Ad Law Access

Ad Law Access

Updates on consumer protection trends, issues, & developments

Privacy Groups Ask FTC to Investigate Contest Sponsor for Alleged COPPA Violations

Posted in Federal Trade Commission, Privacy and Information Security, Promotions Marketing, Social Media

Last week, ten privacy groups requested that the FTC open an investigation into a Topps Co. online contest, which they allege violated the Children’s Online Privacy Protection Act (COPPA). Specifically, the groups claim that Topps’s #RockThatRock contest collected photos of children under age 13 without obtaining their parents’ consent.

Last spring, Topps invited its Facebook, Twitter, and Instagram followers to post photos of themselves “rocking” a Ring Pop (the company’s edible candy lollipop) using the hashtag #RockThatRock for a chance to have their photo featured in a music video for a popular tween band. In addition to social media, Topps promoted the contest on Candymania.com – its allegedly child-directed website that features content such as candy-related games. Entrants’ photos were posted on Candymania.com, and the music video, which has appeared on YouTube since June, has received over 900,000 views.

COPPA requires that businesses provide parental notice and obtain parental consent prior to collecting the personal information of children under age 13. The definition of “personal information” was updated in July 2013 to explicitly include photographs. COPPA violations carry a hefty fine – up to $16,000 per affected child – so it’s important to always consider a promotion’s potential audience, as well as the types of information collected.

False Advertising Class Action Says Maker’s Mark Whisky is Not “Handmade”

Posted in Advertising Litigation, Class Action Litigation

Two purchasers of Maker’s Mark whisky have sued the company, accusing it of falsely advertising the whisky as “handmade”. The lawsuit, filed as a putative statewide class action in California, alleges that Maker’s Mark “promotes its whisky as being ‘Handmade’ when in fact Defendant’s whisky is manufactured using mechanized and/or automated processes, which involves little to no human supervision, assistance or involvement.” The complaint alleges that because consumers generally associate the term “handmade” “with higher quality manufacturing and high-end products” and because “manufacturers charge a premium” for those products, consumers who purchased Maker’s Mark whisky were misled to believe that the whisky was of superior quality and overpaid for the product as a result. The plaintiffs bolster their allegation that the manufacturing process is mechanized with photos and images from two YouTube videos of the Maker’s Mark distillery and factory. The class action includes anyone who purchased the product in the last four years and seeks at least $5 million in damages.

This is one of several false advertising lawsuits filed in the last two years against the food and beverage industry, which reflects a trend toward scrutiny of companies for claims about how their products are made. Just this year alone, a number of similar lawsuits to the one against Maker’s Mark were filed. For example, Tito’s Handmade Vodka was sued for false advertising based on its claim of “handmade”. Interestingly, the plaintiff in that case cited a Forbes article to describe the manufacturing process as mechanized. Additionally, Templeton Rye was sued in September for advertising its whiskey as “craft” or “small-batch”.

Alcohol products are not the only targets of these lawsuits. Two years ago, Dunkin’ Donuts was hit with false advertising complaints filed with the FTC, New York Attorney General, and the Better Business Bureau based on its claims that its bagels are “artisan”.

Companies making claims about their products’ craftsmanship and manufacturing should be prepared to substantiate and defend those claims, especially if the claims earn them a price premium.

BBB Accountability Program Warns Native Advertisers

Posted in Advertising, Privacy and Information Security

Earlier this week, the BBB’s Online Interest-Based Advertising Accountability Program announced its first compliance warning concerning the use of interest-based advertising in native advertising. “Native advertising” generally includes ads presented in the native format of the website, publication, or platform on which they appear. Although the BBB declined to mention the identity of the recipient, the warning reminds interest-based advertisers of their obligation to comply with the Self-Regulatory Principles for Online Behavioral Advertising, particularly the Principles of transparency and consumer control, even when using native advertising. Enforcement of the compliance warning will begin January 1, 2015.

The compliance warning explains that native, interest-based advertisers should provide consumers with transparency through “enhanced notice” in or around the native ad that, like the AdChoices Icon, alerts consumers that they are viewing an ad and links to more information about interest-based advertising and consumers’ ability to exercise choice by opting out. While the BBB appears to favor the AdChoices Icon, the warning notes that a clear phrase alerting consumers that they are viewing an ad may be used instead. Additionally, the warning reminds advertisers that they must give consumers control over the collection and use of their data and must honor the choices made.

