FTC Beat
Posts Tagged ‘FTC’
May 26
2015

Keeping Your Privacy Promises: Retail Tracking and Opt-Out Choices

No time for talking. Cropped image of beautiful young woman in pink dress holding shopping bags and mobile phone

As children, many of us were taught how important it is to “keep your word.” Similarly, it is black letter privacy law that if a company commits (for instance, in a privacy policy or in website statements) to certain actions or practices, such as maintaining certain security features or implementing consumers’ choices on opt-outs, the organization must abide by those practices. Many companies have faced the Federal Trade Commission’s (“FTC”) ire when the agency found the organizations’ practices failed to comport with their privacy promises. Recently, the FTC settled the first action against a retail tracking company, Nomi Technologies, Inc. (“Nomi”). The FTC alleged that Nomi mislead consumers with promises that it would provide an in-store mechanism for consumers to opt-out of tracking and that consumers would be informed when locations were utilizing Nomi’s tracking services. In fact, according to the FTC, Nomi did not provide an in-store opt-out and did not inform consumers of locations where the tracking services were used. This action signals that the FTC will continue to exert its jurisdiction over privacy practices it deems false or deceptive, including those occurring in emerging technologies like retail tracking.

The FTC’s complaint stated that Nomi’s technology (called its “Listen” service) allows retailers to track consumers’ movements through stores. The company places sensors in its clients’ stores, which collect the MAC addresses of consumers’ mobile devices as the devices search for WiFi networks. While Nomi “hashes” the MAC addresses prior to storage in order to hide the specific MAC addresses, the process results in identifiers unique to consumers’ mobile devices which can be tracked over time. Nomi provided its retail clients with aggregated information, such as how long consumers stayed in the store, the types of devices used by consumers, and how many customers had visited a different location in a chain of stores. Between January and September 2013, Nomi collected information on approximately 9 million mobile devices, according to the FTC’s complaint.

What Nomi did wrong, according to the FTC, was fail to honor its privacy policy which “pledged to…always allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.” Nomi presented an opt-out on its website, but (per the complaint), no option was available at retailers using Nomi’s service. The FTC also asserted that consumers were not informed of the tracking (contrary to the privacy policy promises). Thus, the FTC alleged that Nomi’s privacy promises were false because no in-store opt-out mechanism was available, nor were consumers informed when the tracking occurred.

Nomi’s settlement does not require any monetary payment but prohibits Nomi from misrepresenting the options through which consumers can exercise control over the collection, use, disclosure or sharing of information collected from or about them or their devices. The settlement also bars Nomi from misrepresenting the extent to which consumers will be provided notice about how data from or about a particular consumer or device is collected, used, disclosed or shared. Nomi is required to maintain certain supporting records for five years. As is typical with FTC consent orders, this agreement remains in force for 20 years.

What can companies learn from Nomi’s settlement, even those not in the retail tracking business?

  • While this is the first FTC action against a retail tracking company, the FTC has repeatedly stated that it will enforce the FTC Act and other laws under its jurisdiction against emerging as well as traditional technologies.
  • Consumers could opt-out on Nomi’s website by providing a MAC address in an online form. The FTC did not seem to have a problem with this part of Nomi’s practices. If Nomi had not promised that consumers could also opt-out at the retail locations, and that they would be notified of tracking, there would not have been an FTC action. In other words, it was Nomi’s words (in its privacy policy) that got it in hot water with the FTC. All companies should review their privacy policies regularly to make sure the language comports with their practices.  If you don’t do it, don’t say it.
  • The FTC noted that Nomi had about 45 clients. Most of those clients did not post a disclosure or notify consumers regarding their use of the Listen service, and Nomi did not mandate such disclosures by its clients. The FTC did not address what, if any, obligation, these businesses may have to make such disclosures. Will it become common/mandated to see a sign in a retail location warning that retail tracking via mobile phones is occurring (similar to signs about video surveillance)? One industry group’s self-regulatory policy requires retail analytics firms to take “reasonable steps to require that companies using their technology display, in a conspicuous location, signage that informs consumers about the collection and use of MLA [mobile location analytics] Data at that location.” This issue will become more prevalent as more retailers and other businesses use tracking technology.
  • Interestingly, the FTC brought this action even though traditional “personal information” was not collected (such as name, address, social security number, etc.). Organizations should not assume that collecting IP addresses, MAC addresses, or other less personalized information presents no issues. The FTC takes privacy statements seriously, whatever the information collected (though certainly there is more sensitivity toward certain categories such as health, financial, and children’s information).

The bottom line is “do what you say” when it comes to privacy practices. All companies should evaluate their privacy policies at least every six months to ensure that they remain accurate and complete, have working links (if any), and reflect a company’s current practices.

posted in:
Privacy
Apr 02
2015

Telemarketing Tips: What We Can Learn From Caribbean Cruise Lines’ Excursion With The FTC

iStock_000013768185_Large

The FTC’s “Do Not Call” and “robocall” rules do not apply to political survey calls.  So, if Hillary Clinton sought to “voice blast” a survey about international issues, she could do so without violating the Telemarketing Sales Rule (“TSR”).  (Though under FCC rules she would have an issue calling wireless numbers).  However, companies may not telemarket under the guise of exempt political calls.  Caribbean Cruise Lines (CCL) and several other companies working with CCL recently learned this lesson the hard way. The FTC and a dozen state attorneys general sued CCL and others for offering cruises and vacation “add ons” following purported political calls.  CCL settled, agreeing to pay $500,000 of a $7.2 million dollar penalty, and to comply with multiple compliance mechanisms.

