been made and this assumes an organization or individual has the resources to devote to a federal appeal. (In addition, the FTC can also bring consumer protection enforcement directly in court rather than through administrative litigation).

The FTC’s winning record in these administrative proceedings has many observers questioning the process and the FTC’s potential impartiality.  House antitrust chairman Spencer Bachus (R-Ala.) called out the FTC’s apparent lack of impartiality and fairness, stating “ a company might wonder whether it is worth putting up a defense at all.”

Just a couple weeks ago, however, medical testing company LabMD went on the offense and sought the disqualification of an FTC Commissioner. Facing an administrative proceeding relating to its alleged failure to secure patient information data, LabMD moved to disqualify Commissioner Julie Brill from consideration of its case.  LabMD claimed that the Commissioner made numerous statements at industry conferences prejudging its ongoing litigation. Specifically, LabMD claimed Brill stated LabMD that had violated the law, rather than indicating that LabMD was under investigation or in litigation.  The FTC opposed the disqualification. However, Commissioner Brill voluntarily recused herself from the case on Christmas Eve to avoid “undue distraction” from the administrative litigation.

As the FTC litigates in several key areas – data privacy, financial services, credit repair, telemarketing – we expect administrative litigation will increase in 2014. While some companies will continue to settle to avoid continued litigation expenses and possible further detrimental outcomes, we think others will take the LabMD route and seek relief when they believe the processes are not transparent or the FTC is exceeding its authority.

Connect with Us Share

About Ifrah Law

FTC Beat is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, health care, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen and George Calhoun, counsels Jeff Hamlin and Drew Barnholtz, and associates Rachel Hirsch, Nicole Kardell, Steven Eichorn, David Yellin, and Jessica Feil. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!

Visit the Ifrah Law Firm website

Popular Posts