The FTC’s “Do Not Call” and “robocall” rules do not apply to political survey calls. So, if Hillary Clinton sought to “voice blast” a survey about international issues, she could do so without violating the Telemarketing Sales Rule (“TSR”). (Though under FCC rules she would have an issue calling wireless numbers.) However, companies may not telemarket under the guise of exempt political calls. Caribbean Cruise Lines (CCL) and several other companies working with CCL recently learned this lesson the hard way. The FTC and a dozen state attorneys general sued CCL and others for offering cruises and vacation “add ons” following purported political calls. CCL settled, agreeing to pay $500,000 of a $7.2 million penalty, and to adhere to multiple compliance mechanisms.
CCL and the other defendants implemented an extensive calling campaign involving 12 to 15 million calls per day for approximately ten months offering a political survey. However, the survey calls invited consumers to “press one” to receive a “free” two-day cruise to the Bahamas (port taxes would apply). A live telemarketer working on behalf of CCL then offered consumers pre-cruise hotels, excursions, and other value packages.
While political calls remain exempt under the TSR’s robocall and Do Not Call provisions, if a caller offers a good, product or service during an otherwise exempt call, an “upsell” has occurred and the call is now telemarketing. FTC rules prohibit robocalls to telemarket except with prior express consent. Thus, the FTC asserted that CCL violated the TSR’s robocall provision since the called parties had not consented to the recorded sales calls. While the calls started as political survey calls, they were actually standard telemarketing, subject to all TSR telemarketing rules. The FTC also alleged violations of the Do Not Call rules, the caller identification rules, and the “company-specific Do Not Call requirements,” among other violations.
In addition to the reminder about “upsells” or “mixed messages,” this action highlights several important TSR enforcement lessons:
The TSR also bars third parties from providing “substantial assistance” to others who violate the rule. Here, the FTC’s complaint charged a group of five companies and their individual owner with assisting and facilitating the illegal cruise calls, by providing robocallers with telephone numbers to use in the caller ID field, to hide the robocallers’ identities.
The FTC will carefully review, and proceed against, companies that violate other TSR provisions, including caller ID requirements, scrubbing of the federal Do Not Call database, and the company-specific Do Not Call list.
A settlement often requires ongoing recordkeeping. Here, the FTC required CCL to create records for ten years (and retain each one for 5 years), including records of consumer complaints and documentation of all lead generators.
* * *
While it should not come as a surprise that a “mixed message” call must comply with the TSR, the recent joint case against CCL and others serves as a potent reminder that the FTC and state attorneys general continue to monitor robocalling and other mass telemarketing campaigns. Further, the enforcers will use the full panoply of legal requirements and enforcement mechanisms to address telemarketing violations. The seller, the telemarketer, the lead generator, the caller ID provider, and any other party providing substantial assistance may find themselves at the receiving end of a call from the FTC if they fail to follow each of the TSR’s obligations or engage in activities that the TSR prohibits.
Health cleanses to lose unwanted weight in a matter of weeks! Images of beautiful jewelry to be purchased at great prices that you can even resell! Personalized handbags made to order! If you have a Facebook account, it is more than likely you have seen many of these and similar posts by “friends” in your news feeds or through sharing or commenting by your friends on others’ posts. Facebook has announced that it will filter out unpaid promotional materials in user news feeds starting in January 2015.
If you run a business that uses social media as an advertising platform, you will need to be aware of these changes. Alternatively, if you have ever wondered how to curb these marketing posts, which seem to increase daily, your wishes may have been heard.
Specifically, Facebook will utilize a new algorithm to filter out posts that advertise products, such as repurposing paid advertisements and promoting sweepstakes or special deals. At first glance, it would appear that this will make it more difficult for entrepreneurs and small businesses to attain new contacts and customers, promote their brand names, and pitch products. However, while this initial fear is legitimate, it may be unwarranted in the long term, as much of the benefit that this free advertising once provided has already started to dissipate.
Unpaid as well as paid promotional posts in social media have been widely and increasingly utilized for well over a decade. The Wall Street Journal recently stated that Facebook was used as the top promotional tool by more than 80% of small businesses utilizing social media. Small businesses have lost much of the glory and benefit that unpaid advertising once provided, as news feeds have been flooded by a plethora of entrepreneurial pitches. The unpaid posts have become less effective at building a marketing channel, as users have become desensitized to the promotional pitches. Increasingly, users scroll quickly through the incessant free marketing to read more personal feeds.
