Acting Chairman of the Federal Trade Commission, Maureen Ohlhausen, answered questions about the FTC’s current role in data privacy before a crowded audience at the April 2017 IAPP Global Privacy Summit in D.C. Below are some take-aways we wanted to share from Commissioner Ohlhausen’s talk:
- Even if out of ISP oversight, the FTC is actively engaged in data privacy enforcement through its consumer protection role.
Ohlhausen expressed disappointment that FTC had to step out of ISP oversight in 2015, when the FCC reclassified broadband as a common carrier service (the reclassification means the FCC, no longer the FTC, has authority over privacy and data security enforcement of ISPs). But she said that the FTC is still active through holding companies to their data privacy policies and claims: “We enforce promises. We hold companies to their promises, even in technologically advanced areas.” She noted that FTC enforcement actions derive not only from consumer complaints, but that the FTC is getting cases from computer researchers and marketplace competitors.
- FTC to present positive findings from its enforcement actions.
Ohlhausen and her staff are considering changing up what they present publicly on their investigation findings. Normally, the FTC publishes what it has found companies doing wrong, but Ohlhausen believes the public could benefit from what the FTC has found companies doing right. The FTC therefore may be bolstering its public messages on enforcement actions with this positive twist.
- How FCC and FTC oversight of ISPs differs.
Ohlhausen noted that the FCC has ended up with a different approach to data security oversight. For instances, they have taken a different view on what constitutes sensitive data and on what types of opt-ins and opt-outs are permissible. She expressed concern that, with the Open Internet Order, which revoked FTC Privacy Rules, no one is really watching the hen house. She hopes either Congress or the FCC will reconsider the FTC’s role: The FCC could rescind its reclassification or Congress could rescind the FCC’s common carrier authority of broadband services.
- The Privacy Shield and the FTC’s role in working with Europe.
Ohlhausen noted that the current Administration seems committed to the Privacy Shield. She believes that the Privacy Shield meets Europe’s needs and further that the FTC has an important role to fill in (1) ensuring how information is disseminated and (2) enforcement. For instance, the FTC can provide guidance on how to inform EU consumers on the parameters of the Privacy Shield. Moreover, the FTC will enforce Privacy Shield violations—based on deception for failure to comply. She is optimistic that the Shield will withstand court challenges, in contrast to the Safe Harbor, which was negotiated in a different environment.
- Chinese forays into privacy.
Ohlhausen, who was heading to Beijing the day after her IAPP talk, expressed interest in Chinese developments in privacy regulation: where a communist country’s government controls so much, there still can be a real interest in privacy for the consumer. She noted that some international companies have concerns over whether they will be disadvantaged by Chinese privacy laws.
- Privacy and overlap with other areas of law
When asked whether privacy laws, such as anti-discrimination provisions contained in the GDPR, are carrying more water than just privacy, Ohlhausen noted that there is some overlap, such as with the Fair Credit Reporting Act and Civil Rights Act. She took the discussion as an opportunity to highlight the importance of balancing fear of the unknown against the benefits of innovation: it is good to identify the bad things that can happen. But we also need to weigh that against the good things. While consumer protection is important, we also want a competitive marketplace, and want to encourage innovation.
 A side note on the FCC reclassification: a persistent theme in Ohlhausen’s talk was expressing hope that the FTC would get authority back over ISPs.
Your business booked a large charity event. However, the customer contact turns out to be a nightmare. She complains (during and after the event) that the service was slow, the food looked and tasted like a frozen meal, and the drinks were watered down. She even claims she was overcharged. You reviewed the situation and, while you disagree, you offer her a credit. She declines and instead decides to post scathing reviews on Yelp, TripAdvisor, and several other review sites. She also gets her friends to post similar reviews. You remember, however, that the booking contract this irate customer signed barred her from posting negative reviews and imposes a $200 per negative review penalty. You ring up your attorney and ask her to send Ms. Nasty Customer a demand. Your lawyer tells you there may be a problem with this approach – under a new law signed by President Obama in December, the Consumer Review Fairness Act of 2016 – form contracts restricting reviews or imposing penalties are void.
Exceptions and Carve-Outs
There are several significant exceptions to the new law, offering some protections to organizations. First, individually-negotiated agreements are not covered by the new legislation. Second, Congress carved out employer-employee and independent contractor agreements from the “form contract” definition. Thus, under the new Act, employment provisions barring negative online reviews of an employer are not void. However, the National Labor Relations Board strongly disfavors restrictions on employees’ rights to discuss wages and working conditions in public forum. Further, some states may also seek to bar restrictions on online reviews. California and Maryland already have enacted laws barring non-disparagement clauses in consumer contracts.