Developed in 2009 by leading industry associations, the seven OBA Principles are intended to make online behavioral advertising more consumer-friendly, giving consumers knowledge of and control over the information collected about them. The Principles are (1) education, (2) transparency, (3) consumer control, (4) data security, (5) material changes, (6) sensitive data, and (7) accountability. It is important for advertisers engaged in online behavioral advertising to ensure compliance with these Principles, regardless of the technology and platform or device used.

New Jersey Offers Legislation Designed to Address Energy Supply Companies’ Variable Rate Disclosure Practices

Posted in Advertising Litigation, Class Action Litigation

In the wake of the unexpected polar vortices and extreme weather that struck the East Coast in early 2014, many state public utility commissions and attorneys general were inundated with consumer complaints relating to increases in energy supply companies’ variable rates.  Regulators took notice, opening investigations and convening public conferences in an effort to understand how suppliers advertise, market, and telemarket their various variable rate energy offerings, and to ensure that such practices do not violate state law or regulations.  Recently, the plaintiff’s bar has also taken notice and a number of class actions raising false advertising and consumer protection claims have been filed against energy suppliers.

The core allegation in these suits generally is that the suppliers’ variable rates simply were too high (although the claims are couched in terms of unfair and deceptive acts and practices, false advertising, breach of contract, etc.).  Forecasters are predicting that Winter 2014 will be as cold as the previous one, making it unlikely that the level of regulatory scrutiny and civil litigation against energy suppliers will ebb any time soon.

Continue Reading

DOJ Continues Aggressive Enforcement Relating to Website and App Accessibility Under ADA

Posted in ADA

The DOJ recently announced a settlement to remedy allegations that the website, www.peapod.com, and corresponding mobile app are inaccessible to those with disabilities in violation of Title III of the Americans with Disabilities Act (“ADA”).  Consumers use the Peapod website and app for online grocery shopping and delivery services.  Peapod does not have any physical place of public accommodation and its services are available solely through the internet.

Specifically, the DOJ alleged that individuals who are blind or have low vision and use screen reader software may not be able to properly use the website or app for various reasons.  For example, the images, buttons, and form fields were unlabeled or had inaccurate alternative text; pop-ups were not being reported to screen readers; tables contained missing header information and proper mark-ups; and boldface type was used to show which fields are required.  The DOJ also alleged that individuals who are deaf or hard of hearing could not understand videos presented on the website because the captioning is inaccurate; and individuals who had physical disabilities affecting manual dexterity faced barriers on the website because Java script throughout the website was not available to users who are unable to use a mouse.

The settlement with Ahold U.S.A., Inc. and Peapod, LLC, the owners and operators of www.peapod.com, requires the companies to ensure that the website and mobile app conform to the World Wide Web Consortium’s Web Content Accessibility Guidelines 2.0 Level AA (“WCAG 2.0 AA”).  The settlement also requires the companies to ensure that any new content added to the site or app is also in conformance with the requirements of the WCAG 2.0 AA.   In addition, the companies must ensure that any vendors providing third-party content on the site or app provide content in a format that conforms to WCAG 2.0 AA or can be made to conform to WCAG 2.0 AA by Peapod.

The DOJ continues to aggressively pursue its enforcement agenda when it comes to ensuring that websites are accessible to persons with disabilities under the ADA.  The Agency intends to issue a Notice of Proposed Rulemaking in June 2015 to provide guidance on website accessibility to private parties covered under Title III.  Although the DOJ has yet to issue proposed regulations, it is clear from its enforcement efforts that the DOJ views the ADA to apply to both online and in-store places of public accommodations.   

FTC Clarifies Standard for Clear and Conspicuous Disclosures

Posted in Advertising, Federal Trade Commission

In late September 2014, the FTC announced its “Operation Full Disclosure” initiative, during which the agency sent warning letters to more than 60 companies addressing how the companies made disclosures in their respective ads.  Our blog entry about Operation Full Disclosure is available here.  The warning letters generally recommended that, among other things, disclosures be in a in a font size that is easy to read and at least as large as other fonts the advertiser uses to convey the claim.  That recommendation appeared to be a departure from the “flexible performance standard” for disclosures traditionally embraced by the Commission under the FTC Act.