CCL and the other defendants implemented an extensive calling campaign involving 12 to 15 million calls per day for approximately ten months offering a political survey.  However, the survey calls invited consumers to “press one” to receive a “free” two-day cruise to the Bahamas (port taxes would apply).  A live telemarketer working on behalf of CCL then offered consumers pre-cruise hotels, excursions, and other value packages.

While political calls remain exempt under the TSR’s robocall and Do Not Call provisions, if a caller offers a good, product or service during an otherwise exempt call, an “upsell” has occurred and the call is now telemarketing.  FTC rules prohibit robocalls to telemarket except with prior express consent.  Thus, the FTC asserted that CCL violated the TSR’s robocall provision since the called parties had not consented to the recorded sales calls.  While the calls started as political survey calls, they were actually standard telemarketing, subject to all TSR telemarketing rules.  The FTC also alleged violations of the Do Not Call rules, the caller identification rules, and the “company-specific Do Not Call requirements,” among other violations.

In addition to the reminder about “upsells” or “mixed messages,” this action highlights several important TSR enforcement lessons:

bulletThe FTC and State Attorneys General work closely in telemarketing enforcement – in this action, ten state attorneys general joined the FTC’s action.

bulletMany of the State AGs involved tend to be those most active in telemarketing litigation– Florida, Indiana, Mississippi, North Carolina, Ohio, and Washington State.

bulletThe FTC does not require a company to actually make the prohibited calls. An enforcement action will lie where a company paid or directed others to make calls in violation of the TSR.

bulletThe TSR also bars third parties from providing “substantial assistance” to others who violate the rule. Here, the FTC’s complaint charged a group of five companies and their individual owner with assisting and facilitating the illegal cruise calls, by providing robocallers with telephone numbers to use in the caller ID field, to hide the robocallers’ identities.

bulletAs part of its settlements, the FTC may impose a variety of remedies, including requiring the seller (here, CCL) to monitor its lead generators.

bulletThe FTC may also bar the seller from purchasing leads from a lead generator who is determined by the seller to obtain leads through unlawful TSR calling.

bulletThe FTC will carefully review, and proceed against companies who violate other TSR provisions, including caller ID requirements, scrubbing of the federal Do Not Call database, and the company-specific Do Not Call list.

bulletA settlement often requires ongoing recordkeeping. Here, the FTC required CCL to create records for ten years (and retain each one for 5 years), including records of consumer complaints and documentation of all lead generators.

bulletThe FTC and state AGs may proceed against individuals as well as companies.

bulletMany states have their own “do not call” laws, caller ID requirements and TSR-similar rules which can be used to bolster claims and penalties.

*                                  *                                              *

            While it should not come as a surprise that a “mixed message” call must comply with the TSR, the recent joint case against CCL and others serves as a potent reminder that the FTC and state attorneys general continue to monitor robocalling and other mass telemarketing campaigns. Further, the enforcers will use the full panoply of legal requirements and enforcement mechanisms to address telemarketing violations.  The seller, the telemarketer, the lead generator, the caller ID provider, and any other party providing substantial assistance may find themselves at the receiving end of a call from the FTC if they fail to follow each of the TSR’s obligations or engage in activities that the TSR prohibits.

Mar 06
2015

Why the FTC Can Go After Companies For Insufficient Data Security Allegations

iStock_000018208381_Large

FTC seems more confident than ever in its authority to go after companies with insufficient data security measures. As of January 2015, FTC had settled 53 data-security enforcement actions, and FTC Senior Attorney Lesley Fair expects that number to increase.

Not everyone is sanguine about FTC’s enforcement efforts. Companies targeted for administrative action complain that the Commission is acting beyond its delegated powers under the Federal Trade Commission Act (the “FTCA”). So far, courts have declined to intervene in any administrative action that is not yet resolved at the agency level.

One such case involves LabMD, Inc., an Atlanta-based cancer-screening laboratory. At least nine years ago, someone downloaded onto the billing department manager’s computer a peer-to-peer file-sharing application called Limewire. Hundreds of files on the computer were designated for sharing on the network, including an insurance aging report that contained personal information for more than 9,000 LabMD customers. In 2008, a third party notified LabMD that the aging report was available on Limewire. The application was promptly removed from the billing department manager’s computer, but the damage allegedly had been done. According to FTC, authorities discovered in October 2012 that data from the aging report and other LabMD files were being used to commit identify theft against LabMD’s customers.

Ten months later, FTC filed an administrative complaint against LabMD alleging that it had failed to employ reasonable and appropriate data security measures. FTC further alleged that LabMD could have corrected the problems at relatively low cost with readily available security measures. By contrast, LabMD’s customers had no way of knowing about the failures and could not reasonably avoid the potential harms, such as identity theft, medical identity theft, and disclosure of sensitive, private, medical information. On these facts, FTC alleged that LabMD had committed an unfair trade practice in violation of the FTCA.