Third, the Act does not bar an organization or individual from suing for defamation, libel, or slander. Thus, companies may still file suit for reviews containing false statements (and presumably include a clause in a form agreement or terms and conditions addressing such statements). Fourth, the law preserves any confidentiality required by law – such as HIPPA. Fifth, the Act expressly allows a party to remove or to refuse to display on a website/webpage operated by that party the content of a “covered communication” : (1) that contains personal information or the likeness of another person; (2) is libelous, harassing, abusive, obscene, vulgar, sexually explicit “or is inappropriate with respect to race, gender, sexuality, ethnicity or other “intrinsic characteristic”; or (3) that is false or misleading. Thus, companies that host their own webpages for customer comments and interactions may remove customer reviews meeting these standards. It would also appear lawful to advise customers in company terms and conditions or form contracts that such content may be reviewed.
Congress further created a carve-out from the Act’s consumer review protections for trade secrets or commercial or financial information considered privileged or confidential, personnel and medical files where disclosure would result in an invasion of personal privacy, records compiled for law enforcement purposes, content that is unlawful, and content containing computer viruses, worms, or other damaging code.
Federal Trade Commission Enforcement
The Federal Trade Commission (“FTC”) will enforce the Consumer Review Fairness Act of 2016. State Attorney Generals may also bring a civil action in federal court to obtain relief for their residents. The new law requires the FTC (within 60 days) to conduct education and outreach to businesses, including non-binding “best practices” for complying with the Act. Companies get 90 days (until March 14, 2017) before their contracts containing the now-proscribed practices are considered void.
The FTC may target a few “brand name” organizations in early enforcement actions to garner industry attention. Companies should be aware, however, that they retain the right to object to assessments that are exempted, including those that disclose confidential or personal information, or that are defamatory, misleading, obscene, vulgar, or unrelated to the products and services offered on the company’s webpage. So, while consumers cannot be penalized through a form contract by posting reviews, their rights to post are not unfettered. Contrary to the popular adage, as the Union Street Guest House learned, not all press is good press – and companies may still address false or defamatory reviews and those reviews containing other exempted content.
The Office of the Inspector General, which enforces Health and Human Services, has long been averse to referral services that don’t meet certain criteria. To get protection against a possible enforcement action, the referral service can’t exclude anyone from participating in the service, and payments for referrals have to be reasonable and cannot be tied to the volume or value of the referrals that are made. All this complexity doesn’t simply keep referral services from earning a legitimate living; it denies patients access to superior healthcare options.
In a time when patients gravitate toward online resources, the OIG’s restrictions on medical referrals appear horribly out of date. Generally, when people want to find a pharmacy, lab, or doctor, they ask a friend or family member. In many circumstances, though—such as moving to a new city and not knowing anyone—people are likely to go online. Here they will find numerous referral services that can steer them to many reputable providers, who are often happy to pay for the hookup. This type of commercialized referral happens all the time in privatized industries—but because the government pays for healthcare (in the case of Medicare and Medicaid), it gets to set the rules for that space. Many of these rules are legitimately designed to protect against fraud and misuse of public funds, but that shouldn’t make them impervious to revision.
Thankfully, this has not escaped the notice of referral services and even the OIG, which has issued some enlightened opinions on the matter; case in point, No. 11-18. In 2011, a web-based provider of billing, electronic record, and patient messaging services asked if it could offer a coordination service whereby physicians could pay a transmission fee for connecting to other providers in order to share patient information, provider numbers, and clinical data. In response, the OIG determined that this service would not be afforded protection under the safe harbor, but it would not necessitate enforcement action either. In this instance, and many others in today’s marketplace, the referral service isn’t a health care provider that bills the government, but a third party provider of software and services. What would be the harm of facilitating the transmission of information between referring providers so that a patient can receive care? Here the OIG acknowledged that the fee structure was fair market value, that it would be assessed whether or not a patient followed through, and that it was unlikely to influence a provider’s decision to refer to any particular person or entity.
