NY AG Enters Mobile Health App Enforcement Arena with Settlements Targeting Health Claims and Privacy Practices

New York Attorney General Eric Schneiderman recently announced settlements with three mobile health app developers resolving allegations that they made deceptive advertisements and had irresponsible privacy practices. The Attorney General alleged that the developers sold and advertised mobile apps that purported to measure vital signs or other indicators of health using just a smartphone. The apps had over a million downloads, giving these concerns considerable consumer reach. The Attorney General’s office reportedly became aware of the apps through consumer complaints and reports to the Health Care Bureau.

Failure to Properly Substantiate Health Benefit Claims

The NY AG’s core concerns regarding the advertising claims were as follows:

  • Runtastic created “Heart Rate Monitor, Heartbeat & Pulse Tracker”. The NY AG alleged that Runtastic promoted its app as a product that purports to measure heart rate and cardiovascular performance under stress but had not tested the app with users engaged in vigorous exercise.
  • Cardiio created and sold the “Cardiio Heart Rate Monitor”. Cardiio allegedly also marketed its app as a means of monitoring heart rate following vigorous movement but had not tested the app under those conditions. In addition, the NY AG alleged that Cardiio’s representations that its product was endorsed by MIT were deceptive.

Representations Consistent with a Regulated Medical Device

  • Matis’s “My Baby’s Beat-Baby Heart Monitor App” raised slightly different concerns. Matis allegedly promoted the app with statements such as “Turn your smartphone into a fetal monitor with My Baby’s Beat app” and language that encouraged consumers to use the app as an alternative to more conventional fetal heart monitoring tools.  The app allegedly had not undergone proper review by the FDA to be marketed as such, however.

As readers of this blog and our sister blog, Food and Drug Law Access, know, the FDA has authority to regulate medical devices and has taken a risk-based approach to consumer-directed mobile health products.  The FTC has been even more active than the FDA in bringing health-related enforcement actions, as we have written about here, here, and here.  As these federal agencies transition into a new administration, the NY AG is making clear with these settlements that regulators are still watching for potentially misleading health claims.

The NY AG also alleged several problematic privacy practices, including the following:

  • Failing to disclose the risk that third parties could re-identify de-identified user information,
  • Issuing conflicting statements on data sharing under the Privacy Policy and under the Privacy Settings,
  • Failing to disclose that the company collected and provided to third parties consumers’ unique device identifiers,
  • Employing a practice of consent by default, where a consumer is deemed to have consented to a privacy policy just by using the website, and
  • Failing to disclose that protected health information collected, stored, and shared by the company may not be protected under the Health Insurance Portability and Accountability Act.

As we noted in a previous post on privacy and data security in mobile health apps, legal compliance is all too often an afterthought when it comes to app development. These allegations underscore the importance of understanding and reconciling data collection and use practices with the statements companies make to consumers.

NetSpend Settles FTC Charges, Resolving Allegations that it Deceived Consumers over Access to Prepaid Funds

Last week the FTC announced that it had reached a settlement with NetSpend over allegations that NetSpend deceived consumers by promising “immediate access” with “guaranteed approval” to money loaded on its general purpose reloadable cards.  Approved 2-1 with a vote by then-Commissioner Ramirez before her resignation, the order prohibits NetSpend from making misrepresentations about the length of time or conditions necessary before its prepaid products will be ready for use, the comparative benefits of its prepaid products to debit cards and other payment methods, and the protections consumers have in the event of account errors.  The order also requires NetSpend to pay $53 million in monetary relief and to provide notices to third-party advertisers directing them to discontinue any claims stating that NetSpend’s cards “provide immediate or instant access to funds, are ready to use today, or provide guaranteed approval.”

Initially filed in November 2016, the complaint alleged that NetSpend targets the “unbanked” or “underbanked,” as well as low-income and Spanish-speaking consumers, and deceptively represents that NetSpend cards will be ready for use immediately without any approval process.  The complaint suggests that because, “in all cases consumers must contact NetSpend and provide personal identification information to activate the card” (e.g., name, address, birthday and SSN), the claims of “immediate access” are misleading and create false expectations for consumers.  The complaint further alleges that NetSpend did not always activate consumer accounts even though consumers sent the requested information and that NetSpend placed blocks on card accounts and made it difficult for consumers to resolve the blocks through poor customer service.