LabMD tried to get the administrative action dismissed on several grounds, including that the FTCA does not give the Commission express authority to regulate data-security practices. The Commission denied LabMD’s motion, explaining that Congress gave FTC broad jurisdiction to regulate unfair and deceptive practices that meet a three-factor test: section 5(n) provides that, in enforcement actions or rulemaking proceedings, the Commission has authority to determine that an act or practice is “unfair” if (i) it causes or is likely to cause substantial injury to consumers which is (ii) not reasonably avoidable by consumers themselves and (iii) not outweighed by countervailing benefits to consumers or competition. Commissioners noted that the FTCA as passed in 1918 granted FTC the authority to regulate unfair methods of competition. When courts took a narrow view of that authority, Congress responded by amending the FTCA to clarify that the Commission has authority to regulate unfair acts or practices that injure the public, regardless of whether they injure one’s competitors. According to the Commission, the statutory delegation is intentionally broad, giving FTC discretionary authority to define unfair practices on a flexible, incremental basis. For these and other reasons, the administrative action against LabMD would proceed.

Having failed to get the case dismissed, LabMD sought relief from the federal courts to no avail. On January 20, 2015, the U.S. Court of Appeals for the Eleventh Circuit dismissed LabMD’s suit for lack of subject-matter jurisdiction. The court explained that it lacked the power to decide LabMD’s claims in the absence of final agency action. FTC had filed a complaint and issued an order denying LabMD’s motion to dismiss. But neither was a reviewable agency action because neither represented a “consummation of the agency’s decision-making process.” Moreover, “no direct and appreciable legal consequences” flowed from the actions and “no rights or obligations had been determined” by them.

LabMD can challenge FTC’s data-security jurisdiction only after the Commission’s proceedings against it are final. That may well be too late. As a result of FTC’s enforcement action, the company was forced to wind down its operations more than a year ago.

LabMD is one of very few companies to test FTC’s data-security jurisdiction. In 2007, a federal court in Wyoming sided with FTC in holding that the defendant’s unauthorized disclosure of customer phone records was an unfair trade practice in violation of the FTCA. The Tenth Circuit affirmed that decision on appeal.

More recently, a district court in New Jersey gave FTC a preliminary victory against Wyndham Worldwide Corporation. In that case, the court held that FTC’s unfairness jurisdiction extends to data-security practices that meet the three-factor test under Section 5(n). That decision is currently on appeal before the Third Circuit. During oral argument on March 3rd, the three-judge panel signaled little doubt that FTC has authority to regulate unreasonable cybersecurity practices. Instead, the panel was concerned with how the Commission exercises that authority—specifically, whether and how it has given notice as to what data security measures are considered to be “unfair.”

posted in:
Cybersecurity
Feb 20
2015

Employers Running Background Checks: Top 10 Tips to Avoid Joining the Fair Credit Reporting Act Litigation “Club”

Human resources and CRM

What do Whole Foods, Chuck E. Cheese, Michael’s Stores, Dollar General, Panera, Publix, and K-Mart have in common?  Each of these companies has faced lawsuits (including class actions) under the Fair Credit Reporting Act (“FCRA”).  Although Congress passed the FCRA way back in 1970 and litigation has focused on credit reporting agencies’ duties under the law, class action plaintiff firms have recently focused on the FCRA’s employer-related provisions.  Several large settlements (such as Publix’s $6.8 million class action settlement, Dollar General’s $4 million, and K-Mart’s $ 3 million) have spurred further litigation.  While some of the alleged FCRA violations may appear minor or technical in nature, these “technical violations” still result in costly lawsuits.  Employers should re-familiarize themselves with the FCRA to avoid becoming class action defendants.

The FCRA’s Employer-Related Provisions

Many employers understandably want to conduct background checks on prospective employees, or current employees who may be obtaining new responsibilities or accessing sensitive information.  In particular, companies in the retail and restaurant sectors, whose employees have access to cash receipts and credit card account numbers, want to guard against employees whose background checks may reveal issues of concern.  Further, organizations whose employees enter homes and businesses (such as service providers – e.g., carpet cleaners, plumbers, contractors) have additional concerns about potential liability.

The FCRA is usually thought of as a federal law that regulates consumer reporting agencies, like credit bureaus.  However, the FCRA also prescribes certain requirements for employers who use consumer reports.  The FCRA broadly defines the term “consumer reports” as information prepared by a consumer reporting agency “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for—credit or insurance to be used primarily for personal, family, or household purposes; employment purposes” or other permitted purposes. This definition draws in more than a traditional credit report. It can include driving records, civil lawsuits, and reference checks, among other information.

Disclosure and Consent

Employers may not obtain a consumer report from a consumer reporting agency unless they first make a “clear and conspicuous” written disclosure to the prospective employee/employee.  The disclosure document must consist “solely” of the disclosure that a consumer report may be obtained.  The job applicant/employee must provide written permission for the employer to obtain a consumer report.  The FTC has indicated the disclosure form may include a signature line for the individual’s consent.  (In 2001, the FTC also issued an opinion letter stating it believes such consent can be obtained electronically, consistent with the federal E-Sign law).  The employer further certifies to the consumer reporting agency that is has a permissible purpose for the report and that it has complied with the FCRA and applicable equal opportunity laws.

These steps sound simple enough, however, litigation has ensued based upon employers’ alleged failures to comply.  For instance, in the Whole Foods case in federal court in California, the plaintiffs claim the online application process included a liability waiver in the disclosure form for the background check, allegedly violating the FCRA requirement that a disclosure form not include other information.  In a separate case in federal court in Florida involving retailer Nine West, the plaintiff alleges he did not receive a separate form, and that the background check authorization was on a web page with various other types of information.