When the referral services safe harbor was drafted it made some sense for the OIG to suspect that an online referral service could charge a fee to steer patients to a particular provider, thereby exploiting federally reimbursed services and products. However, in most cases, online referral services are there simply to expand access to care, allow patients to have more choices, and help them find options that best suit their needs. In any other industry it makes perfect business sense for a referral service to charge its users a fee in order to recoup the cost of implementation (if any) and achieve a profit. It’s high time the OIG gives medical referral services the air they need to do the same. Modifying the safe harbor could take a lot of time and effort, but the OIG can take it upon itself to revise its interpretation of the safe harbor’s requirements without having to turn a blind eye to the law.
On March 15, 2016, national retailer Lord & Taylor agreed to settle FTC charges that it “deceived consumers by paying for native advertisements.” The settlement is the first of its kind following the December 2015 guidance memorandum, Native Advertising: A Guide for Businesses, issued by the FTC. Under the terms of the settlement, Lord & Taylor is prohibited from “misrepresenting that paid ads are from an independent source, and is required to ensure that its influencers clearly disclose when they have been compensated in exchange for their endorsements”.
On the day the settlement was announced, the FTC also published a copy of the underlying complaint. The complaint alleges that Lord & Taylor developed plans to promote a clothing line for women which included a comprehensive social media campaign of blog posts, photos, native-advertising editorials in online fashion magazines, and a team of “influencers” recruited for their fashion sense and audience on social media. The FTC alleged that Lord & Taylor edited, pre-approved, and paid for a favorable Instagram post that was uploaded to the account of a fashion magazine called Nylon. The regulatory agency further alleged that Lord & Taylor reviewed, pre-approved, and paid for a favorable article in Nylon. In both cases, however, Lord & Taylor failed to disclose its commercial arrangement with Nylon. Similarly, the FTC alleged that Lord & Taylor gifted a dress from the clothing line to fifty “influencers” who were paid between $1,000 and $4,000 to post favorable photos and comments about the dress on social media. Again, Lord & Taylor did not disclose or require influencers to disclose that they had been paid for their posts. Based on Lord & Taylor’s alleged misrepresentations and failure to disclose, the FTC accused Lord & Taylor of engaging in unfair or deceptive acts or practices in violation of the Federal Trade Commission Act.
What is Native Advertising?
Native advertising, also known as sponsored content, is designed to fit in with original online content in a seamless, non-intrusive manner. It allows advertisers to directly reach online consumers, without severely interrupting the original content on the publishing website, video game, or mobile app. In the past few years, this advertising has reached all corners of the internet.
FTC Concerns With Native Advertising
As native advertising has grown, so have the FTC’s concerns about the possibility of deceiving consumers. Therefore, at the close of 2015, the FTC released the guidance memorandum, Native Advertising: A Guide for Businesses, which provides details and illustrative examples for businesses that use native advertising as part of their online marketing campaigns.
Native advertising creates a particular challenge for advertisers. Advertisers want to design an advertisement that appears native to the original content, but must do so without potentially confusing the consumer, who may mistake the advertisement for non-advertising content.
To assist advertisers in complying with these rules, the FTC issued its December 2015 guidance memorandum with examples and tips to ensure advertisers remain compliant. Most of the memorandum focuses on seventeen examples of advertising, including on news sites, in videos, through content recommendation widgets, and in video games. These examples illustrate how and why consumers might be confused by certain native advertising tactics. Most of the examples show how a native advertisement might bear too much similarity to the original content, which means the consumer might not understand that what they are viewing is, in fact paid-for, sponsored content.
Complying With FTC Native Advertising Requirements
The take-away from the Lord & Taylor settlement is that advertisers should avoid placing paid ads that appear to be independent editorial content. Put simply, advertisers must choose between control and disclosure. In other words, advertisers who want to make use of native advertising and “influencers” on social media must either relinquish influence or control over the advertising content or disclose the nature of the marketing arrangement. Bottom Line: Paid advertising must be identifiable as advertising.
The FTC’s December 2015 memorandum provides a variety of tips on how to appropriately disclose native advertising. The disclosures should be three things: (1) placed near the advertising; (2) prominent; and (3) clear. By ensuring that native advertising follows these disclosure guidelines, companies will avoid misleading consumers into thinking their native advertisement is non-sponsored, publisher content.
Finally, the memorandum specifically notes who is affected by these disclosure rules. The enforcement is not limited to just the sponsoring advertiser. Advertising agencies and operators of affiliate advertising networks are also obligated to adhere to the FTC’s disclosure requirements.
Put simply, if a reasonable consumer might see your native advertising and believe it to be non-advertising content, the FTC will likely take issue with your native advertising tactics. This is exactly what we saw in the Lord & Taylor settlement.
