Subscription plans that automatically renew at the end of a term are becoming more popular with companies. They’re also getting more scrutiny from regulators. As we’ve posted before, some states regulate how these plans can be structured, and there have been both lawsuits and regulatory investigations targeting companies that have failed to comply. This week, Washington, DC joined the crowd by enacting a new law governing automatic renewals.

The law requires businesses that sell goods and services on a recurring basis to clearly and conspicuously disclose their automatic renewal provisions and cancelation procedures in their contracts. In addition, if a contract has an initial term of at least 12 months and will automatically renew for a term of at least one month, a business must take steps to notify consumers before renewal. This must be done by mail, e-mail, text message, or in-app notification. (For text messages, don’t forget the TCPA.) The reminder must be sent at least 30 – but no more than 60 – days before the deadline to cancel.

Businesses that offer free trials of at least one month that automatically renew must receive a consumer’s affirmative consent to sign up for the automatic renewal program one to seven days before the expiration of the free trial term.

Subject to narrow exceptions, violations of the law will constitute violations of the DC Consumer Protection Procedures Act and render the automatic renewal provision void.

The 2018 Farm Bill legalized cultivation and processing of industrial hemp and various by-products.  One hemp-based derivative of considerable interest to manufacturers of personal care products, dietary supplements, cosmetics, and OTC drugs is cannabidiol (“CBD”).  As industry races to commercialize and advertise CBD, it’s important to understand the regulatory hurdles that remain.  Ad law partner Kristi Wolff addresses several common misunderstandings in an article recently published online in Nutritional Outlook.

Earlier this week, the Direct Selling Self-Regulatory Council (DS-SRC) opened its doors for business. Its objective is to provide independent, impartial, and comprehensive monitoring of direct selling companies on an industry-wide basis, address income misrepresentations (including unsubstantiated lifestyle claims) and false product claims by companies and salesforce members, and enhance the reputation of direct selling.

The DS-SRC will be administered by the Advertising Self-Regulatory Council (ASRC), which operates under the Council of Better Business Bureaus. This should help the new self-regulatory body achieve its goals, considering the great success of ASRC and the programs it currently administers, including the National Advertising Division (NAD), Children’s Advertising Review Unit (CARU), National Advertising Review Board (NARB), Electronic Retailing Self-Regulation Program (ERSP) and Online Interest-Based Advertising Accountability Program (Accountability Program).

Peter Marinello, Vice President of CBBB, will serve as Executive Director of the DS-SRC, and will oversee the program and its staff.  Additional staffing will include a senior legal analyst, and a staff attorney. DS-SRC may utilize monitoring services at its discretion, and in consultation with the Direct Selling Association (DSA).

DS-SRC will have jurisdiction over the following:

  • Independent monitoring of the direct selling marketplace;
  • Matters referred by the DSA Code Administrator based on a pattern and practice of complaints identified, or pursuant to media reports, or matters identified by consumers;
  • Matters raised by competitor challenges;
  • Inquiries received from distributors, customers and other users of direct selling companies’ products or services; and
  • Complaints from Better Business Bureaus directed to DS-SRC.

DS-SRC’s legal standards will be rooted in case decisions, FTC guidance, self-regulatory decisions of the National Advertising Division and the Electronic Retailing Self-Regulation Program, the DSA Code of Ethics, and the BBB Code of Advertising.

DS-SRC’s independent monitoring will allow for the review of relevant promotional content created by direct selling companies and their salesforces, including websites and social media.  Any problematic content will be identified, and companies will be provided an opportunity to address the issues.

When a matter is referred by the DSA Code Administrator, pursuant to media reports, or inquiries, DS-SRC will identify content of concern, and the company will be given an opportunity to address these concerns within 15 business days.  In the event that substantiation is not sufficient, DS-SRC may request additional information or recommend corrective measures or remedial instruction to the salesforce.  It will also issue a case report with a summary of issues.

With respect to competitor challenges, DS-SRC will allow companies to challenge the income representations and/or product claims of competitor companies, with a submission addressing the content with a reasonable level of specificity.  A company will also be given the opportunity to address content, and the DS-SRC will issue a decision which will then be reported publicly (so long as it has not been appealed).    DS-SRC reserves the right to not hear a case if the complaint is overly broad, if a party publicizes the case while pending, if the matter is the subject of litigation, or if the content has been withdrawn.

Companies that do not agree to implement corrective measures, ignore the inquiry, or do not participate, may be referred to the appropriate government agency, most likely the Federal Trade Commission.

DS-SRC will issue case decisions within 30 days of the last document received, prepare a case decision, and invite the company to provide a responsive statement.  Should the DS-SRC find that the content at issue is not adequately substantiated, the company will have to submit a response indicating whether it (1) agrees to comply with DS-SRC’s recommendations; (2) will not comply with DS-SRC’s recommendations; or (3) will appeal all or part of DS-SRC’s decision.

Once a case decision has been made, it will be published in Case Reports.  The decision will include a summary of the content at issue, a summary of each party’s position, and the ultimate resolution (including whether a party complied or was unresponsive).

The formation of the DS-SRC responds directly to statements made by FTC commissioners, bureau directors, and senior staff over the years, and should be viewed as a very positive step for an industry that is frequently the subject of regulatory attention.  Expect greater self-regulatory focus on income misrepresentations and lavish lifestyle claims in the months ahead, with the objective of promoting truthful and accurate advertising among direct selling companies and, in turn, raising the credibility of the industry.