In response to a question raised during a December 1, 2014, American Bar Association webinar devoted to what advertisers need to know about making disclosures, however, the Commission clarified that, in fact, a disclosure made in print smaller than the size of the corresponding claim could be “clear and conspicuous.”  In other words, using the same size font as the claim may be one way to make a disclosure clear and conspicuous, but it is not the only way.  The traditional FTC flexible performance standard still applies.

CFPB Proposes Rule on Prepaid Products to Extend Certain Credit Requirements and Mandate Disclosures

Posted in Retail

The Consumer Financial Protection Bureau released last week a proposed rule that would impose an array of new requirements on prepaid accounts. The proposed new definition of “prepaid account” would include general purpose reloadable cards, electronic or mobile accounts that can store funds such as PayPal accounts, payroll cards, and certain government benefit cards, but not include closed-loop gift cards. Many of the new requirements are rooted in existing requirements for credit accounts under the Bureau’s Regulations E and Z. Additionally, the Bureau is proposing to require prepaid account issuers that offer overdraft services to consider the consumer’s ability to repay the debt before offering overdraft protection or other credit services.

Generally Applicable Requirements

The proposed rule would require all prepaid account issuers to comply with a multitude of new requirements, including:

  • Short form and long form disclosures. The Bureau proposes to require prepaid account issuers to provide both short form disclosures, which would highlight key fees that the Bureau believes to be the most important to consumers, and long form disclosures, which would list the entirety of fees and conditions related to a prepaid account. Both forms of disclosure would generally be required prior to the customer acquiring the account, with certain exceptions for sales over the phone or in retail stores. The Bureau also provided model forms for the disclosures that would provide a safe harbor for compliance with the disclosure requirements.
  • Provision of account and transaction information. The Bureau proposes to extend existing Regulation E requirements regarding the provision of transaction information to all prepaid accounts. The rule would require financial institutions to either provide periodic statements, or make available account balance and certain transaction history.
  • Error resolution and limited liability. The Bureau also proposes to extend requirements, with certain modifications for timing, that limit consumers’ liability for unauthorized transactions and require financial institutions to work with consumers to resolve account errors.

Requirements for Overdraft Services and Credit Features

The proposed rule would also extend certain requirements specifically to prepaid account issuers that offer overdraft services or credit features in connection with prepaid accounts. For example, an issuer offering overdraft services would be required to evaluate a consumer’s ability to repay a debt prior to offering overdraft protection or another credit feature in connection with a prepaid account. Additionally, issuers of these types of accounts would be required to give consumers at least 21 days to repay their debt before being charged a late fee, and would be subject to other limitations on interest and fees.

Comments

The proposed rule will be published in the Federal Register shortly. Comments are scheduled to be due 90 days after publication.

The Year of the Breach: California Attorney General Releases 2013 Data Breach Report

Posted in Privacy and Information Security, Retail

On Tuesday, the California Attorney General released the second annual data breach report, summarizing the 167 data breaches reported to the Attorney General’s office in 2013, and providing privacy and security recommendations for businesses. According to the report, the retail, finance, and healthcare industries reported over 60 percent of the 167 breaches, over half of which were the result of malware and hacking. The breaches affected 18.5 million California residents – a 600 percent increase over the 2.5 million records breached in 2012, and 84 percent of those records were the result of retail industry breaches.

The report provides several recommendations for businesses directed towards improving security and notification measures, including the following three non-sector-specific recommendations: (1) conduct risk assessments at least annually and update privacy and security practices based on the findings; (2) use strong encryption to protect personal information in transit; and (3) improve the readability of breach notices. Additionally, the report recommends that the healthcare industry consistently use strong encryption to protect medical information on laptops and other portable devices, and consider it for desktop computers. Importantly, the report also includes the following six recommendations specific to the retail industry, suggesting that the Attorney General considers the security measures and breach response actions of the retail industry, to date, inadequate:

  1. Update point-of-sale terminals so that they are chip-enabled and install the software necessary to operate this technology.
  2. Implement appropriate encryption solutions to devalue payment card data, including encrypting data from the point of capture until the completion of transaction authorization.
  3. Implement appropriate tokenization solutions to devalue payment card data, including in online and mobile transactions.
  4. Respond promptly to data breaches and notify affected individuals in the most expedient time possible and without unreasonable delay.
  5. Improve substitute notice, such as by placing a prominent and conspicuous link to the notice on the website homepage, leaving the link and notice up for at least 30 days, publishing the notice in the most expedient time possible and updating it as the business learns more, and telling consumers what they can do to protect themselves.
  6. Work with financial institutions to protect debit card holders in breaches of unencrypted payment card data.