In a dissenting statement, Acting Chair Ohlhausen raised two primary objections.  First, Ohlhausen argues that the majority fails to consider the phrase “immediate access” in context, which describes the benefits of NetSpend cards as a direct deposit vehicle that could provide access to funds quicker than other forms of deposits.  Ohlhausen reasons that, when considered in context, consumers would understand the claim “immediate access” to mean access to funds on the date when the payer made funds available for transfer to the account, not necessarily the day the consumer opens the account.  Second, Ohlhausen asserts that, even assuming the claims were deceptive, the $53 million monetary relief “is not sufficiently related to that claim” because there was insufficient evidence to conclude that consumers abandoned funds because of NetSpend’s allegedly deceptive advertising.

Commissioner McSweeny also issued a statement that responded to the Acting Chair’s arguments, noting that “[t]hese claims were not limited to situations involving direct deposit” and that “[m]any NetSpend card users load funds onto their cards at the time of purchase or otherwise have funds deposited before activation.”   McSweeny also noted that some consumers allegedly never received their funds even after they provided the information requested by NetSpend to verify their identity.

The case is notable both substantively – as one of few cases addressing representations for prepaid access cards, and procedurally – since it could not be entered if the vote took place today given the conflicting views of the two current Commissioners.  (The settlement announcement was delayed because Commissioner McSweeny did not vote to support the settlement until March 8, about a month after then-Commissioner Ramirez had voted in favor of the settlement.)

FTC Highlights Deep-Sixing of FCC Privacy Rules in Bid for 9th Circuit Rehearing


In support of its request for an en banc rehearing of a Ninth Circuit Court of Appeals panel decision in FTC v. AT&T over the jurisdictional boundaries between the Federal Trade Commission’s (FTC) and Federal Communications Commission’s (FCC) authority over phone companies, broadband providers, and other common carriers, the FTC sent a letter to the Court yesterday highlighting the Congressional joint resolution signed into law by President Trump that eliminates the broadband and voice privacy rules in a November 2016 FCC order.

The FTC argues in its letter to the Ninth Circuit that because “the FCC privacy rules never became effective and are now null and void, they cannot mitigate the regulatory gap discussed by the FTC in its petition.”  The FTC suggests that the regulatory gap is unlikely to be filled by the FCC in the future because the Congressional Review Act prevents “reissu[ing] the privacy rules in ‘substantially the same form’ or issu[ing] new rules that are ‘substantially the same’ as the disapproved rule unless such action is authorized by a newly enacted law. 5 U.S.C. § 801(b)(2).”

Whether this argument is likely to help persuade the Ninth Circuit to grant the FTC’s request for an en banc rehearing is unclear.  This filing also follows an op-ed earlier this week by the FTC’s acting Chairman, Maureen Ohlhausen, and FCC Chairman Ajit Pai, stating that the FCC’s prior party-line vote to strip the Federal Trade Commission of its jurisdiction over Internet broadband providers was a mistake, and that the two agencies would work together to “restore the FTC’s authority to police ISP’s privacy practices.”  We will keep you posted on updates.

NAD Gives Bill of Good Health to Dietary Supplement Immunity Claims

The National Advertising Division of the Better Business Bureaus, a self-regulatory body that polices national advertising, recently gave an a-OK to certain dietary supplement immunity claims. The action was initiated under NAD’s partnership with the Council for Responsible Nutrition against dietary supplement maker Olly Public Benefit Corporation.  CRN requested that NAD determine whether Olly had a reasonable basis for the message that its Kids Mighty Immunity product helps support immune health.  In particular, NAD assessed four immunity-related claims made on the product website:

  • “Formulated to help support little immune systems in the biggest way to help keep kids healthy and happy year-round.”
  • “Wellmune. These beta glucans support immune health by helping to promote built-in cellular defense mechanisms.”
  • “Elderberry. Respect your elders – this super food has been used for centuries to support the immune systems.”
  • “Zinc. An essential mineral that helps keep immune cells functioning in tip-top shape.”

