Ad Law Access

Ad Law Access

Updates on consumer protection trends, issues, & developments

FTC as Data Security Cop Affirmed

Posted in Data Security, Federal Trade Commission

The U.S. Court of Appeals for the Third Circuit this week affirmed the authority of the Federal Trade Commission (“FTC” or “Commission”) to enforce against companies that lack reasonable cybersecurity practices.  Prior to this ruling, no federal court had adjudicated whether the FTC had authority under 15 U.S.C. § 45(a) (“Section 45(a)”) of the Federal Trade Commission Act to bring actions against companies for allegedly deficient cybersecurity practices.  This posting discusses key elements of the decision and its implications going forward.

Summary of Wyndham Case

In June 2012, the FTC filed suit against global hospitality company Wyndham Worldwide Corporation and three of its subsidiaries (collectively, “Wyndham”).  The Commission alleged that Wyndham’s failure to implement reasonable data security safeguards at its franchisee locations allowed computer hackers to breach – on three separate occasions – franchisee computer systems and the company’s centralized property management center.  This resulted in the breach of financial account information for more than 600,000 hotel customers and a purported $10.6 million in fraud loss.  The FTC alleged the following deficiencies, among others, in the company’s cybersecurity practices: (i) storage of payment card information in clear readable text; (ii) failure to require strong passwords to access property management systems; (iii) failure to use “readily available security measures” – such as firewalls – to limit access between the property management systems, the corporate network, and the Internet; (iv) failure to employ reasonable measures to detect and prevent unauthorized access or to conduct security investigations; (v) failure to follow proper incident response procedures; and (iv) failure to adequately restrict the access of third-party vendors to its network and company servers.  Given the breadth of alleged deficiencies, the FTC claimed the company’s privacy policy deceptively misrepresented the extent to which Wyndham safeguarded consumer data.

Rather than challenge the complaint on the merits, Wyndham filed in New Jersey federal district court a motion to dismiss the FTC’s complaint.  The company argued dismissal was warranted on a number of grounds, including the following two which were considered by the Third Circuit on interlocutory appeal (click here for more complete discussion on the lower court’s ruling): whether the FTC had authority to regulate cybersecurity under the “unfairness” prong of the FTC Act; and if so, whether Wyndham had “fair notice” that its specific cybersecurity practices could fall short of that provision.  The district court denied the motion, and interlocutory appeal followed.

Third Circuit’s Ruling

A.  Unfairness

In challenging the FTC’s authority to bring an unfairness action against allegedly deficient cybersecurity practices, Wyndham advanced a novel theory: the familiar three elements of an unfairness claim that are codified at 15 U.S.C. § 45(n) – (i) substantial injury, (ii) that is not reasonably avoidable by consumers, and (iii) that is not outweighed by the benefits to consumers or to competition – were “necessary but insufficient conditions” of an unfair practice.  That is, Wyndham argued the plain meaning of the word “unfair” imposed independent requirements that the FTC had not satisfied.  For example, the company argued that conduct could only be unfair when it injured consumers “through unscrupulous or unethical behavior” or was otherwise “marked by injustice, partiality, or deception.”  Such requirements may have at one point played a role in the historical evolution of the unfairness doctrine, but the Third Circuit denounced their applicability within current FTC jurisprudence.

In rejecting Wyndham’s arguments, the court opined that the FTC Act contemplated a theory of liability based on tortious negligence.  The FTC Act expressly contemplated the possibility that conduct could be unfair before actual injury occurs.[1]  Further, “that a company’s conduct was not the most proximate cause of an injury generally does not immunize liability from foreseeable harm.”[2] Thus, companies may be liable under an unfairness theory for a reasonably foreseeable data breach – without evidence of actual injury.

