Ad Law Access

Ad Law Access

Updates on consumer protection trends, issues, & developments

The Pleading Bar In False Advertising Cases Has Been Raised

Posted in Advertising, Food and Drug

The Fourth Circuit recently issued a decision affirming a district court’s order dismissing a false advertising claim against GNC and Rite Aid relating to several supplement products containing glucosamine and chondroitin, as well as other ingredients.  This case raises the bar for plaintiffs at the pleading stage because they now must allege that “all reasonable experts in the field agree that the representations are false.”  Without such an allegation, they face dismissal of their false advertising claims.

In 2014, a federal district court in Maryland dismissed a consolidated complaint containing claims for false advertising brought under the consumer protection laws of six different states.  The district court found that the plausibility standard established by Iqbal and Twombly required more than the conclusory allegations of falsity contained in the consolidated complaint.  Rejecting plaintiffs’ argument that the existence of a “battle of the experts” should permit their claims to survive, the district determined that, if one expert in the field would reasonably conclude glucosamine and chondroitin are effective for the treatment of non-arthritic consumers, plaintiffs’ complaint should be dismissed at the pleading stage.

Following the district court’s lead, the Fourth Circuit found that a plaintiff alleging false advertising must set forth a plausible claim for relief under the relevant state consumer protection statute and cannot simply recite the elements of the claim and then conclude that the representations are false.  The Fourth Circuit’s holding is worth noting: “[In order to state a false advertising claim on a theory that representations have been proven to be false, plaintiffs must allege that all reasonable experts in the field agree that the representations are false.  If plaintiffs cannot do so because the scientific evidence is equivocal, they have failed to plead that the representations based on this disputed scientific evidence are false.”

FTC Shuts Down a Risky Risk-Free Offer

Posted in Federal Trade Commission

This morning, the FTC announced that it had stopped a group of 15 companies and 7 individuals from using deceptive “risk-free trial” offers to sell skincare products online. At the Commission’s request, a federal court issued a temporary restraining order against the defendants, halting their marketing practices, freezing their assets, and appointing a receiver over their business. That’s pretty serious. So what went wrong?

According to the FTC’s complaint, the defendants used various online ads to tout “risk-free trial” offers. On their websites, the defendants advertised that consumers simply had to pay a nominal shipping and handling charge – typically under $5 – to receive a free trial of the skincare products. Most of the sites also advertised that satisfaction was guaranteed and that the companies enjoyed an A- rating from the BBB.

Risk-Free

The truth, according to the FTC, was much different. Consumers who didn’t return the products within 10 days were charged $98 and enrolled in a monthly subscription plan. Although this was disclosed on the order pages, the FTC alleges that the disclosures were not sufficiently prominent and that they omitted various important terms, including key deadlines and the existence of a restocking charge. To make things worse, the companies made returns difficult and they actually have F ratings from the BBB.

This isn’t the first time we’ve posted about companies getting in trouble over free trials or automatic renewals. State attorneys general and class action attorneys have also been active in this area, and companies have had to pay a lot of money to settle the cases. (Click here and here, for example.) If your company makes these types of offers, this case should serve as a reminder to check your marketing practices to ensure you are complying with applicable laws.

Nevada and Wyoming Expand Breach Notification Laws to Protect Account Credentials

Posted in Data Security, Privacy

On July 1, 2015, both Nevada and Wyoming’s breach notification law amendments come into force, expanding the definition of Personal Information (“PI”) to include account credentials such as a username or email address. With these amendments, the two states join California and Florida in a small but growing number of states that have overhauled breach notification laws to expand privacy protections for consumers.

Nevada’s breach notification laws will now define PI to include the following account information: “a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.” The change to the Nevada law also means that companies may have to ensure that account credentials are encrypted to comply with Nevada’s requirements to safeguard PI.

Under Wyoming’s law, login credentials will now be subsumed under the definition of PI along with several other broad categories of information including telephone number and address. Notably, Wyoming’s updated law will include one of broadest definitions of PI that may affect almost every consumer or employee record or profile maintained by a business.

These changes will expose industry to added compliance requirements. Companies doing business in these states should take stock of the information they collect and consider whether additional measures should be put in place to ensure compliance with the updated laws. We will continue to monitor updates to breach notification laws and how these changes will affect business compliance going forward.

