FTC Beat
Posts Tagged ‘Michelle Cohen’
Apr 05
2016

Wells Fargo Learns That Recording Calls In California Can Be Costly

iStock_000050698192_Small

In the past few years, many organizations such as Capital One, Bass Pro Outdoor, and the Cosmopolitan Hotel have faced class actions alleging violations of California’s call recording law.  This week, California’s Attorney General demonstrated that her office, working with state prosecutors, will also vigorously enforce the law under the state’s criminal statutes.  Attorney General Harris announced an $8.5 million dollar settlement with Wells Fargo Bank, N.A. over the alleged failure to provide call recording announcements to California consumers.

The complaint alleged violations of Sections 632 and 632.7 of California’s Penal Code, including the purported failure of Wells Fargo’s employees to “timely and adequately disclose the recording of communications with members of the public.”  These laws form part of California’s Invasion of Privacy Act. Section 632 makes it illegal to eavesdrop (monitor) or record a “confidential communication” without the consent of all parties. The statute defines a “confidential communication” as including “any communication carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto.“ The law specifically excludes communications in circumstances “in which the parties to the communication may reasonably expect that the communication may be overheard or recorded. “ Section 632.7 bars the recording of cell phone conversations, without the consent of all parties.

Wells Fargo Bank settled the case, agreeing in a stipulated judgment to the $8.5 million settlement and certain compliance requirements.  Specifically, Wells Fargo must make a “clear, conspicuous, and accurate disclosure” to any consumer in California of the fact that Wells Fargo is recording the call.  The settlement requires that this disclosure occur “immediately at the beginning” of the call, but allows Wells Fargo to precede the disclosure with an introductory greeting identifying the customer service representative and the entity on whose behalf the call is made (presumably, a Wells Fargo-affiliated entity). Wells Fargo also committed to a compliance program for one year and periodic internal testing of its employees’ and agents’ compliance with the call disclosure requirement.  The bank agreed to appoint an officer or supervisor with specific oversight responsibility for compliance with the settlement obligations.  Within a year following the stipulated judgment, Wells Fargo must provide the Attorney General with a report summarizing the testing.

Interestingly, the Attorney General previously pursued a similar action against home improvement platform Houzz Inc. for allegedly failing to notify all parties of its recording of incoming and outgoing telephone calls.  In that case, Houzz agreed to appoint a Chief Privacy Officer to oversee Houzz’s compliance, a first for a California Department of Justice settlement.

As we have advised before, all organizations recording calls – whether inbound or outbound – should immediately disclose to called parties that the call is being recorded.  The disclosure should occur at the outset of the call.  One type of introduction could be, “This is Michelle, calling on behalf of XYZ Company. This call is being recorded and/or monitored.”  Some companies may wish to announce the option of a non-recorded line, available via a key press. It is also important to time the recording to begin after the announcement, to avoid potential liability based on even a few seconds of a recorded call before an announcement is given.

A few important reminders are worth repeating:

  • The announcement requirement applies to inbound and outbound calls, including requested return calls.
  • Recording announcements apply to all types of calls – not just sales calls.
  • Maintain proof of the announcement.
  • Implement a short, written call recording policy.
  • Train customer service representatives to understand the call recording policies.
  • Periodically “test” call recording procedures.
  • Promptly investigate any call recording complaints and take appropriate corrective action.
  • Have customer service representatives sign an acknowledgment that they understand they are being monitored and/or recorded.

The recording of customer service and other calls is an important component to prevent fraud, fulfill legal requirements and augment customer service, among other reasons. Companies can implement call recording effectively, but must comply with announcement requirements and should take proactive measures, such as training and testing, to protect against civil and criminal liability and to safeguard consumer goodwill.

