Ad Law Access

Ad Law Access

Updates on consumer protection trends, issues, & developments

Don Henley Settles Right of Publicity Suit with Retailer

Posted in Right of Publicity

Last year, Duluth Trading Company ran ads promoting its henley-style shirts that urged customers to “Don a Henley and take it easy.” (Readers of a different generation, take note: Don Henley was the lead singer of the Eagles, and Take it Easy was the band’s first single inHenley 1974.)

If you’ve read our previous posts on right of publicity issues, you may know that it’s usually not a good idea to use a celebrity’s name or image without their permission. In this case, Henley filed a lawsuit against Duluth, arguing that the retailer’s ads exploited his celebrity status, violated his publicity rights, and infringed his trademarks.

The parties agreed to settle the suit this week, and Duluth posted a public apology to Don Henley on its Facebook page. In the apology, the company noted that although it aims to keep its ads “fresh, interesting, and funny,” they had “pushed the advertising envelope too far.” “We have learned a valuable lesson and thank Mr. Henley for helping us appreciate the importance that he and other artists place in their publicity rights.”

Luckily, you don’t have to be sued by Don Henley to appreciate the importance of publicity rights. You can just read our blog. Or you can check out a recent series on right of publicity claims posted by our friends at Drye Wit.

NAD Finds DirecTV’s Rob Lowe Ads to be Misleading

Posted in Advertising, NAD

DirecTV has received a lot of attention for its ad campaign featuring Rob Lowe. Although many of the commercials are funny, not everyone is laughing. Comcast challenged the ads before the NAD, arguing that the ads make misleading comparisons between DirecTV and cable. The NAD largely sided with Comcast, and asked DirecTV to stop making various claims.

The ads start with Rob Lowe stating that he has DirecTV. Then, a creepy or dysfunctional version of the actor Loweappears and announces that he has cable. The ads close with Rob Lowe pointing to his alter-ego, saying: “Don’t be like this me. Get rid of cable and upgrade to DirecTV.” Comcast argued that the ads convey the misleading impression that DirecTV is superior to cable on a number of attributes, including signal reliability, picture quality, and customer service.

The case involved a number of issues, but one of the key questions was whether the ads made any claims that required proof, in the first place. DirecTV argued that because the ads were so outlandish, consumers wouldn’t take the comparisons seriously. Sometimes this type of argument can work, and an advertiser won’t have to provide proof. But the NAD noted that the use of humor and hyperbole doesn’t automatically mean that consumers won’t take away objective claims from an ad.

The NAD determined that the discussion of specific attributes — such as signal reliability, picture quality, and customer service — coupled with the tagline encouraging people not to be like the creepy version of Rob Lowe by upgrading from cable to DirecTV could reasonably convey that DirecTV was superior in each of the attributes mentioned. Because DirecTV did not provide proof of superiority, the NAD found many of the ads to be misleading.

Humor and hyperbole can be effective advertising techniques. In some cases, they can even get a message across without requiring an advertiser to have proof for that message. But the NAD has often held that denigrating claims “must be truthful, accurate, and narrowly drawn so that they do not falsely disparage a competitor’s product.”

AT&T To Pay $25 Million to Resolve FCC Data Breach Claims

Posted in Privacy and Information Security

On April 8, 2015, the Federal Communications Commission (FCC) Enforcement Bureau announced that AT&T has agreed to a $25 million consent decree to resolve an FCC investigation into alleged consumer privacy violations at AT&T call centers in Mexico, Columbia, and the Philippines. According to the FCC, AT&T violated Section 222 of the Communications Act (the “Act”) by failing to reasonably secure its customers’ personal information, including customers’ names and at least the last four digits of their Social Security numbers, as well as account-related data known as customer proprietary network information (CPNI). The agency further alleged that AT&T’s data security practices at the three call centers were unjust and unreasonable in violation of Section 201 of the Act. The settlement is the FCC’s largest data security enforcement action to date.