Despite not being explicitly mentioned in the Constitution, the Supreme Court has firmly held that a right to privacy for all Americans is found in several amendments to the Constitution, with almost 100 years of case law providing precedent for many personal privacy rights that have become a cornerstone of American culture. However, in this new digital age of rapid technology change, with real-time access to information and the global exchange of information at the push of a button, new privacy protection questions arise almost daily. The extent to which an individual’s private information shared online is subject to privacy protection varies depending on which side of the pond you stand.
European nations generally take a more restrictive approach than the U.S. as to how companies can use personal data. EU nations often go head-to-head with U.S. digital companies over differing interpretations of privacy rights. Both Google and Microsoft have faced multiple investigations outside the United States.
Facebook seems to be a particularly popular target. As the world’s largest social network with 1.6 billion monthly users, Facebook earns its revenues from advertising aimed at users, after gathering information from the users’ social connections and activities in their posts. Late last month, a German court fined Facebook 100,000 Euros for failing to follow an order issued by a German court four years ago that required the social media site to revise a clause in its terms regarding any intellectual property content posted by users on or in connection with Facebook. The German court had found that the clause in the terms violated consumer rights. While Facebook modified the wording slightly for German users, the German court found that the revised wording still maintains the same underlying message as the original wording. Europe’s highest court also recently successfully challenged Facebook as to the way that data was transferred between the European Union and the United States. And just yesterday, a German court ruled that domestic websites could not transfer user data to Facebook via its “like” button without the specific consent of the user.
In a novel link between privacy protection and antitrust, the German competition authority known as the Federal Cartel Office (BKA) opened an investigation on March 2 into whether Facebook abused its dominant position in social networking in order to collect its users’ digital information, including placing unfair constraints on the users, who were forced to sign complicated terms and conditions in order to use the network. The investigation seeks to discover whether Facebook users were properly informed about how their personal data would be obtained through the site, including the type of data collected, as well as the extent of the data collected.
One might ask why the BKA would get involved with this novel approach to linking privacy protection to antitrust law. First, under antitrust law, the maximum fines are much greater than those under privacy law. For a company tech giant like Facebook, the fines imposed by data protection authorities can seem negligible, even for the most egregious cases, while antitrust fines pose a much more significant deterrent. Second, Facebook has claimed that it falls only within the jurisdiction of the data protection authority in Ireland, where its international headquarters are situated. By bringing the investigation under the auspice of the antitrust authority, this argument is avoided. The President of the BKA, Andreas Mundt, remarked that, “[d]ominant companies are subject to special obligations,” and he went on to say that such obligations include adequate terms of service, as far as they are relevant to the market. He also noted the importance of user data where Internet services are financed by advertising. The BKA noted, “. . . if there is a connection between infringement and market dominance, it could constitute an abusive practice under competition law.”
While some question the BKA’s position as ambitious and vague, others fear that this case could open the door to other investigations and cases using data protection violations to claim antitrust violations. Whether the BKA is successful or not, this should be a forewarning to other big U.S. technology companies: it is probably not enough to rely on U.S. privacy rules when playing in a global arena.
In 2015, Amazon filed suit against over 1,000 unnamed individuals for allegedly offering to sell fake online reviews (positive or negative) on Fiverr.com (“Fiverr”). The unnamed defendants offer to provide 5-star reviews and some defendants even encourage sellers to provide their own text to use in the review. In order to avoid detection, defendants offer to submit reviews from multiple IP addresses, utilize multiple Amazon accounts, and to complete a Verified Review (which means the reviewed has purchased the product, even though they don’t always require the actual product to be shipped for review). In short, the allegations are that these reviews for sale violate Amazon’s Customer Review Guidelines (which prohibit paid reviews), Fiverr’s own Terms of Service (which requires compliance with third party guidelines), and deceptively provides false reviews to consumers (which violates consumer protection laws).
Interestingly, Amazon did not name Fiverr as a party to the complaint. Instead, Amazon went after the individual sellers and indeed explicitly stated in the complaint that “Amazon will amend this complaint to allege their true names and capacities when ascertained.”
In contrast to Amazon’s approach, the Metallica Plaintiffs in a previously filed case against Napster, sued Napster directly and not the individual users (and eventually obtained their desired result). Indeed, Amazon has not always omitted operators from its case captions. Last April, Amazon filed a similar lawsuit against a number of companies that operated websites to promote the sale of Amazon reviews. That lawsuit contained very similar allegations to this recent suit against individuals and alleged selling positive reviews, offering a Verified Review, a slow posting of reviews to avoid detection by Amazon, etc. Similar as well to the Napster case, the first Amazon lawsuit also yielded a successful result because the websites targeted in that case were all closed down.