In the alternative, Wyndham argued that Congress intended to exclude cybersecurity from the FTC’s unfairness authority by enacting more “tailored grants” of substantive authority through more targeted federal privacy legislation (i.e., COPPA and Gramm-Leach-Bliley).  Again, this novel theory was summarily rejected.  The Third Circuit held the various federal privacy laws were enacted to expand the FTC’s authority over corporate cybersecurity, not merely to establish the FTC’s authority in the first instance.

B.  Fair Notice

Wyndham argued that, notwithstanding whether its conduct was unfair under Section 45(a), the Commission failed to give fair notice of the specific cybersecurity standards that the company was required to follow.  Wyndham claimed that a court could not defer to an agency’s interpretation of its own regulations unless private parties had “ascertainable certainty” as to those interpretations.  Because the company was not made aware with “ascertainable certainty” of the specific cybersecurity standards on which it would be held accountable, Wyndham asserted that the FTC’s interpretation of what constituted minimum security standards was not entitled to deference.

The court rejected this argument, noting that the FTC was not relying on an agency interpretation, rule, or adjudication of minimum cybersecurity standards under Section 45(a).  Rather, no such precedence exists because the FTC had not yet declared that cybersecurity practices could be unfair (i.e., its numerous cybersecurity related administrative settlements could not be considered precedential).  Thus, the appellate court held the company was not entitled to “ascertainable certainty” of the FTC’s interpretation of the specific cybersecurity practices required by Section 45(a).  As a result, the relevant question was not if Wyndham had fair notice of the FTC’s interpretation of the statute, but whether it had fair notice of what the statute itself required.

The Third Circuit concluded that Wyndham did not lack fair notice that cybersecurity practices could, as a general matter, form the basis of an unfair practice under Section 45(a).  Further, the company had adequate notice as to the importance of conducting a cost-benefit analysis to determine the sufficiency of its cybersecurity measures, including relevant factors, such as:

The probability and expected size of reasonably unavoidable harms to consumers
given a certain level of cybersecurity and the costs to consumers that would arise
from investment in stronger cybersecurity.

The Court concluded that Wyndham’s argument failed for not arguing (and demonstrating) that its cybersecurity practice would have survived a reasonable interpretation of the cost-benefit analysis required by Section 45(n).

Implications Going Forward

The Third Circuit’s Wyndham decision is significant for several reasons.  The decision provides some support that companies may be liable under an FTC unfairness theory for deficient cybersecurity measures on the basis of likely — rather than actual – injury to consumers. Further, the decision underscores that companies have “fair notice” that a cybersecurity program may fall within the FTC’s jurisdictional scope of Section 45(a), and whether such program is reasonable will turn on the extent to which the program survives a cost-benefit analysis.  Thus, a company’s data security practices may be reasonable (even if not perfect, and even within the context of a breach), if the company can demonstrate that the potential costs of more robust data security measures would offset any benefit to consumers in the aggregate and to competition.

It also is noteworthy that one of the main themes of Wyndham’s allegations in this case is that the FTC has not provided sufficient guidance to businesses on the particular data security measures that businesses should have in place to avoid FTC scrutiny.  Perhaps, in part, in response to this allegation, over the past several years, the FTC has made a more pronounced public stamp on such matters, through updated data security publications, practical guidance on data security through blogs, and data security conferences around the country.  While cyber threats will continue to evolve, and thus require continually-updated security programs to match such threats, having more FTC guidance on point is a positive trend, regardless of the outcome of the Third Circuit’s decision.

[1]              Citing Int’l Harvester, 104 F.T.C. 949, 1061 (1984) (holding unfairness claims could be brought on the basis of likely rather than actual injury).

[2]              Citing Restatement (Second) of Torts § 449 (1965).

Jordan $8.9M – Dominick’s 0: Star Wins Over Unauthorized Use of Name

Posted in Right of Publicity

For years, Michael Jordan dominated opponents on the basketball court. Now, he seems to be doing the same in legal courts. Last week, a jury ordered Chicago grocery chain Dominick’s (now owned by Safeway) to pay the former NBA star $8.9 million for the unapproved use of his name in an ad.

