FCC and FTC Announce Consumer Protection Memorandum of Understanding

On Monday, the FCC and FTC published a Memorandum of Understanding in which the two agencies agreed to engage in greater coordination and collaboration on consumer protection issues, with greater respect for each agency’s jurisdiction. The MOU comes at a time when both agencies are seeking to position themselves as protectors of consumers in the digital economy.

In the MOU, the agencies agreed to coordinate with one another “to protect consumers from acts and practices that are deceptive, unfair, unjust and/or unreasonable” and, specifically, to:

  • Coordinate on initiatives where one agency’s action will have a significant effect on the other agency’s authority or programs;
  • Consult on investigations or actions that implicate the jurisdiction of the other agency;
  • Meet regularly to review current marketplace practices, to share each agency’s work on consumer protection matters of common interest, and to exchange information about “the evolution of communications markets”;
  • Share enforcement techniques, tools, intelligence, expertise, and best practices in response to reasonable requests for assistance;
  • Collaborate on consumer and industry outreach and education efforts;
  • Engage in joint enforcement actions, where appropriate, and coordinate public statements; and
  • Share data regarding consumer complaints to the extent feasible, including through the FTC’s Consumer Sentinel Network.

The agencies also addressed the scope of the common carrier exemption, which exempts from the FTC’s jurisdiction common carriers subject to the Communications Act. Specifically, the FCC and FTC “expressed their belief” that the exemption does not extend to non-common carrier activities engaged in by common carriers, and that exercise of enforcement authority within one agency’s jurisdiction should not be taken to limit the authority of the other. While approaching jurisdictional issues more gingerly will certainly promote better relations between the agencies in the near term, ultimately, the scope of the “common carrier exemption” is an issue for the courts and Congress, and is unlikely to be solved soon.

Continue Reading

Cookies, Promises, and California: Why the 3rd Circuit Revived Privacy Claims Against Google

Gogle Cookies

Last week, the U.S. Court of Appeals for the Third Circuit revived several privacy claims against Google pertaining to the Internet company’s practice of side-stepping “cookie blockers” on Microsoft’s Internet Explorer and Apple’s Safari browsers.

The Third Circuit found that Google intentionally circumvented “cookie blockers” on Internet browsers by exploiting loopholes found in the cookie blockers and that Google was actually tracking users’ browsing habits without these users’ knowledge.  Meanwhile, Google’s privacy policy as well as a number of other public statements indicated that the company was abiding by the browsers’ cookie-blocking settings.

“Cookie blockers” are features built in to web browsers that allow a user to prevent the installation of cookies by third-party servers.  Internet users have grown wary of Internet “cookies” because cookies can track visits to webpages and clicks throughout the site.  Information collected from cookies is often sold to third-party advertisers or marketers.

The case, In re: Google Cookie Placement Consumer Privacy Litigation, consists of 24 consolidated suits alleging violations of California state law and federal statutes, specifically, the Computer Fraud and Abuse Act (CFAA), the Stored Communications Act (SCA) and the Wiretap Act.  While the Third Circuit decision affirmed the dismissal of claims pertaining to the CFAA, SCA and the Wiretap Act, the Court vacated the trial court’s dismissal of claims under California tort law and the state’s constitutional right to privacy, reviving the suit.

The Third Circuit noted that Google’s actions amounted to “deceit and disregard” as the Company “not only contravened the cookie blockers – it held itself out as respecting the cookie blockers.”  The Court concluded that a reasonable jury could find that Google’s conduct was “highly offensive” or “an egregious breach of social norms” as the Company’s actions touched millions of unsuspecting internet users over an indeterminable amount of time.  Accordingly, the Third Circuit vacated the trial court’s dismissal of the plaintiffs’ claims under the California constitution and California tort law.

While Google’s “cookie blocking” practices sparked both the instant lawsuits and settlements with the FTC and 38 state attorneys general, Google isn’t the only company to come under fire for the use of cookie-blocking technology.  Earlier this week, MoPub Inc., a mobile ad server owned by Twitter, was sued in California court for using “super cookies” to track and store the Internet browsing history of anyone accessing the web through their Verizon smartphone.  The suit alleges that MoPub then used this information to build a personal profile which it then used to send targeted advertising, without subscribers’ knowledge or consent.  Similar to the Google litigation, MoPub is accused of misleading subscribers who believed that their browser’s “opt-out” mechanism would stop MoPub’s tracking.

