4 Legal Considerations for Building a Mobile App

Kelley Drye partner Alysa Hutnik and associate Christopher Loeffler's article, “4 Legal Considerations for Building a Mobile App,” was recently featured on Mashable.com, a top source for news in social and digital media, technology and web culture. The Mobile Apps article explores the mobile app business and provides practical considerations for app developers (or for those partnering with app developers) to keep in mind to help reduce legal risk in this area.

For more information about this uncharted legal territory and emerging "rules for the road" for developing and marketing mobile apps, click here to view and listen to a recording of the Kelley Drye webinar, “Mobile Applications: Privacy and Data Security Considerations.”

Mobile Marketers Face Challenges When Making Disclosures

In an article published today in Mobile Marketer (@MobileMktrDaily), I was asked about the top legal challenges that mobile marketers face. The first on my list was the challenge of making effective disclosures in the context of a mobile campaign. Shortly after the article was published, the FTC announced that they are planning to update their “Dot Com Disclosures” guidance document, and hinted that the update could address this very issue.

The FTC first published the Dot Com Disclosures in 2000 in an attempt to advise online marketers about how to disclose material terms in a “clear and conspicuous” manner. In today’s press release, the FTC notes that the online world has changed dramatically since 2000 and that the FTC is seeking input about how the guidelines should be changed to address changes in technology. Among other things, the FTC asks about how the guidance should be modified to address mobile marketing and the limitations of mobile screens. Public comments are due by July 11, 2011.

This isn’t the first time regulators have struggled with the issue of mobile disclosures. For example, recent settlements between the Florida Attorney General and some wireless providers included requirements about how price information has to be disclosed. We can expect the FTC to take a broader approach and consider disclosures of all types of material terms. Thus, the revised Dot Com Disclosures will likely have an impact on a broad range of mobile campaigns, not just those that require a payment.

While we wait for the FTC to issue new guidance, marketers should work closely with their legal team to ensure that they make disclosures in a way that is likely to survive regulatory scrutiny. 

FCC Announces June 28, 2011 Location Based Service (LBS) Forum

Last week the FCC announced plans to hold a June 28, 2011 public education forum on consumer and privacy issues implicated by mobile Location Based Services (LBS) tracking. The FCC seeks input from consumers, industry, and academia on a variety of related topics, including industry best practices and the use of mobile devices by children.

The forum comes amid growing concerns over consumer mobile privacy, including recent disclosures that Apple and Google mobile devices collected geolocation information without consumer consent. Recent media coverage has drawn attention to the collection, use and disclosure of geolocation information and there is mounting Congressional interest in protecting consumer online and mobile privacy (see Kelley Drye Advisory and chart summarizing federal consumer privacy legislation).

The forum is being conducted in consultation with the FTC. The FCC’s March 2010 National Broadband Plan called for the two agencies to work together on privacy issues and in July 2010, a Joint FTC/FCC Privacy Task Force was formed. The forum will inform a forthcoming FCC staff report that may help shape the ongoing privacy debate and may clarify the role the FCC intends to play in this area. Comments on the LBS forum and the topics raised for inclusion in the proposed FCC staff report are due July 8, 2011.

For more information about this uncharted legal territory and emerging "rules for the road" for developing and marketing mobile apps, click here to view and listen to a recording of the Kelley Drye webinar, Mobile Applications: Privacy and Data Security Considerations.

Christopher S. Koves contributed to this post.

Senator Leahy Introduces Bill to Update Electronic Communications Privacy Act

Last week, Sen. Patrick Leahy (D-VT) introduced a bill to update the 25-year-old Electronic Communications Privacy Act (ECPA), by seeking enhanced privacy protections during government searches of electronic communications, cloud computing and location-based services. The ECPA Amendments Act of 2011 (S. 1011) would require a search warrant based on probable cause before service providers could disclose to federal authorities the contents of a customer’s electronic communications, whether stored or in transit – eliminating the “180-day rule.” However, the bill would require service providers to provide access to non-content communication records, such as subscriber name and address, in response to federal or state administrative or grand jury subpoenas. Federal authorities can also seek delayed notification to a service provider’s customers for investigative purposes.

The bill also implicates the mobile industry, proposing geolocation information privacy protections. If enacted, the bill would prohibit required disclosure of contemporaneous or prospective geolocation information without a warrant or court order, with exceptions for emergency response and historical data. At a recent hearing (see Kelley Drye Advisory), Sen. Leahy expressed his desire for broad application of ECPA to mobile providers and mobile applications. Notably, the bill would insulate electronic communication service providers from liability for providing geolocation information to federal authorities.