Additionally, the reach of unpaid posts on Facebook has fallen in recent years. Research supports the notion that simply racking up “likes” or posting ads repeatedly does not produce the sales that were initially anticipated. In a Forrester Research Report released in November, it was suggested that on average, fewer than .1% of people interact with each post. Rather than simply acquiring numbers of user “likes”, companies should look at the value of each fan and how to more fully connect with and engage the loyal fan base. Many also believe that there is still some value to having a direct Facebook page where users can access and like the page, take advantage of special promotions, and invite friends to like and partake in the offers.
While unpaid marketing posts will be filtered, Facebook will still offer “promoted posts,” which allow businesses to pay a certain amount, starting at $5 and reaching to several thousand dollars, in order to have posts on their pages viewed by a wider pool of users. Facebook is not the only platform to seek payment for wider distribution. For a fee, Google likewise offers businesses the opportunity to “boost their ranking” in search results. It is likely that if entities have to pay a small fee for advertising, they may take a longer look at the content of the business post or material being promoted to be sure it is interesting and grabs a user’s attention.
Although start-up companies with very little initial cash may take a hit as these rules begin to take effect, small businesses may not see a big difference in the long term. As the saying goes, nothing of value comes for free, and it seems that the value of unpaid advertising has already fallen dramatically. Social media paid advertising is still rather cost effective when compared to other methods of advertising. Although the quantity of posts by businesses may fall, one can also anticipate that small businesses will value the content in each post. In other words, if people are paying to advertise, the quality of each post will likely improve. Small businesses will also look to other social media platforms such as LinkedIn and Twitter or perhaps the next “hot” social media outlet that offers the benefit of unpaid marketing, at least until those platforms likewise become ineffective. Small businesses may still want to use Facebook for advertising, but in a more creative, targeted way and by means of engaging with their fan base. One thing is for certain: the world of social media is ever changing and evolving, and still offers entrepreneurs and small businesses tremendous benefits, which were not present two decades ago. Social media platforms will, however, continue to review and modify the types of advertisements and promotions permitted on their sites.
We’ve all heard the statistics showing obesity rates rising in the U.S. year after year. Most of us are well aware of the billion-dollar diet and weight-loss supplement industry to which millions turn with the hope of finding that one “miracle pill” to help them lose that stubborn belly fat or get rid of those unsightly love-handles. Advertisers should be aware that the Federal Trade Commission has taken an interest in advertising involving weight loss claims. In a 2011 study, the FTC concluded that weight loss product false advertising is the most common type of consumer fraud. More recently, the agency testified on the issue, alongside several witnesses from the advertising industry, during a June 17, 2014 hearing before the Senate Subcommittee on Consumer Protection, Product Safety, and Insurance.
In addition to the FTC representative, witnesses who testified at the hearing included the CEO of a natural products non-profit organization, and the president of the nation’s advertising self-regulatory body. However, one witness received the most attention and the toughest questions from Subcommittee Chair, Senator Claire McCaskill, regarding the problem of deceptive advertising of weight-loss products: television personality, and Oprah-favorite, Dr. Mehmet Oz.
When asked to name the most popular television personality known to talk about green coffee bean extract, raspberry ketones, pure garcinia cambogia, or just weight loss products in general, there’s a good chance that the majority of Americans would name Dr. Oz. Despite his former days as the go-to doctor of Oprah’s talk show, and the celebrity he has become through the popularity of his own daytime television show, Senator McCaskill’s tone revealed how unimpressed she is by Dr. Oz’s “flowery” language, an adjective he used at the hearing to defend his enthusiastic statements when promoting the use of unproven weight-loss products. The Senator expressed her concern with the overreaching statements often made by the doctor, specifically his use of the words “magic” and “miracle” to describe the products he endorses on his show.
To be fair, Dr. Oz is by no means the only source of flowery language when it comes to weight-loss products. Surf the web for five minutes and at least one advertisement for an all-natural weight-loss supplement that melts away fat in a matter of days will have flashed on your screen. And in his defense, Dr. Oz does not appear to promote specific product brands on his show. He also generally adds that any weight-loss enhancement product must be supplemented by a healthy diet and regular exercise. But to Senator McCaskill and the FTC, the problem is too serious not to make an example out of Dr. Oz, especially in light of the fact that some advertisers misleadingly use the Dr. Oz name brand (among others) for product promotion. Voltaire’s saying that with great power comes great responsibility was used more than once at the hearing.