So why is Amazon now going after the individual sellers? And why did Amazon omit Fiverr in this lawsuit?
One possible explanation is that Amazon, like Napster, first attempted to take down the providers (i.e. the website owners) that enabled the fraudulent review process. While that was successful, Amazon likely realized that it was insufficient because the individual reviewers would easily migrate to sites like Fiverr to continue their activities. So, Amazon was forced to file suit against the individual users.
At the same time, Amazon did not include Fiverr as a named defendant because it is more likely to get Fiverr’s cooperation in providing the identities of the unnamed defendants, and, because Fiverr is a legitimate global online marketplace offering tasks and services- in sharp contrast to the defendants in the prior Amazon lawsuit that operated sites and companies for the sole purpose of providing fraudulent Amazon reviews (and further antagonized Amazon by utilizing the Amazon logo on their sites). Additionally, as noted in the current Amazon complaint, Fiverr itself prohibits paid reviews and has tried to prevent them- again in sharp contrast to the companies in the first Amazon lawsuit, whose entire business was selling Amazon reviews.
Or it may be that Amazon has embarked on a process to stop paid reviews and these are the first steps in that ongoing process. As noted in this complaint against the Fiverr sellers, the lawsuit is “the next step in a long-term effort to ensure these providers of fraudulent reviews do not offer their illicit services through other channels.” Thus, Amazon may have simply first pursued the enablers (i.e. the company websites dedicated to fraudulent reviews) and then it pursued the individual reviewers on Fiverr.
The extent to which Amazon will continue to pursue questionable reviews remains to be seen. In 2015, Amazon limited its lawsuits regarding fraudulent reviewers to paid reviewers. In 2016, we may see an assault on the groups of independent people who exchange positive reviews on Amazon (i.e. each party agrees to submit a positive review of the other’s product). This type of arrangement also violates Amazon terms and poses similar concerns to the reliance of consumers on Amazon reviews. Amazon may also question whether this prohibited practice merits attention.
Every e-mail user receives them, some days in numbers hitting the triple digit mark – those targeted, often annoying and unsolicited e-mails that clog our inboxes, originating from any of a multitude of establishments, including retailers, service establishments, and even our own social media. Regulation over unwanted e-mails has been limited mostly to the federal Can Spam Act of 2003, which doesn’t prohibit the deluge of e-mails, but rather protects against misleading and deceptive ones and requires the sender to comply with certain requirements, including offering a clear opt-out. A private consumer has limited retribution to enforce the Act, however, and must rely on the FTC, as well as other government entities and Internet service providers, to bring suit to stop the unwanted e-mails. It seems that consumers in recent years are ever more fed up and frustrated with “spam” messages and desire change. However, as evidenced by a recent class action lawsuit by certain LinkedIn members against the social media giant, consumers may utilize other legal maneuvers to get relief from new marketing tactics employing spam.
LinkedIn is often referred to as the “Facebook of the Professional World.” With over 300 million+ users, LinkedIn has become the world’s largest professional network since it launched in 2003. One feature of the network allows a member to import his or her e-mail contacts list and send invitations to connect with others on LinkedIn. A user is prompted by LinkedIn to click an “Add Connections” link, which then allows LinkedIn to import the list from external e-mail accounts. LinkedIn uses this feature to grow its number of members.
According to the class action lawsuit filed against LinkedIn, if a connection invitation was not accepted within a certain period of time, up to two “reminder’ spam e-mail messages would be sent to the prospects, without the LinkedIn member’s consent to do so. In Perkins v. LinkedIn Corp., the federal district court in the Northern District of California determined that the motion to dismiss filed by LinkedIn would be granted in part and denied in part, thereby allowing the suit to move forward. In its partial denial of the motion to dismiss, the court reasoned that although the members consented to importing their contacts and sending the invitation to connect, they did not consent to sending the reminder messages on their behalf. In her Order, Judge Lucy Koh explains,
“Nothing in LinkedIn’s disclosures alerts users to the possibility that their contacts will receive not just one invitation, but three. In fact, by stating a mere three screens before the disclosure regarding the first invitation that ‘We will not . . . email anyone without your permission,’ LinkedIn may have actively led users astray.”
