Judge Upholds FTC Staff Opinion that Avatar Calls are Prerecorded Messages under TSR

Yesterday, a D.C. district court upheld a recent opinion letter issued by FTC staff that extended robocalling restrictions to telemarketing calls that use so-called soundboard technology or “avatars.”  This technology generally allows a live agent to communicate with a call recipient by playing recorded audio snippets instead of using his or her own live voice.

In September 2009, the FTC staff had taken the position that avatar calls were not considered prerecorded messages under the Telemarketing Sales Rule (TSR).  See FTC Staff Opinion Letter to Call Assistant LLC (Sept. 11, 2009).  In November 2016, however, the FTC decided to revoke its previous letter, explaining that it is now the FTC staff’s opinion that outbound telemarketing calls that utilize avatars are subject to the TSR’s prerecorded call provisions. See FTC Staff Opinion Letter to Call Assistant LLC (Nov. 10, 2016).

The 2016 opinion letter explained that the staff’s change in position is due to the increasing volume of consumer complaints, the increase in how this technology has allegedly been abused by using it to conduct multiple calls at the same time without giving appropriate responses to consumers, and that the soundboard technology does “deliver a prerecorded message” under the statutory language used in the TSR.  The staff said that, even with a 1-to-1 limitation in place (i.e., using the technology to place one call at a time), this would not change the staff’s analysis.

A trade group representing companies that manufacture and use soundboard technology had challenged the FTC staff’s opinion letter, stating that the FTC: (1) circumvented the Administrative Procedures Act’s (APA) notice-and-comment requirements, and (2) violated the First Amendment by exempting pre-recorded solicitation calls between a non-profit charitable organization and its existing donors, but failing to exempt such calls to potential first-time contributors.  The court rejected both claims in Soundboard Ass’n v. FTC, No. 1:17-cv-00150 (D.D.C. Apr. 24, 2017).

First, the court found that, although the November 2016 letter is a final, reviewable agency action, it was at most an interpretive rule that the FTC was not required to issue through notice and comment under the APA.  Second, the court concluded that the letter did no more than subject soundboard calls to valid time, place, and manner restrictions. The court explained that the exemption provided to pre-recorded calls on behalf of charitable organizations to existing donors, but not to charitable organizations’ calls to potential, first-time donors, is a content-neutral regulation of speech that easily satisfies the requisite intermediate scrutiny.

Bottom Line: Companies that use soundboard technology will need prior written consent and will need to comply with the prerecorded message requirements under the TSR effective May 12, 2017, per the FTC’s grace period for compliance (as well as the TSR’s abandoned call provisions, as applicable).

“Geofencing” and Health-Related Targeted Advertising: Massachusetts AG Has Something to Say

Earlier this month, the Massachusetts Attorney General announced that her office had reached a settlement with a digital advertising company, Copley Advertising, Inc. (Copley), prohibiting the company from using mobile geofencing technology to target women at or near Massachusetts healthcare facilities to infer the health status, medical condition, or medical treatment of an individual.

Geofencing technology, as the name implies, takes account of a mobile user’s geolocation and enables advertising companies to tag smartphones within a geographic virtual fence and push targeted messages to consumers. Mobile advertisers can place targeted ads within the apps and browsers of these tagged consumer smartphones when users are in the virtual fence and, in some cases, for up to a month after the user has left the virtual fence.

In the advertising campaign at issue, Copley set mobile geofences at or near healthcare facilities to “abortion-minded women” who were sitting in waiting rooms at health clinics in a number of cities around the country.  The potentially unwanted ads included prompts such as “Pregnancy Help,” “You Have Choices,” and “You’re Not Alone,” that, when clicked, took the consumer to a webpage with abortion alternatives. According to Copley’s representations, the advertising company had not yet engaged in geofencing campaigns near Massachusetts clinics.

