Ad Law Access

Ad Law Access

Updates on consumer protection trends, issues, & developments

FCC Enforcement Advisory: Broadband Providers Must Take Reasonable, Good Faith Steps to Protect Consumer Privacy

Posted in Privacy and Information Security

On Wednesday, May 20, 2015, the FCC’s Enforcement Bureau issued its first enforcement advisory in the post-Open Internet Order  era.  Not surprisingly, the Bureau’s first advisory addressed the consumer privacy obligations of broadband providers.  In the Advisory, the Bureau reminded broadband Internet access service (“BIAS”) providers that they will need to take “reasonable, good faith steps to protect consumers’ privacy” pursuant to Section 222 of the Communications Act when the 2015 Open Internet Order goes into effect on June 12, 2015.  The Advisory also advises broadband providers to seek informal FCC guidance regarding particular practices during the initial implementation of the order.

In the 2015 Open Internet Order, the Commission applied the consumer privacy protections of Section 222 of the Communications Act to BIAS providers.  Section 222 regulates:

  • Proprietary Information. Section 222(a) establishes a duty of telecommunications carriers to protect the confidentiality of proprietary information of and relating to carriers, equipment manufacturers, and customers.
  • Carrier Proprietary Information. Section 222(b) prohibits carriers who receive proprietary information from other carriers for the purpose of providing telecommunications from using that proprietary information for other purposes, including marketing.
  • Customer Proprietary Network Information. Section 222(c) defines CPNI and establishes situations where carriers may use CPNI without obtaining additional consent.

As the Bureau noted in its Advisory, although the 2015 Open Internet Order applied Section 222’s substantive obligations to BIAS providers, it forbore from applying Section 222’s “telephone-centric” implementing rules.  In the coming months, the Commission will conduct a separate rulemaking to adopt CPNI rules for BIAS providers.  Until then, BIAS providers are subject to the obligations of Section 222, without any specific implementing rules.

In the Advisory, the Bureau warned that, during this gap period, BIAS providers should “employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.”  Rather than focusing on what the Bureau referred to as the “technical details” of the provider’s practices, the Bureau announced that its focus will be on whether providers are taking “reasonable, good-faith steps” to comply with Section 222.  In other words, it seems, for now, the Bureau will be looking more at efforts and less at outcomes in its enforcement.

The Advisory also encourages BIAS providers to seek informal guidance from the Enforcement Bureau.  It stated that both informal guidance, and advisory opinions as provided in the Open Internet Order are available.  The Bureau cautioned that no provider “is in any way required to consult with the Enforcement Bureau,” but such consultations would, in and of themselves, “tend to show that the broadband provider is acting in good faith.”  This may prove to be a significant stance, particularly if the provider is operating or using customer information in ways that later prove to be controversial.  BIAS providers should carefully consider their options to obtain guidance in connection with a particular use of customer information once the rules take effect.

In light of this Enforcement Advisory and the 2015 Open Internet Order, all BIAS providers should conduct a review of their customer privacy practices and public-facing policies.  Such a review would be an important starting point in demonstrating “reasonable, good-faith steps” to comply with Section 222.

CPSC Bumps Up Litigation Strategies Another Notch

Posted in Consumer Product Safety

The Consumer Product Safety Commission (“CPSC”) continues its increased willingness to use litigation as a tool when targeted companies disagree with the CPSC’s position, recently initiating two lawsuits seeking civil penalties and injunctive relief.  Both indicate new strategies in litigation.

In the first lawsuit, the CPSC and the Department of Justice (“DOJ”) seek a civil penalty and injunctive relief from Michaels Stores Procurement Co. Inc. (“Michaels”). The lawsuit alleges Michaels failed to timely report that the glass walls of certain vases that Michaels sold and imported were too thin to withstand normal handling, posing a laceration hazard to consumers. Adding a new twist, the CPSC and DOJ also allege that, when Michaels did report, it conveyed the false impression that it had not imported the vases and had acted only as a retailer, avoiding responsibility for the recall of the vases.

