Ad Law Access

Updates on consumer protection trends, issues, & developments

The Year of the Breach: California Attorney General Releases 2013 Data Breach Report

Posted in Privacy and Information Security, Retail

On Tuesday, the California Attorney General released the second annual data breach report, summarizing the 167 data breaches reported to the Attorney General’s office in 2013, and providing privacy and security recommendations for businesses. According to the report, the retail, finance, and healthcare industries reported over 60 percent of the 167 breaches, over half of which were the result of malware and hacking. The breaches affected 18.5 million California residents – a 600 percent increase over the 2.5 million records breached in 2012, and 84 percent of those records were the result of retail industry breaches.

The report provides several recommendations for businesses directed towards improving security and notification measures, including the following three non-sector-specific recommendations: (1) conduct risk assessments at least annually and update privacy and security practices based on the findings; (2) use strong encryption to protect personal information in transit; and (3) improve the readability of breach notices. Additionally, the report recommends that the healthcare industry consistently use strong encryption to protect medical information on laptops and other portable devices, and consider it for desktop computers. Importantly, the report also includes the following six recommendations specific to the retail industry, suggesting that the Attorney General considers the security measures and breach response actions of the retail industry, to date, inadequate:

  1. Update point-of-sale terminals so that they are chip-enabled and install the software necessary to operate this technology.
  2. Implement appropriate encryption solutions to devalue payment card data, including encrypting data from the point of capture until the completion of transaction authorization.
  3. Implement appropriate tokenization solutions to devalue payment card data, including in online and mobile transactions.
  4. Respond promptly to data breaches and notify affected individuals in the most expedient time possible and without unreasonable delay.
  5. Improve substitute notice, such as by placing a prominent and conspicuous link to the notice on the website homepage, leaving the link and notice up for at least 30 days, publishing the notice in the most expedient time possible and updating it as the business learns more, and telling consumers what they can do to protect themselves.
  6. Work with financial institutions to protect debit card holders in breaches of unencrypted payment card data.

Finally, the report suggests that the state consider legislation (1) to amend the breach notification statute to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and maintainers, and require a final breach report to the Attorney General; and (2) to provide funding to support system upgrades for small California retailers. As it appears no longer a question of “if” but rather “when” a breach will occur, businesses should continue to evaluate and modify their privacy and security practices to ensure compliance with these recommendations and all legal obligations.

FTC Claims that AT&T Failed to Deliver on ‘Unlimited’ Data Promises

Posted in Federal Trade Commission

Yesterday, the Federal Trade Commission (“FTC”) filed a complaint in the U.S. District Court for the Northern District of California against AT&T Mobility, LLC (“AT&T”) over claims that AT&T violated Section 5 of the FTC Act by engaging in unfair and deceptive practices relating to the company’s “unlimited” data plans. The FTC asserts that AT&T has misled millions of its customers by marketing and selling “unlimited” data plans, while reducing data speeds for certain unlimited plan customers by up to 90 percent through a practice known as “throttling.”

The FTC’s complaint alleges that AT&T failed to adequately disclose to its customers who purchased unlimited data plans that, once a customer uses a certain amount of data (two gigabytes, in some cases) in a given billing cycle, AT&T reduces, or “throttles,” the customer’s data speeds so that popular smartphone applications such as GPS navigation and streaming video fail to function as intended. The FTC asserts that AT&T has been throttling data speeds for unlimited data customers since 2011, and has throttled at least 3.5 million customers a total of more than 25 million times.

According to the complaint, AT&T’s practices were unfair under Section 5 of the FTC Act because AT&T changed the terms of customers’ unlimited data plans while customers were still under contract, and then charged early termination fees (“ETFs”) to customers who attempted to cancel their unlimited plan as a result of the reduced data speeds. The FTC also argues that AT&T’s practices were deceptive under Section 5 because AT&T’s advertising and sales materials failed to adequately disclose the nature and scope of the throttling program.

A statement posted to the AT&T website calls the FTC’s allegations “baseless” and states that AT&T informed all unlimited data-plan customers about the data limits and throttling “via bill notices and a national press release that resulted in nearly 2,000 news stories, well before the program was implemented.”  The statement also indicates that the throttling program has affected about 3 percent of customers, and such customers are notified by text message before throttling is imposed.

The FTC’s lawsuit seeks to stop AT&T from using data throttling on customers who have been promised unlimited data plans. The FTC is also seeking refunds for customers who paid ETFs when they cancelled their unlimited data plans after their data was throttled. In its press release announcing the complaint, the FTC noted that FTC staff have worked closely on the matter with the staff of the Federal Communications Commission.

 

FTC Supports NHTSA’s Approach to Privacy in V2V Rulemaking

Posted in Uncategorized

Last week, the FTC stated support for the National Highway Traffic Safety Administration’s (“NHTSA’s”) approach to privacy and data security within the NHTSA’s proposed regulation relating to vehicle-to-vehicle (“V2V”) communications. The proposed rule, which would incorporate V2V technology into passenger cars and light trucks by 2019, is intended to enhance driver safety by aggregating and sharing data (such as a vehicle’s speed) from surrounding vehicles to generate safety warnings for drivers.