The Assurance of Discontinuance resolves the Massachusetts Attorney General Office’s allegations that Copley’s advertising practices would violate consumer protection laws  by:

  • Tracking consumers’ geolocation near or within medical facilities,
  • Disclosing that information to third-party advertisers, and
  • Targeting consumers with potentially unwanted advertising based on inferences about a private and sensitive health condition without the consumer’s consent.

The settlement is a good reminder for both advertisers and ad tech to consider the privacy implications of targeted advertising, whether in geofencing or other digital marketing strategies, and how privacy and broader consumer protection laws may apply.

FTC Staff Reminds Brands and Influencers About Disclosure Requirements

In November, we posted that four consumer groups had sent letters to FTC, encouraging the agency to investigate and bring enforcement actions regarding the use of influencers on secretsInstagram. In what may be a response to that encouragement, the FTC just announced that it had sent more than 90 letters to companies and influencers, reminding the recipients of their legal obligations.

The letters state that consumers need to know if there is a material connection between a company and an influencer who promotes the company’s products or services. Unless the connection is otherwise evident from the context, the influencer is required “clearly and conspicuously” disclose the connection.

There are at least four noteworthy aspects to these letters:

  • Thus far, the FTC’s enforcement efforts have been focused primarily on companies. Some of these letters, though, were sent to celebrities, athletes, and other influencers. This could signal broader enforcement in the future.
  • The letters address some issues that are unique to Instagram. Consumers who view Instagram posts on mobile devices typically see only the first three lines of a longer post, unless they click “more.” When making endorsements on Instagram, influencers should generally disclose any material connection above the “more” button, so that the disclosure is less likely to be missed.
  • The letters also noted that when posts include multiple tags, hashtags, or links, readers may just skip over them, especially when they appear at the end of a long post. It’s important to ensure that important disclosures don’t get lost in the mix. This might require leading with the important disclosures or making sure that they otherwise stand out.
  • Some of the letters addressed particular disclosures that the staff believes are not sufficiently clear. For example, some letters pointed out that consumers may not understand a disclosure like “#sp,” “Thanks [Brand],” or “#partner” in an Instagram post to mean that the post is sponsored. Although there’s no one-size-fits-all way to make that disclosure, a term that is subject to multiple interpretations may not be sufficient.

These types of letters are often a precursor to more formal action, so this might be a good time to revisit your influencer agreements and campaigns.

California Last State to Join Multistate Settlement of Western Union Fraud Schemes

Western UnionLast week, California became the 50th state to join the multistate settlement with Western Union over its alleged complicity in fraud-induced wire transfers.  This followed Western Union’s $5 million agreement with 49 state and the District of Columbia for costs and fees in January, not to mention a whopping $586 million in settlement agreements with the United States DOJ and FTC.  While DOJ brought wire fraud and anti-money laundering charges against Western Union, and the FTC alleged violations of Section 5 of the FTC Act, and the Telemarketing Sales Rule, the states raised violations of their respective consumer protection laws.  California brought its complaint pursuant to the Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17209 (“UCL”), its analog to the FTC Act.

Some quick background on the UCL:

  • Traditionally, the UCL is thought to prohibit unfair competition, which includes unfair, deceptive, misleading, or false advertising.  § 17200; see Lavie v. Procter & Gamble Co., 105 Cal. App. 4th 496, 512 (2003) (whether “the ordinary consumer acting reasonably under the circumstances” is likely to be deceived).
  • But the UCL also forbids business activity unconnected with advertising when such activity constitutes an “unlawful” or “unfair” business practice that either violates another law or violates an established public policy.  § 17200; see e.g., In re Anthem Data Breach Litig., 162 F. Supp. 3d 953, 990 (N.D. Cal. 2016); Ballard v. Equifax Check Servs., Inc., 158 F. Supp. 2d 1163, 1176 (E.D. Cal. 2001).  Some common defenses to these claims include compliance with the underlying law, the practice is not unfair or is justified, and federal preemption.
  • The UCL provides private plaintiffs with the ability to bring claims for restitution and injunctive relief, while the government can also impose civil penalties of up to $2,500 per violation.  §§ 17203, 17206; see e.g., People v. JTH Tax, Inc., 212 Cal. App. 4th 1219, 1254 (2013) (“[T]he court could have imposed penalties of over $9 million, but only imposed penalties of $715,344 for these advertisements.”).