The case stems from the ad below, which ran in Sports Illustrated in 2009. When Jordan was inducted into the Basketball Hall of Fame, Dominick’s ran the ad congratulating Jordan on his accomplishment, calling him a “cut above.” In an apparent attempt at wit, the ad ran above a picture of a cut of steak, and a $2 coupon. Jordan didn’t get the joke. Instead, he sued the chain, arguing that the ad violated his right of publicity. (For a primer on right of publicity issues, click here.)Jordan Ad

A federal judge had previously determined that the ad violated Jordan’s rights under the Illinois Right of Publicity Act. At this stage of the trial, the jury was asked to determine how much money the grocery chain owed Jordan for the violation. During the trial, Dominick’s lawyers argued that Jordan should be paid $126,900. Jordan’s attorneys, however, argued that the star does not take less than $10 million for sponsorships, pointing to deals he has with companies like Nike and Gatorade. The jury sided with Jordan’s team, and came back with the $8.9 million number.

This case should serve as a reminder about the dangers of using a celebrity image without permission. We’ve blogged about this issue before. In fact, last year, we wrote about a similar right of publicity lawsuit that Jordan filed against Jewel Food Stores over another ad in that same issue of Sports Illustrated. That case goes to trial for damages in December. The Jewel legal team is likely revisiting its playbook after Jordan’s latest victory.

FTC Urges FDA to Reconsider Homeopathic Regulatory Framework

Posted in FDA, Federal Trade Commission, Food and Drug

In a comment filed last Friday, the Federal Trade Commission (FTC) responded to its sister-agency’s request for comments by urging the Food and Drug Administration (FDA) to reconsider how homeopathic drugs are regulated.  As we discussed here, both agencies recently signaled interest in the homeopathic area with the FDA hosting a two-day public hearing last April and the FTC announcing a workshop on September 21.

FTC workshops tend to be listening sessions in which FTC staff attorneys moderate panels of industry stakeholders to learn more about a particular topic in advance of announcing a specific position.  In this instance, however, the FTC’s comments to FDA make known their starting position and potentially offer valuable insights.  FTC’s main points were as follows:

  • Conflicting Regulatory Frameworks:  The FTC staff is concerned that FDA’s existing homeopathic regulatory framework may conflict with the FTC’s advertising substantiation policy, which requires competent and reliable scientific evidence for health benefit claims.  The FTC points out that FDA’s Compliance Policy Guide 400.400 (CPG), which allows for homeopathic marketing under certain conditions, requires manufacturers to list indications for use but that FDA has not reviewed homeopathic products for safety or efficacy.  As a result, the FTC is concerned that some products or claims may not meet the “competent and reliable evidence” standard.
  • Industry and Consumer Confusion:  The FTC provides some evidence of industry and consumer confusion with regard to how homeopathic products are regulated.  Regarding industry confusion, the FTC points to a National Advertising Division (NAD) matter in which one company argued – incorrectly in the FTC’s view – that the NAD’s requirement that the company have competent and reliable scientific evidence to support its ear pain relief claims was not required by either FDA or the FTC.  Regarding consumer confusion, the FTC relies on a 16-person focus group of adults and parents performed in late 2010 as well as a larger online consumer copy test from 2012.  Based on these exercises, the staff asserts that consumers do not understand the evidentiary or approval requirements for conventional versus homeopathic products and do not understand homeopathic principles.
  • Additional Points of Confusion:  The FTC also expresses concern that homeopathic products are shelved side-by-side with conventional medicines, which may lead consumers to believe that the products are subject to the same approval standards.  In addition, the FTC noted that labeling terminology used to express concentration and dilution levels, e.g., 2X, is difficult for even sophisticated consumers to understand.

To address this confusion, the FTC calls on FDA to either withdraw the CPG, to eliminate the requirement that homeopathic products be labeled with a specific indication for use (which would violate FTC law if not properly substantiated), or require that any indication appearing on labeling be supported by competent and reliable scientific evidence.