Communications providers need to be aware of their current and potential obligations under ECPA and the way in which they respond to requests for sensitive customer information from federal authorities. ECPA reform and the flood of recent privacy legislation (see Kelley Drye Chart) may impact mobile and Internet service providers’ responsibilities to protect customer privacy.

Christopher S. Koves contributed to this post.

Indiana Supreme Court Rules NCAA Did Not Violate Lottery Laws

Last year, we posted about a lawsuit alleging that the NCAA’s method of distributing Final Four tickets was an unlawful lottery. According to the complaint, each person who applied for tickets could submit an application with up to ten entries and a non-refundable handling fee. People who didn’t win tickets would give up the handling fees they had paid. (A more complete description of the process appears in our first post.) The Seventh Circuit ruled that this could constitute an unlawful lottery, but later vacated the opinion and certified three questions to the Indiana Supreme Court.

Last month, the Indiana Supreme Court unanimously ruled in favor of the NCAA. At the outset, the Court determined that under Indiana law, a lottery is “a scheme for the distribution of prizes by lot or chance among those who provided or promised to provide consideration.” Under this definition, a promotion must include each of the following three elements for it to constitute a lottery: (1) a prize; (2) chance; and (3) consideration. In the decision, the Court focused only on the prize element.

The Court determined that a prize is something of more value than the amount invested. In this case, consumers invested the price of the tickets plus a handling fee, and would receive in exchange either the tickets minus the handling fee or the price of the tickets minus the handling fee. Thus, because those consumers who receive tickets would not get anything of greater value than those who receive refunds, the tickets were not prizes. Because there was no prize, there was also no lottery.

The decision is good news for the NCAA and other companies that run similar promotions. Nevertheless, companies should be careful any time they offer a promotion that requires people to pay money for an uncertain benefit. Indeed, the Court also noted that the decision “would not prevent a prosecutor or plaintiff from attacking a similarly structured scheme that is merely a ruse for a traditional lottery.”  

Senate Hearing Reflects Increasing Focus on Mobile Privacy and Consumer Protection

On May 19, 2011, the Senate Commerce Subcommittee on Consumer Protection, Product Safety and Insurance held a hearing on protecting consumer privacy in the dynamic mobile marketplace created by smartphones and the advent of mobile applications or “apps.” The hearing, “Consumer Privacy and Protection in the Mobile Marketplace,” comes amid growing concerns for consumer mobile privacy in the wake of reports that mobile app providers collect personal information without privacy policies or consumer consent on data collection and usage.

Representatives from the FTC, Facebook, Google, Apple, the Association for Competitive Technology and Common Sense Media offered views on mobile privacy from the government, industry and consumer perspectives. The panelists addressed the Senator’s privacy concerns, focusing on FTC authority over privacy, behavioral advertising targeting children, and the specific mechanisms and procedures used to protect mobile privacy.

The hearing builds on a May 10, 2011 Senate Judiciary Subcommittee hearing that also focused on mobile privacy and a number of legislative proposals to address consumer online and mobile privacy concerns. Please click here for a summary of the hearing.

Growing FDA and FTC Collaboration Changes Regulatory Landscape for Marketers

It is no secret that marketers are striving for ways to legally and effectively educate consumers about the health benefits provided by food and dietary supplement products. In fact, Natasha Singer of the New York Times recently reported on the growth of "functional foods" marketed with health benefit claims -- a $37.3 billion market in the United States in 2009.

However, marketers must proceed with caution when considering advertising strategies that can sustain heightened regulatory scrutiny. Increased collaboration between FDA and the FTC is creating a notable shift in regulatory enforcement that blurs the jurisdictional lines between the agencies and requires a new assessment of potential liabilities for companies making health-benefit claims for their products.

For more information regarding this trend and important considerations for food and dietary supplement companies, please see the May 2011 article in Nutritional Outlook written by Kelley Drye attorneys John E. Villafranco, Raqiyyah R. Pippins, and Kristi L. Wolff entitled "Working Together: How Growing FDA and FTC Collaboration Changes the Regulatory Landscape for Food and Dietary Supplement Marketers."

Kelley Drye Hosts Webinar on Privacy in the Mobile Applications Space

On May 16, 2011, Kelley Drye’s Privacy and Information Security practice hosted the webinar Mobile Applications: Privacy and Data Security Considerations, which is part of the practice group’s Cutting Edge Technology Series. More than 80 participants joined Kelley Drye partners Dana Rosenfeld, John Heitmann, and Alysa Hutnik to review key privacy and legal principles applicable to companies that develop, market, sell, or deliver mobile applications (“apps”).