Here, the California Attorney General alleged that Western Union, during the course of its money transferring services, failed to scrutinize and stop complicit agents that did not comply with anti-money laundering policies, inadequately trained, vetted and reported agents, and overall did not “prevent fraudulent telemarketers, sellers, and con artists from using Western Union’s money transfer system to perpetrate their frauds.”  In other words, Western Union exposed its customers to fraud in violation of the UCL.

As part of the global settlement, Western Union agreed to implement a comprehensive anti-fraud program to detect and prevent future incidents.  California consumers who made a wire transfer through Western Union are entitled to a share of the DOJ restitution fund and may be eligible for more than $65 million in refunds.  The California Department of Justice also may recoup costs and fees from the $5 million multistate fund.

Bottom line: the UCL is a dynamic enforcement mechanism with the potential to curtail many different types of business activities that seemingly harm consumers, and provides the Attorney General with the ability to inflict stiff penalties for violations.

Privacy Certification Program Settles COPPA Violations with NYAG

state-attorney

Last week, True Ultimate Standards Everywhere, Inc. (“TRUSTe”) agreed to pay the New York Attorney General (“NYAG”) a $100,000 penalty, and beef up privacy measures, to settle alleged violations of the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506 (“COPPA”). The Federal Trade Commission (“FTC”) is authorized to issue rules under COPPA, § 6502(b), and, along with the State Attorneys General, enforces it, §§ 6504(a), 6505(a).  Generally, the FTC’s “COPPA Rule” mandates that operators of websites directed to children under the age of 13, or website operators that knowingly collect personal information from children under 13, must provide parents with notice of their information practices, make the collected information available upon request, limit the collection of such information, and secure it. See generally 16 C.F.R. pt. 312.  Additionally, and relevant to this settlement, “collection” includes the passive tracking of children’s personal information through a persistent identifier, and not just its active collection.  16 C.F.R. § 312.2.  Failure to comply may subject an operator to a penalty up to $40,654 per violation and a permanent injunction. See 15 U.S.C. §§ 45(a)(1), 45(m), 53(b), 57a(d)(3), 6502(c); 16 C.F.R. §§ 1.98, 312.9.

TRUSTe offers a privacy compliance certification solution to website and app operators. The FTC approved TRUSTe (along with six other organizations to date) as a self-regulatory, safe harbor program that subjects its operators to the same or greater protections for children as the COPPA Rule. See 16 C.F.R. § 312.11. Once certified, TRUSTe’s members may display the “TRUSTe Kids Privacy” seal on digital properties (and possibly avoid being the subject of government enforcement).  According to the NYAG, however, TRUSTe failed to scan its members’ web sites for third-party tracking practices prohibited by COPPA during annual recertification assessments required of any safe harbor program.  In other instances, TRUSTe failed to notify members about the detection of prohibited tracking, or accepted member representations about the legality of such tracking.  These accusations came on the heels of TRUSTe’s settlement with the FTC a few years ago for similar concerns. See True Ultimate Standards Everywhere, Inc., Doing Business as TRUSTe, Inc.; Analysis To Aid Public Comment, 79 Fed. Reg. 69850 (Nov. 24, 2014).  Similar to its settlement with the FTC, TRUSTe must improve the scanning, assessment, and reporting of any third-party tracking on its members’ sites in addition to its penalty to the NYAG.

