Ad Law Access

Ad Law Access

Updates on consumer protection trends, issues, & developments

Kentucky Enacts Data Breach Notification Law

Posted in Privacy and Information Security

Last week, Kentucky enacted a data breach notification law, becoming the 47th state to require notice to consumers in the event of a breach of unencrypted personally identifiable information. The law’s author, Representative Steve Riggs (D-Louisville), stated that he drafted the bill in response to learning that his state was one of only four (including Alabama, New Mexico, and South Dakota) that did not have a data breach notification law on the books. The new law will become effective in July.

The law sets forth a high standard on whether a breach has occurred. Specifically, it requires a company to notify Kentucky residents any time that it reasonably believes there is an unauthorized acquisition of unencrypted personally identifiable information that actually causes, or leads the company to reasonably believe has caused or will cause, identity theft or fraud. The statute defines personally identifiable information as an individual’s first name or first initial and last name, in combination with their Social Security number, driver’s license number, or financial account information and the required access code/password. Regulator notice is not required, but credit reporting agency notice is required in the event the breach affects more than 1,000 Kentucky residents.

While there have been many calls for a federal data breach notification law, particularly in the wake of the recent high-profile retailer breaches, for the time being, companies will have to consider the various state laws (as well as those of D.C., Guam, Puerto Rico, and the Virgin Islands) in the event of a data breach.

Beretta Sued Over Elvis-Themed Ad Campaign

Posted in Advertising, Intellectual Property, Right of Publicity

Last week, we posted that White House had objected when Samsung used President Obama’s image in a tweet. And before that, we posted that Michael Jordan had objected when Jewel-Osco used his name and a picture of his iconic shoes in ad. Now, the estate of Elvis Presley has filed a new lawsuit alleging that Beretta used the name and image of the legendary singer (and gun enthusiast) to promote its new Beretta 692 competition shotgun.

The Italian gun-maker featured Elvis imagery in various ads, including the one below, and hired Elvis Elvisimpersonators to appear at various events. (Catch a video here before it’s taken down.) According to the complaint, Beretta’s unauthorized use of the Elvis imagery “falsely indicated to the purchasing public that Beretta, its business, and its goods were somehow sponsored, endorsed, or approved by plaintiff . . . .” This caused injury to the estate “by depriving the plaintiff of its right to control the usage of its property and to derive monetary benefit from authorized usage of such property.” The estate seeks an injunction and monetary damages.

This case serves as a reminder that a celebrity’s right of publicity can extend beyond the grave. A number of states — including Tennessee — have statutes that explicitly recognize a post-mortem right of publicity. Even in states without these types of statues, the estates of celebrities may have certain common law rights. If you want to use a celebrity in your ad campaign — regardless of whether that celebrity is dead or live — make sure you check with your legal team first.

Wyndham Hits a Wall in Challenge to FTC Data Breach Authority

Posted in Federal Trade Commission, Privacy and Information Security

Earlier this week, a federal district court in New Jersey issued an opinion ruling on Wyndham Worldwide Corporation’s and three of its subsidiaries’ (collectively “Wyndham’s”) motion to dismiss, finding for the FTC on all grounds.  While the court noted that the “decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” the opinion underscores the risk exposure for companies that incur a data breach (or otherwise collect/store consumer data), and face FTC scrutiny thereafter as to whether their information safeguard practices are consistent with FTC expectations.  While the FTC has reached over 50 data security settlements, this case represents the first time that the FTC is litigating its theory that a business’s privacy and data security practices may be unfair and/or deceptive under Section 5 of the FTC Act. Continue Reading

Senate Overwhelmingly Confirms Terrell McSweeny to FTC

Posted in Advertising, Federal Trade Commission

On Wednesday, the Senate, in a 95-1 vote (with Senator David Vitter (R-LA) abstaining), confirmed Terrell McSweeny as FTC Commissioner. Commissioner McSweeny testified before the Senate Commerce Committee in September 2013, but the Committee did not vote to present her nomination to the full Senate until November, due in part to the government shutdown. She will become the fifth Commissioner and third Democrat on the five-member Commission, giving the Democrats the majority once again.

As discussed in our client advisory, in her testimony before the Senate Commerce Committee, Commissioner McSweeny expressed an interest in protecting vulnerable populations (seniors, veterans, children, and the financially distressed) as well as teenagers who, because they are over age 13, fall outside of the protections of the Children’s Online Privacy Protection Act. Prior to her nomination, Commissioner McSweeny served as senior counsel of competition policy at the Department of Justice’s Antitrust Division and expressed an interest in privacy issues. With five members, votes split along party lines will now no longer result in Commission inaction because the Democrats would have the majority.