The FCC launched its investigation into AT&T in May 2014 after AT&T reported a data breach to the Commission’s CPNI Data Breach Portal. The breach occurred between November 2013 and April 2014 at a third-party call center facility in Mexico under contract with AT&T. According to the FCC, while AT&T did not operate the call center where the breach occurred, AT&T maintained and operated the systems that certain employees at the Mexico call center used to access AT&T customer records, and such systems were governed by AT&T’s data security measures. The FCC asserted that AT&T’s measures failed to prevent or timely detect the breach that lasted 168 days and resulted in the unauthorized access of more than 68,000 customer accounts. The employees as issue sold the data from the customer accounts to an unauthorized third-party who used the information to submit up to 290,000 handset unlock requests through AT&T’s website as part of what appeared to be a fraudulent used or stolen phone trafficking operation. AT&T terminated its relationship with the Mexico call center in September 2014.

In March 2015, AT&T disclosed to the FCC that it was investigating separate data breaches at call centers in Columbia and the Philippines, in which call center employees accessed account data for at least 211,000 customer accounts to obtain unlock codes for AT&T mobile phones. The unauthorized access exposed certain customer CPNI including bill amount and rate plan information, though AT&T’s investigation found no evidence that the CPNI was used or sold to third-parties.

To read more about the terms of the FCC consent decree with AT&T, visit our sister blog here.

The consent decree with AT&T comes six months after the FCC’s first data security enforcement action. In that case, the FCC issued a Notice of Apparent Liability (or NAL) seeking to impose $10 million in fines against TerraCom, Inc. and YourTel America, Inc. for allegedly violating Sections 222 and 201 of the Act by maintaining the sensitive personal data of 300,000 consumers on unencrypted Internet servers. These actions underscore the FCC’s heightened and growing emphasis on consumer privacy and data security, areas that traditionally have been the focus of the Federal Trade Commission, which has brought more than 50 privacy and data security actions across a number of industries during the past 10 years.

Claiming Safe Harbor on Your Website? Recent FTC Enforcements Provide Some Lessons About Certification Lapses

Posted in Federal Trade Commission, Privacy and Information Security

The Federal Trade Commission (“FTC”) announced on Monday two more Safe Harbor-related settlements with two companies for misrepresenting their participation in the U.S.-EU Safe Harbor framework, which is subject to the FTC’s deception authority under Section 5 of the FTC Act.  The U.S.-EU Safe Harbor framework is a method whereby U.S. companies can comply with EU data protection requirements for the transfer of consumer data from the European Union to the United States. To obtain Safe Harbor status, companies must file a self-certification annually with the U.S. Department of Commerce agreeing to comply with seven Privacy Principles, including notice, choice, onward transfer, access, security, data integrity and enforcement.  The organization must likewise declare in its published privacy policy statement that it adheres to the Safe Harbor Privacy Principles.

The companies involved – TES Franchising, LLC (“TES”) and American International Mailing, Inc. (“AIM”) — claimed in privacy policies and statements on their company webpages that they were current U.S.-EU Safe Harbor framework participants. However, TES and AIM had not renewed their self-certification since March 2013 and May 2010, respectively. TES also misrepresented its participation in the U.S.-Swiss Safe Harbor framework. Identical to the U.S.-EU Safe Harbor framework, the U.S.-Swiss Safe Harbor framework permits U.S. companies to comply with requirements for the transfer of consumer data from Switzerland to the United States under the Swiss Federal Act on Data Protection. TES represented on its company webpage that it was current with this framework even though it had not self-certified since March 2013.

The settlement with TES also touched on the importance of making truthful representations about the mechanism available for dispute resolutions under Safe Harbor frameworks. According to the TES Safe Harbor certification, European data protection authorities were the authorized mechanism to resolve Safe Harbor-related disputes. These authorities performed this function at no cost to the consumer and without an in-person hearing. The FTC alleged that TES made false and misleading statements when it represented to its customers that Safe Harbor-related disputes would be resolved in Connecticut with the costs of arbitration equally divided amongst the parties.

With these two settlements, the FTC has now brought 26 enforcement actions regarding Safe Harbor compliance. The lesson for companies here is to (1) if participating, timely re-certify Safe Harbor each year to the U.S. Department of Commerce; and (2) before filing such recertification, confirm the accuracy and consistency of privacy policies and publicly facing statements to ensure that Safe Harbor claims are truthful and supported by the facts.

