Ad Law Access

Ad Law Access

Updates on consumer protection trends, issues, & developments

CFPB Proposes Rule on Prepaid Products to Extend Certain Credit Requirements and Mandate Disclosures

Posted in Retail

The Consumer Financial Protection Bureau released last week a proposed rule that would impose an array of new requirements on prepaid accounts. The proposed new definition of “prepaid account” would include general purpose reloadable cards, electronic or mobile accounts that can store funds such as PayPal accounts, payroll cards, and certain government benefit cards, but not include closed-loop gift cards. Many of the new requirements are rooted in existing requirements for credit accounts under the Bureau’s Regulations E and Z. Additionally, the Bureau is proposing to require prepaid account issuers that offer overdraft services to consider the consumer’s ability to repay the debt before offering overdraft protection or other credit services.

Generally Applicable Requirements

The proposed rule would require all prepaid account issuers to comply with a multitude of new requirements, including:

  • Short form and long form disclosures. The Bureau proposes to require prepaid account issuers to provide both short form disclosures, which would highlight key fees that the Bureau believes to be the most important to consumers, and long form disclosures, which would list the entirety of fees and conditions related to a prepaid account. Both forms of disclosure would generally be required prior to the customer acquiring the account, with certain exceptions for sales over the phone or in retail stores. The Bureau also provided model forms for the disclosures that would provide a safe harbor for compliance with the disclosure requirements.
  • Provision of account and transaction information. The Bureau proposes to extend existing Regulation E requirements regarding the provision of transaction information to all prepaid accounts. The rule would require financial institutions to either provide periodic statements, or make available account balance and certain transaction history.
  • Error resolution and limited liability. The Bureau also proposes to extend requirements, with certain modifications for timing, that limit consumers’ liability for unauthorized transactions and require financial institutions to work with consumers to resolve account errors.

Requirements for Overdraft Services and Credit Features

The proposed rule would also extend certain requirements specifically to prepaid account issuers that offer overdraft services or credit features in connection with prepaid accounts. For example, an issuer offering overdraft services would be required to evaluate a consumer’s ability to repay a debt prior to offering overdraft protection or another credit feature in connection with a prepaid account. Additionally, issuers of these types of accounts would be required to give consumers at least 21 days to repay their debt before being charged a late fee, and would be subject to other limitations on interest and fees.

Comments

The proposed rule will be published in the Federal Register shortly. Comments are scheduled to be due 90 days after publication.

The Year of the Breach: California Attorney General Releases 2013 Data Breach Report

Posted in Privacy and Information Security, Retail

On Tuesday, the California Attorney General released the second annual data breach report, summarizing the 167 data breaches reported to the Attorney General’s office in 2013, and providing privacy and security recommendations for businesses. According to the report, the retail, finance, and healthcare industries reported over 60 percent of the 167 breaches, over half of which were the result of malware and hacking. The breaches affected 18.5 million California residents – a 600 percent increase over the 2.5 million records breached in 2012, and 84 percent of those records were the result of retail industry breaches.

The report provides several recommendations for businesses directed towards improving security and notification measures, including the following three non-sector-specific recommendations: (1) conduct risk assessments at least annually and update privacy and security practices based on the findings; (2) use strong encryption to protect personal information in transit; and (3) improve the readability of breach notices. Additionally, the report recommends that the healthcare industry consistently use strong encryption to protect medical information on laptops and other portable devices, and consider it for desktop computers. Importantly, the report also includes the following six recommendations specific to the retail industry, suggesting that the Attorney General considers the security measures and breach response actions of the retail industry, to date, inadequate:

  1. Update point-of-sale terminals so that they are chip-enabled and install the software necessary to operate this technology.
  2. Implement appropriate encryption solutions to devalue payment card data, including encrypting data from the point of capture until the completion of transaction authorization.
  3. Implement appropriate tokenization solutions to devalue payment card data, including in online and mobile transactions.
  4. Respond promptly to data breaches and notify affected individuals in the most expedient time possible and without unreasonable delay.
  5. Improve substitute notice, such as by placing a prominent and conspicuous link to the notice on the website homepage, leaving the link and notice up for at least 30 days, publishing the notice in the most expedient time possible and updating it as the business learns more, and telling consumers what they can do to protect themselves.
  6. Work with financial institutions to protect debit card holders in breaches of unencrypted payment card data.