Besides the scolding of one celebrity voice, the FTC appears to have a three-fold strategy for cracking down on what it views as misleading advertising practices.
First, the agency’s law enforcement efforts have included more than 80 weight-loss enforcement actions over the last 10 years, in addition to over $100 million amassed in consumer restitution, and that’s just since 2010. In January of this year, the FTC had its own New Year’s resolution with regard to fighting back against newer fraudulent weight-loss fads, appropriately named “Operation Failed Resolution.”
Second, the FTC also recently delivered a “Gut Check” to respected media outlets: a reference guide containing a list of fraudulent claims often used by those advertising weight-loss products. The goal of the guide is to encourage media outlets to carefully consider whether or not the endorsement of such ads is advisable.
Third, the FTC has issued numerous consumer education resources to teach and inform the public about exaggerated weight-loss product claims. Also, the same day it testified at the Senate Subcommittee hearing, the agency launched an interactive “Challenge” video and game, with the goal of helping consumers understand what’s true and what’s not when it comes to weight-loss products claiming guaranteed results without the added components of diet and exercise.
The FTC’s extensive program to fight what it views as weight-loss scams and fraudulent advertising, in addition to the Subcommittee’s admonishment of “America’s Doctor,” demonstrates that truth in weight loss advertisements remains a top priority for federal regulators and legislators. Organizations offering weight loss products should review their advertisements – whether on the Internet, in print advertisements, or elsewhere – for any potentially unsubstantiated claims. The FTC will remain vigilant regarding health and fitness claims. Advertisers need to be similarly vigilant, because there’s no magic pill that prevents expensive enforcement actions and lawsuits.
The Internet Corporation for Assigned Names and Numbers (ICANN) continues to make significant progress with its implementation of the New generic Top-Level Domain (gTLD) Program. Under the new program, ICANN has added more than 250 new gTLDs to the Domain Name System (DNS) and could add hundreds more in the next several years.
ICANN is a nonprofit organization that was formed in 1998 to coordinate the internet’s address system, promote competition in the domain-name space, and ensure the security and stability of the Domain Name System. Back then, there were a dozen or so Country Code TLDs (ccTLDs) and just eight gTLDs, including the most common top-level domains: .com, .edu, .mil, .net, and .org. As the internet grew, so did the demand for top-level domains. ICANN responded by hosting two gTLD application rounds in 2000 and 2003. Those trial rounds resulted in ICANN’s delegation of 15 new gTLDs and laid the groundwork for greater expansion under the New gTLD Program.
The New gTLD program evolved in two phases: the policy development phase and the implementation phase. The policy development phase was overseen by one of ICANN’s supporting organizations, the Generic Names Supporting Organization (GNSO). For two years, GNSO sought input from various constituencies in ICANN’s global internet community, including government, business, technology, and intellectual-property stakeholders. Participants submitted comments on a range of topics, such as the demand for gTLDs, associated risks and benefits, selection criteria, and allocation. As a result of that process, GNSO issued a set of policy recommendations for implementing the New gTLD Program, and ICANN adopted them in June 2008.
During the subsequent implementation phase, ICANN worked with stakeholders to establish consensus on the application, evaluation and delegation process for the New gTLD Program. Drafts of an Applicant Guidebook were released for public comment and revised to address stakeholder concerns over the protection of intellectual property and community interests, consumer protection, and DNS stability. In June 2011, the ICANN Board adopted the Applicant Guidebook and launched the New gTLD Program.
During the four-month application period, ICANN received 1,930 applications for new generic Top Level Domains. These included submissions from Europe, Asia, Latin America and Africa. More than 100 applications were first-time requests for Top-Level Domains in non-Latin scripts, including Chinese, Greek and the Indian alphabet, Devanagari.
ICANN has already completed its initial evaluation of the submissions. Approved applications are now moving toward “delegation” on a rolling basis. Each applicant must finalize and execute the required contract with ICANN. Then, the applicant must undergo pre-delegation testing. If the applicant meets the relevant technical requirements, ICANN “delegates” the new gTLD by adding it to the root zone database and turning over management of related domain-name registrations to the new registry operator. After that, the registry operator is free to sell second-level domain names under the new gTLD.
As mentioned, ICANN has already delegated more than 250 new gTLDs, with hundreds more to follow. In April alone, the organization delegated more than 50 new gTLDs.