Sep 16
2015

TCPA Trouble Continues: FCC Slams Lyft and First National Bank for Terms of Service Requiring Consent

Profile shot of male exhausted trader with head in hands leaning at computer desk in office

Most of the attention involving the Telephone Consumer Protection Act (“TCPA”) has centered on the stream of class actions around the country. It is important to remember that the Federal Communications Commission (“FCC”) and state attorney generals can, and do, enforce the TCPA. In fact, the FCC recently issued citations to Lyft, the ride-sharing service, and First National Bank (“FNB”). Under the Communications Act, before the FCC may issue monetary penalties against a company or person that does not hold an FCC license or authorization, it must first issue a citation warning the company or person.

The TCPA requires prior express written consent for telemarketing calls/texts to mobile phones utilizing an autodialer or prerecorded call and for prerecorded telemarketing calls to residential lines. FCC rules mandate that the “prior written consent” contain certain key features. Among these requirements is the disclosure informing the consenting person that “the person is not required to sign the agreement – directly or indirectly – or agree to enter into an agreement as a condition of purchasing any property, goods, or services.”

For years, the FCC focused on actual consumer complaints of having received telemarketing calls/texts without the required prior express written consent. Interestingly, here, the FCC did not allege that either Lyft or FNB sent texts/robocalls without the required consent. The FCC’s accompanying press release indicates that its Enforcement Bureau initiated the two investigations after becoming aware of “violative provisions in those companies’ service agreements.” The citations issued to Lyft and FNB, along with recent correspondence by the FCC to Paypal concerning similar issues, represent new FCC attention on terms/conditions of service in the TCPA context, particularly on “blanket take it or leave it” agreements. The FCC Enforcement Bureau Chief, Travis LeBlanc, put all companies on notice, urging “any company that unlawfully conditions its service on consent to unwanted marketing calls and texts to act swiftly to change its policies.” The FCC directed Lyft and FNB to take “immediate steps” to comply with FCC rules and the TCPA – presumably meaning that the companies should immediately revise their terms and practices.

Lyft Citation

According to the FCC, Lyft’s terms require customers to expressly consent to receive communications from Lyft to customer’s mobile numbers, including text messages, calls, and push notifications. The messages could include Lyft-provided promotions and those of third party partners. The terms advise customers that they can opt-out by following the “unsubscribe” option, and that customers are not required to consent to receive promotional messages as a condition of using the Lyft platform or the services.

However, the FCC found that contrary to Lyft’s terms of service, Lyft does not actually provide “unsubscribe options” for consumers. If a consumer independently searches and gets to Lyft’s “help center,” the only option to opt-out subsequently prevents consumers from using Lyft’s service. Thus, per the FCC, “Lyft effectively requires all consumers to agree to receive marketing text messages and calls on their mobile phones in order to use services.”

The FCC concluded that while Lyft’s terms of service stated that consumers were not required to consent as a condition to using Lyft, in actuality, consumers could not refuse consent and remain Lyft users. Thus, the FCC cited Lyft, warning that it would be liable for any advertising text messages for which it did not collect proper, prior express written consent. The agency further stated that it would continue to monitor Lyft’s practices.

FNB Citation

In FNB’s investigation, the FCC noted that consumers wishing to use FNB’s online banking services are required to agree to receive text messages and emails for marketing purposes at consumer-provided phone numbers. FNB customers wishing to enroll in the Apply Pay service are similarly required to consent to receive marketing-related text messages and emails. The FCC objected to FNB requiring consumers to agree to receive marketing text messages in order to use the online banking and Apple Pay services, and failing to inform consumers that they have the option to refuse consent. The agency reiterated that under FCC rules, prior express written consent to receive telemarketing messages requires that, among other things, consumers receive a clear and conspicuous disclosure informing the consumer of his or her right to refuse to provide consent.

Our Recommendations

When it comes to autodialed/prerecorded telemarketing calls and texts to mobile phones and prerecorded telemarketing calls to residential lines, companies need to be diligent in ensuring they have proper, defensible prior express written consent. The FCC’s citations to Lyft and FNB make clear that organizations may not rely on blanket mandatory opt-in agreements. While it may be acceptable to seek consent in terms of service, consumers must be informed of their opt-out abilities, and must be able to access the opt-out and still use the service or make the purchase.