Associate Ilunga Kalala contributed to this post. Mr. Kalala is admitted only in Maryland. He is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

FTC Announces First Action Involving Crowdfunding

Posted in Federal Trade Commission

Last week, the FTC announced its first legal action involving crowdfunding. For those of you who don’t know, crowdfunding is the practice of raising money for a project by seeking contributions from a large number of people, usually through online platforms like Kickstarter or Indiegogo. In this case, the FTC alleged that a creator who sought money to produce a board game failed to deliver on his promises.

The creator represented that if he raised $35,000, backers would get certain rewards, such as a copy of the game and specially-designed game figurines. ​Even though the creator​ raised more than $122,000​, ​he announced that he was canceling the project and refunding his backers’ money.​ ​According to the FTC complaint, though, the creator failed to refund the money or provide any of the promised rewards. Instead, the FTC alleged that he spent most of the money on personal expenses such as rent, moving ​costs​, ​and ​personal equipment.

Under the settlement order, the creator is prohibited from making misrepresentations about any crowdfunding campaign and from failing to honor his refund policies. He is also barred from disclosing or otherwise benefiting from customers’ personal information, and failing to dispose of such information properly. The order imposes a judgment of almost $112,000 that will be suspended due to the creator’s inability to pay. (The full amount will become due immediately if he is found to have misrepresented his financial condition.)

This FTC announced that this case is part of the their ongoing work to protect consumers taking advantage of new and emerging financial technology. As technological advances expand the ways consumers can store, share, and spend money, the FTC is paying close attention to ensure that companies comply with the laws and keep their promises.

FTC Updates FAQs for Endorsement Guides, Offers More Guidance on Social Media and Video Endorsements

Posted in Federal Trade Commission, Promotions Marketing, Social Media

The FTC recently revised its “What People are Asking” page, a source of informal guidance relating to the FTC’s Endorsement Guides.  The Endorsement Guides were last revised in 2009.  The FAQ revisions are intended to address current advertising and marketing trends, such as the use of Twitter endorsements, “like” buttons, and uploaded videos.

The revisions do not change any underlying principles or policies relating to endorsements.  Endorsements still must be truthful and not misleading.  If there’s a connection between an endorser and the marketer of the product that would affect how people evaluate the endorsement, that connection must be clearly and conspicuously disclosed.  And if the advertiser doesn’t have proof that an endorser’s experience is typical, it must clearly and conspicuously disclose the generally expected results.

To help advertisers navigate their specific obligations under the Endorsement Guides, the new FAQs offer expanded guidance on the following topics:

  1. Disclosure Language. The FTC requires that a connection between the endorser and marketer should be disclosed if that connection would be relevant for consumers evaluating the endorsement.  The FTC does not mandate specific language for disclosing a paid endorsement or an endorsement where the endorser was given the product for free.  But the revised FAQs do suggest that a simple disclosure, such as “Company X gave me this product to try . . .” will usually be effective.  The revised guidance also states that a disclosure such as “Company X gave me a sneak peek of its new product” is insufficient to disclose a paid relationship.
  2. Twitter and Social Media Disclosures. In the revised guidance, consistent with its Dot Com Disclosures guidance, the FTC indicates that starting a tweet with “Ad:” or “#ad” would likely be an effective disclosure.  The FTC also suggests the terms “Sponsored,” “Promotion,” or “Paid ad” to disclose a sponsorship on social media.  In addition, businesses holding contests or sweepstakes on social media must clearly disclose that the post is being made as part of a contest or sweepstakes.  Encouraging consumers to participate in the contest by using a general hashtag (“#XYZ_Rocks”) is insufficient, but making the word “contest” or “sweepstakes” part of the hashtag should be enough under the revised guidance.
  3. Affiliate Marketing. Affiliate marketers who are paid a commission for purchases made through their links must clearly and conspicuously disclose their relationship with retailers.  Under the updated guidance, using the term “affiliate link” or “buy now” is not sufficient to explain the relationship.
  4. Employee Endorsements. When an employee endorses his or her employer’s products on social media, the employee should also disclose the relationship with the employer.  The guidance is clear that “[l]isting your employer on your profile page isn’t enough.”  Companies should periodically remind their employees not to post positive reviews online without disclosing the relationship between the employee and employer.  If a company learns that an employee has made a post in conflict with that policy, the company should ask the employee to remove the review or disclose the relationship.
  5. “Like” Buttons. The FTC understands that sites such as Facebook and Instagram do not allow users to disclose a relationship with advertisers when they “like” a company or a social media post by the company.  And the FTC isn’t sure at this time how much weight consumers put into “likes” when deciding to patronize the business.  However, the FTC draws a distinction between an advertiser that buys fake “likes” and an advertiser offering incentives for “likes” from actual consumers.  The former, according to the FTC, is “clearly deceptive,” and both the purchaser and seller of the fake “likes” could face enforcement action.
  6. Uploaded Videos. The FTC’s guidance explains that disclosing a relationship only in the description of a YouTube video is not sufficient to meet the FTC’s standards.  Rather, the disclosure “has the most chance of being effective” if it is made clearly and prominently in the video itself.   Disclosures may be made in both the video and the description.  In the case of a short video, a brief disclosure at the outset of the video that some of the products were provided by the manufacturer may be sufficient.  For a longer video, multiple disclosures during the video may be appropriate.  The FAQs caution against promoting a link to a video that bypasses the beginning of the video and thus skips over the disclosure.  If YouTube has been enabled to run ads during the video, a disclosure that is obscured by ads is not clear and conspicuous.