If the expansion “transform[s] the way people use the Internet,” as ICANN hopes, the impacts will probably be most profound for the non-English-speaking world. Indeed, it seems difficult to overstate the New gTLD Program’s transformative potential given ICANN’s addition of gTLDs comprising at least twelve non-Latin scripts. If the rollout continues as expected, millions of people who speak Arabic, Chinese, Hindi, Japanese, Korean, and Russian, will—for the first time—be able to use the internet in their native language.
For a current list of approved gTLDs, visit ICANN’s website.
FDA Says Product Containing No Tobacco is a “Tobacco Product” – FDA Expands Authority to Include E-Puffing
In an effort that Food and Drug Administration (FDA) officials say was motivated by the (Big Brother?) desire “to correct a misperception by consumers that tobacco products not regulated by FDA are safe alternatives to currently regulated tobacco products,” the FDA released proposed regulations this morning that would regulate the rapidly growing e-cigarette market. (The regulations would also regulate cigars, pipe tobacco, nicotine gels, and hookahs.) The long-awaited proposal would subject the $2 billion industry to federal regulation for the first time. The full text of the proposed regulations is available here. A 75-day public comment period follows.
Calls for Regulation and Basis
Last September, 40 state attorneys general wrote to the FDA asking the agency to take all available measures to issue regulations on the advertising, ingredients, and sale to minors of e-cigs. There has been very little regulation of the industry since its inception, partially because the extent of the FDA’s authority to regulate e-cigarettes is not clearly defined. In 2010, the U.S. Court of Appeals for the D.C. Circuit issued an opinion in Sottera, Inc. v. Food & Drug Administration, affirming the district court’s decision that the FDA could not regulate e-cigarettes as a medical device under the Food, Drug & Cosmetic Act and finding that the FDA’s authority is limited to traditional tobacco products. Specifically, the Tobacco Control Act authorizes the FDA to regulate “tobacco products,” giving the agency authority to impose restrictions on their sale, advertising and promotions, and establish other standards for their distribution and production. The term “tobacco product” means any product made or derived from tobacco that is intended for human consumption, including any component, part, or accessory of a tobacco product (except for raw materials other than tobacco used in manufacturing a component, part, or accessory of a tobacco product).
E-Cigarettes are Tobacco Products?
The FDA claims that e-cigarettes contain nicotine and thus derive from tobacco. However, the agency acknowledges in its proposed rules that “the health consequences of e-cigarettes are not well understood because of their relatively new entrance into the market.” Despite its questionable authority and a lack of evidence showing a need for regulation, the FDA nevertheless proposes to subject e-cigarettes to regulation similar to cigarettes and other regulated tobacco products. We expect commenters will urge the FDA to support its jurisdiction over the e-cigarette industry with a sufficient statutory basis. However laudable the FDA’s actions to protect the public may be, agencies may obviously only act pursuant to the specific statutory authority granted by Congress.
Under the proposed rules, companies offering e-cigarettes and the other products deemed tobacco products will now be required to register all their products and ingredients with the FDA, though they would not be required to adhere immediately to specific product or quality control standards. Companies would also be required to submit new and existing products to the FDA for approval. They would have two years from the time the rule goes into effect to submit an application to enable their products to continue to stay on the market or to submit a new product application.
The new regulations would require e-cigs to have health warnings on packaging, though initially the only health warning that will be required is a warning regarding the potential for addiction to nicotine. Manufacturers would be able to market new products only after an FDA review, and scientific evidence would need to be provided before any direct or indirect claim can be made of risk reduction associated with their product. Manufacturers would also be prohibited from selling their products at vending machines unless they are in adult-only venues. The proposed rules would prohibit the offering of free samples. The regulations would also require that the minimum age to buy the products be set at 18 years old.
FDA Showing Some Restraint?
Although the FDA proposal is not as broad as the regulations sought by tobacco-control advocates, FDA officials noted that further restrictions may come in the future. At this point the regulations do not seek to ban the use of flavored e-cigs or restrict online sales or advertising. However, the Federal Trade Commission (“FTC”) is closely monitoring marketing and advertisements from the industry and has the ability to take action against companies that it believes are engaging in deceptive advertising. The proposed rules note that the FDA would consult with the FTC to harmonize their requirements for health warnings.
The FDA proposal also leaves many unanswered questions regarding how new products would be regulated in the long term. Under current law, new tobacco products can be approved if they are “substantially equivalent” to a product that was sold prior to February 15, 2007. It is unclear whether any e-cigarettes were on sale prior to that date that can be used as a benchmark. An FDA official said that it would seek more information during the public comment period to determine whether the substantial equivalence test is valid for e-cigarettes.