In the second lawsuit, filed by DOJ, the government alleges that novelty magnet company Zen Magnets LLC offered for sale products that were subject to a voluntary recall and to a CPSC order. The suit alleges that Zen Magnets bought over 900,000 magnets from Star Networks USA LLC, which had previously agreed to recall its Magnicube sets in connection with a settlement with the CPSC, and rebranded and repacked the magnets. On May 14, a federal judge granted a preliminary injunction to halt the sale of the hazardous magnets. U.S. District Court Judge Christine M. Arguello of the District of Colorado found a strong likelihood that the defendants had violated the Consumer Product Safety Act and a cognizable danger of recurring violations in the future.

These cases demonstrate that companies subject to the CPSC’s laws and regulations should closely evaluate the veracity and extent of information submitted to the CPSC and should implement steps to avoid the resale, even if unintentional, of recalled products.

Wet Wipes Manufacturer Must Back Up Its Flushing Claims (And Not Consumers’ Plumbing)

Posted in Advertising, Federal Trade Commission, Green Marketing

On May 18, 2015, the FTC announced a settlement with Nice-Pak Products, Inc., concerning claims that its moist wipes are “flushable,” “break apart after being flushed,” and are “safe” for sewer and septic systems. Nice-Pak marketed and sold its flushable wipes primarily through private label brands, such as Costco’s Kirkland Signature Moist Flushable Wipes, CVS’s Flushable Cleansing Wipes, Target’s Up & Up Flushable Moist Wipes, and BJ’s Family & Toddler Moist Wipes.

The FTC complaint contends that, because of their composition, Nice-Pak’s non-woven fabric wipes did not break down in water in a reasonably short amount of time. Moreover, the complaint alleges that that Nice-Pak did not have substantiation for these performance claims because its tests did not accurately reflect the real-world conditions that Nice-Pak wipes would encounter after being flushed (i.e., conditions that exist in household toilets, plumbing, or septic systems, or in public sewer systems or public wastewater treatment facilities).

The FTC’s proposed consent order prohibits the company from making claims about any moist toilet tissue unless the company has competent and reliable evidence to support such claims. The order does not, however, define the period of time in which a product must break down in order to be considered “flushable” or “safe.” The order would require only that the substantiation: (1) demonstrate that the wipes disperse in a sufficiently short amount of time after flushing to avoid clogging or other operational problems in household and municipal sewage lines, septic systems, and other standard wastewater equipment; and (2) substantially replicate the physical conditions of the environment where the wipes are likely to be disposed.

The FTC began investigating products claimed to be “flushable” back in 2013. The issue gained media attention shortly after the Washington Post ran a story on ‘flushable’ personal wipes clogging sewer systems around the country. In December 2013, Consumer Reports followed up with testing showing that, although toilet paper breaks apart in seconds, several brands of flushable wipes took at least 10 minutes to break into small pieces. Often times, wipes can reach a pump within just a couple of minutes.

The moral of the story is – don’t just “take the plunge” when advertising your products; companies should make sure that they have “backed up” their claims with adequate substantiation that reflects real-world conditions. Companies should also track consumer complaints and media reports because those can often trigger regulatory investigations.

Kelley Drye to Host Seminar on Employee Privacy and Data Protection Issues in the Connected Workplace

Posted in Privacy and Information Security

On June 2, 2015, Kelley Drye will be hosting an afternoon seminar at its New York offices on the challenges employers face when balancing data security with employee privacy rights. The seminar will be presented by Barbara Hoey and Mark Konkel of Kelley Drye’s Labor and Employment practice, joined by Alysa Hutnik of Kelley Drye’s Privacy and Information Security practice.