“Throttled” Motion to Dismiss; FTC Case Against AT&T for “Unlimited” Data Promises Continues

Posted in Federal Trade Commission

On March 31st, a federal judge in California District Court issued an Order denying AT&T’s motion to dismiss the Federal Trade Commission’s (FTC’s) lawsuit against the company concerning its advertising and business practices for its mobile wireless data plans. The FTC’s case against AT&T will now move forward on the merits.

The FTC initiated the suit in October 2014, accusing AT&T of misleading millions of its customers by marketing and selling “unlimited” data plans, while reducing data speeds for certain unlimited plan customers by up to 90 percent through a practice known as “throttling.” The FTC alleged that AT&T failed to adequately disclose to its customers who purchased unlimited data plans that, once a customer uses a certain amount of data (two gigabytes, in some cases) in a given billing cycle, AT&T reduces, or “throttles,” the customer’s data speeds so that popular smartphone applications such as GPS navigation and streaming video fail to function as intended. The FTC asserts that AT&T has been throttling data speeds for unlimited data customers since 2011, and has throttled at least 3.5 million customers a total of more than 25 million times.

The FTC further alleged that AT&T’s practices were unfair under Section 5 of the FTC Act because AT&T changed the terms of customers’ unlimited data plans while customers were still under contract, and then charged early termination fees (ETFs) to customers who attempted to cancel their unlimited plan as a result of the reduced data speeds.

AT&T denied the allegations, arguing its practices are not uncommon for the industry and it has been transparent with customers from the beginning, and filed a motion to dismiss the case, claiming that AT&T’s business is regulated as a common carrier under the Communications Act and therefore is exempt from FTC jurisdiction.

Unfortunately for AT&T, Judge Edward Chen disagreed. The Order denying AT&T’s motion stated, “Contrary to what AT&T argues, the common carrier exception applies only where the entity has the status of common carrier and is actually engaging in common carrier activity.” This is the “activity-based” test advocated by the FTC.

This case is further complicated by the FCC’s March 12 Open Internet Order, released the same day as AT&T and FTC’s oral arguments on the motion, which classifies mobile broadband internet access service as common carriage service under Title II of the Communications Act.  AT&T argued that once the Title II reclassification takes effect, the FTC will no longer have jurisdiction.  Again, the California court disagreed, finding that the FCC’s Order does not prevent the FTC from pursuing past actions that were under its jurisdiction before the Title II reclassification.

Senate Unanimously Approves “Internet of Things” Resolution

Posted in Federal Trade Commission, Privacy and Information Security

While the broader issues of consumer privacy and data security remain hot topics,  Congress and government enforcers have focused particular zeal on emerging technologies.  Just this week, the Senate unanimously passed a bipartisan resolution calling for the development of “a strategy to incentivize the development of the Internet of Things.”  The resolution recognizes that the Internet of Things “has the potential to generate trillions of dollars in economic opportunity,” and that “increased connectivity can empower consumers.”  It then suggests stimulating the development of the Internet of Things “in a way that recognizes its benefits and allows for future innovation, and responsibly protects against misuse.”  The resolution also acknowledges the importance of industry-developed best practices and calls on innovators to “commit to improving the quality of life for future generations by developing safe, new technologies aimed at tackling the most challenging societal issues facing the world.”

Sens. Deb Fischer (R-Neb.), Cory Booker (D-N.J.), Kelly Ayotte (R-N.H.), and Brian Schatz (D-Hawaii) introduced the resolution in early March following a recent hearing on Internet of Things issues before the Senate Commerce Committee, as well as the release of the FTC’s Internet of Things report in January.  The resolution is not legislation and does not carry the force of law.  However, the continued focus and activity on this issue could suggest that new legislation to promote and/or regulate the Internet of Things is forthcoming.  We will post any new updates on this blog, so be sure to check back regularly.

Jennifer Rodden, a law clerk with Kelley Drye & Warren, assisted in the drafting of this post.

FTC Enforcement Targets BMW Warranties

Posted in Federal Trade Commission

Note: Ilunga Kalala assisted in drafting this post.