Although not entirely comprehensive, the FTC has provided helpful insight on endorsements and related disclosures through its Endorsement Guides and Dot Com Disclosures guidance.  Informal guidance, such as the What People are Asking FAQs discussed here, is also an important resource for understanding the FTC’s views on new marketing tools and trends.  We will continue to monitor such guidance from the FTC and provide updates.

Q: What’s Different About the FTC’s New Endorsement Q&As? A: Lots.

Posted in Advertising, Federal Trade Commission, Regulatory Developments

The FTC recently released a new version of its Q&As on the Endorsement Guides. The old Q&As, released in 2010, were about seven pages long. The new ones just about double that. The revisions and additions reflect many of the positions that the FTC has taken in the course of its enforcement over the past five years. Below is a summary of what’s new.

  • “Likes.” The FTC questions “how much stock social network users put into ‘likes’ when deciding to patronize a business.” Nevertheless, the FTC states that, as a part of advertising campaigns, “[a]dvertisers shouldn’t encourage [use of] features [such as ‘like’ buttons] that don’t allow for clear and conspicuous disclosures.”
  • Contests. When a company asks a consumer to post something (e.g., “#CompanyX4Evs”) in order to enter a contest, the FTC will normally consider the post to be an endorsement. Additionally, according to the FTC, entry into the contest is an incentive that should be disclosed – especially if a significant prize is at stake.
  • Talk Shows. If a talk show host is paid to promote a product, the FTC will usually expect disclosure of the connection.  Similar promotions by a paid expert in non-traditional media will also normally constitute an endorsement and require appropriate disclosures, according to the FTC.
  • Gifts for Honest Feedback. In the FTC’s view, it doesn’t matter if a company expressly tells people to be honest in their reviews. Any gifts or incentives for reviews should still be disclosed. Continue Reading

All Eyes on Homeopathics: FTC Workshop Signals Targeted Regulatory Scrutiny of Homeopathic Products

Posted in FDA, Federal Trade Commission, Food and Drug

On Tuesday, the Federal Trade Commission “FTC” announced it will be hosting a workshop in September to evaluate advertising for over-the-counter homeopathic products. Homeopathy is an alternative medicine practice dating back centuries that incorporates the principle of “like cures like,” which holds that a given disease’s symptoms are “healing responses” that can be replicated by the appropriate medicine to cure that very same disease. Although homeopathic drugs are regulated by the Food and Drug Administration (“FDA”), advertising in the now multibillion dollar homeopathic drug market is also regulated by the FTC.   Given the agencies’ prior collaborations on the promotion of FDA-regulated products (e.g., caffeinated alcoholic beverages, health-benefit claims for conventional food products, and anti-aging clams for personal care products), it is not surprising that the two agencies are now working together to consider the sale and marketing of homeopathic products.