(Order Granting in Part and Denying in Part Defendant’s Motion to Dismiss with Leave to Amend *30). The plaintiffs also contended that LinkedIn members did not consent to the use of their names and likenesses in the reminder e-mails and were embarrassed and felt that the unwanted e-mails sent to personal contacts affected their professional reputations.
Following the court’s Order, the parties agreed to settle the suit. The settlement requires the social media giant to pay at least $13 million, as well as $2.25 million in legal fees, to LinkedIn members who had accounts between Sept. 17, 2011 and Oct. 31, 2014 and sent e-mails through the Add Connections feature. Although LinkedIn did not admit any wrongdoing in the settlement, it agreed to revise its disclosures and clarify that the reminder e-mails would be sent as part of the “Add Connections” service. LinkedIn also indicated its intent to provide an option to cancel the connection invitation, and thereby the reminders, by the end of the calendar year.
Interestingly, with perhaps the fear of a lawsuit on the horizon, Mark Zuckerberg preemptively announced at a recent town hall meeting held in Delhi, India, that Facebook will be reducing the number of invitations it sends to outside contacts of players of the game Candy Crush Saga. Facebook often sends the invitations to contacts who have never used a game and never played games on Facebook, suggesting that they join their friends in a Candy Crush Saga game. Zuckerberg noted that reducing the number of invitations received was the most upvoted question in an online thread, and he has promised to reduce the number of these unwanted requests. After the recent LinkedIn settlement, we advise Mr. Zuckerberg to take action swiftly or we may see other unhappy consumers following suit. . . . with their own suit!
These developments should offer welcomed relief for consumers and our busy delete buttons. However, this may be the tip of the iceberg with regard to the use of the courts and unwanted e-mails. Is the broad Can-Spam Act sufficient to deter spammers? Does the Can-Spam Act do enough to filter out unwanted e-mails? New scenarios have arisen since the enactment of the Act in 2003 and consumers seem to desire more regulation to deter the deluge of e-mails. If swift action isn’t taken by Congress and other regulators, it seems that consumers may take to the courts to set precedent in this ever-changing arena.
Exploiting consumers and exploiting consumer data were popular themes in the FTC’s October 30th workshop on lead generation, “Follow the Lead.” The day-long workshop explored the mechanics of lead generation and its role in the online marketplace. With a focus on the lending and education spaces, panelists discussed the many layers of marketing involved in lead generation—and importantly—how those many layers can add confusion to how consumer data gets collected, sold, used … and misused.
Panelists of the five workshop sessions hailed from industry, government, advocacy groups, and research institutions. They offered insights into both the vulnerabilities and opportunities flowing from the extensive “behind the scenes” market of lead generation. But unsurprisingly, the benefits of lead generation were overshadowed largely by attendant concerns: why is so much consumer data collected, what is done with it, and are consumers aware of how their personal information is being traded and used?
The workshop included two “case study” panels on lending and education. For the panel on lead generation in lending, Tim Madsen of PartnerWeekly provided an overview of how the “ping tree” model works. Connecting prospective borrowers with lenders through a reverse auction of borrower leads, the “ping tree” model may be an efficient way of matching borrowers and lenders. However, Pam Dixon, Executive Director of World Privacy Forum, highlighted her concerns that lenders are receiving consumer data that would otherwise be protected under the Equal Credit Opportunity Act and therefore that the online process is circumventing important consumer protection laws. For instance, the online lending process may require certain personal information from borrowers in order filter fraudulent requests. But that personal information (e.g., gender or marital status) otherwise could not be part of the loan application process. Dixon felt the disclosure of protected information was one that needed to be addressed from both a technical and a policy standpoint. And it is an issue she raised on subsequent panels during the conference, indicating a possible pressure point for future regulatory action.
The panel on lead generation in education was highly charged, due to the controversial nature of marketing higher education and due to the negative attention on for-profit education. Despite many people’s assumption that online marketing in education is largely a tool of the for-profit education industry, Amy Sheridan, CEO of Blue Phoenix Media, provided some surprising statistics: state and private institutions represent roughly forty percent of her business in the education vertical. Even renowned schools like Harvard and Yale are employing lead generation to gain students in their programs.
But given the extensive access to federal funds through higher education, consumer advocates highlighted concerns over students being preyed upon by unscrupulous educators. Jeff Appel, Deputy Undersecretary of Education at the Department of Education, attributed the problem in part to the lack of underwriting in federal student loans. [Query: Wouldn’t it make sense to add underwriting to the federal student loan process? Statistically, private student loan repayment fares much better thanks to this preliminary screening.]