The Federal Trade Commission  (“FTC”) announced last week that it reached a settlement with BMW of North America, LLC, (“BMW”) regarding the maintenance and repair warranty that BMW’s MINI Division provided consumers.

Under the Magnuson-Moss Warranty Act (“Act”), a company that provides a warranty cannot condition that warranty on the purchase of parts or services from a particular company.  According to the FTC’s complaint, the MINI Division warranty violated the Act because (1) it was conditioned on whether consumers used genuine MINI parts and dealers to perform maintenance and repair work and (2) there was a charge for the parts and services.

The proposed consent order prohibits BMW from requiring that car owners have maintenance performed by MINI Division dealers or with MINI parts as a condition of the warranty, unless BMW provides the part or service without charge. The agreement also prohibits BMW from indicating that car owners must have maintenance performed by MINI Division dealers or with MINI parts so that their vehicles operate safely or maintain their value.

This is the first auto warranty related enforcement action by the FTC in several years and a reminder to all companies offering a warranty to revisit their terms to ensure they do not impose similar conditions.

One-A-Day Keeps the Plaintiff’s Lawyers Away: FDA Determinations on Disease Claims Preempt Class Action Allegations

Posted in Advertising, Class Action Litigation, Food and Drug

A California court recently dismissed, in part, a consumer class action against labeling and advertising claims for twenty different Bayer One-A-Day multivitamins. The plaintiffs had alleged that the claims, “supports heart health” and “supports immunity” – which Bayer used for many of the products – were impermissible disease claims. The court rejected these allegations. It found, first, that FDA has determined that such claims are permissible, non-disease “structure/function” claims. It pointed to FDA guidance providing that similar claims, such as “helps maintain a healthy circulatory system” and “supports the immune system,” are permissible structure/function claims. The court, next, found that, under an express pre-emption provision in the federal Food, Drug, and Cosmetic Act, a litigant cannot upset FDA’s prior determination. The FDCA pre-emption provision provides that state law cannot impose a labeling requirement that conflicts with or adds to FDA requirements. In contrast to its holding regarding the heart health and immunity claims, the court refused to dismiss allegations against the claim, “supports physical energy.” The difference is that while the plaintiffs challenged the substantiation for the energy claim, they did not allege that the claim was an impermissible disease claim.

The lawsuit, which was filed with the support of the Center for Science in the Public Interest, is a clear winner for industry. The specter of a court finding that a clear structure/function claim, like “supports heart health,” is a disease claim loomed large and could have affected the types of claims that dietary supplement and food companies choose to make. This decision, we hope, will discourage future litigants from picking fights over what is and isn’t a disease claim. We wonder, too, if this decision or others like it could eventually affect the FTC’s position on disease claims. In 2010, the FTC began including in many of its orders specific requirements for any future claims that a food or supplement “treats, prevents, or cures any disease.” With the duty to enforce the new provisions, the FTC effectively entered the business of disease claim determination. The FTC orders neither define what constitutes a disease nor refer to FDA regulations on the matter. An open question, thus, has been how exactly is the FTC defining what is and isn’t a disease claim? And, should the FTC really be the agency making such determinations?

Jennifer Rodden, a law clerk with Kelley Drye & Warren, assisted in the drafting of this post.

Obama Administration Receives Little Support for the Consumer Privacy Bill of Rights Act

Posted in Privacy and Information Security

Following up on his historic visit to the FTC in January during which President Obama laid out his privacy and data security agenda, the administration released a discussion draft of the Consumer Privacy Bill of Rights Act (the “Act”) on February 27, 2015. The Act lays out a number of privacy and security requirements for with which entities subject to the Act would be required to comply. Chief among them are requirements to disclose privacy and data use policies to affected individuals, allow individuals to have greater control over their personal data, and identify and take steps to mitigate data security risks. The Act also provides a basic overview for enforcement mechanisms and establishes some “safe harbors” that would allow otherwise covered entities to avoid liability for violations of the Act under certain limited circumstances. Finally, the Act gives the Federal Trade Commission rulemaking and civil penalty authority to assist in the implementation and enforcement of the Act.