In support of its general immunity message, Olly argued that the product is a good or excellent source of vitamins C, D, and zinc and also contains Wellmune beta glucan yeast. The advertiser presented studies and literature explaining the support roles played by vitamin C, vitamin D, and zinc in the immune system.  This evidence indicated that the nutrients – when taken in sufficient doses – “help form a physical and chemical barrier to keep out pathogens, and also support specialized adaptive immune system cells that work as part of the body’s natural processes to eliminate pathogens.”  NAD found that this data was sufficient, and Olly did not need to present a clinical study on its product, because the context of the webpage and the product packaging conveyed the message that these claims were based on the supplement’s individual ingredients and not testing of the final product.

In addition, Olly provided evidence in both adults and children demonstrating that, after oral digestion, Wellmune is bioavailable and binds to immune cells. NAD found this was a reasonable basis for the Wellmune claim.  Likewise, NAD found that the elderberry claim, supported by historical accounts citing elderberry for immune support, was sufficiently limited.

Importantly, NAD appreciated that the advertiser did not make any express or implied claims regarding the common cold or other illnesses and avoided imagery that implied cold prevention or cure, such as depictions of sick children, worried parents, or visits with health care professionals. It noted that evidence presented in other NAD proceedings failed to show a relationship between regular vitamin C supplementation and the reduction in the incidence of colds.

We have seen other examples of cases where immunity claims for foods and dietary supplements have been problematic for companies. However, as shown in this NAD matter, it is possible to effectively tailor claims to the available evidence so that they withstand regulatory scrutiny.

Congress Repeals FCC 2016 Privacy Order via Congressional Review Act

On April 3, 2017, President Trump signed into law a Congressional joint resolution eliminating new broadband and voice privacy rules set forth in a November 2016 order (the 2016 Privacy Order) by the Federal Communications Commission (FCC) (the Joint Resolution).  Members of Congress largely voted along partisan lines. The House approved the Joint Resolution by a 215-205 vote and the Senate approved it by a 50-48 vote.

The repeal occurred via Congressional Review Act (CRA) procedures, which enable Congress to rescind recently adopted agency rules.  The Joint Resolution will have a modest impact on the status quo with respect to both broadband Internet access service (BIAS) providers and traditional voice providers, since few of the new rules in the 2016 Privacy Order had gone into effect when the Joint Resolution was passed into law.  However, a less aggressive privacy posture at the FCC is likely to have ripple effects on privacy enforcement at both the federal and state level, as the Federal Trade Commission (FTC) and state attorneys general may attempt to step in to fill the gap, despite potential jurisdictional challenges.  Moreover, unless and until the FCC finds otherwise, Section 201(b) (bars unjust and unreasonable practices) and Section 222 (requirements applicable to broadband are unclear) still apply to BIAS.  As a result, BIAS providers and voice carriers should maintain reasonable privacy and data security policies and procedures to mitigate risks of enforcement intended to mind the gap in some way.

Our client advisory, available here, provides an overview of the repealed order, the CRA, and the steps providers should take to protect themselves during this period of uncertainty.

V-I-C-T-O-R-Y for the Fashion Industry: SCOTUS Establishes Uniform Test for Protection of Artistic Works Applied to Apparel

The overall design (such as the shape and cut) of a garment, bag or shoe is not protectable under current U.S. Copyright law because such items are considered “useful articles.” However, Section 101 of the Copyright Act provides protection for the “pictorial, graphic or sculptural features [of a useful article] that can be identified separately from, and are capable of existing independently of, the utilitarian aspects of the [useful] article.”[1]

In the fashion world, this provision of the Copyright Act allows companies to protect original pictorial, graphic or sculptural features that are applied to garments, bags and other accessories.  Examples include: fabric designs like a floral pattern; graphic art like an artistic rendition of a snake or tiger; and sculptural 3-D hardware adornments like belt buckles or buttons.  Copyright protection only covers the artwork itself, not the overall configuration of the garment or other product to which it is applied.[2]

For decades, courts and commentators have struggled to fashion a suitable test to determine when a pictorial, graphic or sculptural feature of a useful article (such as a garment) is protectable under § 101 of the U.S. Copyright Act.  On March 22, 2017, in a 6-2 decision written by Justice Thomas, the Supreme Court provided long-awaited clarification.  Much to the relief of the fashion industry, the Court adopted a test that preserves copyright protection for applied art to apparel and fashion accessories.