The FTC workshop comes at the heels of a two-day FDA public hearing this past April, entitled “Homeopathic Product Regulation: Evaluating FDA’s Regulatory Framework After a Quarter-Century,” where the FDA sought insight from homeopathy industry leaders and stakeholders on homeopathic drugs and FDA’s regulatory framework.  Speakers at the hearing included representatives from the Homeopathic Pharmacopoeia Convention of the United States, the Consumer Healthcare Products Association,  the American Institute of Homeopathy, and the American Association of Homeopathic Pharmacists.  While the FDA workshop focused primarily on the regulatory status of homeopathics and their appropriate placement in FDA’s regulatory framework, it appears that the FTC workshop will focus on the requisite competent and reliable scientific evidence to substantiate advertising claims for the products..

While we will continue to monitor developments in this area and provide updates via AdLawAccess, more information about the FTC’s workshop and how to participate can be found here.  FDA will continue to accept written or emailed comments until June 22, 2015. A full transcript of the FDA hearing is available at http://www.regulations.gov.

Associate Ilunga Kalala contributed to this post. Mr. Kalala is admitted only in Maryland. He is practicing under the supervision of principals of the firm who are members of the D.C. Bar

Connecticut Data Breach Law About To Get Tougher

Posted in Data Security, Legislative Developments, Privacy and Information Security

This past Monday, Connecticut legislators voted unanimously to approve two new changes to Connecticut’s breach notification law. Senate Bill 949 will require businesses to (1) provide at least one year of identity theft protection to Connecticut residents affected by a data breach, and (2) report all data breaches to impacted residents and the Connecticut Attorney General within 90 days of discovery. The bill is now before Connecticut Governor Dannel P. Malloy who can either sign the bill or take no action for it to become law. If the bill becomes law, it is expected to take effect October 1, 2015.

While complimentary identity theft protection is often provided to affected consumers by companies following a breach, Connecticut’s amendment, if it becomes law, would make it the first state to require companies to provide it.  In addition, the amendment would make Connecticut one of only six states (joining Florida, Iowa, Louisiana, Vermont, and Washington) to set a fixed time frame for regulator notification.

Connecticut will join four other states who have made significant updates to breach notification laws this year. Montana, North Dakota, Nevada, and Washington have all enhanced protections for consumers by enacting new breach notification laws slated to take effect before the fall. This trend suggests that legislatures will continue to modify data breach notification laws as more and more states enact robust data breach legislation.

Associate Ilunga Kalala contributed to this post. Mr. Kalala is admitted only in Maryland. He is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

Office Depot Agrees to Pay $3.4 Million CPSC Civil Penalty

Posted in Consumer Product Safety, Retail

On May 27th, the Consumer Product Safety Commission (“CPSC”) announced that Office Depot agreed to pay a $3.4 million civil penalty for allegedly failing to report potential safety issues for two models of office chairs. According to the CPSC, Office Depot received 33 reports concerning the Quantum model and 153 concerning the Gibson model, with reports alleging that the backs of the chairs would break off.  There were a total of 39 reported injuries, some of which required medical attention.  Office Depot sold roughly 150,000 units of the Quantum chairs and 1.4 million units of the Gibson chairs during the relevant period.  The CPSC alleges that Office Depot never reported any issues with the Quantum model and only reported issues with the Gibson model after receiving a request for such information from CPSC staff, although the Consumer Product Safety Act requires companies to report product defects that could create a substantial product hazard or serious risk of injury within 24 hours.

In a colorful dissenting statement, Commissioner Mohorovic took issue with the civil penalty amount.  The Commissioner referenced the 2008 Consumer Product Safety Improvement Act (“CPSIA”), which provided a ten-fold increase in the size of the maximum penalties the CPSC can impose.  Paraphrasing the Spider-Man comics, he observed that “[W]ith great power comes great responsibility.  The CPSIA gave us more power, but we have not fulfilled our responsibility to use it prudently… [which] led to … an inappropriate penalty demand, resulting in an excessive settlement.”  Commissioner Mohorovic believed that the penalty was disproportionately large in light of the relatively small number of reported injuries, the lack of severity of most of the reported injuries, and the general audience that uses the product (the chairs are not specifically used by vulnerable populations such as children or the elderly).  He also noted that “there is little coherence in our approach to penalties.”