The recommendations from the FDA that were released today will be followed by a 75-day public comment period after which the regulations will be finalized. The exact time frame for the regulations to be finalized is unclear and the final rulemaking process could alter the regulations that were proposed today. It may be more than a year before the final regulations take effect. Of course, parties are expected to challenge the FDA’s rules in court, which could further delay any new regulations.
We expect numerous, diverse parties will submit comments, including the scientific/medical community, public interest groups, and industry. The e-cigarette industry, representing a new product, would appear to have the most power to influence the outcome of the rules, because even the FDA acknowledges the product has yet to be studied in depth.
Congress enacted the Telephone Consumer Protection Act (“TCPA”) to protect consumers from unwanted telemarketing, fax marketing, and prerecorded/auto-dialed phone calls. Recently, there has been an explosion in TCPA litigation, including class action litigation. In response, several parties have asked the Federal Communications Commission (“FCC”) to clarify certain of the agency’s TCPA rules to provide relief from TCPA liability in certain enumerated circumstances. Two recent FCC rulings allow certain business communications under the TCPA.
The Cargo Airline Association (“CAA”), a trade association representing companies that deliver packages, filed a petition seeking clarification of the TCPA’s application to auto-dialed or prerecorded package delivery notification calls made to consumers’ wireless phones. The CAA asserted that the FCC should recognize the public interest in receiving time sensitive package notifications. Revised FCC rules that went into effect in October generally require that the sender of prerecorded or auto-dialed calls and text messages to mobile numbers have prior consent from the recipient to receive such calls and texts. If the calls or texts constitute telemarketing, prior express written consent is required.
The FCC granted the CAA’s request to exempt its notifications to consumers subject to certain conditions. In the order, the FCC observed that these notifications “are the types of normal, expedited communications the TCPA was not designed to hinder . . . we believe that consumers generally desire, expect, and benefit from, package delivery notifications.” The FCC order requires that the text messages must be sent only to the telephone number provided by the package recipient, and identify the name and include the contact information of the delivery company sending the message. Furthermore, the FCC’s order limits companies to sending one text message per package per delivery attempt. The notifications also cannot contain any advertising content and must provide consumers the ability and information on how to easily opt out of receiving future notifications.
In the second ruling, the FCC granted a petition by GroupMe concerning how consent is obtained. GroupMe is an app that allows users to create text message based group chats. A user who wants to create a group chat using GroupMe’s service must register with GroupMe and agree to its terms of service. The terms of service require the group creator to represent that each individual added to the group chat has consented to receive the text messages. In its petition to the FCC, GroupMe asked the FCC to clarify that consent to receive certain calls or text messages could be given through an intermediary, such as a group chat organizer.
The FCC granted GroupMe’s petition allowing for consent to be obtained through an intermediary. Interestingly, the FCC acknowledged in its order that “the TCPA is ambiguous as to how a consumer’s consent to receive an auto-dialed or prerecorded non-emergency call should be obtained.” However, the FCC stressed that this ruling does not mitigate the duty to obtain prior express consent of the called party. Further, a company can still be held liable even when relying on the assertion of an intermediary that a consumer has consented. The order states that, “[w]e further clarify that where the consumer has agreed to participate in a GroupMe group, agreed to receive associated calls and texts, and provided his or her wireless telephone number to the group organizer for that purpose, the TCPA’s prior express consent requirement is satisfied with respect to both GroupMe and the group members regarding that particular group, but only regarding that particular group.” Companies seeking to obtain consent through an intermediary should consider this potential liability when deciding if, or how to, rely on consent given by an intermediary. Companies may want to consider contractual representations and warranties and indemnifications where a third party obtains consent.
These two orders by the FCC represent positive news for businesses that utilize texts and prerecorded/auto-dialed communications. The orders eliminate some of the uncertainty surrounding compliance with the TCPA in the circumstances addressed by the FCC. While the agency has taken numerous enforcement actions against TCPA violators and promulgated strict rules, these recent rulings indicate that the FCC recognizes that there are circumstances in which strict interpretations of the TCPA and/or FCC rules do not comport with the realities of business communications. Companies should note, however, that these rulings are limited to the particular situations presented by the petitioners. Due to the enormous potential liability for violating the TCPA, companies should continue to review their policies and practices and make sure they are in compliance with all regulations before initiating any covered TCPA communications, including prerecorded and auto-dialed calls and texts to mobile phones, prerecorded telemarketing to residential lines, facsimile advertising, and live telemarketing.