COPPA remains a powerful tool in the arsenal of the FTC and State Attorneys General to curtail the ever-increasing marketing by online businesses to children under the age of 13. Failure to adequately prevent illegal tracking technology, or any other enumerated prohibition of COPPA, opens the door to regulatory scrutiny and enormous monetary penalties.  The increasing enforcement of COPPA by states signifies that the welfare of children online is a top priority for federal and state authorities alike.

NY AG Enters Mobile Health App Enforcement Arena with Settlements Targeting Health Claims and Privacy Practices

New York Attorney General Eric Schneiderman recently announced settlements with three mobile health app developers resolving allegations that they made deceptive advertisements and had irresponsible privacy practices. The Attorney General alleged that the developers sold and advertised mobile apps that purported to measure vital signs or other indicators of health using just a smartphone. The apps had over a million downloads, giving these concerns considerable consumer reach. The Attorney General’s office reportedly became aware of the apps through consumer complaints and reports to the Health Care Bureau.

Failure to Properly Substantiate Health Benefit Claims

The NY AG’s core concerns regarding the advertising claims were as follows:

  • Runtastic created “Heart Rate Monitor, Heartbeat & Pulse Tracker”. The NY AG alleged that Runtastic promoted its app as a product that purports to measure heart rate and cardiovascular performance under stress but had not tested the app with users engaged in vigorous exercise.
  • Cardiio created and sold the “Cardiio Heart Rate Monitor”. Cardiio allegedly also marketed its app as a means of monitoring heart rate following vigorous movement but had not tested the app under those conditions. In addition, the NY AG alleged that Cardiio’s representations that its product was endorsed by MIT were deceptive.

Representations Consistent with a Regulated Medical Device

  • Matis’s “My Baby’s Beat-Baby Heart Monitor App” raised slightly different concerns. Matis allegedly promoted the app with statements such as “Turn your smartphone into a fetal monitor with My Baby’s Beat app” and language that encouraged consumers to use the app as an alternative to more conventional fetal heart monitoring tools.  The app allegedly had not undergone proper review by the FDA to be marketed as such, however.

As readers of this blog and our sister blog, Food and Drug Law Access, know, the FDA has authority to regulate medical devices and has taken a risk-based approach to consumer-directed mobile health products.  The FTC has been even more active than the FDA in bringing health-related enforcement actions, as we have written about here, here, and here.  As these federal agencies transition into a new administration, the NY AG is making clear with these settlements that regulators are still watching for potentially misleading health claims.

The NY AG also alleged several problematic privacy practices, including the following:

  • Failing to disclose the risk that third parties could re-identify de-identified user information,
  • Issuing conflicting statements on data sharing under the Privacy Policy and under the Privacy Settings,
  • Failing to disclose that the company collected and provided to third parties consumer’s unique device identifiers,
  • Employing a practice of consent by default, where a consumer is deemed to have consented to a privacy policy just by using the website, and
  • Failing to disclose that protected health information collected, stored, and shared by the company may not be protected under the Health Insurance Portability and Accountability Act.

As we noted in a previous post on privacy and data security in mobile health apps, legal compliance is all too often an afterthought when it comes to app development. These allegations underscore the importance of understanding and reconciling data collection and use practices with the statements companies make to consumers.

NetSpend Settles FTC Charges, Resolving Allegations that it Deceived Consumers over Access to Prepaid Funds

Last week the FTC announced that it had reached a settlement with NetSpend over allegations that NetSpend deceived consumers by promising “immediate access” with “guaranteed approval” to money loaded on its general purpose reloadable cards.  Approved 2-1 with a vote by then-Commissioner Ramirez before her resignation, the order prohibits NetSpend from making misrepresentations about the length of time or conditions necessary before its prepaid products will be ready for use, the comparative benefits of its prepaid products to debit cards and other payment methods, and the protections consumers have in the event of account errors.  The order also requires NetSpend to pay $53 million in monetary relief and to provide notices to third-party advertisers directing them to discontinue any claims stating that NetSpend’s cards “provide immediate or instant access to funds, are ready to use today, or provide guaranteed approval.”