Companies that use tracking cookies or similar technologies should pay close attention to Google’s current litigation.  Companies should also be aware of their own privacy practices, specifically, what data is being collected, how that data is used, and with whom the company may be sharing that data.  When it comes to privacy policies, companies should clearly communicate their practices to users and then live up to those commitments.

The FTC Pressures Press Interactions, Defies Commercial Speech Doctrine

On Tuesday, the FTC joined the Department of Justice and several other federal agencies in announcing numerous recent and ongoing actions against dietary supplement marketers. The FTC, in its discussions, highlighted a case that it filed earlier this year against marketers of green coffee products. That case is closely related to another case involving the unpaid appearance of a health foods commentator, Lindsay Duncan, on the Dr. Oz show. The FTC has alleged that the appearance by Duncan on the television program constituted commercial speech that is subject to the FTC’s advertising jurisdiction. That allegation appears to be part of a growing trend at the FTC to attempt to reach unpaid media interviews and appearances. This trend is troubling in that it is at odds with Supreme Court precedent and threatens companies’ ability to participate in news interviews, talk shows, or other media interactions.

Four main principles emanate from the Supreme Court precedent defining commercial speech.

  1. Early cases like Virginia Bd. of Pharmacy and Bates provided the foundation that commercial speech is “speech proposing a commercial transaction.”
  2. Cases like Bolger and Zauderer built on that foundation, finding that whether a publication “proposes a commercial transaction” depends on circumstances such as the speaker’s potential economic motivations and whether a specific product is identified.
  3. Cases like Bolger and Zauderer also found that if speech  proposes a commercial transaction, it will normally remain commercial speech even if it touches on matters of public debate. In Zauderer, for example, the Court held that a print advertisement by a law firm remained commercial speech even though it discussed the potential hazards of an intrauterine device.
  4. Finally, two later cases, Riley and Fox provided the caveat that if commercial speech is “inextricably intertwined” with fully protected speech, it will be treated as fully protected. The “inextricably intertwined” standard will likely not be met by an advertiser voluntarily choosing to mix product information and discussions of matters of public debate. Rather, the mixing of types of speech likely must be something more akin to the facts of Riley in which a state law interjected a mandatory commercial disclosure into charitable solicitations, which are otherwise fully protected speech. The Court, in that instance, treated the whole of the speech as fully protected.

Continue Reading

Weight-Loss Claims: How Many Studies Does the FTC Really Think It Takes?

On Tuesday, the FTC announced that it has sent warning letters to 20 marketers of weight-loss dietary supplements. The letters question whether the companies possess adequate support for claims and describe the scientific evidence required to support such claims. The Commission is asking the companies to review all product claims, including endorsements and testimonials, to ensure they are adequately supported, and to revise the claims as necessary.

The letters state that weight-loss claims must be supported by “well-controlled human clinical studies of the product, or a substantially similar product” and that such studies “must be randomized, double-blind, and placebo-controlled and conducted by researchers who are qualified by training and experience to conduct such studies.” The Commission does not, however, specify how many studies are needed. In POM v. FTC, the D.C. Circuit rejected an FTC order provision requiring “at least two randomized and controlled human clinical trials” for future claims to treat or prevent prostate cancer and other diseases. The court found, instead, that one clinical study may be adequate and revised the order accordingly. Since that decision, FTC orders on health-related claims have generally required only one, rather than two studies. The only exception has been in the realm of weight loss. An open question has been whether the FTC might still revise its position and expect only one study, rather than two, for weight loss claims.  The warning letters do not provide much clarity other than using the plural, “studies.”

As these warning letters indicate, weight-loss and dietary supplement advertising remain a priority for the FTC, and it is important to be prepared to defend your product claims with adequate substantiation should the FTC come calling.

Webinar: Preparing for the Worst: A Step by Step Guide to Understanding how the FTC Advertising Claims Enforcement Process Works

Industry scored an important victory in the recent DOJ vs. Bayer case.  But, despite that outcome, health claim enforcement will remain a key priority for the FTC going forward.  This presentation is a practical discussion of how the FTC enforcement process works and advocacy steps that companies should consider along the way, including selecting and utilizing scientific experts.  Kelley Drye & Warren LLP special counsel Kristi L. Wolff and Dr. Steven Weisman, Head of Clinical and Regulatory Support at Innovative Science Solutions, will discuss the advertising enforcement process and provide key takeaways that companies can use to advocate their position before the agency.