Adverse Action Based on Report

If the employer intends to take “adverse action” against the prospective employee/employee (based even in part on the information in the report), the FCRA requires the employer to follow certain additional steps. The term “adverse action” includes “a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee.”

Before the employer takes the adverse action, it must provide a “pre-adverse action” notice to the affected person. This notice must include a copy of the consumer report and a statutory “Summary of Rights.” (This is an updated form, required since January 2013 by the new Consumer Financial Protection Board, which now has responsibility for FCRA rulemaking).  The purpose of this notice requirement is to permit the individual to discuss the report with the employer before the employer implements the adverse action.

Next, if the employer intends to take the adverse action, the FCRA requires the employer to provide an adverse action notice to the individual.  This notice must contain certain information, including:this is a test one

 bulletthe name, address, and telephone number of the consumer reporting agency that provided the report;

 bulleta statement that the consumer reporting agency did not make the adverse decision and is not able to explain why the decision was made;

bulleta statement setting forth the applicant’s or employee’s right to obtain a free disclosure of his or her report from the consumer reporting agency if the individual      requests the disclosure within 60 days; and

bulleta statement regarding the individual’s right to dispute directly with the consumer reporting agency the accuracy or completeness of any information contained in the       report.

In a case involving Domino’s Pizza employees, the company settled a class action that included allegations that it took adverse employment actions against certain individuals based on information contained in consumer reports without providing those individuals the required notice and a copy of such reports in advance.  K-Mart settled a class action suit based upon allegations that the statement of consumer rights provided to individuals after a background check contained outdated disclosures, among other alleged FCRA failures.

Liability and Enforcement

Plaintiffs can pursue a private right of action against employers for negligently or willfully violating the FCRA.  Claims regarding negligent violations allow actual damages and reasonable attorneys’ fees and costs.  Willful violations can result in actual damages or statutory damages ranging between $100 and $1,000, plus punitive damages and attorneys’ fees and costs.  The Federal Trade Commission (“FTC”) has also brought actions against employers for FCRA violations.

10 Steps to Avoid Becoming a FCRA Defendant When Using Employment Background Checks

1.       Review your current background check practices for prospective and current employees, including any online application materials.

2.      Review disclosure/consent forms for compliance. Ensure you are presenting applicants or current employees with a simple, one page disclosure form. The form should inform individuals that you intend to obtain a consumer report for employment purposes.

3.      You must obtain consent from the prospective employee/employee. You may include a line on the disclosure form for the individual to acknowledge and grant consent.  Do not include other material, such as liability waivers, confirmation of at-will employment, or seek other consents.

4.      If your application process is online, ensure the disclosure/consent is displayed separately, on one screen, without other content.

5.      If you intend to conduct background checks periodically during an individual’s employment, state that in the disclosure and consent form.

6.      Do not seek consent verbally. FCRA requires “written” consent (though FTC has stated it may be electronic).

7.      Maintain backup of the disclosure and consent forms for at least 5 years from the date they were provided. (Lawsuits must be brought by the earlier of two years after the date of the plaintiff’s discovery of the violation, or five years after the date on which the violation occurred).

8.      If you intend to take adverse action based on information in the consumer report, you should be providing the individual with a pre-adverse action notice, a copy of the consumer report, and the “Summary of Rights.” Ensure you are using the most updated “Summary of Rights.”

9.      You should wait a reasonable amount of time (at least 5 days) before issuing an adverse action notice. Your company’s adverse action notice must contain the information required under the FCRA (see bulleted information, above).

10.    Check state law regarding background checks for the states in which you operate/solicit employees. Some states have similar requirements to FCRA; others may further restrict the types of information you can request.

 

*                                  *                                  *

The FTC/EEOC have issued a joint statement on background checks.  While many employers need to conduct background checks to avoid liability and risks to their businesses, employers also need to follow the FCRA’s mandates to avoid the deep end of litigation “pool.”

posted in:
Privacy
Jan 28
2015

International Data Privacy Day: Our Top 10 Data Privacy Tips

iStock_000052810800_Large

It’s International Data Privacy Day!  Every year on January 28, the United States, Canada and 27 countries of the European Union celebrate Data Privacy Day.  This day is designed to raise awareness of and generate discussion about data privacy rights and practices.  Indeed, each day new reports surface about serious data breaches, data practice concerns, and calls for legislation.  How can businesses manage data privacy expectations and risk amid this swirl of activity?

Here, we share some tips from our firm’s practice and some recent FTC guidance.  We don’t have a cake to celebrate International Data Privacy Day but we do have our “Top 10 Data Privacy Tips”:

1. Review Your Organization’s Privacy Policy. Remember that privacy policy you had counsel prepare a few years ago?  It’s a good time to review it and assess whether it still reflects company practices.  What kind of personal information does your company collect? How does it move through your business?  How is it shared?  Has your organization’s policy on sharing personal information changed?  Does the privacy policy reflect legal changes in the states where you operate?  Privacy policies are not meant to be stagnant documents.  You should review them at least twice a year to ensure they are accurate. Even something as simple as the privacy officer’s contact information may need an update.