The FTC’s comment and supporting evidence are available here.  Industry stakeholders will want to carefully consider it as they prepare for the September 21 workshop.

Scandal Serves as a Reminder of the Importance of Morals Clauses

Posted in Advertising

This week, long-time Subway spokesperson Jared Fogle reached a plea agreement on charges of child pornography and having sex with minors.​ ​Although the sandwich shop noted that it no longer has a relationship with Fogle, that relationship will remain etched in the minds of consumers for years to come. Many marketers are saying silent prayers for the victims, while hoping that their celebrity spokespeople stay on the right side of the law. And that brings to mind the topic of morals clauses.

Morals clauses generally give companies the right to terminate an endorsement agreement or obtain a reduction in fees, if the endorser commits an act that falls with the scope of the clause. Given what’s at stake, the scope of that clause is often one of the most-negotiated provisions in these agreements. Endorsers naturally want the clauses to be as narrow and specific as possible. (For example, a clause might only kick in if an endorser is convicted of, or pleads guilty to, a felony.) Companies, on the other hand, want more flexibility. (For example, they may push for a clause that allows termination if the endorser’s actions would subject the company to ridicule, contempt, controversy, embarrassment, or scandal.) There isn’t a one-size-fits-all approach, but recent events demonstrate that companies should give serious thought to this provision whenever they negotiate with an endorser.

Although termination rights in morals clauses can help curtail future losses, they won’t help the companies recoup the money they’ve already invested in the relationship. To help companies deal with those losses, at least one insurance company has offered a product  “designed to help customers respond to risks from a celebrity endorser’s public fall from grace, scandal, or unexpected death.” Our friends at Drye Wit wrote about this in January, but the post is worth revising now.

FTC Resolves Case Against “Melanoma Detective” App Marketer

Posted in Federal Trade Commission, Food and Drug, Telehealth

The FTC announced late last week that it resolved its case against the final defendant, Avrom Lasarow, in the “Melanoma Detective” app matters.  The FTC alleged that claims that the apps could detect and diagnose melanoma in its early stages were not supported by competent and reliable scientific evidence.  As we discussed here, the FTC settled charges against other defendants named in the complaint in February 2015.

Under the proposed settlement order, Lasarow is prohibited from making any misleading or unsubstantiated claims about the health benefits or efficacy of any product or service, including that a device detects or diagnoses melanoma. It also includes data and recordkeeping provisions to help ensure his compliance with the order. Finally, the proposed order imposes a $58,623.42 judgment, which is suspended based on Lasarow’s inability to pay. If he is later found to have misrepresented his finances, the full amount will immediately become due.

Health claims are a consistent source of enforcement for the FTC and the agency has stated that mobile health apps are likely to be focus of scrutiny going forward.  This is particularly true for products that may play a key role in a consumer’s decision whether or not to seek professional medical care, such as determining whether or not that spot on your arm is merely a freckle or something more.  Given this, app marketers need to be sure that their claims – even if not expressly marketed for medical diagnosis or treatment – are supported by competent and reliable scientific evidence.

FTC Closing Letter Provides Good Data Security Reminder

Posted in Data Security, Federal Trade Commission, Privacy, Privacy and Information Security

Last week, the FTC sent a closing letter to Morgan Stanley Smith Barney LLC (“Morgan  Stanley”) relating to the agency’s investigation over whether Morgan Stanley engaged in unfair or deceptive acts or practices by failing to secure certain account information related to its Wealth Management clients.

The investigation examined allegations that a Morgan Stanley employee misappropriated client information by transferring data from the Morgan Stanley computer network to a personal website accessed at work, and then onto other personal devices.  The exported data subsequently appeared on multiple Internet websites, causing the potential for misuse of the data.

The agency, however, decided to informally close the case without taking further action because Morgan Stanley had established and implemented comprehensive policies and access controls designed to protect against insider theft of personal information.  Despite having such policies and controls in place, the FTC found that certain controls applicable to a narrow set of client reports were improperly configured.  This allowed the employee to access and misappropriate the data.