To register for this webinar, please click here.

November 17, 2015 2:00 PM – 3:00 PM


CFPB Obtains $13M FCRA Settlement with Employee Background Screening Providers

The CFPB recently initiated an enforcement action against General Information Services (GIS) and its affiliate, e-Background-checks.com, Inc. (BGC) for allegedly violating the Fair Credit Reporting Act (FCRA) by failing to implement required safeguards while providing background screening reports to employers about job applicants. The CFPB found that certain background screening reports provided by GIS and BGC contained inaccurate information and that the entities failed to adequately protect against those inaccuracies as required under FCRA.

The CFPB made three primary allegations:

  • Failure to employ reasonable procedures to assure maximum possible accuracy. The CFPB alleged that GIS and BGC failed to follow reasonable procedures to assure maximum accuracy, including by failing to have written procedures for researching public records information for consumers with common names or who use nicknames, allowing employees to exercise discretion in determining whether a record matched the consumer in question, and failing to use consumer dispute data to identify the root causes of accuracy errors.
  • Failure to meet the requirements of section 1681k of FCRA. The CFPB alleged that GIS and BGC failed to comply with FCRA section 1681k, which requires furnishers of consumer reports for employment purposes to either: (1) notify the consumer at the time the information is reported, or (2) maintain “strict procedures” designed to ensure that the information is complete and up to date. The CFPB alleged that the procedures employed by respondents did not even meet the “reasonable” standard under section 1681e(b), much less the “strict” standard required for providers of consumer reports for employment purposes.
  • Failure to exclude non-reportable information from background checks. The CFPB additionally alleged that respondents failed to take sufficient steps to exclude certain dated information that cannot be included in consumer reports under FCRA. Specifically, GIS and BGC allegedly failed to ensure that civil suits and judgments and records older than seven years were excluded from reports, thus illegally including such information in the consumer reports. The order requires the companies to pay $10.5 million in redress to affected consumers and a $2.5 million civil monetary penalty. Respondents are also required to implement a comprehensive audit program, revise their compliance procedures, and retain an independent consultant to review and assess the companies’ policies and procedures for ensuring compliance with FCRA.

The order requires the companies to pay $10.5 million in redress to affected consumers and a $2.5 million civil monetary penalty. Respondents are also required to implement a comprehensive audit program, revise their compliance procedures, and retain an independent consultant to review and assess the companies’ policies and procedures for ensuring compliance with FCRA.

Highlights from the FTC’s Second “Start With Security” Initiative

FTC Start with Security

On November 5, the FTC hosted its second “Start With Security” event in Austin, Texas in an effort to provide companies with practical tips and strategies for implementing effective data security.

FTC Commissioner Terrell McSweeny opened the event discussing the FTC’s “Start With Security” business initiative and guidance document, which provides “best practices” (and not so best practices) in the 50+ data security cases brought by the FTC.  A few key takeaways from the Commissioner’s opening remarks –  (1) ensure products live up to advertised claims and promised privacy practices; (2) even in the rush to innovate, privacy and security should not be overlooked; and (3) from the FTC’s perspective, the standard is not “perfect” security, but “reasonable” security.

The event continued with a series of panels providing information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response. Continue Reading

Safe Harbor Update: The European Commission Issues Guidance on the Schrems Decision

This past Friday, the European Commission (“the Commission”) issued guidance addressing transatlantic data transfers after the European Court of Justice (“ECJ”) decision in the Schrems case. As we noted in an earlier post, the ECJ Schrems decision invalidated the U.S.-EU Safe Harbor framework, the mechanism that enabled self-certifying corporations to transfer personal data from EU countries to the United States. The Commission’s recent guidance sets forth its top priorities and identifies viable and available transfer mechanisms for companies now that Safe Harbor is no longer valid.

