NY Attorney General Announces Infomercial Settlements

This week, the New York Attorney General announced that it had settled investigations with two companies for deceptive sales practices related to infomercials. ​One company agreed to pay $700,000 to settle the investigation and the other agreed to pay $175,000.

According to the ​AG, both ​companies advertised attractive offers, but they failed to clearly disclose the fees associated with those offers. Moreover, when consumers placed orders, they were often subjected to confusing up-sells for additional products. tvadConsumers weren’t given an opportunity to review their orders before they were processed, and many ended up paying for products they didn’t intend to order. ​

​Among other things, the settlements require the companies to: (a) clearly and conspicuously disclose all material terms and fees associated with an offer; (b) provide consumers with an opportunity to confirm order details before the order is processed; (c) clearly label all links on their sites so that consumers know what’s on the landing page; (d) e-mail order details to consumers who order by phone; and (e) ensure that their customer service lines are adequately staffed so that consumers are not subjected to long hold times.

According to the press release, this appears to be part of a wider investigation into the direct marketing industry, so there may be more settlements to come. If you work in this industry and haven’t reviewed your offers lately, now may be a good time.

Clarity Coming Soon About What New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”) Actually Requires

NJ

Remember that wave of class actions under New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”), N.J.S.A. § 56:12-14 et seq., that hit New Jersey courts earlier this year, claiming that website terms of use contained unlawful provisions?  The motion to dismiss briefing is well underway, and online merchants should soon have some clarity about what the TCCWNA actually requires.

The TCCWNA, a 1981 New Jersey statute now having its moment in the spotlight after a recent Third Circuit decision called attention to it, bars businesses from including terms in consumer contracts or “notices” that are unenforceable because they violate “clearly established rights.” It also precludes use of statements that contractual disclaimers may be void in “some states,” without specifying exactly which are void in New Jersey.  “Aggrieved consumers,” whatever that means, can sue for $100 each, making the statute very attractive to the class action bar.

Defendants in these cases have hit back with powerful, but different, motions to dismiss. The motions soon will be fully briefed, and courts then will wrestle with questions like these:

Can TCCWNA claims be forced into individual (non-class) arbitration? At least one TCCWNA defendant is relying on an arbitration agreement in its terms of use, which has a class action waiver.  The agreement also has a California choice of law clause, which the defendant contends precludes New Jersey consumers from pursuing TCCWNA claims at all.  The plaintiff is challenging application of the arbitration agreement on several grounds.

What does “aggrieved consumer” mean? None of the recent TCCWNA defendants actually sought to enforce website terms of use to the plaintiffs’ detriment.  The plaintiffs do not contend that the defendants ever have argued for the aggressive construction of their terms of use that the plaintiffs contend might violate “clearly established rights.”  Some plaintiffs do not even allege that they ever read the terms of use they are challenging.  So, are they “aggrieved consumers” within the statute’s meaning?  Every defendant is asking its court to address that issue.

Is Spokeo available as a defense?  Some defendants are arguing that their plaintiffs, in addition to not being “aggrieved,” did not suffer a “concrete and particularized injury” sufficient to confer Article III standing under the Supreme Court’s recent decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).  The plaintiffs respond that their injury is “informational,” in that the TCCWNA entitled them to receive “clean” contracts or notices, which the defendants denied them.

Are website terms of use “consumer contracts” under the TCCWNA? The TCCWNA applies only to what the statute terms “consumer contracts,” defined as “written agreement[s] in which an individual purchases real or personal property.”  If a website’s terms of use only govern use of the website, and not “purchases,” are they cognizable under the TCCWNA at all?  The plaintiffs confronting this argument so far have tried to claim that the website terms of use actually do govern purchases.  That is another dispute courts will have to untangle.

Can non-New Jersey residents sue New Jersey-based companies under the TCCWNA? The plaintiff suing one New Jersey-based defendant lives in and made his online purchases from Connecticut.  Will that court rule that New Jersey-headquartered corporations face potential nationwide liability under the TCCWNA?

Are forum choice provisions enforceable? One judge already has transferred a TCCWNA case to California pursuant to the defendant’s forum selection clause.