In a comment responding to the NHTSA’s proposed rule, the FTC noted three primary concerns relating to V2V communications, as described during the FTC’s “Internet of Things” workshop in November 2013:

  • The ability of connected car technology to track consumers’ precise geolocation over time;
  • Information about driving habits used to price insurance premiums or set prices for other auto-related products, without drivers’ knowledge or consent; and
  • The security of connected cars, including the ability for third parties to remotely access a car’s internal computer network.

According to the FTC, the NHTSA’s V2V proposed rulemaking appropriately addressed these concerns through a deliberative, process-based approach that included collaboration with multiple industry and consumer stakeholders. The FTC also noted that the NHTSA designed the proposed V2V system to limit the data collected and stored to that which serves the intended safety purposes, and to ensure that the collected data cannot be used to identify a particular individual or vehicle. Lastly, with respect to the security of the collected data, the FTC supports the NHTSA’s decision to help mitigate the potential for unauthorized access to data by keeping the V2V device separate from other onboard computers.

 

FTC Continues Green Guides Enforcement with Warning Letters

Posted in Federal Trade Commission

The Federal Trade Commission announced this week that it recently sent warning letters to 15 marketers of plastic waste bags advertised as being “oxodegradable,” “oxo biodegradable,” or “biodegradable.” “Oxodegradable” and similar terms refer to an additive applied to the bag to enhance biodegradability in the presence of oxygen. The letters, which are not available publicly, express concern that such claims convey to consumers that the bags will break down more quickly than standard plastic bags. In fact, the FTC alleges that many such products will not biodegrade any faster than standard plastic bags given the lack of oxygen in many disposal environments. As such, staff is concerned that the products would not meet the standard required for “biodegradable” claims per the FTC’s Green Guides, which is total decomposition under normal disposal conditions, i.e., landfill, within one year. The recipients of the letters have not been disclosed; however, the FTC has stated that they had until October 21 to respond.

For those companies that received the letters, close examination of the claims and supporting evidence is paramount.  Companies that fail to sufficiently respond to the warning letters create risk of follow up enforcement.  Companies making environmental benefit claims that did not receive a warning letter should also take notice, however.  The FTC has been actively enforcing its Green Guides this past year – which we have covered here, here, and here – and there is no guarantee that a warning letter will precede initiation of a more formal investigation.

Retailers Face Legal Challenges Over Advertising Prices

Posted in Retail

Retailers have had a tough year when it comes to advertising prices. In January, a California court issued a multimillion dollar penalty against Overstock.com, after determining that the company advertised discounts in a misleading manner. Since then, retailers across a range of industries have been dragged into costly lawsuits and regulatory investigations involving similar issues. If you’re wondering how something as mundane as advertising the price of an item could lead to so much trouble, it’s because the issue is more complicated than most people think.

To learn more, read my article in RetailingToday.

Call Me, Maybe? – A Webinar on Key TCPA Developments

Posted in Telemarketing and Call Center Operations

As companies draw on mobile delivery platforms, cloud-based technologies, and third-party vendors to become more sophisticated in their use of telemarketing, autodialer, and text message campaigns, the business risks and potential for class action lawsuits have greatly increased. The Telephone Consumer Protection Act of 1991 (TCPA) has emerged as a cottage industry, with plaintiffs’ attorneys routinely filing class action lawsuits seeking multi-million dollar claims and settlements. The FTC also has not shied away from rigorous telemarketing enforcement under its rules against major brands and calling platforms, including with theories that are based upon an expansive third-party liability interpretation of the agency’s enforcement powers.

Yesterday my litigation partner Lauri Mazzuchetti and I teamed up with Ken Sponsler of CompliancePoint to cover the latest developments and hot topics related to TCPA compliance and litigation, and strategies to consider when defending such matters.  If you missed this 2-hour deep dive into the issues, you can listen to the recording here. And if you would like to stay up to date on this topic, you may also wish to sign up for our TCPA Tracker newsletter so you can receive monthly updates on the latest happenings related to TCPA litigation and compliance.

FTC Sends Warning Letters on Disclosures

Posted in Advertising, Federal Trade Commission

This week, the FTC announced that the agency had sent warning letters to more than 60 companies — including 20 of the 100 largest advertisers in the country — addressing how the companies make disclosures in ads. According to the letters, FTC staff “recently reviewed more than a thousand national magazine and television advertisements to identify advertisements that raise disclosure issues and to share [its] concerns with the companies responsible for the ads.”