A California court ruled earlier this month that Overstock must pay a roughly $6.8 million penalty to settle claims that the retailer “routinely and systematically” made false and misleading claims about the prices of its products on its website. If upheld, this ruling could have significant effects on how companies use price comparisons in advertisements in the future.
A group of California District Attorneys sued Overstock in 2010 for $15 million, alleging that Overstock was deceptive in the way it determined and displayed price comparisons on its website. Overstock used a comparative advertising method based on price, commonly referred to as “advertised reference prices” or “ARPs,” that showed the price of a certain product on Overstock compared to the price of the same product from a different retailer. The lawsuit alleged that the ARPs that Overstock used were false or misleading because Overstock employees chose the highest price that they could find as an ARP or constructed ARPs using arbitrary formulas. The lawsuit alleged that as a result of Overstock’s method of constructing its ARPs, its savings comparisons were inflated.
A California state judge’s tentative ruling earlier this month levied civil penalties against Overstock of just over $6.8 million. The court dismissed some of the claims in the lawsuit, but found that Overstock’s pricing comparison violated the state’s laws on unfair competition and false advertising.
The court also issued an injunction that prohibits Overstock from comparison price advertising unless it is done in conformity with a lengthy set of court mandated practices outlined in the opinion. Among those requirements, the court ordered that Overstock explain its pricing more clearly on its website, including a disclosure of how it computes the price comparisons. The ruling also prohibits Overstock from setting average retail prices based on anything other than the actual retail price offered in the marketplace.
Overstock has said that they plan to appeal the court’s ruling by arguing that the court’s decision is misreading California law and is holding the company to a higher standard than other e-commerce sites. If this ruling is upheld, this could have a significant ripple effect on retail advertising for both online and brick-and-mortar businesses. Almost every state has a law regarding deceptive pricing in advertisement, and the Federal Trade Commission also has jurisdiction to pursue claims against deceptive advertising in price comparisons. Companies need to be aware if they are using comparative price advertising that those advertisements, and the formulas for determining the prices on those advertisements, will be scrutinized by government agencies.
By Michelle Cohen, CIPP-US
On January 28th, in an effort to raise awareness of privacy and data privacy, the United States, Canada and 27 countries of the European Union celebrate International Data Privacy Day. Many organizations use Data Privacy Day as an opportunity to educate their employees and stakeholders about privacy-related topics. With the recent, high-profile data breaches at Target, Neiman Marcus, and potentially, Michaels, the need for training and instruction on data security is more critical than ever before. In this vein, we’ve set forth our views on what we see as the year ahead in legal developments relating to data security and what companies can do to prepare.
Legislation Introduced but on the Move?
Data security and data breaches will continue to be the focus of regulators and Congress through 2014. In fact, Congress summoned Target’s Chief Financial Officer to appear before the Senate Judiciary Committee on February 4th and a House committee is seeking extensive documents from Target about its security program. Meanwhile, Senator Leahy re-introduced data breach legislation which would set a federal standard for data breach notifications (most states now require notifications, though the requirements differ state-to-state).
Senators Carper and Blunt introduced a separate bipartisan bill intended to establish national data security standards, set a federal breach notification requirement, and also require notification to federal agencies, police, and consumer reporting agencies when breaches affect more than 5,000 persons. Many companies have suffered data breaches and then faced civil lawsuits under various causes of action, including allegations that they did not notify customers promptly. As a result, there may be strong support for federal standards rather than facing a patchwork of state laws. While the Target breach has certainly renewed interest in data security, and we expect Congress will conduct numerous hearings, ultimate passage of data breach legislation this Congress is still probably a longshot.
Watching Wyndham Take on FTC
As covered in this blog, various Wyndham entities have struck back at the FTC, challenging the FTC’s authority to bring an action against Wyndham for alleged data security failures. The Wyndham entities claim that the FTC may not set data security standards absent specific authority from Congress. Yet, with Congress having not set data security standards thus far, the court in oral arguments seemed concerned about leaving a void in the data security area. Wyndham’s motion to dismiss remains pending in federal court in New Jersey. Most observers think the court will be hard pressed to limit the FTC’s authority under Section 5 of the FTC Act, which broadly prohibits “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce” and provides the FTC with administrative and civil litigation enforcement authority. The agency has used this administrative authority with great success, bringing numerous data privacy actions that usually result in settlements by companies rather than risk further litigation expenses, penalties, and reputational damage. We think the FTC will remain vigilant in this space, including attention on the security of mobile apps.