The FTC’s initiation of this investigation (and subsequent decision to close the case) provides a few key takeaways for companies that would prefer not to face the FTC:

  • Employ reasonable and appropriate safeguards to protect against unauthorized misuse of all sensitive consumer information;
  • Establish and implement comprehensive policies designed to protect against employee theft of personal information;
  • Have controls in place to ensure that company employees and/or contractors have access to sensitive personal information only on a “need to know” basis;
  • Monitor the size and frequency of data transfers by employees;
  • Prohibit employee use of USB or other devices to exfiltrate data;
  • Block employee access to certain high-risk Web applications and websites; and
  • Train employees regularly in meaningful data security practices.

Implementing and maintaining data security is a never-ending challenge, prompting organizations to have programs in place to match the ever evolving tactics by cybercriminals and rogue employees.  The FTC closing letter provides a valuable lesson: While companies should implement and maintain policies, procedures, and controls to protect against outside threats, they should also consider and protect against data security threats arising much closer to home.

Contributory False Advertising Liability Is Officially a Thing in the Eleventh Circuit

Posted in Advertising, Advertising Litigation

On August 7, the Eleventh Circuit Court of Appeals, ruling on a question that the Court determined to be one of first impression, has ruled that a cause of action for contributory false advertising can be maintained under Section 43(a) of the Lanham Act.

In Duty Free Americas, Inc. v. Estée Lauder Companies, Inc., No. 14–11853 (11th Cir. Aug. 7, 2015) (opinion available here), Duty Free Americas (DFA), an operator of airport duty-free shops that had ceased doing carrying Estée Lauder products, contended that Estée Lauder supported false and disparaging representations by DFA’s competitors about the consequences of DFA’s non-carriage of Estée Lauder for DFA’s likely performance as a shop operator in competitive bidding to airports.  Among Estée Lauder’s defenses was that no “derivative” cause of action for false advertising exists.  The Court rejected this argument, although it affirmed dismissal of the count for insufficiently pled supporting allegations.

Key to the Court’s reasoning was that contributory liability is well established under the Lanham Act as applied to trademark infringement, where manufacturers and distributors are routinely held liable for intentionally inducing infringement by others, including by continuing to supply product to customers that they know or should know to be infringers.  This doctrine has no precise boundary and has been defined as covering anyone who “knowingly participates in furthering” infringement.  Bauer Lamp Co. v. Shaffer, 941 F.2d 1165, 1171 (11th Cir. 1991).  The causes of action for trademark infringement and for false advertising are physically close neighbors in the Lanham Act, located in Sections 43(a)(1)(A) and 43(a)(1)(B) respectively, and the Court saw this statutory structure as supporting the suggestion that they were intended to have similar scope.  The Court also cited cases suggesting that the two Lanham Act theories were “motivated by a unitary purpose” to protect businesses against two strains of “unfair competition.”  Contributory liability also struck the Court as consistent with the Supreme Court’s rationale in recognizing the doctrine in trademark cases in Inwood Labs., Inc. v. Ives Labs., Inc., 456 U.S. 844 (1982).  The Eleventh Circuit concluded, “It would be odd indeed for us to narrow the scope of the false advertising provision — a cause of action plainly intended to encompass a broader spectrum of protection — and hold that it could be enforced only against a smaller class of defendants.”

Having established the existence of the cause of action, the Court went on to consider the sufficiency of DFA’s allegations in support of its theory, providing useful guidance into how contributory false advertising would be analyzed.  It ruled that a plaintiff alleging contributory Section 43(a) false advertising liability must show

(1) “a third party … directly engaged in false advertising that injured the plaintiff” and
(2) “the defendant contributed to that conduct either by knowingly inducing or causing the conduct, or by materially participating in it.”