FTC Charges with “Jerk-Like” Practices

Posted in Federal Trade Commission, Privacy and Information Security

Yesterday, the Federal Trade Commission (FTC) announced that it is charging the operators of the so-called social-networking personal reputation site “” for engaging in deceptive representations in violation of the FTC Act. According to the FTC’s administrative complaint, and its owner, Napster cofounder John Fanning, misled consumers into believing that profiles, labeling people a “jerk” or “not a jerk,” were created by other users of the site, when in fact and Fanning created the vast majority of profiles by improperly harvesting information through one of Facebook’s application programming interfaces (APIs), and downloading names and photographs of Facebook users.

Facebook permits third-party developers to integrate websites and applications with Facebook. Developers are also permitted to access data for all Facebook users through Facebook’s APIs. Developers that use the Facebook platform, however, must agree to Facebook’s polices. The FTC contends that and Fanning used Facebook’s platform in violation of Facebook’s policy terms, which include:

  1. obtaining users’ explicit consent to share certain Facebook data;
  2. deleting user information obtained through Facebook once Facebook disables the developer’s access;
  3. providing an easily accessible mechanism for consumers to request the deletion of their Facebook data; and
  4. deleting information obtained from Facebook upon a consumer’s request.

The FTC also asserts that and Fanning falsely claimed that consumers could revise their online profiles by paying a $30 membership fee. The complaint alleges that, in numerous instances, consumers who paid the membership fee received nothing in exchange. Consumers were also charged a $25 fee to email’s customer service department, making it difficult for consumers to contact with complaints and take-down demands. The complaint charges and Fanning with two counts of deceptive acts or practices in violation of Section 5(a) of the FTC Act. The first count is for deceptive representations regarding the source of’s content, and the second count is for deceptive representations regarding’s membership. The FTC is seeking an order barring the defendants’ deceptive practices, prohibiting them from using the personal information they improperly obtained, and requiring them to delete the information.

As companies increasingly integrate their websites and applications with Facebook’s APIs, this case is a good reminder that organizations should review Facebook’s policies, and confirm their business practices are consistent with such policies.

Jalyce Mangum contributed to this post. Ms. Mangum is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

White House Objects to Commercial Use of President’s Photo

Posted in Right of Publicity

During a White House ceremony honoring the Boston Red Sox for the team’s recent World Series victory, David Ortiz took a picture of himself with President Obama. He later posted the picture on his Twitter feed. Samsung, who has an endorsement deal with Ortiz, re-tweeted the picture to its 5.26 million followers, and later noted that the picture was taken with a Samsung phone. Although the president may have been smiling broadly in the photo, his legal team certainly wasn’t smiling after Samsung’s tweet.

White House press secretary Jay Carney told reporters that the president’s legal team objects to the company’sOrtiz Selfie commercial use of the photograph. “As a rule, the White House objects to attempts to use the president’s likeness for commercial purposes. And we certainly object in this case.” (As we’ve posted before, this isn’t the first time the White House has objected to the use of the President’s image by a company.) Carney declined to say whether White House lawyers have officially asked the company to stop using the photo.

It may seem like re-tweeting a picture that features a celebrity, such as the President, is a fairly innocent activity. And it may be, if you’re tweeting as a consumer. But when a company does the same thing, the action could constitute a violation of the celebrity’s right of publicity. The risk can be even higher with elected politicians – especially with the President of the United States – because the false affiliation and endorsement claims are arguably stronger than for entertainers who are not in the business of endorsing causes and issues, as politicians do on a regular basis. As we noted last month, companies need to be careful about showing or mentioning celebrities in ads. This incident demonstrates that even using an image in your tweet could lead to complaints.


Mobile Enforcement Continues to be APPealing to the FTC

Posted in Federal Trade Commission, Mobile Marketing, Privacy and Information Security

On March 28, 2014, the FTC announced two new mobile app settlements – with Fandango and Credit Karma – based on allegations that the companies failed to secure the transmission of consumers’ sensitive personal information collected via their mobile apps and misrepresented the security precautions that the companies took for each app.

Specifically, the FTC alleged that Fandango and Credit Karma disabled the SSL (Secure Sockets Layer) certification validation procedure for each of their mobile apps.  By doing so, the FTC claims that the apps were open to attackers positioning themselves between the app and the online service by presenting an invalid SSL certificate to the app – i.e., “man-in-the-middle” attacks.  The FTC contends that Fandango and Credit Karma engaged in a number of practices that, when taken together, failed to provide reasonable and appropriate security in the development and maintenance of its mobile app, including:

  • Overriding the default SSL certificate validation settings provided by the iOS and Android application programming interfaces (APIs) without implementing other security measures to compensate for the lack of SSL certificate validation;
  • Failing to appropriately test, audit, assess, or review the apps, including failing to ensure that the transmission of sensitive personal information was secure;
  • Failing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties (Fandango only); and
  • Failing to reasonably and appropriately oversee its service providers’ security practice (Credit Karma only).