Although the bill was not formally introduced for consideration in Congress, its release has jumpstarted a discussion among industry stakeholders and consumer and privacy advocacy organizations on various legislative approaches to mandating privacy and data security protections for consumers. And while the future of the Act is far from certain, any private entity that engages in personal data processing should be aware of the discussion draft and its potential impact on business practices.

Reactions from the FTC

Several FTC officials have expressed significant reservations about the proposed legislation and its ability to effectively protect consumers. While acknowledging the proposal’s usefulness in moving forward the current international debate over how data protection should be regulated in the U.S., FTC Chairwoman Edith Ramirez also raised concerns about a number of potentially problematic loopholes and a lack of clarity in certain areas, such as the authority of privacy review boards to set industry specific best practices. Commissioner Julie Brill and Bureau of Consumer Protection Director Jessica Rich also have expressed concerns, with Commissioner Brill saying “we need to put the consumer back in the consumer privacy bill of rights.” Director Rich has asserted that the proposal creates exceptions that would allow companies to maintain control over data and limit consumer choice about how their information is used. Officials also are worried about the bill’s potential to restrict the FTC’s enforcement capabilities – this is a hot button for the FTC right now because of the recent decision by the Federal Communications Commission to reclassify broadband as a Title II service in its Open Internet order, which limits FTC jurisdiction over those service providers.

Other Reactions

Senators Ed Markey (D-Mass.) and Al Franken (D-Miss) both issued statements opposing the bill on the basis that it does not do enough to protect consumer privacy. Mr. Markey subsequently introduced his own privacy bill (S.668) that he claims will provide more comprehensive consumer privacy protection, particularly with respect to data brokers. On the House side, Reps. Peter Welch (D-Vt.) and Marsha Blackburn (R-Tenn.) on March 12 released draft legislation focused on data breach prevention and notification requirements. The Commerce, Manufacturing & Trade Subcommittee for the House Energy and Commerce Committee held a hearing on March 18 to discuss the draft of the legislation.

Several consumer groups likewise came out against the President’s bill due to concerns that it would not adequately protect consumers due to lack of clarity about what types of information are covered and the range of exemptions for covered entities.

Not surprisingly, many private entities and trade associations also have opposed the legislation because of the potential for enhanced oversight and regulation, which they argue could lead to a chilling effect on consumer product innovation.

What to Expect Going Forward

In light of the initial reactions to the White House proposal, and in the absence of support from the majority in Congress, it is unlikely that the draft proposal will be introduced in the House or Senate without substantial revisions. If introduced, any bill would require strong bipartisan support to move forward, and it is difficult to see how the present draft could come close to achieving this objective. In any event, the release of this draft legislation should serve as a reminder that privacy issues will remain paramount in the Administration’s agenda and the FTC is likely to continue to vigorously enforce existing privacy and data security laws until such time as a new law comes to fruition.

Reauthorization of MOU Between CFPB and FTC Promotes Regulatory “Harmony”

Posted in Consumer Financial Services, Federal Trade Commission

The Federal Trade Commission (“FTC”) and the Consumer Financial Protection Bureau (“CFPB”) announced on March 12 the reauthorization of the Memorandum of Understanding (“MOU”) entered into by the two agencies on January 20, 2012.  As in the original, the new MOU addresses coordinated efforts in the areas of law enforcement, rulemaking and guidelines, research, consumer education, operational planning, and information sharing and confidentiality.  Notably, the provisions with respect to inter-agency information sharing remain unchanged.  The FTC can request that the CFPB turn over examination reports and confidential supervisory information pertaining to any entity subject to the FTC’s jurisdiction.

The FTC affectionately has characterized the reauthorization by reference to lyrics by Elvis Costello:  “What’s so funny ‘bout peace, love, and understanding?”  The FTC then croons that “when it comes to protecting consumers, ensuring a vibrant marketplace for financial products and services, and using resources efficiently,” the two agencies are “in harmony.”  Given the breadth of information sharing between the two agencies, companies subject to joint jurisdiction should monitor closely any developments that result from the reauthorized MOU.