2. Do What You Say.  When you post a privacy policy, you are committing to the practices in the policy.  If your policy says “we will never share your information with third party marketers” – then you shouldn’t be sharing with third party marketers.  Common sense?  Yes, but companies have faced enforcement actions and litigation for pledging to “never share” when they did share.  Other companies like Snapchat settled with the FTC over statements in their privacy policies concerning how their apps operate and secure information that the FTC claimed were not true. Privacy policies should carve out disclosures for sharing information where sharing is likely to take place, such as in response to legal process, like a court order.  We also recommend a carve out in the event of a sale or reorganization of the business or of its assets. Other carve-outs may be warranted.

3. Ensure Your U.S.-E.U. Safe Harbor Is Up-to-Date. Last year, the FTC took action against several companies, including the Atlanta Falcons and Level 3 Communications, for stating in their privacy policies that they were U.S.-E.U. Safe Harbor Certified by the U.S. Department of Commerce when, in fact, the companies had failed to keep their certification current by reaffirming their compliance annually. While your organization is not required to participate in Safe Harbor, don’t say you are Safe Harbor Certified if you haven’t filed with the U.S. Department of Commerce. And, remember that your company needs to reaffirm compliance annually, including payment of a fee.  You can check your company’s status here.

4. Understand Your Internal Risks. We’ve said this before – while malicious breaches are certainly out there, a significant percentage of breaches (around 30 percent, according to one recent study) occurs due to accidents or malicious acts by employees.  These acts include lack of firewalls, lack of encryption on devices (such as laptops and flash drives), and failing to change authentications when employees leave or are terminated.  Many data breaches are While you are at it, review who has access to confidential information and whether proper restrictions are in place.

5. Educate Your Workforce. While today is International Data Privacy Day, your organization should educate your workforce on privacy issues throughout the year. Depending on the size of the company and the type of information handled (for instance, highly sensitive health information versus standard personal contact details), education efforts may vary. You should review practices like the confidentiality of passwords, creating a secure password and changing it frequently, and avoiding downloading personal or company sensitive information in unsecured forms.  Just last week, a security firm reported that the most popular passwords for 2014 were “123456” and “password.”  At a minimum, these easily guessed passwords should not be allowed in your system.

6. Understand Specific Requirements of Your Industry/Customers/ Jurisdiction. Do you have information on Massachusetts residents?  Massachusetts requires that your company have a Written Information Security Program.  Does your company collect personal information from kids under 13?  The organization must comply with the federal Children’s Online Privacy Protection Act and the FTC’s rules.  The FTC has taken many actions against companies deemed to be collecting children’s information without properly seeking prior express parental consent.

7. Maintain a Data Breach Response Plan. If there were a potential data breach, who would get called?  Legal?  IT?  Human Resources?  Public relations?  Yes, likely all of these. The best defense is a good offense – plan ahead.  Representatives from in-house and outside counsel, IT/IS, human resources, and your communications department should be part of this plan. State data breach notification laws require prompt reporting. Some companies have faced lawsuits for alleged “slow” response times.  If there is potential breach, your company needs to gather resources, investigate, and if required, disclose the breach to governmental authorities, affected individuals, credit reporting agencies, etc.

8. Consider Contractual Obligations. Before your company commits to data security obligations in contracts, ensure that a knowledgeable party, such as in-house or outside counsel, reviews these commitments.  If there is a breach of a contracting party’s information, assess the contractual requirements in addition to those under data breach notification laws. The laws generally require notice to be given promptly when a company’s data is compromised while under the “care” of another company. On the flip side, consider the service providers your company uses and what type of access the providers have to sensitive data. You should require service providers to adhere to reasonable security standards, with more stringent requirements if they handle sensitive data.

9. Review Insurance Coverage. While smaller businesses may think “we’re not Target” and don’t need cyber insurance, that’s a false assumption. In fact, smaller businesses usually have less sophisticated protections and can be more vulnerable to hackers and employee negligence.  Data breaches – requiring investigations, hiring of outside experts such as forensics, paying for credit monitoring, and potential loss of goodwill – can be expensive. Carriers are offering policies that do not break the bank. Cyber insurance is definitely worth exploring.  If you believe you have coverage for a data incident, your company should promptly notify the carrier. Notice should be part of the data breach response plan.

10. Remember the Basics! Many organizations have faced the wrath of the FTC, state attorneys general or private litigants because the companies or its employees failed to follow basic data security procedures. The FTC has settled 53 data security law enforcement actions. Many involve the failure to take common sense steps with data, such as transmitting sensitive data without encryption, or leaving documents with personal information in a dumpster. Every company must have plans to secure physical and electronic information. The FTC looks at whether a company’s practices are “reasonable and appropriate in light of the sensitivity and amount of consumer information you have, the size and complexity of your business, and the availability and cost of tools to improve security and reduce vulnerabilities.” If the FTC calls, you want to have a solid explanation of what you did right, not be searching for answers, or offering excuses.  Additional information on the FTC’s guidance can be found here.

*                            *                            *

 Remember, while it may be International Data Privacy Day, data privacy isn’t a one day event. Privacy practices must be reviewed and updated regularly to protect data as well as enable your company to act swiftly and responsively in the event of a data breach incident.