Initially filed in November 2016, the complaint alleged that NetSpend targets the “unbanked” or “underbanked,” as well as low-income and Spanish-speaking consumers, and deceptively represents that NetSpend cards will be ready for use immediately without any approval process.  The complaint suggests that because, “in all cases consumers must contact NetSpend and provide personal identification information to activate the card” (e.g., name, address, birthday and SSN), the claims of “immediate access” are misleading and create false expectations for consumers.  The complaint further alleges that NetSpend did not always activate consumer accounts even though consumers sent the requested information and that NetSpend placed blocks on card accounts and made it difficult for consumers to resolve the blocks through poor customer service.

In a dissenting statement, Acting Chair Ohlhausen raised two primary objections.  First, Ohlhausen argues that the majority fails to consider the phrase “immediate access” in context, which describes the benefits of NetSpend cards as a direct deposit vehicle that could provide access to funds quicker than other forms of deposits.  Ohlhausen reasons that, when considered in context, consumers would understand the claim “immediate access” to mean access to funds on the date when the payer made funds available for transfer to the account, not necessarily the day the consumer opens the account.  Second, Ohlhausen asserts that, even assuming the claims were deceptive, the $53 million monetary relief “is not sufficiently related to that claim” because there was insufficient evidence to conclude that consumers abandoned funds because of NetSpend’s allegedly deceptive advertising.

Commissioner McSweeny also issued a statement that responded to the Acting Chair’s arguments, noting that “[t]hese claims were not limited to situations involving direct deposit” and that “[m]any NetSpend card users load funds onto their cards at the time of purchase or otherwise have funds deposited before activation.”   McSweeny also noted that some consumers allegedly never received their funds even after they provided the information requested by NetSpend to verify their identity.

The case is notable both substantively – as one of few cases addressing representations for prepaid access cards, and procedurally – since it could not be entered if the vote took place today given the conflicting views of the two current Commissioners.  (The settlement announcement was delayed because Commissioner McSweeny did not vote to support the settlement until March 8, about a month after then-Commissioner Ramirez had voted in favor of the settlement.)

FTC Highlights Deep-Sixing of FCC Privacy Rules in Bid for 9th Circuit Rehearing

FTC - FCC

In support of its request for an en banc rehearing of a Ninth Circuit Court of Appeals panel decision in FTC v. AT&T over the jurisdictional boundaries between the Federal Trade Commission’s (FTC) and Federal Communications Commission’s (FCC) authority over phone companies, broadband providers, and other common carriers, the FTC sent a letter to the Court yesterday highlighting the Congressional joint resolution signed into law by President Trump that eliminates the broadband and voice privacy rules in a November 2016 FCC order.

The FTC argues in its letter to the Ninth Circuit that because “the FCC privacy rules never became effective and are now null and void, they cannot mitigate the regulatory gap discussed by the FTC in its petition.”  The FTC suggests that the regulatory gap is unlikely to be filled by the FCC in the future because the Congressional Review Act prevents “reissu[ing] the privacy rules in ‘substantially the same form’ or issu[ing] new rules that are ‘substantially the same’ as the disapproved rule unless such action is authorized by a newly enacted law. 5 U.S.C. § 801(b)(2).”

Whether this argument is likely to help persuade the Ninth Circuit to grant the FTC’s request for an en banc rehearing is unclear.  This filing also follows an op-ed earlier this week by the FTC’s acting Chairman, Maureen Ohlhausen and FCC Chairman Ajit Pai, stating that the FCC’s prior party-line vote to strip the Federal Trade Commission of its jurisdiction over Internet broadband providers was a mistake,” and that the two agencies would work together to “restore the FTC’s authority to police ISP’s privacy practices.”  We will keep you posted on updates.