The FTC also asserts that the apps made deceptive privacy and security representations, including that the deception occurred in the companies’ in-app representations.

As mobile privacy and security continues to be at the forefront of the FTC’s enforcement priorities, companies should keep abreast of developments in this area and regularly evaluate their mobile products and services.  Stay tuned for a Kelley Drye client advisory discussing the enforcement trends for mobile and “red flags” that companies should watch out for.

CPSC Executive Director Elliot F. Kaye Nominated as Chair

Posted in Advertising, Consumer Product Safety

On Thursday, the White House announced the nomination of CPSC Executive Director Elliot F. Kaye to chair the agency. If confirmed by the Senate, Mr. Kaye would fill former Chairwoman Inez Tenenbaum’s position, which has been vacant since she left at the expiration of her term in October 2013. Mr. Kaye’s term would end in October 2020.

Mr. Kaye would join Democrat Commissioners Bob Adler (currently serving as Acting Chairman) and Marietta Robinson, and Republican Commissioner Ann Marie Buerkle. It is likely that his nomination would get approved concurrently with Joe Mohorovic’s, and complete the five-Commissioner agency. Mr. Mohorovic was nominated in November 2013, but has not yet received a confirmation hearing; however, the Senate typically considers nominees in pairs. Interestingly, both Mr. Mohorovic and Acting Chairman Adler are also former CPSC staffers, making three of the President’s last four nominees CPSC insiders. Commission veteran Gib Mullan also returned last month to serve as Commissioner Buerkle’s Chief Counsel; he had served as the CPSC’s General Counsel and Director of Compliance previously.

Mr. Kaye joined the Commission in 2010 as senior counsel to former Chairwoman Tenenbaum, rising up the ranks to become Deputy Chief of Staff and then Chief of Staff in April 2012 and May 2013, respectively. Since the former Chairwoman’s departure last October, he has served as the CPSC’s Executive Director. Prior to joining the CPSC, Mr. Kaye was in private practice, and also spent time working in the public sector in New York City, as well as on Capitol Hill. During his time at the CPSC, Mr. Kaye has worked with industry on brain safety issues in youth sports, helping found the Youth Football Brain Safety Initiative in 2012, as well as focused on injuries from coin cell battery ingestion and carbon monoxide poisoning.

When Developing an Ad, Don’t Flush Safety Considerations down the Toilet

Posted in Advertising, Consumer Product Safety

At our recent seminar, Views from Congress, Enforcers and Advocates: Special Advertising and Marketing Considerations Designed to Protect Children, we discussed the importance of safety considerations when developing an ad. These considerations can take many forms and are not limited to advertising for children’s products – the claims may be about the safety benefits of the product or may depict the product in a safe or unsafe way. Some of these issues may never cross the minds of the marketers.

For example, Any Hour Services, an electric, heating, and plumbing service based in Utah, recently sent a mailer depicting a child playing with a rubber ducky next to an open toilet. AnyhourservicesThe ad featured special pricing for services like drain clearance and air conditioning inspection, not products or services intended for children. Nonetheless, the ad caught the attention of several local television stations and the parents of a 14-month-old boy who had died from massive brain damage after his head became submerged in a toilet bowl. The company reacted quickly, replacing the mailer with a revised one featuring a child next to a closed toilet. The company also announced a campaign to install a free child-proof latch with any plumbing purchase over $50.

This ad serves as a reminder that, even when a marketer is not making a performance statement about its product and even when the product is not intended for children, safety concerns can get triggered, often creating public relations and even legal problems.

Hulu Hit with Class Action Over Automatic Renewals

Posted in Advertising, Advertising Litigation, Class Action Litigation

In 2010, California enacted a law governing automatic renewals. As we previously posted, the law generally requires that companies: (1) clearly disclose the material offer terms before a consumers subscribes; (2) obtain affirmative consent to the terms before the consumer is charged; (3) provide a confirmation to the consumer that includes the terms, a description of the cancellation policy, information on how to cancel, and, if the offer includes a free trial, that the consumer may cancel before being charged; and (4) provide an easy-to-use method for canceling.

This month, Hulu was hit with a proposed class action for allegedly violating that law. The suit alleges that Hulu’s website doesn’t clearly disclose the material offer terms. Moreover, although free trial registration flow on a mobile phone includes a mechanism to obtain affirmative consent, the registration flow on desktop computers allegedly fails to include that mechanism. The plaintiffs also allege that the confirmation e-mails Hulu sends don’t sufficiently disclose that the service will automatically renew, the company’s cancellation policy, or how to cancel.

As we’ve mentioned in previous posts, companies that offer automatic renewals and free trials have come under increased scrutiny by states, the FTC, and class action attorneys. Most complaints arise when consumers don’t realize that the plans are going to automatically renew or consumers are impeded from canceling. Accordingly, it is important to ensure that consumers understand the offer terms and have an opportunity to cancel.