Nov 19
2014

Celebrity Endorsements, Online Poker and the FTC

celebrity igaming

Last week, without much attention, four new regulations affecting online gaming operations in New Jersey became effective under the authority of the Division of Gaming Enforcement. The rules include changes to directives on funding from social games, requirements for exclusivity, and operator server locations.

However, the fourth rule is an addition which deals specifically with celebrity endorsements. What is most notable about this tenet is not the content, but the fact that regulators in New Jersey believe that iGaming will soon become an industry that uses celebrities to promote and market itself to consumers.

Because we’re lawyers, here is the actual language of Rule 13:69O-1.4 (u.):

Internet gaming operators may employ celebrity or other players to participate in peer to peer games for advertising or publicity purposes. Such players may have their accounts funded in whole or in part by an Internet gaming operator. An Internet gaming operator may pay a fee to the celebrity player. If a celebrity player is employed and the celebrity player generates winnings which he or she is not permitted to retain, such winnings shall be included as Internet gaming gross revenue in a manner approved by the Division.

It may be argued that the word “celebrity” is being used loosely in this context, as there isn’t exactly a line of blockbuster A-listers or superstar athletes waiting for their chance to be the face of online poker. Yet the addition of this specific provision importantly points to the fact that the Gaming Division not only anticipates a future where iGaming will carry big name endorsers, but that it wants to encourage effective advertising and publicity for the industry, which has had a slow start in its first year since becoming legal in the state.

Regulators looking to update this rule in the future should consider adding language geared toward consumer protection – namely, prohibitions against the use of celebrity endorsements in a deceptive or misleading manner.  Last year, the FTC updated its advertising guidelines to account for the use of celebrity endorsements in advertising, specifically in the context of paid social media endorsements.  Those guidelines provide, among other things, that celebrity endorsements must be truthful and accurately reflect the opinions of the celebrity, that paid celebrity endorsements must be adequately disclosed, and that the celebrity be a bona fide user of the product or services he/she is endorsing.

These guidelines should equally be applied by regulators in the context of iGaming, where increased competition, as more operators come on board, may lead operators to one up each other by throwing money at celebrities to endorse their games.  The key to effective iGaming regulation is not just limited to overseeing how the game is played, but also to ensuring that the operators don’t play games that would unfairly hurt the competition and mislead the playing public.  Updating these regulations so they are more inline with the FTC’s advertising guidelines will further these goals.

Oct 03
2014

School Scams: FTC Cracks Down on Florida Online Diploma Mills

3d man online school graduate concept

Online diploma mills, which require little or no coursework to complete a degree have recently garnered much attention within the online education realm.  Websites which offer questionable diplomas for hundreds of dollars target vulnerable consumers seeking a degree to improve their life prospects, while simultaneously casting a shadow over legitimate online educational institutions which offer accredited programs and a complete educational experience including coursework, teacher interaction, and grading.  In the latest crackdown on online diploma mills, the Federal Trade Commission obtained a temporary restraining order against Diversified Educational Resources, LLC and Motivational Management & Development Services, Ltd., companies which generated millions of dollars by selling worthless high school diplomas to thousands of consumers.

According to the allegations of the FTC’s complaint, the defendants have been operating purported online education sites since 2006, under the names Jefferson High School Online and Enterprise High School Online. The FTC alleges that the websites misleadingly represent that these are accredited schools by saying that the defendants “[p]rovide a respected and recognized high school diploma equivalency program,” that students completing the program will be “high school graduates,” and that the schools are registered with the Florida Department of Education.  While the latter statement is technically true, the websites do not reveal that registering with Florida’s School Choice Program does not mean that the programs are accredited but rather, according to the complaint, registration is merely a “ministerial act, based solely on their own self-reported answers to Florida’s annual private school survey” which the Florida Department of Education does not verify. The truth of the accreditation status can only be found buried in dense paragraphs of text, in which the defendants note that they are “actively pursuing accreditation options” although they have not applied for any yet.

Consumers paid $200 to $300 to register on the websites.  Those fees did not entitle them to any coursework, education, or test preparation.  Rather, customers were immediately prompted to take a “test,” which was nearly impossible to fail because the websites provided hints to ensure that customers passed.   After passing the test, customers received diplomas bearing the name “Jefferson High School Online” or “Enterprise High School Online.”

The “diplomas” that the defendants issued to customers were useless, according to the FTC.  Many customers learned that their diplomas were invalid after unsuccessfully attempting to use them to apply to jobs, enroll in college, or join the military.  Further, unsatisfied customers who sought a refund were refused, according to the FTC.  Through this scam, the complaint says, the defendants collected over $11 million since 2009 without providing a real education product or service.

The U.S. District Court for the Southern District of Florida issued a temporary restraining order and asset freeze in response to these allegations, suspending the domain names and prohibiting any material misrepresentations regarding online education.  The case remains pending in the Southern District of Florida and the defendants’ responsive pleadings are due in October.

Sep 04
2014

Federal Trade Commission Checks Out Mobile Shopping Apps

Happy young Asian woman shopping.

In August, the Federal Trade Commission (“FTC”) released a staff report concerning mobile shopping applications (“apps”).  FTC staff reviewed some of the most popular apps consumers utilize to comparison shop, collect and redeem deals and discounts, and pay in-store with their mobile devices.  This new report focused on shopping apps offering price comparison, special deals, and mobile payments. The August report is available here.