Finally, the report suggests that the state consider legislation (1) to amend the breach notification statute to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and maintainers, and require a final breach report to the Attorney General; and (2) to provide funding to support system upgrades for small California retailers. As it appears no longer a question of “if” but rather “when” a breach will occur, businesses should continue to evaluate and modify their privacy and security practices to ensure compliance with these recommendations and all legal obligations.

FTC Claims that AT&T Failed to Deliver on ‘Unlimited’ Data Promises

Posted in Federal Trade Commission

Yesterday, the Federal Trade Commission (“FTC”) filed a complaint in the U.S. District Court for the Northern District of California against AT&T Mobility, LLC (“AT&T”) over claims that AT&T violated Section 5 of the FTC Act by engaging in unfair and deceptive practices relating to the company’s “unlimited” data plans. The FTC asserts that AT&T has misled millions of its customers by marketing and selling “unlimited” data plans, while reducing data speeds for certain unlimited plan customers by up to 90 percent through a practice known as “throttling.”

The FTC’s complaint alleges that AT&T failed to adequately disclose to its customers who purchased unlimited data plans that, once a customer uses a certain amount of data (two gigabytes, in some cases) in a given billing cycle, AT&T reduces, or “throttles,” the customer’s data speeds so that popular smartphone applications such as GPS navigation and streaming video fail to function as intended. The FTC asserts that AT&T has been throttling data speeds for unlimited data customers since 2011, and has throttled at least 3.5 million customers a total of more than 25 million times.

According to the complaint, AT&T’s practices were unfair under Section 5 of the FTC Act because AT&T changed the terms of customers’ unlimited data plans while customers were still under contract, and then charged early termination fees (“ETFs”) to customers who attempted to cancel their unlimited plan as a result of the reduced data speeds. The FTC also argues that AT&T’s practices were deceptive under Section 5 because AT&T’s advertising and sales materials failed to adequately disclose the nature and scope of the throttling program.

A statement posted to the AT&T website calls the FTC’s allegations “baseless” and states that AT&T informed all unlimited data-plan customers about the data limits and throttling “via bill notices and a national press release that resulted in nearly 2,000 news stories, well before the program was implemented.”  The statement also indicates that the throttling program has affected about 3 percent of customers, and such customers are notified by text message before throttling is imposed.

The FTC’s lawsuit seeks to stop AT&T from using data throttling on customers who have been promised unlimited data plans. The FTC is also seeking refunds for customer who paid ETFs when they cancelled their unlimited data plans after their data was throttled. In its press release announcing the complaint, the FTC noted that FTC staff have worked closely on the matter with the staff of the Federal Communications Commission.

 

FTC Supports NHTSA’s Approach to Privacy in V2V Rulemaking

Posted in Uncategorized

Last week, the FTC stated support for the National Highway Traffic Safety Administration’s (“NHTSA’s”) approach to privacy and data security within the NHTSA’s proposed regulation relating to vehicle-to-vehicle (“V2V”) communications. The proposed rule, which would incorporate V2V technology into passenger cars and light trucks by 2019, is intended to enhance driver safety by aggregating and sharing data (such as a vehicle’s speed) from surrounding vehicles to generate safety warnings for drivers.

In a comment responding to the NHTSA’s proposed rule, the FTC noted three primary concerns relating to V2V communications, as described during the FTC’s “Internet of Things” workshop in November 2013:

  • The ability of connected car technology to track consumers’ precise geolocation over time;
  • Information about driving habits used to price insurance premiums or set prices for other auto-related products, without drivers’ knowledge or consent; and
  • The security of connected cars, including the ability for third-parties to remotely access a car’s internal computer network

According to the FTC, the NHTSA’s V2V proposed rulemaking appropriately addressed these concerns through a deliberative, process-based approach that included collaboration with multiple industry and consumer stakeholders. The FTC also noted that the NHTSA designed the proposed V2V system to limit the data collected and stored to that which serves the intended safety purposes, and to ensure that the collected data cannot be used to identify a particular individual or vehicle. Lastly, with respect to the security of the collected data, the FTC supports the NHTSA’s decision to help mitigate the potential for unauthorized access to data by keeping the V2V device separate from other onboard computers.