The letters outline the FTC’s position on what it believes is required for a disclosure to be clear and conspicuous. Among other things, the letters state that “advertisers should use clear and unambiguous language and make the disclosures stand out. Consumers should be able to notice the disclosure easily; they should not have to look for it.” The FTC also discussed factors that advertisers should consider when evaluating disclosures, including where the disclosures are placed, the font size, and how well they contrast against the background.

In the warning letters, the staff identified problematic ads, recommended that advertisers review their ads to ensure that any necessary disclosures are truly “clear and conspicuous,” and asked them to notify the staff “of what actions you have taken or intend to take in response to this letter to ensure your company’s compliance with the FTC Act.” According to the FTC’s press release, the “response to staff’s letters has been extremely positive.”

If you received a letter from the FTC, you’ve likely already told the agency what you plan to do to ensure your disclosures comply with the law. If you didn’t receive a letter, you should nevertheless use this as an opportunity to review your own disclosure practices. The FTC is clearly focused on this issue, and these types of warning letters can often be a signal that enforcement lies ahead.

Marketing Consultant May Be Held Liable Under TCPA for Its Third-Party Marketer’s Unsolicited Text Messages

Posted in Advertising Litigation, Telemarketing and Call Center Operations

Last Friday, the U.S. Court of Appeals for the Ninth Circuit held that a marketing consultant for the United States Navy – the Campbell-Ewald Company – could be held liable for a third-party marketer’s violations of the Telephone Consumer Protection Act (“TCPA”) arising out of the transmittal of unsolicited text messages.

The Navy hired Campbell-Ewald to develop and execute a multimedia recruiting campaign, and the parties agreed that, as part of the marketing campaign, Campbell-Ewald would send text messages to cellular users who had consented to receive the recruitment solicitation. Campbell-Ewald outsourced the text message dialing to a company called Mindmatics, which was responsible both for generating the list of phone numbers to be dialed and for physically transmitting the text messages. In the suit, the plaintiff claimed that he did not consent to receipt of the message and alleged that Campbell-Ewald violated the TCPA. The plaintiff did not name the Navy or Mindmatics as a defendant.

CPSC Tags Retailer With $2M Civil Penalty and Enhanced Compliance Program for Allegedly Distributing Recalled Products

Posted in Consumer Product Safety

Retailer superstore Meijer Inc. is on the hook for allegedly distributing recalled consumer products. In a press release dated September 17, 2014, the Consumer Product Safety Commission (“CPSC”) announced that the hypermarket, which operates 24-hour stores and gas stations in various Midwestern states, has agreed to settle charges that it knowingly sold and distributed recalled consumer products. Meijer has agreed to pay a $2 million civil penalty and to implement an enhanced “reverse logistics” compliance program. This settlement signals heightened scrutiny and new channels of enforcement for retailers.

Between April 2010 and April 2011, Meijer allegedly distributed at least twelve separate recalled consumer products, totaling approximately 1,692 individual units of recalled products. The recalled products consisted of various household items and children’s products, including oscillating ceramic heaters, toddler tricycles, vacuum cleaners, and baby rattles. According to the settlement agreement, Meijer claimed the sale and distribution of the recalled items was inadvertent and occurred without Meijer’s knowledge. Meijer had outsourced the disposition of recalled products to a reverse logistics system operated by a third party, and believed that adequate safeguards had been in place to prevent recalled products from being distributed into commerce.

The CPSC thought otherwise. In addition to the $2 million civil penalty, the CPSC is requiring that Meijer implement an enhanced reverse logistics compliance program with the following components:

  • Written standards, policies, and procedures for the appropriate disposition of recalled goods;
  • Mechanisms to communicate product safety policies and procedures to employees;
  • Management oversight of the program, including a mechanism for confidential reporting to a Meijer official;
  • A policy to retain reverse logistics records related to recalled product collection and disposition for at least 5 years after the recall date; and
  • Availability of such records to the CPSC upon request.

This settlement follows the CPSC’s announcement last July of recalled products that were continuing to be sold or resold by Best Buy and certain affiliated entities. The CPSC did not impose a civil penalty against Best Buy or require an enhanced compliance program. In light of these two announcements, retailers should carefully review their compliance protocols to ensure recalled products are not reentering the stream of commerce.

FTC v. Bayer: The Good News

Posted in Advertising, Federal Trade Commission, Food and Drug

The Department of Justice recently filed a motion in federal court against Bayer Corporation over advertising for its probiotic supplement, Phillips’ Colon Health. The DOJ alleges that Bayer lacks the “competent and reliable scientific evidence” that a prior 2007 order requires the company to possess for any efficacy or benefit claim for a dietary supplement. According to the government’s medical expert – a gastroenterologist and professor at Yale medical school – appropriate science for constipation, diarrhea, gas, and bloating claims for Phillips’ Colon Health should consist of randomized, double-blind, placebo-controlled studies on the product or “a product comprised of the same combination of the same strains of bacteria.” Without such evidence, the government alleges that Bayer’s claims are not properly supported. The FTC is assisting DOJ with the case.