Companies should review their service agreements and the operational mechanisms to make sure consumers have information on opting-out. Further, any opt-out mechanisms must work as promised. A user’s opt-out should not block services/purchases. Of course, the best way to obtain consent is to seek a separate, prior express written consent in an agreement that contains all the required elements, as follows:

  • Is in writing (can be electronic);
  • Has the signature (can be electronic) of the person who will receive the advertisement/telemarketing calls or texts;
  • Authorizes the caller to deliver advertisements or telemarketing messages via autodialed calls, texts, or robocalls;
  • Includes the telephone number to which the person signing authorizes advertisements or telemarketing messages to be delivered;
  • Contains a clear and conspicuous disclosure informing the person signing that:
    • By executing the agreement, the person signing authorizes the caller to deliver ads or telemarketing messages via autodialed calls, texts or robocalls; and
    • The person signing the agreement is not required to sign the agreement (directly or indirectly) or agree to enter into such an agreement as a condition of purchasing any property, goods, or services.

As a reminder, the FCC repeatedly takes the position that the company claiming prior express written consent will bear the burden of providing that consent.

May 26
2015

Keeping Your Privacy Promises: Retail Tracking and Opt-Out Choices

No time for talking. Cropped image of beautiful young woman in pink dress holding shopping bags and mobile phone

As children, many of us were taught how important it is to “keep your word.” Similarly, it is black letter privacy law that if a company commits (for instance, in a privacy policy or in website statements) to certain actions or practices, such as maintaining certain security features or implementing consumers’ choices on opt-outs, the organization must abide by those practices. Many companies have faced the Federal Trade Commission’s (“FTC”) ire when the agency found the organizations’ practices failed to comport with their privacy promises. Recently, the FTC settled the first action against a retail tracking company, Nomi Technologies, Inc. (“Nomi”). The FTC alleged that Nomi mislead consumers with promises that it would provide an in-store mechanism for consumers to opt-out of tracking and that consumers would be informed when locations were utilizing Nomi’s tracking services. In fact, according to the FTC, Nomi did not provide an in-store opt-out and did not inform consumers of locations where the tracking services were used. This action signals that the FTC will continue to exert its jurisdiction over privacy practices it deems false or deceptive, including those occurring in emerging technologies like retail tracking.

The FTC’s complaint stated that Nomi’s technology (called its “Listen” service) allows retailers to track consumers’ movements through stores. The company places sensors in its clients’ stores, which collect the MAC addresses of consumers’ mobile devices as the devices search for WiFi networks. While Nomi “hashes” the MAC addresses prior to storage in order to hide the specific MAC addresses, the process results in identifiers unique to consumers’ mobile devices which can be tracked over time. Nomi provided its retail clients with aggregated information, such as how long consumers stayed in the store, the types of devices used by consumers, and how many customers had visited a different location in a chain of stores. Between January and September 2013, Nomi collected information on approximately 9 million mobile devices, according to the FTC’s complaint.

What Nomi did wrong, according to the FTC, was fail to honor its privacy policy which “pledged to…always allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.” Nomi presented an opt-out on its website, but (per the complaint), no option was available at retailers using Nomi’s service. The FTC also asserted that consumers were not informed of the tracking (contrary to the privacy policy promises). Thus, the FTC alleged that Nomi’s privacy promises were false because no in-store opt-out mechanism was available, nor were consumers informed when the tracking occurred.

Nomi’s settlement does not require any monetary payment but prohibits Nomi from misrepresenting the options through which consumers can exercise control over the collection, use, disclosure or sharing of information collected from or about them or their devices. The settlement also bars Nomi from misrepresenting the extent to which consumers will be provided notice about how data from or about a particular consumer or device is collected, used, disclosed or shared. Nomi is required to maintain certain supporting records for five years. As is typical with FTC consent orders, this agreement remains in force for 20 years.

What can companies learn from Nomi’s settlement, even those not in the retail tracking business?