While breaches of customer data have received most of the media scrutiny, employee data breaches also are causing company headaches. But there remain increasing pressures to also gather and utilize employee data through the monitoring of employee communications to measure productivity, maintain corporate image, and to deter or prevent wrongdoing.

The seminar will focus on key questions employers face when balancing obligations to their business and employees such as:

  • What are HR best practices in these areas?
  • What are the lessons learned from past employee data breaches?
  • What are employees’ electronic privacy rights in the workplace?
  • How should a business strike the right balance between an employee’s privacy rights and protection of the business?
  • Can employees use companies’ email systems for personal reasons?
  • Can employers monitor employee email use? Do they have to let employees know if they are doing so?
  • Can employers sanction employees for comments made on social media? What constitutes private behavior vs. behavior that can adversely affect a company’s image?
  • Can employers monitor data on personal devices that are also used for business reasons?

Click here for more information. Click here to register for the event.

California Enforces Transparency in Supply Chains Act

Posted in Retail

The Attorney General of California has recently sent letters to more than 1,700 companies notifying them that the State is enforcing the California Transparency in Supply Chains Act, which became effective in 2012.  The Act requires large retailers and manufacturers doing business in California to disclose “conspicuously” on its websites “efforts to eradicate slavery and human trafficking from [their] direct supply chain for tangible goods offered for sale.”  The law applies to any company doing business in California, having annual worldwide gross receipts in excess of $100 million, and identifying itself as manufacturers or retailers on its California state tax returns.

Companies subject to the Act must post disclosures on its websites stating at a minimum that the company is:

  • Engaging in verification of product supply chains to evaluate and address risks of human trafficking and slavery and disclosing whether the verification is being done by a third party
  • Auditing suppliers to evaluate compliance with company standards for trafficking and slavery
  • Requiring direct suppliers to certify that materials used comply with trafficking and slavery laws
  • Maintaining internal accountability standards for suppliers failing to meet company trafficking and slavery standards
  • Providing company employees with training particularly to mitigate risks within product supply chains.

All companies to whom the Act applies, must post a disclosure – even if the disclosure states that the company has not taken any action with regard to the five areas above. In light of the recent letters by the California’s AG’s office, there could be civil actions brought for injunctive relief.

For more information, please contact:

David E. Fink
(310) 712-6170

Laura Siegel Rabinowitz
(212) 808-7706

Decision Highlights Questions Over Substantiation for Weight Loss Claims

Posted in Advertising, Federal Trade Commission, Food and Drug

The Eleventh Circuit recently issued a decision in an contempt proceeding against Hi-Tech Pharmaceuticals and several individuals. The case highlights the ongoing debate over whether clinical trials are required for weight loss claims and, if so, whether the clinical trials must be on the full product formulation rather than active ingredients.

In 2008, a federal district court in Georgia held the Hi-Tech defendants liable for disseminating deceptive advertising for several products, including two weight loss products, Thermalean and Lipodrene. The court found that the defendants’ advertising for Thermalean and Lipodrene conveyed that the full product formulations had been clinically tested. In the absence of such testing, the court found that the defendants lacked adequate substantiation. The injunctive order issued by the court against the defendants, however, did not require any sort of clinical testing for future weight loss claims. Rather, the order simply required the defendants to possess “competent and reliable scientific evidence,” defined as “tests, analyses, research, studies, or other evidence based on the expertise of professionals in the relevant area, that has been conducted and evaluated in an objective manner by persons qualified to do so, using procedures generally accepted in the profession to yield accurate and reliable results.”

In 2011, the FTC initiated contempt proceedings against the Hi-Tech defendants in the same federal district court. The FTC alleged that the defendants had violated the 2008 order by disseminating unsubstantiated advertising for three new weight loss products and a reformulated version of Lipodrene. In support of their advertising, the defendants offered evidence, including an expert report. The court, however, refused to consider the evidence given that none of the materials offered were clinical trials on the full product formulations. The court held that its prior decision on product testing collaterally estopped the defendants from offering any lesser forms of evidence in the contempt proceeding. The Eleventh Circuit reversed this holding. It found that the lower court reviewing the new evidence would not create successive, identical litigations. It observed that both the products and the particular claims at issue in the contempt proceeding differed from the products and claims at issue in the original litigation. The lower court will now hear the case again on remand.

