NAI Releases Updated Code of Conduct for Online Behavioral Advertising

The Network Advertising Initiative (“NAI”) recently announced final updates to its 2013 Code of Conduct (“NAI Code”). The NAI Code is one of the leading industry self-regulatory codes of conduct governing online behavioral advertising (“OBA”) for third party digital advertising companies. While prior versions of the NAI Code were focused on advertising networks, the 2013 NAI Code keeps pace with developments in the online advertising ecosystem and also governs the actions of participating demand side platforms (“DSPs”), supply side platforms (“SSPs”), and ad exchanges, among others.

The 2013 NAI Code reinforces the requirements for participants to provide education, notice, and choice regarding OBA, stating that industry’s approach must not remain stagnant, but rather adapt to ensure that the self-regulatory framework remains relevant and effective. It was also updated to reflect regulatory guidance including the FTC Final Privacy Report and White House Privacy Report. Additionally, the 2013 NAI Code harmonizes requirements with the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles for Online Behavioral Advertising. [The NAI is one of the members of the DAA.]

The 2013 NAI Code introduces a new framework of data “identifiability” that splits the difference between the FTC and industry’s definitions of what is PII:

  • PII = Used or intended to be used to identify an individual
  • Non-PII = Linked or reasonably linkable to a specific computer or device
  • De-Identified Data = Not linked or reasonably linkable to either an individual or a specific computer or device

The online advertising industry continues to face scrutiny from regulators and Congress regarding its approach to OBA, with a specific focus on a Do Not Track standard. Companies engaged in any OBA, interest-based advertising, or online remarketing / retargeting activities should stay tuned as the self-regulatory and regulatory framework continues to evolve.

Kansas AG Action Offers Reminder That States Monitor Do-Not-Call Compliance

A few days ago, a Kansas state court entered a default judgment against Bullseye Target Marketing, a Missouri telemarketing company that solicited roofing business in Kansas, in an action brought by the Kansas Attorney General alleging violations of the Kansas No-Call Act (the state analogue to the federal Telemarketing Sales Rule). The court ordered the company to pay $600,000 in penalties. The action was filed after the Attorney General received complaints from Kansas consumers that they received unsolicited calls offering to schedule roof inspections in areas that had experienced storm damage, despite their numbers being registered on the state do-not-call list. The Kansas No-Call Act generally prohibits businesses from placing telemarketing calls to consumers registered on the state do-not-call list.

This Attorney General action should serve as a reminder that do-not-call compliance is not only being monitored and enforced by the Federal Trade Commission, but states, too, are active in the area.

Vermont Changes Law on Skill Contests

All states prohibit companies from requiring people to pay money or make a purchase to enter a sweepstakes. Although most states allow companies more flexibility to require a payment or purchase in a skill contest, some states prohibit those requirements, too. Up until now, Vermont was in the latter category.

Effective April 26, 2013, nothing in the Vermont statute “shall be construed to prohibit a person from requiring or paying any kind of entry fee, service charge, purchase, or similar consideration in order to enter, or continue to remain eligible for, a game of skill or other promotion that is not based on chance.”

The line between chance and skill isn’t always clear, but if companies can get on the right side of that line, they’ll soon have more options for running promotions in Vermont.

FTC Reaches Out to Businesses on COPPA

On May 15, 2013, the Federal Trade Commission sent letters to more than 90 U.S. and foreign-based companies that may be affected by amendments to the Children’s Online Privacy Protection Rule (“COPPA” or the “Rule”), which go into effect on July 1, 2013. The letters, which do not reflect an official evaluation of the recipients’ privacy practices, were targeted to online services and mobile applications that collect “personal information” from children under age 13, as defined by the Rule.

The primary purpose of the letters was to highlight the significant changes to the COPPA Rule definition of personal information, which, under the current Rule, includes user names, a home or physical address, contact information (e-mail address or telephone number), and social security numbers. As described in the letters, the amended Rule expands the definition of personal information to include persistent identifiers, such as cookies, IP addresses, and mobile device IDs, that can recognize users over time and across different websites or online services. Online operators that collect such information must provide notice and obtain parental consent, unless they use the identifiers to support internal operations, such as for user authentication or network analysis. Under the revised Rule, personal information also includes photographs or video with a child’s image, or an audio file with a child’s voice.

In addition to describing changes to the definition of personal information, the letters also highlighted the following “musts” for developers of child-directed online or mobile apps:

• Notice and parental consent for personal information collected on applications from third parties, such as ad networks;
• Reasonable steps to release children’s personal information only to companies that will keep it secure and confidential;
• New data retention and deletion requirements.