  • While this is the first FTC action against a retail tracking company, the FTC has repeatedly stated that it will enforce the FTC Act and other laws under its jurisdiction against emerging as well as traditional technologies.
  • Consumers could opt-out on Nomi’s website by providing a MAC address in an online form. The FTC did not seem to have a problem with this part of Nomi’s practices. If Nomi had not promised that consumers could also opt-out at the retail locations, and that they would be notified of tracking, there would not have been an FTC action. In other words, it was Nomi’s words (in its privacy policy) that got it in hot water with the FTC. All companies should review their privacy policies regularly to make sure the language comports with their practices.  If you don’t do it, don’t say it.
  • The FTC noted that Nomi had about 45 clients. Most of those clients did not post a disclosure or notify consumers regarding their use of the Listen service, and Nomi did not mandate such disclosures by its clients. The FTC did not address what, if any, obligation, these businesses may have to make such disclosures. Will it become common/mandated to see a sign in a retail location warning that retail tracking via mobile phones is occurring (similar to signs about video surveillance)? One industry group’s self-regulatory policy requires retail analytics firms to take “reasonable steps to require that companies using their technology display, in a conspicuous location, signage that informs consumers about the collection and use of MLA [mobile location analytics] Data at that location.” This issue will become more prevalent as more retailers and other businesses use tracking technology.
  • Interestingly, the FTC brought this action even though traditional “personal information” was not collected (such as name, address, social security number, etc.). Organizations should not assume that collecting IP addresses, MAC addresses, or other less personalized information presents no issues. The FTC takes privacy statements seriously, whatever the information collected (though certainly there is more sensitivity toward certain categories such as health, financial, and children’s information).

The bottom line is “do what you say” when it comes to privacy practices. All companies should evaluate their privacy policies at least every six months to ensure that they remain accurate and complete, have working links (if any), and reflect a company’s current practices.

posted in:
Privacy
Feb 20
2015

Employers Running Background Checks: Top 10 Tips to Avoid Joining the Fair Credit Reporting Act Litigation “Club”

Human resources and CRM

What do Whole Foods, Chuck E. Cheese, Michael’s Stores, Dollar General, Panera, Publix, and K-Mart have in common?  Each of these companies has faced lawsuits (including class actions) under the Fair Credit Reporting Act (“FCRA”).  Although Congress passed the FCRA way back in 1970 and litigation has focused on credit reporting agencies’ duties under the law, class action plaintiff firms have recently focused on the FCRA’s employer-related provisions.  Several large settlements (such as Publix’s $6.8 million class action settlement, Dollar General’s $4 million, and K-Mart’s $ 3 million) have spurred further litigation.  While some of the alleged FCRA violations may appear minor or technical in nature, these “technical violations” still result in costly lawsuits.  Employers should re-familiarize themselves with the FCRA to avoid becoming class action defendants.

The FCRA’s Employer-Related Provisions

Many employers understandably want to conduct background checks on prospective employees, or current employees who may be obtaining new responsibilities or accessing sensitive information.  In particular, companies in the retail and restaurant sectors, whose employees have access to cash receipts and credit card account numbers, want to guard against employees whose background checks may reveal issues of concern.  Further, organizations whose employees enter homes and businesses (such as service providers – e.g., carpet cleaners, plumbers, contractors) have additional concerns about potential liability.

The FCRA is usually thought of as a federal law that regulates consumer reporting agencies, like credit bureaus.  However, the FCRA also prescribes certain requirements for employers who use consumer reports.  The FCRA broadly defines the term “consumer reports” as information prepared by a consumer reporting agency “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for—credit or insurance to be used primarily for personal, family, or household purposes; employment purposes” or other permitted purposes. This definition draws in more than a traditional credit report. It can include driving records, civil lawsuits, and reference checks, among other information.