Before year-end, we should have clarity on all or most of these issues. Until then, online merchants remain well advised to carefully scrub their website terms of use.  Prior cases decided under the TCCWNA have ruled, for example, that a liability disclaimer beginning with “to the fullest extent provided by law” does not violate the statute.  It should be possible, therefore, to retain relatively broad-gauge liability disclaimers without running a TCCWNA risk, even in the current uncertain climate.

 

What You Need to Know About Privacy Shield: An Overview of the New Transatlantic Framework

Privacy Shield GOT

On July 12, 2016, the European Commission (“Commission”) formally adopted and released the Privacy Shield Adequacy decision, which will allow certified U.S. companies to transfer EU personal data to the United States.  The EU-U.S. Privacy Shield (“Privacy Shield”) replaces the U.S.-EU Safe Harbor framework (“Safe Harbor”), which was invalidated in October 2015 by the European Court of Justice (“ECJ”) in Maximillian Schrems v Data Protection Commissioner. The decision will immediately go into effect upon notification to the EU Member States.

The more than 4,400 U.S. companies that previously relied on the Safe Harbor and have been waiting for an alternative mechanism for data transfers can choose to self-certify to the Department of Commerce (“Commerce”) under the new Privacy Shield framework. Commerce will begin accepting Privacy Shield applications on August 1, 2016. This client advisory provides an overview of Privacy Shield, highlights key differences between Privacy Shield and Safe Harbor, and offers some key considerations given the forthcoming Global Data Protection Regulation and other data privacy developments.

Continue Reading

Connected Toys, Augmented Reality as the Next Big (Io)Thing

Pokemon

There has been an uptick in congressional inquiries regarding privacy concerns in the IoT space.  And most recently in the gaming world of augmented reality.  On Tuesday, Senator Al Franken (D-Minn.) initiated a congressional investigation into Niantic, Inc., maker of the Pokémon Go app that has taken the world by storm.  The app uses a smartphone’s GPS and clock to decide which Pokémon characters “appear” on smartphone screens for players to capture.  Franken’s letter cites to recent reports, as well as Pokémon GO’s own privacy policy, indicating that Niantic can collect a broad swath of personal information from its players, from general profile information to the users’ precise location data and device identifiers.  Media reports also have highlighted Pokémon GO’s apparent full access to some users’ Google accounts, including their Gmail.  This week, Niantic released a statement indicating that it had not intended to ask for such elevated permissions and would correct this error.  In light of unresolved privacy concerns, Franken asks that Niantic provide greater clarity on how it is addressing issues of user privacy and security, particularly with respect to its younger players.

This inquiry follows a week after Senator Mark Warner’s (D-VA) request to FTC Chairwoman Edith Ramirez that the FTC work with members of Congress to identify ways to better protect children in the era of connected toys.  Warner writes that the Children’s Online Privacy Protection Act was enacted in 1998 and may not have contemplated today’s evolving market of smart toys, for example, those connected devices that record children’s conversations and upload them to the cloud for all to hear and for hackers to exploit.  The recent proliferation of these connected toys, Warner states, makes congressional efforts to protect children’s data “even more imperative.”

These congressional inquiries underscore potentially serious privacy concerns in the evolving market of connected toys and augmented reality.  Since the publication of its January 2015 IoT Report, the FTC has encouraged companies to take three key steps in order to build consumer trust in IoT devices: (i) adopt “security by design”; (ii) engage in data minimization; and (iii) increase transparency and provide consumers with notice and choice for unexpected data uses.  The FTC recently stated its belief that IoT-specific federal legislation is not warranted at this time, and the FTC will continue to rely on its Section 5 authority to ensure companies do not engage in unfair or deceptive privacy and data security practices.

For more guidance, see our Mashable article, “Navigating the Legal Pitfalls of Augmented Reality.”