This settlement is the latest in a series of CPSC settlements imposing significantly higher penalty amounts. Although Commissioner Mohorovic’s statement indicates some recognition at the Commission of disparities among those amounts, companies should expect the trend of higher amounts to continue and consider reviewing existing compliance programs and reporting policies.

Ross Slutsky, a law clerk with Kelley Drye & Warren, assisted in the drafting of this post.

Applying the Video Privacy Protection Act to Online Streaming

Posted in Privacy, Uncategorized

With the rise of online content and big data, courts are beginning to define streaming media companies’ obligations under the Video Privacy Protection Act (“VPPA”) 18 U.S.C § 2710.

Passed in 1988, the VPPA prohibits a “video tape service provider” from “knowingly” disclosing a consumer’s “personally identifiable information” (“PII”) to third parties without his or her consent. The VPPA defines a “video tape service provider,” in part, as any person “engaged in the business . . . of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” A “consumer” under the statute includes a renter, purchaser or subscriber of goods or services, while PII is “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” Notably, the VPPA creates a private right of action and allows a court to award statutory damages upwards of $2,500 per violation (as well as attorney fees).

Three recent cases illustrate how the VPPA, a law designed for video tapes, may apply to digital video or online streaming services:

The VPPA requires a “knowing” disclosure. In a class action against Hulu, plaintiffs alleged that Hulu was disclosing user identities and viewing selections to Facebook when a user clicked Facebook’s “Like” button in their browser from the Hulu site. Once a Hulu user clicked the “Like” button, Hulu automatically sent user data to Facebook using a “c_user” cookie which contained that user’s Facebook ID. In a separate transmission, Hulu also sent URLs of a user’s “watch pages” that identified the user’s video requests. The main purpose of this data was to tell Facebook where to send code related to its “Like” button. Without Hulu’s knowledge, Facebook combined the two sets of information, allowing Facebook to piece together a user’s identity and viewing history. Hulu argued that it did not violate the VPPA because it did not “knowingly” send Facebook any information that could identify Hulu users and wasn’t aware that Facebook might combine the two streams of data. On March 31, 2015, a district court in the Northern District of California agreed with Hulu on this basis. The plaintiffs have appealed the decision. (In Re Hulu Privacy Litigation)

Non-Registered online viewers are not “consumers”/”subscribers.” Plaintiff Austin-Spearman alleged that the TV network AMC violated the VPPA because it disclosed PII to Facebook when Austin-Spearman watched the “Walking Dead” on AMC’s website. Since Austin-Spearman did not pay AMC for the online content, register for an account, create a user ID/password for the site, or download an app or program to view the content, the court found that Austin-Spearman did not fit the VPPA’s definition of a “consumer” or “subscriber.” On April 7, 2015, a district court in the Southern District of New York granted AMC’s motion to dismiss but also granted Austin-Spearman leave to amend, providing her with an opportunity to prove that she should be considered a “subscriber” under the VPPA. Last month, Austin-Spearman informed AMC that she would not file an Amended Complaint and does not intend to pursue her claim. (Austin-Spearman v. AMC Network Entertainment)

Unique device identification numbers are not PII. Using a Roku device, plaintiff Eichenberger downloaded the “WatchESPN Channel.” His unique Roku device serial number and video history were then sent to a third party, Adobe Analytics, which Eichenberger argued was a violation of the VPPA. Adobe then combined Eichenberger’s Roku device information with other existing user information including his Facebook and email accounts. Similar to the Hulu litigation, this allowed Adobe to identify the plaintiff as having watched specific videos. On May 7, 2015, a district court in the Western District of Washington found that ESPN did not violate the VPPA when it sent Adobe Eichenberger’s Roku device serial number because the device’s serial number (as well as any viewing records) were not PII under the law. The court’s decision is in line with Locklear v. Dow Jones & Co. where a district court dismissed a VPPA claim that had alleged that a Roku serial number, in and of itself, constituted PII. (Eichenberger v. ESPN, Inc.)

While the outcomes of these cases are largely favorable for online streaming services under the VPPA, this area of the law continues to evolve. There are also other privacy laws that may apply to a given streaming service. We will continue to track these and related developments.