If, on remand, the FTC argues once again that full product testing is required for weight loss claims, it will have an uphill fight. Its orders issued since mid-2010 have allowed weight loss claims to be substantiated with testing on either the full product or active ingredients. Although one other district court has also held that full product testing is required, allowing active ingredient testing is consistent with the greater weight of relevant precedent, including First Amendment cases. The FTC orders since 2010 appear to acknowledge that. Whether some sort of clinical testing is nevertheless required – either on the full product or actives – will likely involve a battle of experts. In prior litigations, the FTC has offered reports in which scientific experts have opined that some type of well-controlled clinical testing is required to substantiate weight loss claims.

FTC Settles with Retail Tracking Company that Made Privacy Policy Promises It Couldn’t Keep

Posted in Federal Trade Commission, Privacy and Information Security, Retail

Last week, the Federal Trade Commission announced its first settlement with a retail tracking company, resolving allegations that Nomi Technologies, Inc., a micro-location platform that provides analytics services to retailers through its product “Listen,” failed to abide by several promises it made in its privacy policy. Under the terms of the agreement, Nomi is prohibited from misrepresenting the options it provides to consumers to control whether and how their information is collected, used, disclosed, or shared.

Listen, which serves approximately 45 retailer clients, uses a retailer’s in-store Wi-Fi to collect statistical information from customers’ mobile devices and provide aggregate customer traffic pattern reports to the retailer. According to the FTC’s complaint, Nomi’s privacy policy represented that the company would provide an opt-out mechanism for customers on the Nomi website and at any retail location, implying that customers would be notified when stores were using the technology. The FTC alleges, however, that, not only did Nomi and the retailers fail to notify customers when stores were using Listen, but no in-store opt-out mechanism was ever available. As a result, Nomi allegedly tracked customers both inside and outside of stores by their MAC address, device type, date and time, and signal strength, and provided aggregate information to its clients, such as the percentage of repeat customers and the average duration of customer visits. In particular, the complaint alleges that Nomi collected information on approximately nine million mobile devices within its first year of operation.

This consent order reminds companies that they have a responsibility to abide by the promises made in their privacy policies, even when dealing with new and emerging technology such as retail tracking. One way to avoid making this mistake is to evaluate and confirm how data are collected and likewise confirm that the privacy policy representations are consistent with practices. Additionally, mindful that business practices evolve, companies should periodically review and consider revising privacy policy statements to keep those statements accurate.

Associate Ilunga Kalala contributed to this post. Mr. Kalala is admitted only in Maryland. He is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

Washington State Amends Data Breach Notification Statute

Posted in Privacy and Information Security

Last week, the Washington Governor signed into law amendments to the state’s data breach notification statute. Importantly, the amendments, which take effect July 24, 2015, (1) expand the statute to cover breaches of non-computerized data; (2) mandate that businesses notify the Washington Attorney General of a breach affecting more than 500 Washington residents; and (3) require that notification to consumers and to the Attorney General occur no later than 45 days after the date of discovery of the breach. The amendments were requested by Washington Attorney General Bob Ferguson.

Washington now joins only a handful of states whose breach notification statutes require notice of a breach of non-computerized data containing consumer personal information. The amendments clarify, however, that notice is only required – both for computerized and non-computerized data – if the breach is reasonably likely to subject consumers to a risk of harm. Risk of harm is assumed, though, if the data is not secured, or if the means to decipher the secured information (e.g., the encryption key) is also compromised. “Secured” is defined as “encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable.”