Popularity of Mobile Shopping Apps/FTC Interest

Shoppers can empower themselves in the retail environment by comparison shopping via their smartphones in real-time.  According to a 2014 Report by the Board of Governors of the Federal Reserve System, 44% of smartphone owners report using their mobile phones to comparison shop while in retail store, and 68% of those consumers changed where they made a purchase as a result.  Consumers can also get instant coupons and deals to present at checkout.  With a wave of a phone at the checkout counter, consumers can then make purchases.

While the shopping apps have surged in popularity, the FTC staff is concerned about consumer protection, data security and privacy issues associated with the apps. The FTC studied what types of disclosures and practices control in the event of unauthorized transactions, billing errors, or other payment-related disputes.  The agency also examined the disclosures that apps provide to consumers concerning data privacy and security.

 Apps Lack Important Information

FTC staff concluded that many of the apps they reviewed failed to provide consumers with important pre-download information.  In particular, only a few of the in-store purchase apps gave consumers information describing how the app handled payment-related disputes and consumers’ liability for charges (including unauthorized charges).

FTC staff determined that fourteen out of thirty in-store purchase apps did not disclose whether they had any dispute resolution or liability limits policies prior to download.  And, out of sixteen apps that provided pre-download information about dispute resolution procedures or liability limits, only nine of those apps provided written protections for users.  Some apps disclaimed all liability for losses.

Data Security Information Vague

FTC staff focused particular attention on data privacy and security, because more than other technologies, mobile devices are personal to a user, always on, and frequently with the user. These features enable an app to collect a huge amount of information, such as location, interests, and affiliations, which could be shared broadly with third parties.  Staff noted that, “while almost all of the apps stated that they share personal data, 29 percent of price comparison apps, 17 percent of deal apps, and 33 percent of in-store purchase apps reserved the right to share users’ personal data without restriction.”

Staff concluded that while privacy disclosures are improving, they tend to be overly broad and confusing. In addition, app developers may not be considering whether they even have a business need for all the information they are collecting.  As to data security, staff noted it did not test the services to verify the security promises made.  However, FTC staff reminded companies that it has taken enforcement actions against mobile apps it believed to have failed to secure personal data (such as Snapchat and Credit Karma).  The report states, “Staff encourages vendors of shopping apps, and indeed vendors of all apps that collect consumer data, to secure the data they collect.  Further those apps must honor any representations about security that they make to consumers.”

FTC Staff Recommends Better Disclosures and Data Security Practices

The report urges companies to disclose to consumers their rights and liability limits for unauthorized, fraudulent, or erroneous transactions.  Organizations offering these shopping apps should also explain to consumers what protections they have based on their methods of payment and what options are available for resolving payment and billing disputes.  Companies should provide clear, detailed explanations for how they collect, use and share consumer data.  And, apps must put promises into practice by abiding by data security representations.

Consumer Responsibility Plays Role, Too

Importantly, the FTC staff report does not place the entire burden on companies offering the mobile apps. Rather, FTC staff urge consumers to be proactive when using these apps.  The staff report recommends that consumers look for and consider the dispute resolution and liability limits of the apps they download.  Consumers should also analyze what payment method to use when purchasing via these apps. If consumers cannot find sufficient information, they should consider an alternative app, or make only small purchases.

While a great “deal” could be available with a click on a smartphone, the FTC staff urges consumers to review available information on how their personal and financial data may be collected, used and shared while they get that deal.  If consumers are not satisfied with the information provided regarding data privacy and security, then staff recommends that they choose a different app, or limit the financial and personal financial data they provide.  (Though that last piece of advice may not be practical considering most shopping apps require a certain level of personal and financial information simply to complete a transaction).

Deal or No Deal?  FTC Will be Watching New Shopping Apps

               FTC Staff has concerns about mobile payments and will continue to focus on consumer protections.  The agency has taken several enforcement actions against companies for failing to secure personal and payment information and it does not appear to be slowing down.  While the FTC recognizes the benefits of these new shopping and payment technologies, it is also keenly aware of the enormous amount of data obtained by companies when consumers use these services. Thus, companies should anticipate that the FTC will continue to monitor shopping and deal apps with particular attention on disclosures and data practices.

Aug 14
2014

$3.5 Million Cactus Juice Settlement Should be a Warning to Advertisers

iStock_000038945684Small

In this health-conscious age, consumers are always on the lookout for new products which will improve wellness and quality of life.  Marketers attuned to this trend may be tempted to increase sales by extolling the virtues of their products, even if health claims are unsubstantiated by scientific testing.  A recent FTC case, however, demonstrates the price that advertisers pay for overstating health claims.

The FTC filed a case against TriVita Inc., a dietary supplement company, for its marketing of the Nopalea cactus juice drink.  The beverage was widely advertised in television infomercials and online as an “anti-inflammatory wellness drink.”  Nopalea includes juice from the nopal cactus, also known as the “prickly pear.” TriVita’s “Chief Science Officer” stated that the nopal cactus is proven to reduce inflammation, which he linked to Alzheimer’s disease, allergies, diabetes, and heart disease.  TriVita sold each 32-ounce bottle of Nopalea for $39.99, plus shipping and handling.