The letters are the latest step by the Commission to generate awareness about how the COPPA Rule changes may affect online operators’ current business practices. As we described last month, FTC Staff also issued an updated Frequently Asked Questions (“FAQ”) document, Complying with COPPA: Frequently Asked Questions, that includes a number of questions (and answers) that directly address how the amended COPPA Rule differs from the current Rule.
 

FCC Opens the Door to Vicarious Liability for Third-Party Telemarketing Under Certain Conditions

On May 9, 2013, the Federal Communications Commission ruled that sellers may be held vicariously liable under the Telephone Consumer Protection Act (“TCPA”) for unlawful telemarketing by third parties under certain circumstances. The FCC’s Declaratory Ruling addresses third-party liability for violations of the Do Not Call and prerecorded message restrictions of the Communications Act. The Commission ruled that, under both provisions, a seller may be held vicariously liable for violative calls placed by third-party marketing agents under principles of the federal common law of agency.

The Declaratory Ruling thus resolves a central question that is raised in a number of TCPA lawsuits: sellers may only be held liable for actions of those third party telemarketers that are determined to be agents, applying the federal common law of agency. Moreover, a manufacturer that simply puts a product in the chain of commerce that is later resold by a seller is not likely to be affected by this Ruling, provided that it does not otherwise trigger the TCPA’s seller definition.

With respect to how and under what circumstances the federal common law of agency will be applied to find a seller vicariously liable for the acts of third parties, the future is unclear – particularly with respect to claims based on alleged apparent authority and whether the FCC’s “illustrative examples” of such apparent authority set forth in the Ruling will influence courts in interpreting how the federal common law of agency should apply to the specific facts of a particular case.

For more on this decision, please reference the Kelley Drye client advisory.

House Lawmakers Introduce New Bill to Address Mobile App Privacy

On Thursday, May 9, Rep. Hank Johnson (D-GA) and co-sponsor Rep. Steve Chabot (R-OH) introduced the “Application Privacy, Protection, and Security (APPS) Act of 2013” (H.R. 1913). The bill, which is aimed at increasing consumer privacy within applications (“apps”) available through smartphones and other mobile devices, retains the provisions included in the discussion draft of the legislation circulated by Rep. Johnson in January 2013.

Among its key provisions, the APPS Act would require app developers to make a privacy statement available to consumers before they purchase an app, obtain consent from consumers before collecting data, and securely maintain the data that they collect. A developer’s privacy statement would have to disclose the categories of personal information collected by the app, and how such information is used, including whether it is shared with any third parties. App developers also would be required to include within their privacy statement a data retention policy that describes how long information is retained, and how consumers can access and seek the removal of such information. Under the bill, the Federal Trade Commission would be tasked with drafting regulations to implement the law, including defining the term “personal data,” as well as enforcing such regulations.

The APPS Act is the product of Rep. Johnson’s AppRights initiative, which is a web-based legislative project launched in July 2012 to address the privacy and security of mobile device users, and follows other recent federal and state efforts to enhance privacy protections for mobile app users. For example, we posted last week about the latest developments regarding the California Attorney General’s efforts to require all app developers to include a privacy policy in their mobile app.
 

Delta Cleared for Takeoff: Wins Dismissal of California AG Mobile App Privacy Action

In December 2012, the California Attorney General filed a lawsuit against Delta Airlines, Inc. (“Delta”) alleging that Delta violated California’s Online Privacy Protection Act by failing to post a privacy policy within its Fly Delta mobile app.  It was the first mobile app enforcement action brought by the California Attorney General and closely followed the Attorney General’s warning campaign in which it sent out letters to approximately 100 app developers and companies notifying them that they were not in compliance with California’s law.  Our previous coverage of the complaint is here.

Yesterday, the California Superior Court dismissed the claim, holding that the state action is pre-empted by the federal Airline Deregulation Act, which prohibits states from applying regulations on airlines related to price, routes, or services.  Judge Miller stated: “In this instances it’s services. . . . I think that this case is, in effect, an attempt to apply a state law designed to prevent unfair competition, which regulates an airline’s communications with consumers, and I think it’s pre-empted.”  Press coverage is available here.

This is an interesting result for the first Attorney General app enforcement action and it’s too soon to tell whether the Attorney General will appeal the decision.  Unfortunately, the ruling doesn’t provide any substantive guidance, or give much comfort, to companies that can’t make similar federal pre-emption arguments.  Companies with mobile apps will want to keep their seatbacks and tray tables in their upright and locked positions as we watch for the Attorney General’s next activities in the mobile privacy space.

Common Sense Rules in LA Lakers Text Message Suit

Most marketers know they are legally required to get permission before sending text messages to consumers. Despite this, the number of lawsuits involving (allegedly) unsolicited text messages keeps growing, as does the cost of settling these suits. Although the first cases in this area involved practices that were clearly unlawful — such as sending text messages to people who hadn’t signed up — now, companies are getting sued over much less. Fortunately, many courts have taken a common sense approach to these cases.