Key takeaways from the guidance include:

  • The Commission will continue to work with data protection authorities to ensure uniform application of the Schrems ruling
  • The Commission will continue to work in earnest to negotiate a safer and more comprehensive framework for future transatlantic data transfers
  • The guidance identifies standard contractual clauses and Binding Corporate Rules as viable temporary alternative transfer mechanisms
  • The guidance notes that data protection rules provide for certain exemptions, which may permit the transfer of data in specific circumstances

The Commission’s guidance should be somewhat reassuring for companies impacted by the recent Safe Harbor ruling and concerned by recent posturing of national data protection authorities. For example, this past October Germany’s Data Protection Authorities (which includes the federal DPA and 16 state DPAs) issued a 14-point position paper addressing transfer mechanisms post-Safe Harbor and suspending Binding Corporate Rules approvals and ad hoc export agreements to the US for the foreseeable future.The Commission’s guidance suggests that the Commission recognizes the urgency for a new Safe Harbor, which the EU and US are working to try and achieve by early 2016. We will continue to provide further updates as we follow these developments.

Associate Ilunga Kalala contributed to this post. Mr. Kalala is admitted only in Maryland. He is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

FTC Hosts Workshop on Lead Generation

On October 30, 2015, the FTC held a workshop on lead generation to explore online lead generation in various industries.  Lead generation, also called performance marketing, is the process of identifying or cultivating consumer interest in a product or service, and distributing this information to third parties.  Lead generation can facilitate comparison shopping and promote efficient connection of brands and consumers.  But the FTC is concerned when lead generation involves deceptive practices and misuse of consumers’ personal data.

The workshop brought together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. Although the opinions represented at the workshop were varied, a few themes recurred across the panels.

First, selling data for purposes beyond the initial consumer inquiry can be beneficial to consumers but also poses risks. Panelists agreed that leads must be accompanied by valid consent, and that consent is limited by the context of data collection and the consumer’s expectations.  Although cross-selling may connect consumers to products in an efficient way, that benefit needs to be balanced against the risk that the consumer will be bombarded with unwanted inquiries or will be unsettled by the scope of data sharing that has occurred (both of which would reflect poorly on the brand associated with the lead).  It is important to clearly disclose to the consumer what the information collected will be used for and how it will be shared, but some panelists questioned whether even strong disclosure language provides adequate warning when data will be widely shared.

Second, companies should prioritize a privacy analysis in their data collection practices. In some industries, it is common for leads to contain sensitive personal and financial information.  Panelists questioned whether any efficiencies of collecting this data at the outset were outweighed by the risk of consumer harm.  Some panelists encouraged companies to consider a two-step data collection process, where a lead contains only contact information that an advertiser can use to follow up with an interested consumer.  Relatedly, panelists discussed particular risks associated with holding sensitive remnant data, not only because of data security risks, but also because market pressures may drive a company to monetize that data by selling it.

Third, companies should make efforts to know and monitor their data sources and data buyers. Panelists were nearly unanimous in stressing the importance of monitoring upstream buyers of leads and downstream sellers of leads.  Multiple efforts are underway to promote best practices in the lead generation and online lending industries.  Representatives from LeadsCouncil and the Online Lenders Alliance served as panelists and explained their organizations’ goals for self-regulation.  In addition, panelists promoted tools aimed at helping companies verify lead information, prevent fraud, track sales of data outside of agreed-upon parameters, and monitor and audit affiliate marketers.  Although contract terms may establish compliance responsibilities, contract provisions likely will not fully insulate a company that acts without conducting the proper due diligence and monitoring.  And ultimately, good lead generation practices can benefit a brand, while questionable lead generation practices will result in lower quality leads and may reflect poorly on a brand.

Several panelists called for additional guidance from the FTC regarding lead generation practices even as the industry begins to develop its own standards and ethics. We will continue to monitor regulatory developments and industry trends.

Lawsuit Over Website Accessibility Highlights Importance of Compliance

ADA Blog

Last month, Reebok was hit with a proposed class action alleging that the company’s website violates the Americans with Disabilities Act because it is not accessible to the blind. The plaintiffs argue that Reebok.com contains “thousands of access barriers” that make it difficult —if not impossible — for blind customers to use the site. Because of this, the plaintiff is asking the court to require Reebok to fix its site and pay damages.

Although these types of cases have been on the rise in recent years, they still come as a surprise to many people who think of the ADA only in terms of physical barriers, like wheel chair ramps and handicapped parking spaces.  In many instances, potential plaintiffs are reaching out to companies directly in lieu of filing a class action to effectuate a confidential settlement and revisions to the website to provide for ADA accessibility.

Read our article in Retailing Today for more information.