According to the FTC’s complaint, the Nopalea infomercial was one of the most frequently aired commercials in the United States. The ads stated that the juice would relieve pain, reduce swelling in joints and muscles, and improve breathing.  Infomercials featured “customer testimonials” in which individuals stated that Nopalea helped relieve them of symptoms of a wide variety of conditions, including inflammation, chronic pain, respiratory conditions, and skin conditions.  However, the FTC alleged that these individuals were paid for their endorsements, a fact not sufficiently disclosed in the advertisements.  When customers called the toll-free number advertised, sales representatives told customers that Nopalea would make them “pain-free,” according to the FTC’s complaint.  The health representations had not been substantiated with scientific studies at the time they were made.

The FTC filed its complaint and request for permanent injunction on July 10, 2014.  On July 11, the FTC filed a stipulated settlement order in which TriVita agreed to forfeit $3.5 million to the FTC. The order prohibits the defendants from marketing Nopal cactus products using unsubstantiated or misleading health claims, and from using paid endorsers unless any material connection between the individual and the company is clearly and prominently disclosed.

The multi-million dollar settlement in this case should serve as a warning to marketers who are tempted to overstate health claims in order to generate traffic and sales.  The FTC takes health claims seriously and reviews health-related ads with extra scrutiny, so specific claims should only be made when supported by solid, scientific proof, and any paid testimonials should be clearly disclosed.  As the cactus juice company learned, failure to comply with these standards will lead to a prickly situation.

 

 

Jun 24
2014

Disappearing Act Fails – Maryland Attorney General and FTC “snap” back at Snapchat

Recently, the Maryland Attorney General’s Office announced that it reached a settlement with Snapchat, Inc. over alleged deceptive trade practices in violation of Maryland law and violations of federal laws that are intended to protect children’s online privacy.  This is another reminder that state attorneys general’s offices will continue to be vigilant in addressing consumer privacy issues under both state and federal laws, when the federal laws permit state attorney general action.

Snapchat is a photo and video messaging app that allows users to take photos and videos, add text and drawings, and send them to selected contacts.  The sent images are commonly referred to as “snaps” and users can set a time limit of up to ten seconds for how long the image will be visible to the contact.  According to Snapchat, its app’s users were sending 700 million photos and videos per day in May 2014.

Maryland’s Attorney General asserted that Snapchat misled consumers when it represented that snaps are temporary and disappear after they are opened by a recipient.  The Attorney General claimed that, in fact, the snaps could be copied or captured by recipients.  Additionally, the Maryland Attorney General alleged that Snapchat collected and maintained the names and phone numbers from contact lists on consumers’ electronic devices, which was a practice that Snapchat had not always disclosed to consumers and to which consumers did not always consent.  Lastly, the Attorney General alleged that Snapchat was aware that some users were under the age of 13, but it failed to comply with the federal Children’s Online Privacy Protection Act (“COPPA”), when it collected personal information from children without verifiable parental consent.  COPPA has a provision that empowers state attorneys general to bring enforcement actions under the statute on behalf of residents of their states.

Snapchat agreed to pay the state of Maryland $100,000 to settle this case.  Additionally, as part of its settlement, Snapchat agreed to not make false representations or material omissions in connection with its app.  Furthermore, Snapchat is specifically enjoined from misrepresenting the temporary nature of the snaps and must disclose to users that recipients of snaps have the ability to copy the image they receive.  Snapchat must also obtain affirmative consent from consumers before it collects and saves any contact information.  In response to the COPPA allegations, Snapchat agreed to comply with COPPA for a period of ten years and to take specific steps to ensure that children under the age of 13 are not creating Snapchat accounts.

Snapchat has faced other actions as well.  Last month, Snapchat reached a settlement with the Federal Trade Commission (“FTC”) on charges that it deceived consumers with promises about the disappearing nature of messages sent through the service.  According to the FTC, Snapchat promised users that messages and images sent through the app would self-destruct and disappear in ten seconds or less despite there being ways for recipients to save the snaps.  The FTC case also alleged that Snapchat told users that it did not collect information about their location when one version of the app did collect location information.

The FTC case did not include any accusation of violating COPPA, nor did it include any financial penalty. As part of the settlement, Snapchat agreed to implement privacy programs that will be subject to monitoring for 20 years and agreed not to misrepresent the confidentiality, privacy, and security of user information.  Snapchat is also prohibited from misrepresenting how it maintains the privacy and confidentiality of user agreements.

On its official blog, Snapchat emphasized that its app does not retain users’ snaps and that both investigations largely revolved around how well users understood that recipients of their snaps could save their snaps.  In response to the COPPA claims, Snapchat pointed out that its terms of service have always provided that the app is intended for users who are 13 years of age or older and has instituted controls to ensure it.

Mobile app companies need to be aware of the fact that they are being closely monitored by both the FTC and state attorneys general offices.  In particular, any claim made by an app about consumer privacy may be scrutinized by regulators.  Companies need to be prepared to justify their claims and must be forthcoming about any data that is collected from consumers.  In other words:  if you say you do something then you need to do it; if you say that you do not do something, do not do it.  Your company does not want the FTC or a state attorney general “snapping” at your privacy practices.

posted in:
Privacy
Connect with Us Share

About Ifrah Law

FTC Beat is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, health care, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen and George Calhoun, counsels Jeff Hamlin and Drew Barnholtz, and associates Rachel Hirsch, Nicole Kardell, Steven Eichorn, David Yellin, and Jessica Feil. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!

Visit the Ifrah Law Firm website

Popular Posts