 

FTC Continues Green Guides Enforcement with Warning Letters

Posted in Federal Trade Commission

The Federal Trade Commission announced this week that it recently sent warning letters to 15 marketers of plastic waste bags advertised as being “oxodegradable,” “oxo biodegradable,” or “biodegradable.”  “Oxodegradable” and similar terms refer to an additive applied to the bag to enhance biodegradability in the presence of oxygen.  The letters, which are not available publicly, express concern that such claims convey to consumers that the bags will break down quicker than standard plastic bags.  In fact, the FTC alleges that many such products will not biodegrade any faster than standard plastic bags given the lack of oxygen in many disposal environments.  As such, staff is concerned that the products would not meet the standard required for “biodegradable” claims per the FTC’s Green Guides, which is total decomposition under normal disposal conditions, i.e., landfill, within in one year.  The recipients of the letters have not been disclosed, however the FTC has stated that they had until October 21 to respond.

For those companies that received the letters, close examination of the claims and supporting evidence is paramount.  Companies that fail to sufficiently respond to the warning letters create risk of follow up enforcement.  Companies making environmental benefit claims that did not receive a warning letter should also take notice, however.  The FTC has been actively enforcing its Green Guides this past year – which we have covered here, here, and here – and there is no guarantee that a warning letter will precede initiation of a more formal investigation.

Retailers Face Legal Challenges Over Advertising Prices

Posted in Retail

Retailers have had a tough year when it comes to advertising prices. In January, a California court issued a multimillion dollar penalty against Overstock.com, after determining that the company advertised discounts in a misleading manner. Since then, retailers across a range of industries have been dragged into costly lawsuits and regulatory investigations involving similar issues. If you’re wondering how something as mundane as advertising the price of an item could lead to so much trouble, it’s because the issue is more complicated than most people think.

To learn more, read my article in RetailingToday.

Call Me, Maybe? – A Webinar on Key TCPA Developments

Posted in Telemarketing and Call Center Operations

As companies draw on mobile delivery platforms, cloud-based technologies, and third-party vendors to become more sophisticated in their use of telemarketing, autodialer, and text message campaigns, the business risks and potential for class action lawsuits have greatly increased. The Telephone Consumer Protection Act of 1991 (TCPA) has emerged as a cottage industry with plaintiffs’ attorneys routinely filing class action lawsuits seeking multi-million dollar claims and settlements. The FTC also has not shied away from rigorous telemarketing enforcement under its rules against major big brands and calling platforms, including with theories that are based upon an expansive third party liability interpretation of the agency’s enforcement powers.

Yesterday my litigation partner Lauri Mazzuchetti and I teamed up with Ken Sponsler of CompliancePoint to cover the latest developments and hot topics related to TCPA compliance and litigation, and strategies to consider when defending such matters.  If you missed this 2-hour deep dive into the issues, you can listen to the recording here. And if you would like to stay up to date on this topic, you may also wish to sign up for our TCPA Tracker newsletter so you can receive monthly updates on the latest happenings related to TCPA litigation and compliance.

FTC Sends Warning Letters on Disclosures

Posted in Advertising, Federal Trade Commission

This week, the FTC announced that the agency had sent warning letters to more than 60 companies — including 20 of the 100 largest advertisers in the country — addressing how the companies make disclosures in ads. According to the letters, FTC staff “recently reviewed more than a thousand national magazine and television advertisements to identify advertisements that raise disclosure issues and to share [its] concerns with the companies responsible for the ads.”

The letters outline the FTC’s position on what it believes is required for a disclosure to be clear and conspicuous. Among other things, the letters state that “advertisers should use clear and unambiguous language and make the disclosures stand out. Consumers should be able to notice the disclosure easily; they should not have to look for it.” The FTC also discussed factors that advertisers should consider when evaluating disclosures, including where the disclosures are placed, the font size, and how well they contrast against the background.