In support of responsible advertising for educational programs, Jonathan Gillman, CEO of Omniangle Technologies, identified the need for clear guidance on appropriate marketing tactics, which may better address problems than resorting to law enforcement. He pointed out the adverse consequences of clamping down on educators’ online advertising: educators are now afraid to advertise online and that space is being filled by affiliates who are more apt to cross the line into deceptive advertising.
Appel provided some general guidance for schools working with lead generators. Schools should (1) monitor how lead generators are representing programs and ensure their ads are not deceptive, (2) make sure payment for advertising does not implicate regulations against incentive-based compensation, and (3) be aware that the actions of lead generators may come under the Education Department’s purview if they are providing additional assistance (e.g., processing student applications).
Both Appel and consumer advocates seemed to agree, though, that laws and regulations already in place were sufficient to address consumer protection concerns in the education marketing space. It is only a matter of having the resources to enforce those laws and regulations. Appel also suggested that state regulators could curb issues by better screening schools.
Throughout the day and across the panels, FTC representatives turned to the concept of “remnant information,” i.e. consumer information that is longer being used. FTC attorney Katherine Worthman asked panelists various questions about what ultimately happens to this information. R. Michael Waller, another FTC attorney and panelist, noted his concern that companies have an economic interest in maintaining and possibly selling remnant information, and that such information is increasingly vulnerable to fraudsters. These FTC attorneys thus pressed about policies on consumer data retention. Aaron Rieke of Upturn supported the FTC concerns and noted that nothing in the company privacy policies (that he’s reviewed) prevents the sale of consumer data: “privacy policies are shockingly permissive when you look at how much information is being provided.”
Another popular issue was whether and to what extent disclosures to consumers are sufficient: are consumers aware of how their information is being traded? The general consensus among panelists was that consumers remained ignorant to the sale and use of the personal information they provide online.
Upshot from the workshop: Lead generators, and the companies using them, should be aware of the growing interest by federal regulators in (1) how consumer data is being collected, retained, and sold and (2) the extent to which people up and down the online marketing supply chain are vetting the buyers and sellers of consumer data. Other takeaways from the conference: Companies should ensure their data collection and retention policies comply with applicable state and federal law. Finally, it is important for companies to ensure their practices comply with both their policies and their disclosures.
In e-commerce, user reviews can make or break a business. Review sites such as Yelp are a double edged sword for merchants and service providers: on one hand satisfied customers can generate buzz about the company and bring in new customers, and on the other hand dissatisfied customers can use it as a very public platform to air their grievances and discourage new business.
Review sites such as Yelp maintain policies protecting users’ anonymity, a major source of frustration among business owners. By remaining anonymous, users can make potentially defamatory statements and leave the businesses with little recourse to hold the individuals accountable. A recent ruling by the Virginia Supreme Court has demonstrated the long and tortured road that businesses must take to challenge the anonymity of these unnamed users.
In 2012 a small Virginia company, Hadeed Carpet Cleaning Inc., brought suit against unnamed Doe defendants for allegedly defamatory statements published about Hadeed on the Yelp review website. According to Hadeed, a number of negative reviews did not match up to records of the company’s existing customers, and therefore the company suspected that the false statements were published by individuals who had never used the company’s services. The Circuit Court for the City of Alexandria, Virginia, issued a subpoena to Yelp requiring it to provide identifying information about the anonymous users. Yelp refused to comply, and the Circuit Court held Yelp in contempt.
Yelp appealed, arguing that the court’s order violated the First Amendment by forcing the company to identify the anonymous users. In January 2014 the Court of Appeals upheld the Circuit Court’s order, applying a six-prong procedure Virginia’s “unmasking statute,” which provides that the court may issue a subpoena to unveil the identity of an individual speaking anonymously over the internet where (1) notice of the subpoena was served on the anonymous speaker through his internet service provider, (2) the plaintiff has a legitimate, good faith basis to contend that communications may be tortious or illegal, (3) other efforts to identify the speaker have been fruitless, (4) the identity of the communicator is important, (5) there is no pending motion challenging the viability of the lawsuit, and (6) the entity to whom the subpoena is addressed is likely to have responsive information.
The Court of Appeals noted that Hadeed had followed the proper procedure in requesting the subpoena. The court found that the company’s evidence that the reviews did not match customer records was sufficient to establish they were not published by actual customers of the company, and were therefore likely to be false.