In the first prong, all elements that would have enabled the plaintiff to sue the actual advertiser must be established.  In the second, the defendant must be shown to have intended to participate in or actually know of the false advertising (including that it was false), and “actively and materially furthered the unlawful conduct — either by inducing it, causing it, or in some other way working to bring it about.”  Analogizing from contributory trademark liability theories that have been successful in the past, the Court suggested that such activities might include directly controlling or “monitoring” the third party’s false advertising or providing a product or service necessary to support the false advertising.

These standards may seem disconcertingly vague and broad, but it was here that DFA’s case actually failed.  It alleged that Estée Lauder made it possible for DFA’s competitors to misrepresent their advantage in carrying Estée Lauder products simply by continuing to supply them with Estée Lauder products, while refusing to re-enter a business relationship with DFA.  The Court found this activity too attenuated to amount to providing a product or service necessary to support the false advertising.  There was no allegation that Estée Lauder monitored or controlled the advertising of its customers to airports.

The Duty Free Americas decision may not expand the scope of false advertising liability beyond what existed previously, for the Court noted that “district courts routinely assume that contributory liability claims are available,” citing past opinions in several districts and that one Second Circuit decision, Societé des Hotels Meridien v. LaSalle Operation P’ship, L.P., 380 F.3d 126 (2d Cir. 2004), “recognized the possibility.”  This decision, however, as the first federal appellate decision to have “explicitly considered and resolved the question,” solidifies and clarifies the doctrine and should serve as a wake-up call to occupants of various links in the marketing chain that have some level of involvement with the development and dissemination of advertising claims.  This is especially true in the era of online advertising and social media campaigns, where many hands can touch an advertisement before it reaches consumers.

DirecTV’s Rob Lowe Ads Found to be Misleading

Posted in Advertising, NAD

Last week, we posted about the FDA’s objections to Kim Kardashian’s promotion of a morning sickness drug on social media. In our effort to keep you up-to-date on celebrity advertising law issues, this week we turn our attention back to Rob Lowe’s DirecTV ads. As we noted in April, the NAD had determined that some of the ads included unsupported superiority claims. DirecTV later appealed the decision to the National Advertising Review Board. Last week, the NARB largely agreed with the original decision.

The ads start with Rob Lowe stating that he has DirecTV. Then, a creepy or dysfunctional version of the actor appears and announces that he has cable. The ads close with Rob Lowe pointing to his alter-ego, saying: “Don’t be like this me. Get rid of cable and upgrade to Rob LoweDirecTV.” In its decision, the NAD found that the ads implied DirecTV was superior to cable with respect to signal reliability, picture and sound quality, sports programming, and service wait times. DirecTV didn’t submit any substantiation for these claims, and NAD recommended that the company stop making them.

One of the key questions was whether the ads made any claims that required proof, in the first place. DirecTV argued that because the ads were so outlandish, consumers wouldn’t take the comparisons seriously. The NARB agreed that the commercials were funny. “However, depending on context, even humorous advertisements can convey messages that require substantiation.” The NARB noted that its decision was based on its “determination of the net impression reasonably created” by the ads. Although the ads were couched in humor and consumers might not take everything seriously, the ads still conveyed that DirecTV was superior in certain regards.

As we noted before, humor and hyperbole can be effective advertising techniques. In some cases, they can even get a message across without requiring an advertiser to have proof for that message. But the NAD has often held that denigrating claims “must be truthful, accurate, and narrowly drawn so that they do not falsely disparage a competitor’s product.” If a funny ad makes specific comparisons to a competitor, the advertiser may be responsible for substantiating those comparisons.

Those saddened by the end of the Rob Lowe campaign may want to look for new spots featuring NFL stars Eli Manning and Tony Romo.

Consumer Product Safety Commission Approves Test Program: Electronic Filing of Certificates of Compliance

Posted in Consumer Product Safety

This week the Consumer Product Safety Commission voted to approve a test program to assess the electronic filing of certificates of compliance at entry in coordination with U.S. Customs and Border Protection.  With the idea of better coordination among partner government agencies to facilitate electronic data collection and sharing of import data, the CPSC endorsed the test program to begin sometime after July, 2016 and run for approximately six months.