Class Actions Jump on Breaches
Whether breaches affect Sony PlayStation, Adobe, Target, or some other company, the class action firms have been busy filing lawsuits based upon data breaches. For example, by year end, at least 40 suits had already been filed against Target, with seven filed the day Target disclosed the breach. The plaintiffs use various theories – including violations of consumer protection statutes, negligence, fraud, breach of contract, breach of fiduciary duty, invasion of privacy and conversion. But, if a consumer’s information was potentially breached, yet nothing happened to the consumer as a result, does that consumer have cognizable damages? That has been a huge sticking point for these lawsuits. Yet, the class action lawyers will continue to file these suits and some companies will settle to avoid further reputational damages and litigation expenses.
Don’t Count out the States
States have taken the lead in setting data breach notification standards, and in some cases data security requirements. For instance, in March 2010, Massachusetts enacted strict data security regulations. Organizations that own or license personal information of Massachusetts residents are required to develop and implement a written comprehensive information security program (“CISP”) to protect that information. Almost all of the states have standards setting forth what types of information are covered by data breaches, who gets notified, what content goes in the notifications, and the timing of the notifications. Multiple states are investigating the Target breach; certainly less well-known breaches get state regulators’ attention as well. We predict the states will continue to be active regulators and enforcers of data security and data breaches, and will likely continue to “rule the roost” while federal legislation lags behind.
Preparation and Training Still Key
We’ve said before that, unfortunately, no company is immune from data breaches. Companies cannot assume that they have the best anti-malware or security features and that these other newsworthy breaches resulted from lapses that would not apply to them. Whether it is a sophisticated hacker or, more commonly, a well-meaning but negligent employee, data loss and data breaches will occur. All organizations should have procedures in place NOW to prevent data loss and to prepare for a breach. This includes IT, human resources, legal, and communications resources. Companies should designate a “data security/data breach” team with representatives from these key departments (working with outside counsel and other privacy breach specialists when needed). The team should meet periodically to review procedures, recommend improvements, and engage in periodic training on data security.
We can’t stress employee training enough. An employee who, for instance, wants to finish a project at home after stopping by the gym might download information that contains sensitive personal information onto a flash drive. Let’s say the gym bag gets stolen, along with the flash drive. Well, the employee’s unlucky company may now have a huge data breach situation on its hands requiring notices to customers, state attorneys general, and potential litigation and other expenses (such as paying for credit monitoring, now industry standard). Employees need training about securing sensitive information – from shredding documents instead of putting them in the dumpster, to encrypting information that is being taken offsite, to avoiding “phishing” scams, to having unique passwords they change periodically. According to recent reports, “password” and “123456” are still among the most popular passwords. While data breaches cannot be avoided completely, we can ameliorate some risks with better practices in our organizations.
FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current
Once again using its administrative litigation process, the Federal Trade Commission (“FTC”) announced settlements with twelve large businesses, including the Atlanta Falcons and Denver Broncos football teams, the Baker Tilly accounting firm, BitTorrent, Inc., a peer-to-peer file sharing protocol, Level 3 Communications (one of the largest Internet service providers in the world), and Reynolds Consumer Products, all relating to alleged deceptive claims of U.S.-E.U. Safe Harbor certifications.
The “Safe Harbor” certification, overseen by the U.S. Department of Commerce, is a voluntary privacy certification; however, it requires an annual reaffirmation to maintain “current” certification status. The FTC filed complaints against these companies alleging that the organizations made statements in their privacy policies or displayed the Safe Harbor certification mark indicating that they held current Safe Harbor certifications, even though these companies had allowed their certifications to lapse. The European Commission has recently criticized what it views as lax enforcement of the Safe Harbor process in the U.S., and issued a report with recommendations for improvements. The European Commission will review its participation in the Safe Harbor framework in a decision to be issued by summer 2014.
The process is entirely voluntary. Once a company self-certifies to the Department of Commerce and Commerce reviews and accepts the filing, a company may state that it has certified compliance with the Safe Harbor. Most companies state this certification in their privacy policies. Organizations may use the Safe Harbor “seal” on their websites and elsewhere. Annually, by the anniversary of its original filing date, a company must “reaffirm” its compliance in order for its certification to remain current.