In the warning letters, the staff identified problematic ads, recommended that advertisers review their ads to ensure that any necessary disclosures are truly “clear and conspicuous,” and asked them to notify the staff “of what actions you have taken or intend to take in response to this letter to ensure your company’s compliance with the FTC Act.” According to the FTC’s press release, the “response to staff’s letters has been extremely positive.”

If you received a letter from the FTC, you’ve likely already told the agency of what you plan to do ensure your disclosures comply with the law. If you didn’t receive a letter, you should nevertheless use this as an opportunity to review your own disclosure practices. The FTC is clearly focused on this issue, and these types of warning letters can often be a signal that enforcement lies ahead.

Marketing Consultant May Be Held Liable Under TCPA for Its Third-Party Marketer’s Unsolicited Text Messages

Posted in Advertising Litigation, Telemarketing and Call Center Operations

Last Friday, the U.S. Court of Appeals for the Ninth Circuit held that a marketing consultant for the United States Navy – the Campbell-Ewald Company – could be held liable for a third-party marketer’s violations of the Telephone Consumer Protection Act (“TCPA”) arising out of the transmittal of unsolicited text messages.

The Navy hired Campbell-Ewald to develop and execute a multimedia recruiting campaign and the parties agreed that, as part of the marketing campaign, Campbell-Ewald would send text messages to cellular users that had consented to receive the recruitment solicitation.  Campbell-Ewald outsourced the text message dialing to a company called Mindmatics which was responsible both for generating the list of phone numbers to be dialed and for physically transmitting the text messages.  In the suit, the plaintiff claimed that he did not consent to receipt of the message and alleged that Campbell-Ewald violated the TCPA.  The plaintiff did not name the Navy or Mindmatics as a defendant.

Continue Reading

CPSC Tags Retailer With $2M Civil Penalty and Enhanced Compliance Program for Allegedly Distributing Recalled Products

Posted in Consumer Product Safety

Retailer superstore Meijer Inc. is on the hook for allegedly distributing recalled consumer products. In a press release dated September 17, 2014, the Consumer Product Safety Commission (“CPSC”) announced the hypermarket operating 24-hour stores and gas stations in various Midwestern states has agreed to settle charges that it knowingly sold and distributed recalled consumer products. Meijer has agreed to pay a $2 million civil penalty and to implement an enhanced “reverse logistics” compliance program. This settlement signals heightened scrutiny and new channels of enforcement for retailers.

Between April 2010 and April 2011, Meijer allegedly distributed at least twelve separate recalled consumer products, totaling approximately 1,692 individual units of recalled products. The recalled products consisted of various household items and children’s products, including oscillating ceramic heaters, toddler tricycles, vacuum cleaners, and baby rattles. According to the settlement agreement, Meijer claimed the sale and distribution of the recalled items was inadvertent and occurred without Meijer’s knowledge. Meijer had outsourced the disposition of recalled products to a reverse logistics system operated by a third party, and believed that adequate safeguard had been in place to prevent recalled products from being distributed into commerce.

The CPSC thought otherwise. In addition to the $2 million civil penalty, the CPSC is requiring that Meijer implement an enhanced reverse logistics compliance program with the following components:

  • Written standards, policies, and procedures for the appropriate disposition of recalled goods;
  • Mechanisms to communicate product safety policies and procedures to employees;
  • Management oversight of the program, including a mechanism for confidential reporting to a Meijer official;
  • A policy to retain reverse logistics records related to recalled product collection and disposition for at least 5 years after the recall date; and
  • Availability of such records to the CPSC upon request.

This settlement follows the CPSC’s announcement last July of recalled products that were continuing to be sold or resold by Best Buy and certain affiliated entities. The CPSC did not impose a civil penalty against Best Buy or require an enhanced compliance program. In light of these two announcements, retailers should carefully review their compliance protocols to ensure recalled products are not reentering the stream of commerce.