Court Dismisses Website Accessibility Suit Over Lack of Connection to Store

As we noted earlier this week, a handful of law firms have filed hundreds of lawsuits – and sent many hundreds of letters threatening lawsuits – over website accessibility issues. This has been a lucrative business for these firms. Many of these suits and letters are essentially cut-and-paste jobs, and the recipients often decide to quickly settle, rather than face the uncertainties and costs of litigation. But a new decision in Florida may give defendants something to think about.

A plaintiff filed a lawsuit against Bang and Olufsen in Florida, alleging that the retailer violated the ADA because its website is not compatible with screen reader software. The sole issue before the court was whether the website was a place of public accommodation, subject to the ADA.

The court concluded that “a website that is wholly unconnected to a physical location is generally not a place of public accommodation under the ADA.” In order to survive a motion to dismiss, a plaintiff must generally establish that there is some nexus between a website and a physical location, and demonstrate that the website’s inaccessibility impedes his access to that location.

Importantly, the court held that the “ADA does not require places of public accommodations to create full-service websites for disabled persons. In fact, the ADA does not require a place of public accommodation to have a website at all. All the ADA requires is that, if a retailer chooses to have a website, the website cannot impede a disabled person’s full use and enjoyment of the brick-and-mortar store.”

As we noted in our previous post, it’s too early to predict how this decision will affect the wave of lawsuits in this area. Other courts have come to different conclusions on this issue, so a company’s chances of winning with this type of argument may depend on where the suit is filed. But this case may still be welcome precedent for companies thinking about litigating one of these cases.

For more information, you can attend our webinar on March 30.

Court Relies on Due Process Argument to Dismiss Website Accessibility Suit

Over the past few years, a handful of law firms have filed hundreds of lawsuits – and sent many hundreds of letters threatening lawsuits – over website accessibility issues. This has been a lucrative business for these firms. Many of these suits and letters are essentially cut-and-paste jobs, and the recipients often decide to quickly settle, rather than face the uncertainties and costs of litigation. But a new decision in California may give defendants something to think about.

Last year, a plaintiff filed a lawsuit against Domino’s complaining that he could not order pizza from the company’s website using his screen reader. Domino’s argued that websites are not places of public accommodation under the ADA, but the court didn’t agree. Nevertheless, Domino’s argued that the court should dismiss or stay the action because the Department of Justice has not promulgated concrete guidance regarding the accessibility standards.

As we’ve noted before, the DOJ issued a Notice of Proposed Rulemaking in 2010 regarding regulations on website accessibility. In the Notice, the DOJ acknowledged that “clear guidance on what is required under the ADA does not exist.” Domino’s argued that, in the absence of clear guidance, the plaintiff’s “request to impose liability under the ADA for Defendant’s alleged failure to abide by certain accessibility standards would violate Defendant’s constitutional right to due process.” The court agreed, and dismissed the action without prejudice.

Although the DOJ has issued several “Statements of Interest” and has entered into settlements obligating companies to abide by certain standards, the court held that those statements and settlements still do not provide companies with concrete guidance regarding their requirements. Moreover, the Statements of Interest “even suggest that Domino’s provision of a telephone number for disabled customers satisfies its obligations under the ADA.”

It’s too early to predict how this decision will affect the wave of lawsuits in this area, but the decision does suggest at least two things. First, if your company’s site isn’t fully compatible with a screen reader, you should at least consider an alternate method – such as a toll-free telephone number – through which you can enable people with visual impairments to enjoy the benefits of what is on your website. Second, if you are considering fighting a threatened lawsuit, you may want to consider a due process argument.