Currently Section 14(a) of the Consumer Product Safety Act, as amended by section 102(b) of the Consumer Product Safety Improvement Act of 2008 requires manufacturers (including importers) and private labelers of regulated consumer products manufactured outside of the U.S. to test and certify such products are compliant with all regulations prior to importation.  The CPSC also voted to extend the test program to certain products that do not currently require certificates, but are considered substantial product hazards.  The products added are hand-supported hair dryers, extension cords, and seasonal and decorative lighting products.

The test program will assess two options for the electronic filing of the certificates at entry.  An importer will have the option of either fling the data elements at time of entry or filing a reference to data stored in a registry maintained by CPSC.  Use of the Data Registry is voluntary. Once in effect, CPSC will have targeting and enforcement data available for validation, risk assessment and admissibility determinations at entry.  The goal is to review the data for earlier risk based admissibility decisions.

Notable and a change from the proposed rule on the test program is that the CPSC voted to require five data elements rather than the proposed ten.  Those data elements are the following:

  • Identification of the finished product
  • Each consumer product safety rule to which the finished product has been certified
  • Place where the finished product was manufactured including the name and address of the manufacturer
  • Parties on whose testing the certificate depends
  • A check box indicating that a required certificate currently exists for the finished product.

Should you have any questions, please do not hesitate to contact us.

FDA Recalls Kim Kardashian’s Post

Posted in Advertising, Food and Drug, Social Media
KK-150x148

Last month, Kim Kardashian praised Diclegis, a drug for morning sickness, on her social media accounts. Since Kim doesn’t follow us on social media, we don’t always keep tabs on her. But when her posts raise regulatory issues, we like to stay on top of those. In this case, the posts promoting Diclegis caught the attention of the FDA, who warned the drug manufacturer that the posts may have been misleading.

“OMG.” Kim posted, “have you heard about this? As you guys
know my #morningsickness has been pretty bad.” She then went on to explain the Diclegis cured her morning sickness and, “most importantly, it’s been studied and there was no increased risk to the baby. I’m so excited and happy with my results that I’m partnering with Duchesnay USA to raise awareness about treating morning sickness. If you have morning sickness, be safe and sure to ask your doctor about the pill . . . .”

The FDA, which regulates prescription drug advertising, and the FTC, which regulates advertising for non-prescription and non-FDA regulated products, have issued separate guidance documents regarding advertising in social media, available here and here. The agencies’ positions are markedly consistent, however:  The rules for advertising in social media are the same as those that apply to traditional media.  Whether it is the “fair balance” between the benefits and risk information required for prescription drugs, or disclosures material to a consumer’s understanding of the advertisement, space and format constraints do not excuse advertisers from providing necessary information and doing so in a clear and conspicuous manner.

As we’ve posted before, the FTC requires endorsers to disclose any connections they have to the companies whose products they endorse. Kim got that right, but the FDA alleged that the post failed to comply with prescription drug advertising requirements. In its letter to the manufacturer, the FDA stated that posts can be misleading if they fail to disclose certain materials facts, including those related to “consequences that may result from the use of the drug as recommended.” In this case, the FDA found the posts to be misleading because they included efficacy claims without any risk information. Moreover, FDA stated that the posts failed to provide material information regarding the drug’s full approved indication, including important limitations of use.  FDA requested that the manufacturer remove the post at issue and Duchesnay has already announced that they will create “corrective messaging” to remedy any misimpressions.

This case should serve as a reminder that companies can get in trouble when celebrity endorsers do things on social media that fall short of legal requirements (even when it’s hard to comply with those requirements). It’s important to have good contracts with endorsers, provide them with guidance about the legal requirements, and monitor to ensure they comply. To the extent a company helps endorsers write posts, the company should also remember that those posts will be subject to the same laws as ads in other media.