In addition to mandating that notification occur within 45 days of discovery of a breach, the amendments prescribe the content of the notice to both consumers and the Attorney General (if more than 500 Washington residents are affected). Specifically, the consumer notice must be written in plain language and include (1) the business’s name and contact information, (2) a list of the types of personal information reasonably believed to have been the subject of the breach, and (3) the toll-free telephone numbers and addresses of the major credit reporting agencies. The notice to the Attorney General must include the number of Washington residents affected and a sample copy of the consumer notice, provided electronically.

Despite pending federal legislation, which contains broad federal preemption provisions, state legislatures, often at the request of the Attorney General, are strengthening existing notification requirements, likely in response to the several high-profile breaches that have occurred over the last few years, to attempt to safeguard consumer personal information and prevent identity theft. We continue to track such legislation in several states, including Indiana and New Jersey, as well as the goals of state attorneys general, such as those in New York and Oregon requesting such legislation.

Don Henley Settles Right of Publicity Suit with Retailer

Posted in Right of Publicity

Last year, Duluth Trading Company ran ads promoting its henley-style shirts that urged customers to “Don a Henley and take it easy.” (Readers of a different generation, take note: Don Henley is one of the singers in the Eagles, and Take it Easy was the band’s first single inHenley 1974.)

If you’ve read our previous posts on right of publicity issues, you may know that it’s usually not a good idea to use a celebrity’s name or image without their permission. In this case, Henley filed a lawsuit against Duluth, arguing that the retailer’s ads exploited his celebrity status, violated his publicity rights, and infringed his trademarks.

The parties agreed to settle the suit this week, and Duluth posted a public apology to Don Henley on its Facebook page. In the apology, the company noted that although it aims to keep its ads “fresh, interesting, and funny,” they had “pushed the advertising envelope too far.” “We have learned a valuable lesson and thank Mr. Henley for helping us appreciate the importance that he and other artists place in their publicity rights.”

Luckily, you don’t have to be sued by Don Henley to appreciate the importance of publicity rights. You can just read our blog. Or you can check out a recent series on right of publicity claims posted by our friends at Drye Wit.

NAD Finds DirecTV’s Rob Lowe Ads to be Misleading

Posted in Advertising, NAD

DirecTV has received a lot of attention for its ad campaign featuring Rob Lowe. Although many of the commercials are funny, not everyone is laughing. Comcast challenged the ads before the NAD, arguing that the ads make misleading comparisons between DirecTV and cable. The NAD largely sided with Comcast, and asked DirecTV to stop making various claims.

The ads start with Rob Lowe stating that he has DirecTV. Then, a creepy or dysfunctional version of the actor Loweappears and announces that he has cable. The ads close with Rob Lowe pointing to his alter-ego, saying: “Don’t be like this me. Get rid of cable and upgrade to DirecTV.” Comcast argued that the ads convey the misleading impression that DirecTV is superior to cable on a number of attributes, including signal reliability, picture quality, and customer service.

The case involved a number of issues, but one of the key questions was whether the ads made any claims that required proof, in the first place. DirecTV argued that because the ads were so outlandish, consumers wouldn’t take the comparisons seriously. Sometimes this type of argument can work, and an advertiser won’t have to provide proof. But the NAD noted that the use of humor and hyperbole doesn’t automatically mean that consumers won’t take away objective claims from an ad.

The NAD determined that the discussion of specific attributes — such as signal reliability, picture quality, and customer service — coupled with the tagline encouraging people not to be like the creepy version of Rob Lowe by upgrading from cable to DirecTV could reasonably convey that DirecTV was superior in each of the attributes mentioned. Because DirecTV did not provide proof of superiority, the NAD found many of the ads to be misleading.

Humor and hyperbole can be effective advertising techniques. In some cases, they can even get a message across without requiring an advertiser to have proof for that message. But the NAD has often held that denigrating claims “must be truthful, accurate, and narrowly drawn so that they do not falsely disparage a competitor’s product.”