Yelp appealed the Circuit Court decision to Virginia’s Supreme Court. Last month, the Virginia Supreme Court issued an anticlimactic ruling dismissing the case on jurisdictional grounds, stating that the case should have been brought in California where Yelp is headquartered and where the responsive records are located.
If Hadeed chooses to resume the case in California, if will face a somewhat higher burden in obtaining the names of the users. Notably, Virginia is the only state in the country to have enacted an unmasking statute. In most states, the courts will no issue a subpoena until the plaintiff has established a prima facie case for defamation—significantly more than the “legitimate, good faith basis” used in Virginia.
Ifrah Law is a proud member the Brand Activation Association (“BAA”). This week, we attended the BAA’s 36th annual BAA Marketing Law Conference in Chicago. Just as “Mad Men” reflects the 1960’s era advertising business, this year’s BAA conference demonstrated this generation’s marketing dynamic – where mobile is key, privacy concerns abound, and the Federal Trade Commission (“FTC”) and other agencies are watching and enforcing. Other key “take aways” from the conference are that sweepstakes, contests, and other promotions remain hugely popular via mobile devices and social networks.
Advertisers representing top brand names made clear that companies must reach consumers through various digital devices. Smartphones, tablets, and wearable technologies each represent ways to advertise a product or service. Today’s consumers, especially younger consumers, rely extensively mobile devices. Many actually welcome behavioral and other advertising. Consumers in the U.S. and abroad have shown receptiveness to “flash sales,” instant coupons and other deals, including those geared to their geo-location.
Emerging Privacy and Consumer Protection Trends
While advertisers interact with consumers and many consumers welcome offers and information, regulators’ and individuals’ concerns with the privacy of personal information dominate the landscape. Almost a year after the notorious Target data breach, and with the holiday shopping season approaching, all stakeholders are understandably cautious about how to utilize various methods of marketing while securing consumer information. Even assuming a network is secure, the FTC, state attorney generals, foreign regulators, consumer advocacy groups and consumers want to know how personal data is being collected, utilized and shared. In the consumer protection context, the FTC actively enforces the Federal Trade Commission Act’s prohibition on “deceptive acts and practices,” requiring that advertisers have substantiation for product claims.
Two Significant Forces – the FTC and California’s Attorney General
Top representatives from the FTC and the California Attorney General presented at the conference. Both representatives asserted their agencies remain active in enforcing their consumer protection and privacy laws, especially as to certain areas. Jessica Rich, Director, Bureau of Consumer Protection at the FTC, discussed the agency’s focus on advertising substantiation, particularly as to claims involving disease prevention and cure, weight loss, and learning enrichment (such as the “Your Baby Can Read “ case).
On the privacy side, Ms. Rich also noted the FTC’s specialized role in enforcing the Children’s Online Privacy Protection Act (“COPPA”). The FTC’s recent action against Yelp demonstrates that the FTC will not hesitate to enforce COPPA even where a website is not a child-focused website, per se. If a website or online service (such as a mobile app) collects personal information from children under 13, it must comply with COPPA’s notice and consent requirements. The agency is also exploring the privacy and consumer protection concerns associated with interconnected devices, known as “the Internet of Things.”
Promotions – Sweepstakes, Contests, Games
While some may think sweepstakes and contests are outdated, the opposite is true. Companies are utilizing mobile and social networks to engage with consumers through promotions. Facebook and Pinterest-based sweepstakes and contests continue to grow in popularity. Advertisers also increasingly look to “text-based” offerings.
These promotions can generate great marketing visibility and grow consumer relationships. However, advertisers need to be aware of many legal minefields. First and foremost is the federal Telephone Consumer Protection Act (“TCPA”), which requires prior express “written” consent for advertisements sent to mobile phones via text or calls utilizing an autodialer or prerecorded message. Plaintiffs’ lawyers continue to file hundreds of TCPA class actions based on texts without consent. Second, the social networks have their own policies. For instance, Facebook now bars advertisers from requiring consumers to “like” a company Facebook page in order to participate in a promotion.
BAA conference sessions were packed – many standing room only. The popularity of programs about comparative advertising, native advertising, sweepstakes and contests, and enforcement trends demonstrates that advertisers are finding innovative ways to reach consumers across devices. These marketing initiatives face a host of federal, state, and international laws and regulations, as well as restrictions imposed by social networks and providers. It’s an exciting and complex juncture in global marketing.