Disclosure and Consent

Employers may not obtain a consumer report from a consumer reporting agency unless they first make a “clear and conspicuous” written disclosure to the prospective employee/employee.  The disclosure document must consist “solely” of the disclosure that a consumer report may be obtained.  The job applicant/employee must provide written permission for the employer to obtain a consumer report.  The FTC has indicated the disclosure form may include a signature line for the individual’s consent.  (In 2001, the FTC also issued an opinion letter stating it believes such consent can be obtained electronically, consistent with the federal E-Sign law).  The employer further certifies to the consumer reporting agency that is has a permissible purpose for the report and that it has complied with the FCRA and applicable equal opportunity laws.

These steps sound simple enough, however, litigation has ensued based upon employers’ alleged failures to comply.  For instance, in the Whole Foods case in federal court in California, the plaintiffs claim the online application process included a liability waiver in the disclosure form for the background check, allegedly violating the FCRA requirement that a disclosure form not include other information.  In a separate case in federal court in Florida involving retailer Nine West, the plaintiff alleges he did not receive a separate form, and that the background check authorization was on a web page with various other types of information.

Adverse Action Based on Report

If the employer intends to take “adverse action” against the prospective employee/employee (based even in part on the information in the report), the FCRA requires the employer to follow certain additional steps. The term “adverse action” includes “a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee.”

Before the employer takes the adverse action, it must provide a “pre-adverse action” notice to the affected person. This notice must include a copy of the consumer report and a statutory “Summary of Rights.” (This is an updated form, required since January 2013 by the new Consumer Financial Protection Board, which now has responsibility for FCRA rulemaking).  The purpose of this notice requirement is to permit the individual to discuss the report with the employer before the employer implements the adverse action.

Next, if the employer intends to take the adverse action, the FCRA requires the employer to provide an adverse action notice to the individual.  This notice must contain certain information, including:this is a test one

 bulletthe name, address, and telephone number of the consumer reporting agency that provided the report;

 bulleta statement that the consumer reporting agency did not make the adverse decision and is not able to explain why the decision was made;

bulleta statement setting forth the applicant’s or employee’s right to obtain a free disclosure of his or her report from the consumer reporting agency if the individual      requests the disclosure within 60 days; and

bulleta statement regarding the individual’s right to dispute directly with the consumer reporting agency the accuracy or completeness of any information contained in the       report.

In a case involving Domino’s Pizza employees, the company settled a class action that included allegations that it took adverse employment actions against certain individuals based on information contained in consumer reports without providing those individuals the required notice and a copy of such reports in advance.  K-Mart settled a class action suit based upon allegations that the statement of consumer rights provided to individuals after a background check contained outdated disclosures, among other alleged FCRA failures.

Liability and Enforcement

Plaintiffs can pursue a private right of action against employers for negligently or willfully violating the FCRA.  Claims regarding negligent violations allow actual damages and reasonable attorneys’ fees and costs.  Willful violations can result in actual damages or statutory damages ranging between $100 and $1,000, plus punitive damages and attorneys’ fees and costs.  The Federal Trade Commission (“FTC”) has also brought actions against employers for FCRA violations.

10 Steps to Avoid Becoming a FCRA Defendant When Using Employment Background Checks

1.       Review your current background check practices for prospective and current employees, including any online application materials.

2.      Review disclosure/consent forms for compliance. Ensure you are presenting applicants or current employees with a simple, one page disclosure form. The form should inform individuals that you intend to obtain a consumer report for employment purposes.

3.      You must obtain consent from the prospective employee/employee. You may include a line on the disclosure form for the individual to acknowledge and grant consent.  Do not include other material, such as liability waivers, confirmation of at-will employment, or seek other consents.

4.      If your application process is online, ensure the disclosure/consent is displayed separately, on one screen, without other content.

5.      If you intend to conduct background checks periodically during an individual’s employment, state that in the disclosure and consent form.

6.      Do not seek consent verbally. FCRA requires “written” consent (though FTC has stated it may be electronic).

7.      Maintain backup of the disclosure and consent forms for at least 5 years from the date they were provided. (Lawsuits must be brought by the earlier of two years after the date of the plaintiff’s discovery of the violation, or five years after the date on which the violation occurred).