The FTC’s action this week alleges that the twelve companies stated that they held current certifications under the U.S.-E.U. (and in three cases, the similar U.S.-Swiss) Safe Harbor frameworks, when in fact the certifications were not current. Companies which have self-certified compliance with the Safe Harbor framework should check their certifications to ensure they are up-to-date with their annual reaffirmations. The Department of Commerce maintains a public database listing the status of every self-certifying company. While the annual reaffirmation is not an overly taxing task, the FTC’s settlements with these companies demonstrate that the agency is taking its Safe Harbor enforcement role seriously and that it is monitoring compliance.
While the proposed settlements do not contain monetary penalties, the companies are barred from any further misrepresentations about their participation in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The organizations must also maintain relevant advertisements and promotional materials for five years, and the consent order (once approved) would be in place for 20 years. The proposed settlements are subject to public comment for 30 days and then require final approval of the FTC commissioners.
In privacy law and FTC enforcement, in particular, a guiding principle is “if you say it, do it, and if you don’t do it, don’t say it.” The FTC’s action on Safe Harbor enforcement is a good lesson – companies should review their privacy policies to make sure they are up-to-date, accurate, and reflect current practices, including ensuring any certifications are up-to-date. While the U.S.-EU Safe Harbor certification is voluntary, companies must complete their annual reaffirmations on time or risk enforcement.
On October 16, 2013, two changes will go into effect in the rules implementing the federal Telephone Consumer Protection Act (TCPA). Importantly, these rules impose stricter requirements on mobile messaging and prerecorded telemarketing calls. The rule changes, announced back in February 2012, may spur further litigation concerning the scope of the TCPA. All businesses should review the new requirements to ensure compliance or risk significant potential litigation expenses and negative publicity.
TCPA litigation has been increasing significantly in recent years. The number of TCPA-related cases filed in 2012 increased by 34 percent compared to 2011 and was more than three times the number of cases brought in 2010. Part of the reason for the uptick in TCPA litigation is the increasing use of mobile messaging, combined with the enormous potential damages possible under the statute. Every individual text, call or fax that is found to be in violation of the TCPA can result in damages from $500 to $1,500 and there is no limit on the number of violations that can be included in an individual suit. The Federal Communications Commission (FCC) and state attorneys general, as well as private litigants, may also enforce the TCPA.
Some major companies have been hit with significant penalties under the TCPA. In May, Papa John’s International agreed to pay $16.5 million as part of a settlement of a TCPA class action stemming from claims that the company sent unsolicited text messages to more than 200,000 people through a third-party marketer. Steve Madden and Domino’s Pizza have also both reached settlements this year agreeing to fines of nearly $10 million to settle TCPA claims.
The two changes going into effect in October are as follows. One exception from liability under the TCPA for phone calls or text messages using an autodialer or a prerecorded message is for those that are made with “prior express consent.” Under the new interpretation from the FCC of the prior consent exception, with limited exceptions, a business can only invoke the prior express consent exception for autodialed or prerecorded calls to a mobile phone or for prerecorded telemarketing calls to a residential line if the called party has physically or electronically signed an agreement that clearly authorizes calls or texts to be made to their phone number by that particular sender. Additionally, a recipient’s signing the agreement must be optional and cannot be tied to the purchase of any goods or services.
The other significant change to the TCPA rules is the elimination of the “established business relationship” exception for prerecorded telemarketing calls to residences. Previously, businesses could avoid TCPA liability for prerecorded telemarketing calls that otherwise were prohibited by claiming that they had an established business relationship with the consumer by virtue of a previous purchase or other business interactions. The new regulations have eliminated this exemption, meaning businesses are now required to obtain written consent for all prerecorded telemarketing to residential phone numbers, even those that are for previous customers. With this change, the FCC followed the Federal Trade Commission (FTC), which made a similar express consent requirement under the Telemarketing Sales Rule for prerecorded telemarketing calls a few years ago.
As some of the recent cases have shown, businesses can face enormous potential liability under the TCPA, including liability for actions of third-party marketers acting on their behalf. The statistics demonstrate that plaintiffs’ lawyers are aggressively pursuing TCPA actions, and the changes in the rules may lead to yet more TCPA cases. Given the changes that will go into effect in October, businesses should review their TCPA policies to ensure that they are in compliance, so that they can avoid the possibility of paying onerous penalties.