The mobile apps market, which is projected to reach nearly $4 billion in 2011, is attracting increased legislative and regulatory scrutiny, along with substantial litigation exposure, due, in part, to recent high-profile investigative news stories highlighting consumer privacy and data protection issues and omissions in consumer disclosures. During the webinar, the Kelley Drye partners reviewed the mobile app ecosystem and the current legal landscape. The partners then discussed emerging best practices and due diligence measures that can be used by all entities in the mobile app delivery chain to help minimize their legal risks. The plan encourages ongoing collaboration between a company’s legal, business, and technical stakeholders, and offers practical considerations relating to app design, the consumer experience, and contractual protections.

Please contact any of the partners noted above with questions concerning the privacy and data security principles applicable to the mobile apps space.
 

Click here to view and listen to a recording of the webinar.

Disney's Playdom Charged with Violating Children's Online Privacy, Enters $3 Million FTC Settlement

On May 12, 2011, the FTC announced that it reached a $3 million settlement with online “virtual worlds” website provider Playdom, Inc., a Disney subsidiary, for allegedly violating its own privacy policies and collecting and disclosing personal information on hundreds of thousands of children without parental consent – potential violations of the Children’s Online Privacy Protection Act (COPPA).

Playdom owns and operates a number of online “virtual world” websites, including sites geared for children such as Pony Stars, where users can play online games, post profile pages and engage in other online activities. In the process, between 2006 and 2010, Playdom’s websites collected personal information on over 400,000 children under the age of 13. In July 2010, Playdom was acquired by a subsidiary of The Walt Disney Company.

COPPA requires website operators to maintain clear privacy policies and obtain parental consent prior to the collection, use or disclosure of personal information – such as name, address, email, and telephone number – for children under the age of 13. Playdom allegedly violated COPPA by collecting children’s ages and email addresses during online registration and enabling child users to post personal information – their names, email addresses, instant messenger names and location information – on profile pages without first obtaining parental consent. Further, Playdom allegedly violated the FTC Act by misrepresenting in its privacy policies that children could not post profile pages, when in fact they could.

On May 11, 2011, the Department of Justice (on behalf of the FTC) formally filed a Complaint and entered the proposed $3 million Consent Decree and Order in the U.S. District Court for the Central District of California in Los Angeles. The $3 million Consent Decree marks the largest civil penalty doled out by the FTC under COPPA. This case and the growing list of cases involving online consumer privacy rights highlight the due diligence required when website operators and other companies collect, use and disclose consumer information (or acquire a company that does).

Christopher S. Koves contributed to this post.

Facebook Issues New Promotions Guidelines

Yesterday, Facebook modified the Guidelines that govern how companies can run or advertise sweepstakes, contests, and other promotions on the Facebook platform. Following is a summary of the key provisions:

  • Promotions on Facebook must be administered within Apps on Facebook.com, either on a Canvas Page or an app on a Page Tab. You cannot use Facebook features or functionality as an entry mechanism. For example, you cannot give people entries simply by liking a page.
  • You must make certain disclosures. For example, you must disclose that the promotion is not sponsored by Facebook, that entrants are not providing information to Facebook, and that entrants release Facebook of liability. You cannot use Facebook’s name or trademarks other than to make those disclosures.
  • You cannot condition entry upon a person taking any action using Facebook features or functionality, other than liking a Page, checking in to a Place, or connecting to your app. For example, you cannot condition entry upon a person uploading a photo on a Wall.
  • You cannot notify winners through Facebook, such as through Facebook messages, chat, or posts on profiles or Pages.

The complete Guidelines are available here. Keep in mind that complying with the Guidelines does not guarantee that a promotion will be lawful. As Facebook points out, “promotions are subject to many regulations and if you are not certain that your promotion complies with applicable law, please consult with an expert.”

Senate Hearing on Mobile Device Location Tracking Highlights Ongoing Concerns Over Consumer Privacy Protections

On May 10, 2011, the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing to examine industry practices concerning the collection, retention, and use of consumer mobile device location information. The hearing, “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy,” was spurred by recent investigative news reports that Apple and Google have been secretly collecting and storing users’ mobile device location information. Two panels of witnesses, including representatives from the FTC, Department of Justice, Apple, and Google, briefed subcommittee members on the legal, enforcement, and technological aspects of the mobile location data issue.

The Senate hearing is the latest event during a particularly active period for consumer privacy and data security-related Congressional activity. In addition to hearings, a growing number of federal bills have been introduced in response to privacy and data security concerns.

Click here for a summary of the hearing, as well as a chart summarizing the various federal bills on point.

If this topic is of interest, don't miss the Kelley Drye & Warren LLP webinar, "Mobile Applications: Privacy and Data Security Considerations," on May 16 at 12:00pm Eastern.

Join Us on May 16 for the Webinar, "Mobile Applications: Privacy and Data Security Considerations"

Do you know what kind of data your smartphone apps are collecting?