For more information, you can attend our webinar on March 30.

Oregon Attorney General Announces $545,000 Settlement with Retailer


The Oregon AG recently announced a $545,000 settlement with the Vitamin Shoppe over allegations that the store violated Oregon state law by selling dietary supplements containing ingredients that FDA has deemed unsafe or unlawful. The new settlement agreement places significant burdens on the Vitamin Shoppe to monitor developments on ingredient status. The burdens are the same regardless of whether the Vitamin Shoppe sells a product under one of its own brands – or if it sells a product that was manufactured, labeled, and sold to it by a third party vendor.

Under the terms of the agreement, if the Vitamin Shoppe “receives or learns of” a “written notice” from FDA that an ingredient may be unsafe or unlawful, it must “take immediate action to suspend the sale of such products or products known to contain the ingredients.” If the Vitamin Shoppe becomes aware of any other “public announcement, warning, alert, publication, notice, or report” suggesting that the U.S. government, Australia, Canada, Britain, or the EU might consider a dietary ingredient unsafe or unlawful under the FDCA, then the Vitamin Shoppe must conduct a “reasonable due diligence review,” which may result in a decision not to sell any products containing the ingredient.

This settlement is notable for at least two reasons:

  1. It identifies FDA warning letters sent to the Vitamin Shoppe or anyone else as “written notice” that FDA has deemed an ingredient unsafe or unlawful.  Warning letters, however, state only allegations and are not considered “guidance” under FDA’s rule on “good guidance practices.”  Well after a warning letter is issued, the lawfulness of a particular dietary ingredient can be the subject of much ongoing debate, and even the FDA’s official guidance document on ingredient status remains in flux after years of debate.
  2. The settlement represents an aggressive stance by Oregon on a retailer’s liability for product formulation and labeling by third parties.  As we’ve discussed before, there isn’t a whole lot of precedent for regulators going after the retailer, rather than the product seller.

The Oregon Attorney General is currently in litigation against another retailer over similar allegations related to the legal status and safety of a dietary ingredient.

Kelley Drye Ad Law publishes News & Views: Dietary Supplement Advertising, which covers developments ranging from FTC and FDA regulation, class actions, Customs developments, and Prop 65. Subscribe to future issues by filling out your information and checking the Dietary Supplements Practice Group box here.

New Mexico Set to Become 48th State To Enact Data Breach and Safeguards Law


Last week, the New Mexico Legislature passed The Data Breach Notification Act (“Act”). Once the Act is signed by Governor Susana Martinez, New Mexico will join 47 other U.S. states (along with D.C., Guam, Puerto Rico, and the Virgin Islands) that have enacted a data breach notification law, leaving South Dakota and Alabama as the two hold-out states without a breach notification law.

In most material respects, this legislation tracks the common provisions of other states’ breach notification laws.  A few notable points:  notification of a data breach would be required, within 45 days of discovery, to New Mexico residents if their personal information is breached. Personal information is defined as an individual’s first name or first initial and last name, in combination with their social security number, driver’s license number, government issued identification number, unique biometric data, or financial account information and the required access code/password. If more than 1,000 residents are affected, the data holder must also notify the New Mexico Office of the Attorney General within this same timeframe. Notice is not required if the data holder determines the breach does not give rise to a significant risk of identity theft or fraud.  The law provides for civil penalties for knowing or reckless violations.

Other notable provisions:

  • Disposal of Records Containing PII Requirement. Data holders must arrange for secure disposal of records containing personal identifying information (“PII”) when records are no longer needed for business purposes.
  • Security Measures for Storage of PII Requirement. Data holders must implement and maintain reasonable security procedures and practices to protect PII from unauthorized access, destruction, use, modification or disclosure.
  • Service Provider Security Measures Agreed to by Contract Requirement.  Service provider data processing contracts concerning PII must have provisions requiring service providers to:
    • implement and maintain reasonable security procedures and practices and
    • protect PII from unauthorized access, destruction, use, modification or disclosure.

The legislation exempts data holders subject to the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act.