NAD Gives Bill of Good Health to Dietary Supplement Immunity Claims

The National Advertising Division of the Better Business Bureaus, a self-regulatory body that polices national advertising, recently gave an a-OK to certain dietary supplement immunity claims. The action was initiated under NAD’s partnership with the Council for Responsible Nutrition against dietary supplement maker Olly Public Benefit Corporation.  CRN requested that NAD determine whether Olly had a reasonable basis for the message that its Kids Mighty Immunity product helps support immune health.  In particular, NAD assessed four immunity-related claims made on the product website:

  • “Formulated to help support little immune systems in the biggest way to help keep kids healthy and happy year-round.”
  • “Wellmune. These beta glucans support immune health by helping to promote built-in cellular defense mechanisms.”
  • “Elderberry. Respect your elders – this super food has been used for centuries to support the immune systems.”
  • “Zinc. An essential mineral that helps keep immune cells functioning in tip-top shape.”

In support of its general immunity message, Olly argued that the product is a good or excellent source of vitamins C, D, and zinc and also contains Wellmune beta glucan yeast. The advertiser presented studies and literature explaining the support roles played by vitamin C, vitamin D, and zinc in the immune system.  This evidence indicated that the nutrients – when taken in sufficient doses – “help form a physical and chemical barrier to keep out pathogens, and also support specialized adaptive immune system cells that work as part of the body’s natural processes to eliminate pathogens.”  NAD found that this data was sufficient, and Olly did not need to present a clinical study on its product, because the context of the webpage and the product packaging conveyed the message that these claims were based on the supplement’s individual ingredients and not testing of the final product.

In addition, Olly provided evidence in both adults and children demonstrating that, after oral digestion, Wellmune is bioavailable and binds to immune cells. NAD found this was a reasonable basis for the Wellmune claim.  Likewise, NAD found that the elderberry claim, supported by historical accounts citing elderberry for immune support, was sufficiently limited.

Importantly, NAD appreciated that the advertiser did not make any express or implied claims regarding the common cold or other illnesses and avoided imagery that implied cold prevention or cure, such as depictions of sick children, worried parents, or visits with health care professionals. It noted that evidence presented in other NAD proceedings failed to show a relationship between regular vitamin C supplementation and the reduction in the incidence of colds.

We have seen other examples of cases where immunity claims for foods and dietary supplements have been problematic for companies. However, as shown in this NAD matter, it is possible to effectively tailor claims to the available evidence so that they withstand regulatory scrutiny.

Congress Repeals FCC 2016 Privacy Order via Congressional Review Act

On April 3, 2017, President Trump signed into law a Congressional joint resolution eliminating new broadband and voice privacy rules set forth in a November 2016 order (the 2016 Privacy Order) by the Federal Communications Commission (FCC) (the Joint Resolution).  Members of Congress largely voted along partisan lines. The House approved the Joint Resolution by a 215-205 vote and the Senate approved it by a 50-48 vote.

The repeal occurred via Congressional Review Act (CRA) procedures, which enable Congress to rescind recently adopted agency rules.  The Joint Resolution will have a modest impact on the status quo with respect to both broadband Internet access service (BIAS) providers and traditional voice providers, since few of the new rules in the 2016 Privacy Order had gone into effect when the Joint Resolution was passed into law.  However, a less aggressive privacy posture at the FCC is likely to have ripple effects on privacy enforcement at both the federal and state level, as the Federal Trade Commission (FTC) and state attorneys general may attempt to step in to fill the gap, despite potential jurisdictional challenges.  Moreover, unless and until the FCC finds otherwise, Section 201(b) (bars unjust and unreasonable practices) and Section 222 (requirements applicable to broadband are unclear) still apply to BIAS.  As a result, BIAS providers and voice carriers should maintain reasonable privacy and data security policies and procedures to mitigate risks of enforcement intended to mind the gap in some way.

Our client advisory, available here, provides an overview of the repealed order, the CRA, and the steps providers should take to protect themselves during this period of uncertainty.

LexBlog