Understanding the flow of data, how it is shared, and whether your apps collect sensitive information such as mobile payments or location-based data is critical to avoiding regulatory scrutiny and litigation risks.

Join Kelley Drye on May 16 from 12 noon – 1:00pm EST for a webinar exploring this uncharted legal territory, “Mobile Applications: Privacy and Data Security Considerations.” Topics of discussion will include:

  • The mobile ecosystem, including data flows and parties involved.
  • Privacy and security considerations, including unintended data uses.
  • Current issues in the legal landscape, including media coverage; inquiries and actions from Congress, the FTC, and FCC; litigation risks; and industry activity.
  • Emerging “rules for the road” for developing and marketing mobile apps.

This webinar will address the privacy and information security questions that are top of mind for anyone involved in developing, marketing, selling, or serving mobile apps.

Kelley Drye Speakers:

Dana B. Rosenfeld
Chair, Privacy & Information Security Practice and Partner, Advertising & Marketing Practice

Alysa Z. Hutnik
Partner, Privacy & Information Security and Advertising & Marketing Practices

John J. Heitmann
Partner, Telecommunications and Privacy & Information Security Practices

Email dcevents@kelleydrye.com to register.

New FTC Data Breach Cases Focus on HR Service Providers & Safeguarding Employee Data

Today, the FTC announced data security settlements with two companies based on allegations that the companies failed to employ reasonable data security measures. The twist in these cases, compared to prior FTC cases, is the focus on companies who act as service providers to businesses related to their employee data (as opposed to customer data).

The FTC settlements underscore:

  1. that reasonably protecting employee/HR data is within the FTC's scope of enforcement under Section 5 of the FTC Act, and
  2. the importance for all businesses to (a) exercise due diligence in selecting vendors that will have access to their employee/human resources data, and (b) confirm via contract and otherwise that the vendors have reasonable security measures in place (as to both the products being offered and the vendor's own business where the HR data will be maintained).

The Charges: In the two cases at issue, the HR service providers both incurred data breaches resulting in compromised employee information (e.g., employee names, addresses, social security numbers, dates of birth, direct deposit information). According to the FTC complaints:

  • Ceridian (a payroll and human resource services provider) operated a web-based payroll processing service for small business customers. The FTC's allegations focused on the vendor's practice of storing the HR PII in plain text and indefinitely without a business need, remaining vulnerable to predictable SQL injection attacks, and not employing measures to detect and prevent unauthorized access to the PII. As a result, the FTC alleged the company lacked adequate network protections and mishandled its customers' employee information, resulting in a data breach that affected 28,000 employees of its small business customers.
  • Lookout Services, Inc. markets a web-based compliance product for employers who need to maintain citizenship information about their employees. The FTC's allegations charged that the vendor failed to implement reasonable security safeguards, including the absence of reasonable security policies, inadequate passwords and user credentials, and an insecure web application, resulting in a data breach to the company's database that retained 37,000 social security numbers.

The Settlements: Under the settlements, Ceridian and Lookout Services must implement comprehensive information security programs that need to be independently audited every other year for 20 years. Additionally, the companies are barred from misrepresenting the privacy, confidentiality, and integrity of the personal information that they maintain in their systems. Violations of an FTC Order can subject a company to up to $16,000 per violation.

Plaintiffs File Class Action Over Twitter Opt-Out Confirmation Message

Two men recently filed a class action lawsuit against Twitter, alleging that Twitter engaged in unlawful conduct by sending messages to their mobile phones without consent, in violation of the Telephone Consumer Protection Act.

In the past few years, there have been a number of cases in which companies sent unsolicited text messages to consumers, and courts have ruled that those messages violated the TCPA. The twist in this case is that the plaintiffs actually opted in to receive messages from Twitter. Later, the plaintiffs opted out of receiving messages, and Twitter sent them one final message to confirm the opt-out request had been processed. According to the plaintiffs, this confirmation message violates the TCPA.

This lawsuit impacts virtually all SMS campaigns. Most agreements in the mobile space require companies to comply with the Mobile Marketing Association’s Consumer Best Practices Guidelines. Those Guidelines state, in part: “When STOP, or any of the opt-out keywords above, is sent to a program, the program must respond with a [mobile terminated] message, whether or not the subscriber is subscribed to the program.” In other words, the Guidelines require companies to send a confirmation message.

Although companies can usually assume that complying with industry standard guidelines, such as the MMA Guidelines, means they will also be in compliance with the law, this lawsuit demonstrates that doing things right isn’t always a guarantee that plaintiffs’ attorneys won’t file a lawsuit in an attempt to force a settlement and payments. Companies should check with their counsel to determine whether they need to modify their practices in response to this lawsuit.