8.      If you intend to take adverse action based on information in the consumer report, you should be providing the individual with a pre-adverse action notice, a copy of the consumer report, and the “Summary of Rights.” Ensure you are using the most updated “Summary of Rights.”

9.      You should wait a reasonable amount of time (at least 5 days) before issuing an adverse action notice. Your company’s adverse action notice must contain the information required under the FCRA (see bulleted information, above).

10.    Check state law regarding background checks for the states in which you operate/solicit employees. Some states have similar requirements to FCRA; others may further restrict the types of information you can request.

 

*                                  *                                  *

The FTC/EEOC have issued a joint statement on background checks.  While many employers need to conduct background checks to avoid liability and risks to their businesses, employers also need to follow the FCRA’s mandates to avoid the deep end of litigation “pool.”

posted in:
Privacy
Jan 28
2015

International Data Privacy Day: Our Top 10 Data Privacy Tips

iStock_000052810800_Large

It’s International Data Privacy Day!  Every year on January 28, the United States, Canada and 27 countries of the European Union celebrate Data Privacy Day.  This day is designed to raise awareness of and generate discussion about data privacy rights and practices.  Indeed, each day new reports surface about serious data breaches, data practice concerns, and calls for legislation.  How can businesses manage data privacy expectations and risk amid this swirl of activity?

Here, we share some tips from our firm’s practice and some recent FTC guidance.  We don’t have a cake to celebrate International Data Privacy Day but we do have our “Top 10 Data Privacy Tips”:

1. Review Your Organization’s Privacy Policy. Remember that privacy policy you had counsel prepare a few years ago?  It’s a good time to review it and assess whether it still reflects company practices.  What kind of personal information does your company collect? How does it move through your business?  How is it shared?  Has your organization’s policy on sharing personal information changed?  Does the privacy policy reflect legal changes in the states where you operate?  Privacy policies are not meant to be stagnant documents.  You should review them at least twice a year to ensure they are accurate. Even something as simple as the privacy officer’s contact information may need an update.

2. Do What You Say.  When you post a privacy policy, you are committing to the practices in the policy.  If your policy says “we will never share your information with third party marketers” – then you shouldn’t be sharing with third party marketers.  Common sense?  Yes, but companies have faced enforcement actions and litigation for pledging to “never share” when they did share.  Other companies like Snapchat settled with the FTC over statements in their privacy policies concerning how their apps operate and secure information that the FTC claimed were not true. Privacy policies should carve out disclosures for sharing information where sharing is likely to take place, such as in response to legal process, like a court order.  We also recommend a carve out in the event of a sale or reorganization of the business or of its assets. Other carve-outs may be warranted.

3. Ensure Your U.S.-E.U. Safe Harbor Is Up-to-Date. Last year, the FTC took action against several companies, including the Atlanta Falcons and Level 3 Communications, for stating in their privacy policies that they were U.S.-E.U. Safe Harbor Certified by the U.S. Department of Commerce when, in fact, the companies had failed to keep their certification current by reaffirming their compliance annually. While your organization is not required to participate in Safe Harbor, don’t say you are Safe Harbor Certified if you haven’t filed with the U.S. Department of Commerce. And, remember that your company needs to reaffirm compliance annually, including payment of a fee.  You can check your company’s status here.

4. Understand Your Internal Risks. We’ve said this before – while malicious breaches are certainly out there, a significant percentage of breaches (around 30 percent, according to one recent study) occurs due to accidents or malicious acts by employees.  These acts include lack of firewalls, lack of encryption on devices (such as laptops and flash drives), and failing to change authentications when employees leave or are terminated.  Many data breaches are While you are at it, review who has access to confidential information and whether proper restrictions are in place.

5. Educate Your Workforce. While today is International Data Privacy Day, your organization should educate your workforce on privacy issues throughout the year. Depending on the size of the company and the type of information handled (for instance, highly sensitive health information versus standard personal contact details), education efforts may vary. You should review practices like the confidentiality of passwords, creating a secure password and changing it frequently, and avoiding downloading personal or company sensitive information in unsecured forms.  Just last week, a security firm reported that the most popular passwords for 2014 were “123456” and “password.”  At a minimum, these easily guessed passwords should not be allowed in your system.