During a Lakers game last year, the team invited fans to text a message for a chance to have it appear on the scoreboard. A fan texted a message, and received the following confirmation from the Lakers in return: “Thnx! Txt as many times as u like. Not all msgs go on screen. Txt ALERTS for Lakers News alerts Msg&Data Rates May Apply. Txt STOP to quit. Txt INFO for info.” Shortly thereafter, the plaintiff filed a lawsuit against the Lakers arguing that the team had sent that message without consent, in violation of the Telephone Consumer Protection Act.

Applying a “common sense” reading of the TCPA, a California court determined that, by sending his original message, the plaintiff “expressly consented” to receiving a confirmatory text message from the Lakers. Indeed, the court noted that when the plaintiff sought to display his message on the scoreboard, “it is difficult to imagine how he could have been certain that the Lakers received his message without a confirmative response.” Accordingly, the court granted the Lakers’ motion to dismiss the case.

There are still a number of legal risks associated with text message campaigns, but this decision — as well as other recent developments — suggests that companies now have a better shot at prevailing in these types of nuisance suits.

Mandated Compliance Programs as the New Normal? Williams-Sonoma Agrees to $987,000 CPSC Civil Penalty & Comprehensive Compliance Program

The tide continues to rise for Consumer Product Safety Commission (“CPSC”) civil penalties as the Commission announces a $987,000 penalty against Williams-Sonoma, Inc. and the company’s agreement to implement an extensive compliance program. On Monday, the CPSC announced that Williams-Sonoma has agreed to pay the civil penalty to resolve allegations that the company knowingly failed to report a defect in its Pottery Barn wooden hammocks. Williams-Sonoma also agreed to implement a comprehensive compliance program that arguably encompasses far more than the company’s alleged failure to report in a timely manner. 

According to the settlement agreement, the wood in the hammock stands allegedly deteriorated over time, and Williams-Sonoma had received notice of a consumer injury resulting from the failure of the hammock as early as November 2004 and had received its eighth incident report by the end of October 2006. The company, however, did not report to the Commission until September 2008, when it knew of 45 incidents. In October 2008, Williams-Sonoma and the CPSC announced the recall of 30,000 hammock stands. Because the alleged failure to report occurred prior to September 2008, it was subject to the CPSC’s previous civil penalty cap of $1.825 million instead of the current cap of $15 million.

In addition to the civil penalty, Williams-Sonoma agreed: (1) to implement and maintain a comprehensive compliance program designed to ensure compliance with all safety statutes and regulations enforced by the Commission (not just the Consumer Product Safety Act, which was the subject of the penalty); and (2) to maintain and enforce a system of internal controls and procedures designed to ensure timely and accurate reporting to the CPSC. The comprehensive compliance program is the same as that imposed in the settlement agreement entered with Kolcraft Enterprises, Inc. earlier this year. In a statement issued in connection with the Williams-Sonoma settlement, Commissioner Nord expressed concern that, for a second time, the CPSC had insisted on a comprehensive compliance program absent evidence of widespread noncompliance and that “the compliance program language in [the] settlement is another step toward just such a de facto rule.” She also noted that using recalls to justify imposing mandates unrelated to the problem (in this case, timely reporting) discourages participation in the voluntary recall process.

Companies with products subject to the CPSC’s jurisdiction should note that mandated compliance programs appear to be the new normal for civil penalty agreements, regardless of a company's history with the Commission, as civil penalty demands continue to increase.

Associate Katherine E. Riley contributed to this post.  Ms. Riley is admitted only in Massachusetts.  She is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

FTC Continues FCRA Enforcement Activities: Warning Letters to 10 Data Brokers

Today, the Federal Trade Commission (“FTC”) announced that it sent letters to 10 data brokers warning them that their practices may be subject to the Fair Credit Reporting Act (“FCRA”).  A sample letter is available here.  Among other things, the FCRA governs the sale and use of consumer information which may be used to make decisions about consumers’ creditworthiness, eligibility for insurance, or suitability for employment.

As part of a global privacy sweep conducted by the Global Privacy Enforcement Network (“GPEN”), the FTC conducted test-shopping with 45 data brokers. Based on the sweep, 10 data brokers indicated a willingness to sell consumer information in a manner that may violate the FCRA.

As we’ve previously noted here and here, the FTC continues to use its authority under FCRA through enforcement actions—which include civil penalties—and warning letters.  Last month, the FTC warned 6 websites that their sharing of consumers’ rental history information with landlords may be subject to the FCRA.

While the warning letters are not a formal complaint alleging FCRA violations, they are an important reminder for all companies that sell consumer information to closely examine whether these practices fall under the FCRA and, if so, to ensure proper compliance.