Australian Court Imposes $3 Million Penalty for Product Safety Violations

Earlier this month, the Australian Competition & Consumer Commission (ACCC) reminded businesses that, in February, the Federal Court of Australia ordered Woolworths to pay $3.057 million AUD for several violations of the Competition and Consumer Act 2010 (CCA). Specifically, the court found that Woolworths:

  • Over the course of three years, made false or misleading representations about the safety of its deep fryer, drain cleaner, safety matches, padded flop chair, and folding stool products; and
  • On eight occasions failed to report, within the required two days, that the products may have caused serious injuries.

According to the court, the products caused several serious injuries, including hot oil and chemical burns. Woolworths, however, did not remove the products from sale or recall them after becoming aware of these injuries and defects. In addition to the penalties, Woolworths is required (1) to implement an upgraded dedicated product safety compliance program; (2) to publish a notice on its website of the product safety requirements to which it is subject, how to report an incident, and recalls undertaken within the past year; and (3) to publish on its app the details of all products recalled within the last 12 months.

It is important to remember that businesses offering products for sale in Australia must comply with the CCA, which prohibits false or misleading representations about the safety of consumer goods, and requires reporting to the ACCC within two days any incidents of serious illness or injury caused by such goods. To that end, businesses should make sure that they have a working compliance program and reporting policy, worldwide.

Despite Early Challenges, European Commission Adopts EU-U.S. Privacy Shield

After months of negotiations, today the College of Commissioners formally adopted the EU-U.S. Privacy Shield (“Privacy Shield”). This is an encouraging development for the more than 4,400 U.S. companies that had previously relied on the U.S.-EU Safe Harbor framework and sought legal certainty regarding data transfers in its wake.

As we reported in a previous post, the Article 29 Working Party and European Parliament expressed concerns about a prior draft of the adequacy decision and recommended several key changes.  After revisiting the negotiating table, the European Commission and U.S. Department of Commerce incorporated the Article 29 Working Party recommendations in a revised draft that the Article 31 Committee EU Member State representatives approved on Friday. Today’s formal adoption of the decision by the College of Commissioners was the final step in the Privacy Shield approval process.

European Commission Vice-President Ansip stated that the new framework will “protect the personal data of our people and provide clarity for businesses”. Nevertheless, Privacy Shield will likely face its first legal challenges rather quickly to determine whether it will stand up to the claims that brought down the Safe Harbor.

In the meantime, the Department of Commerce has issued guidance on how to join Privacy Shield for interested companies. Companies will be able to self-certify to the Department of Commerce on August 1, 2016.

Associate Ilunga Kalala contributed to this post. Mr. Kalala is admitted only in Maryland. He is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

Grab the Rings and Go For the Gold, At Your Own Risk

The 2016 Summer Olympic Games are about one month away, and as athletes are getting ready to compete for medals, companies are getting ready to compete for consumers. Many marketers think that including Olympics-related themes – ranging from the overt (like the rings) to the more subtle (like references to “going for the gold”) – are the best path to victory. Although it’s understandable for a marketer to want to link their company to the excitement of the Olympics, that can be risky, if the company isn’t an official sponsor.

Remember that the International Olympic Committee and the United States Olympic Committee have exclusive rights to Olympic marks and that the unauthorized use of those marks could constitute infringement. The protected marks include Olympic rings, the Olympic flame, “Team USA, and “Rio 2014.” Some companies pay a lot of money for the right to use these marks, so if you use them without paying that money – even on social media – it’s likely to get noticed, and you could get challenged.

For example, when the Olympic torch blew out in Sochi, a bystander with a Zippo lighter re-lit the flame. Zippo capitalized on that Zippo1event and posted pictures on social media with the hashtag #ZippoSavesOlympics. The company was quickly contacted by Olympic officials and it stopped using the hashtag soon after. (Revised ads referred more generically to “winter games.”) It could have been worse. The USOC can bring a civil action against any company who uses an Olympic trademark in a way that tends to cause confusion or falsely suggests an association between the Olympics and that company.

Feel free to cheer Team USA on from your personal social media accounts this summer. But remember that what may be called “patriotic” when done from your personal account could be called “infringement” when done from a business account.