6. Understand Specific Requirements of Your Industry/Customers/ Jurisdiction. Do you have information on Massachusetts residents?  Massachusetts requires that your company have a Written Information Security Program.  Does your company collect personal information from kids under 13?  The organization must comply with the federal Children’s Online Privacy Protection Act and the FTC’s rules.  The FTC has taken many actions against companies deemed to be collecting children’s information without properly seeking prior express parental consent.

7. Maintain a Data Breach Response Plan. If there were a potential data breach, who would get called?  Legal?  IT?  Human Resources?  Public relations?  Yes, likely all of these. The best defense is a good offense – plan ahead.  Representatives from in-house and outside counsel, IT/IS, human resources, and your communications department should be part of this plan. State data breach notification laws require prompt reporting. Some companies have faced lawsuits for alleged “slow” response times.  If there is potential breach, your company needs to gather resources, investigate, and if required, disclose the breach to governmental authorities, affected individuals, credit reporting agencies, etc.

8. Consider Contractual Obligations. Before your company commits to data security obligations in contracts, ensure that a knowledgeable party, such as in-house or outside counsel, reviews these commitments.  If there is a breach of a contracting party’s information, assess the contractual requirements in addition to those under data breach notification laws. The laws generally require notice to be given promptly when a company’s data is compromised while under the “care” of another company. On the flip side, consider the service providers your company uses and what type of access the providers have to sensitive data. You should require service providers to adhere to reasonable security standards, with more stringent requirements if they handle sensitive data.

9. Review Insurance Coverage. While smaller businesses may think “we’re not Target” and don’t need cyber insurance, that’s a false assumption. In fact, smaller businesses usually have less sophisticated protections and can be more vulnerable to hackers and employee negligence.  Data breaches – requiring investigations, hiring of outside experts such as forensics, paying for credit monitoring, and potential loss of goodwill – can be expensive. Carriers are offering policies that do not break the bank. Cyber insurance is definitely worth exploring.  If you believe you have coverage for a data incident, your company should promptly notify the carrier. Notice should be part of the data breach response plan.

10. Remember the Basics! Many organizations have faced the wrath of the FTC, state attorneys general or private litigants because the companies or its employees failed to follow basic data security procedures. The FTC has settled 53 data security law enforcement actions. Many involve the failure to take common sense steps with data, such as transmitting sensitive data without encryption, or leaving documents with personal information in a dumpster. Every company must have plans to secure physical and electronic information. The FTC looks at whether a company’s practices are “reasonable and appropriate in light of the sensitivity and amount of consumer information you have, the size and complexity of your business, and the availability and cost of tools to improve security and reduce vulnerabilities.” If the FTC calls, you want to have a solid explanation of what you did right, not be searching for answers, or offering excuses.  Additional information on the FTC’s guidance can be found here.

*                            *                            *

 Remember, while it may be International Data Privacy Day, data privacy isn’t a one day event. Privacy practices must be reviewed and updated regularly to protect data as well as enable your company to act swiftly and responsively in the event of a data breach incident.

Nov 07
2014

Report from an Energized Brand Activation Association Marketing Law Conference

Group Of Multi-Ethnic People Social Networking

Ifrah Law is a proud member the Brand Activation Association (“BAA”). This week, we attended the BAA’s 36th annual BAA Marketing Law Conference in Chicago.  Just as “Mad Men” reflects the 1960’s era advertising business, this year’s BAA conference demonstrated this generation’s marketing dynamic – where mobile is key, privacy concerns abound, and the Federal Trade Commission (“FTC”) and other agencies are watching and enforcing. Other key “take aways” from the conference are that sweepstakes, contests, and other promotions remain hugely popular via mobile devices and social networks.