Finally, the report suggests that the state consider legislation (1) to amend the breach notification statute to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and maintainers, and require a final breach report to the Attorney General; and (2) to provide funding to support system upgrades for small California retailers. As it appears no longer a question of “if” but rather “when” a breach will occur, businesses should continue to evaluate and modify their privacy and security practices to ensure compliance with these recommendations and all legal obligations.

FTC Claims that AT&T Failed to Deliver on ‘Unlimited’ Data Promises

Posted in Federal Trade Commission

Yesterday, the Federal Trade Commission (“FTC”) filed a complaint in the U.S. District Court for the Northern District of California against AT&T Mobility, LLC (“AT&T”) over claims that AT&T violated Section 5 of the FTC Act by engaging in unfair and deceptive practices relating to the company’s “unlimited” data plans. The FTC asserts that AT&T has misled millions of its customers by marketing and selling “unlimited” data plans, while reducing data speeds for certain unlimited plan customers by up to 90 percent through a practice known as “throttling.”

The FTC’s complaint alleges that AT&T failed to adequately disclose to its customers who purchased unlimited data plans that, once a customer uses a certain amount of data (two gigabytes, in some cases) in a given billing cycle, AT&T reduces, or “throttles,” the customer’s data speeds so that popular smartphone applications such as GPS navigation and streaming video fail to function as intended. The FTC asserts that AT&T has been throttling data speeds for unlimited data customers since 2011, and has throttled at least 3.5 million customers a total of more than 25 million times.

According to the complaint, AT&T’s practices were unfair under Section 5 of the FTC Act because AT&T changed the terms of customers’ unlimited data plans while customers were still under contract, and then charged early termination fees (“ETFs”) to customers who attempted to cancel their unlimited plan as a result of the reduced data speeds. The FTC also argues that AT&T’s practices were deceptive under Section 5 because AT&T’s advertising and sales materials failed to adequately disclose the nature and scope of the throttling program.

A statement posted to the AT&T website calls the FTC’s allegations “baseless” and states that AT&T informed all unlimited data-plan customers about the data limits and throttling “via bill notices and a national press release that resulted in nearly 2,000 news stories, well before the program was implemented.”  The statement also indicates that the throttling program has affected about 3 percent of customers, and such customers are notified by text message before throttling is imposed.

The FTC’s lawsuit seeks to stop AT&T from using data throttling on customers who have been promised unlimited data plans. The FTC is also seeking refunds for customer who paid ETFs when they cancelled their unlimited data plans after their data was throttled. In its press release announcing the complaint, the FTC noted that FTC staff have worked closely on the matter with the staff of the Federal Communications Commission.

 

FTC Supports NHTSA’s Approach to Privacy in V2V Rulemaking

Posted in Uncategorized

Last week, the FTC stated support for the National Highway Traffic Safety Administration’s (“NHTSA’s”) approach to privacy and data security within the NHTSA’s proposed regulation relating to vehicle-to-vehicle (“V2V”) communications. The proposed rule, which would incorporate V2V technology into passenger cars and light trucks by 2019, is intended to enhance driver safety by aggregating and sharing data (such as a vehicle’s speed) from surrounding vehicles to generate safety warnings for drivers.

In a comment responding to the NHTSA’s proposed rule, the FTC noted three primary concerns relating to V2V communications, as described during the FTC’s “Internet of Things” workshop in November 2013:

  • The ability of connected car technology to track consumers’ precise geolocation over time;
  • Information about driving habits used to price insurance premiums or set prices for other auto-related products, without drivers’ knowledge or consent; and
  • The security of connected cars, including the ability for third-parties to remotely access a car’s internal computer network

According to the FTC, the NHTSA’s V2V proposed rulemaking appropriately addressed these concerns through a deliberative, process-based approach that included collaboration with multiple industry and consumer stakeholders. The FTC also noted that the NHTSA designed the proposed V2V system to limit the data collected and stored to that which serves the intended safety purposes, and to ensure that the collected data cannot be used to identify a particular individual or vehicle. Lastly, with respect to the security of the collected data, the FTC supports the NHTSA’s decision to help mitigate the potential for unauthorized access to data by keeping the V2V device separate from other onboard computers.