Who’s Still “Standing” Following Spokeo, Inc. v. Robins?

spokeo_logo

From the first month of district court decisions issued since the United States Supreme Court decided Spokeo, Inc. v. Robins, No. 13-1339, 2016 WL 2842447, *3 (U.S. May 16, 2016), it appears the needle on Article III standing has moved slightly, but so far only slightly, in favor of the defense. Spokeo held that (i) in order to establish Article III standing, a plaintiff must allege an injury-in-fact that is both “concrete and particularized,” and (ii) the plaintiff cannot “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Courts have begun to give that requirement teeth, dismissing claims where a defendant may have violated a statute’s technical requirements, but where the plaintiff suffered no adverse consequence as a result. At the same time, however, courts have recognized Spokeo’s other holding that a “concrete” injury is not necessarily synonymous with a “tangible” injury, and that the “risk of real harm” counts as such an injury (even when such harm has not materialized). Dismissals on Spokeo grounds, therefore, have been sparse. Continue Reading

FTC Updates Consumer Guidance for Online Tracking

FTC Consumer Information LogoOn June 23, the FTC updated its consumer information page to provide updated guidance on “Online Tracking.”  The updated guidance is intended to provide consumers with information on different methods of tracking, how they work, and how consumers can control such tracking.  While directed to consumers, updates to this page can also help businesses understand how these online tracking technologies work, and identify what the FTC expects businesses to do.

The previous guidance, titled “Cookies: Leaving a Trail on the Web” (last updated in November 2011), primarily addressed cookies (including first-party cookies, third-party cookies, and flash cookies), provided consumers with general information on how to control cookies, identified how consumers can opt-out of receiving targeted ads, provided a brief overview of “Do Not Track,” and identified that new technologies were constantly emerging.

The updated guidance document updates and expands upon this information to address new forms of online tracking (e.g., device fingerprinting, cross-device tracking), new tracking technologies (e.g., use of unique device identifiers or HTML 5 cookies), how tracking in mobile apps occurs, and how consumers can generally limit or block tracking online, in apps, or across devices.

So what is the big-picture takeaway for businesses? Consumers may not fully understand online tracking, including their options for minimizing or preventing such tracking from occurring.  Businesses can help educate consumers concerning their online tracking by providing clearly identifiable ways in which consumers can review information about the company’s collection, use, and disclosure practices, and ways to limit cookies and other tracking technology.  This may include a clearly written privacy policy or other consumer facing document, or in the device settings as suggested by the FTC.  Lessons learned from past FTC enforcement actions (including the FTC’s action announced yesterday against InMobi) also illustrate the risks associated with business practices that appear to circumvent a user’s privacy decisions or a device’s privacy settings.

Airbnb Faces Suit for Using Julia Child’s Name in a Contest

Earlier this year, Airbnb ran a contest in which one winner could “come stay in the former home of Julia Child.” The company LaPitchouneadvertised that entrants could imagine themselves “walking the halls of Julia Child’s former home,” and “channeling the culinary genius of Julia Child,” while “combing over the knick knacks in her kitchen exactly as she left them.” Although the contest may have been a hit with travelers and fans of the original celebrity chef, the chef’s estate was less enthused. This week, The Julia Child Foundation for Gastronomy and the Culinary Arts sued Airbnb and its publicity firm, arguing that contest violated Child’s right of publicity.

According to the complaint, Airbnb contacted the Foundation in April, and sought permission to use Child’s name and likeness in connection with the contest. Consistent with Child’s longstanding policy of refusing requests to associate her name or image with commercial products or brands, the Foundation expressly declined the request. Nevertheless, Airbnb moved forward with the promotion, and used Child’s name on its website, on social media, and in an e-mail campaign. As a result, Airbnb won a trip to the California court system, where it can walk the same halls that many celebrities have walked.

As we’ve noted before, the risks of using a celebrities name in ads without permission can be significant. And although there may be cases in which a company can argue that it doesn’t need permission – such as when the use is protected by the First Amendment – it can be hard for a company to argue that permission isn’t necessary, when it had previously asked for it. For a more detailed analysis of this case, please see this post from our friends at Drye Wit. And, while you’re there, be sure to read their three-part series on Right of Publicity claims.

LexBlog