Digital Rules

Advertisers representing top brand names made clear that companies must reach consumers through various digital devices.  Smartphones, tablets, and wearable technologies each represent ways to advertise a product or service.  Today’s consumers, especially younger consumers, rely extensively mobile devices. Many actually welcome behavioral and other advertising.  Consumers in the U.S. and abroad have shown receptiveness to “flash sales,” instant coupons and other deals, including those geared to their geo-location.

Emerging Privacy and Consumer Protection Trends

While advertisers interact with consumers and many consumers welcome offers and information, regulators’ and individuals’ concerns with the privacy of personal information dominate the landscape.  Almost a year after the notorious Target data breach, and with the holiday shopping season approaching, all stakeholders are understandably cautious about how to utilize various methods of marketing while securing consumer information.  Even assuming a network is secure, the FTC, state attorney generals, foreign regulators, consumer advocacy groups and consumers want to know how personal data is being collected, utilized and shared.  In the consumer protection context, the FTC actively enforces the Federal Trade Commission Act’s prohibition on “deceptive acts and practices,” requiring that advertisers have substantiation for product claims.

Two Significant Forces – the FTC and California’s Attorney General

Top representatives from the FTC and the California Attorney General presented at the conference.  Both representatives asserted their agencies remain active in enforcing their consumer protection and privacy laws, especially as to certain areas.  Jessica Rich, Director, Bureau of Consumer Protection at the FTC, discussed the agency’s focus on advertising substantiation, particularly as to claims involving disease prevention and cure, weight loss, and learning enrichment (such as the “Your Baby Can Read “ case).

On the privacy side, Ms. Rich also noted the FTC’s specialized role in enforcing the Children’s Online Privacy Protection Act (“COPPA”).  The FTC’s recent action against Yelp demonstrates that the FTC will not hesitate to enforce COPPA even where a website is not a child-focused website, per se. If a website or online service (such as a mobile app) collects personal information from children under 13, it must comply with COPPA’s notice and consent requirements. The agency is also exploring the privacy and consumer protection concerns associated with interconnected devices, known as “the Internet of Things.”

The representative from the California Attorney General’s office noted that California has a keen interest in mobile apps, as demonstrated by its action against Delta for allegedly failing to have a privacy policy available through its mobile app.  California is also gearing up for its “Eraser Law,” set to go in effect on January 1, 2015. This law provides an opportunity for young people under 18 to “erase” embarrassing or damaging content they posted online, including on social media.

Promotions – Sweepstakes, Contests, Games

While some may think sweepstakes and contests are outdated, the opposite is true. Companies are utilizing mobile and social networks to engage with consumers through promotions.  Facebook and Pinterest-based sweepstakes and contests continue to grow in popularity. Advertisers also increasingly look to “text-based” offerings.

These promotions can generate great marketing visibility and grow consumer relationships. However, advertisers need to be aware of many legal minefields.  First and foremost is the federal Telephone Consumer Protection Act (“TCPA”), which requires prior express “written” consent for advertisements sent to mobile phones via text or calls utilizing an autodialer or prerecorded message.  Plaintiffs’ lawyers continue to file hundreds of TCPA class actions based on texts without consent.  Second, the social networks have their own policies. For instance, Facebook now bars advertisers from requiring consumers to “like” a company Facebook page in order to participate in a promotion.

Take Aways

BAA conference sessions were packed – many standing room only.  The popularity of programs about comparative advertising, native advertising, sweepstakes and contests, and enforcement trends demonstrates that advertisers are finding innovative ways to reach consumers across devices. These marketing initiatives face a host of federal, state, and international laws and regulations, as well as restrictions imposed by social networks and providers.  It’s an exciting and complex juncture in global marketing.

Connect with Us Share

About Ifrah Law

FTC Beat is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, health care, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen and George Calhoun, counsels Jeff Hamlin and Drew Barnholtz, and associates Rachel Hirsch, Nicole Kardell, Steven Eichorn, David Yellin, and Jessica Feil. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!

Visit the Ifrah Law Firm website

Popular Posts