43 State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer credit card data at 77 Neiman Marcus stores nationwide. The data breach, discovered in 2014, resulted in access to over 370,000 Neiman Marcus credit cards, at least 9,200 of which the states alleged were used fraudulently.

In addition to a monetary settlement of $1.5 million, Neiman Marcus has agreed to implement a number of security-related injunctive terms, including:

  • Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
  • Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
  • Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
  • Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
  • Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company’s business; and
  • Devaluing payment card information, using technologies like encryption and tokenization, to obscure payment card data.

Neiman Marcus must also obtain an information security assessment and report from a qualified third-party professional and detail any corrective actions that it takes. The full settlement report is available here.

This settlement follows another multistate resolution with Adobe (here), highlighting the interest and monitoring by State Attorneys General on companies’ data security programs and steps taken to prevent, detect, and remediate data breaches. This most recent case is a good reminder to take steps to make sure you have an appropriate data security program in place, and that your records meaningfully reflect the comprehensive steps taken to address cyber incidents that may arise.

The Federal Trade Commission has long supported advertising industry self-regulation as a means of promoting truthfulness and accuracy in advertising. One of the key aspects of this success has been the threat of referral to the FTC: Advertisers that refuse to participate in the self-regulatory process or refuse to comply with recommendations after participating are referred to the appropriate government entity, usually the FTC’s Division of Advertising Practices, which will review the claims at issue. Over the years, the specter of a National Advertising Division referral to the FTC has prompted most advertisers to participate in the self-regulatory process and comply with the final decision.

Law360 published the article “NAD Referrals To FTC: How Big Is That Stick?,” co-authored by partner John Villafranco and senior associate Donnelly McDowell.  The article provides an analysis of recent NAD cases that suggests referrals to the FTC are on the rise over the past two years and discusses advertiser commitment to the self-regulatory process. Are advertisers turning their back on self-regulation and rolling the dice at the FTC? And are they doing so based on an assessment of the risk that a referral could result in a major FTC investigation or enforcement action?

To read the article, please click here.

While many today returned to work after the Holiday season, things remained quieter than usual here in the nation’s capital – with many federal workers furloughed until further notice as the federal government continues to be in a partial shutdown.  President Trump is reportedly meeting with congressional leaders today ahead of Thursday’s start to a new congressional session but, at least for now, there’s no immediate end to the shutdown in sight.

Here’s how the shutdown is affecting federal agencies responsible for overseeing and enforcing advertising and privacy laws:

  • The FTC closed as of midnight December 28, 2018.  All events are postponed and website information and social media will not be updated until further notice.  While some FTC online services are available, others are not.  More information here.
  • The CPSC is also closed, although a December 18, 2018 CPSC memorandum summarizing shutdown procedures indicates that certain employees “necessary to protect against imminent threats to human safety” will be excepted employees and continue work during the shutdown.  The CPSC consumer hotline also continues to operate. Companies should remember that obligations to report potential safety hazards are not furloughed, so the mantra of “when in doubt, report” still applies, even if public announcement of a recall may be delayed.
  • Roughly 40% of FDA is furloughed according to numbers released by its parent agency, the Department of Health and Human Services.  In a post on its website, the agency explained that it will be continuing vital activities, to the extent permitted by law, including monitoring for and responding to public health issues related to the food and medical product supply.  The agency is also continuing work on activities funded by carryover user fee balances, although it is unable to accept any regulatory submissions for FY 2019 that require a fee payment.
  • Because the CFPB is funded through the Federal Reserve and not Congress, it remains in operation.

California Attorney General Xavier Becerra announced yesterday that the California Department of Justice will hold a series of six public forums on the California Consumer Privacy Act (CCPA).  The hearings will take place during January and February of this year and will give the public an initial opportunity to comment on the requirements set forth by the CCPA and the regulations the Attorney General must adopt on or before July 1, 2020.

The CCPA was passed in June of this year, and gives California residents specific privacy rights related to their online activities. Starting January 1, 2020, businesses will be required to comply with a number of provisions including requirements to disclose data collection and sharing practices to consumers, grant consumers a right to request deletion of their data, grant consumers a right to opt out of the sale of their personal information, and a prohibition on selling personal information of consumers under the age of 16 without explicit consent.

The CCPA requires the Attorney General to “solicit broad public participation” and adopt regulations regarding issues such as the definition of personal information, considering changes in technology and data collection practices, procedures for how a consumer can submit a request to opt out of the sale of his or her personal information, and procedures for businesses to determine whether a consumer’s request for information is verifiable.

The Attorney General’s announcement is particularly important because CCPA enforcement will not begin until six months after the promulgation of these regulations, or July 1, 2020, whichever is sooner.  These public forums indicate that Attorney General Becerra’s office is taking steps to adopt these rules, meaning CCPA enforcement may come sooner rather than later.

These hearings will serve as the first public forum in which businesses and members of the public can voice their thoughts or concerns about the required regulations. Members of the public who would like to speak at the forums can, but are not required to, register online. Comments may also be submitted via mail or email. A full schedule of the forums can be found here.

Kelley Drye is happy to assist if your business is considering whether to submit comments concerning the CCPA regulations or enforcement.  These forums present a critical opportunity for any stakeholder interested in California privacy law and enforcement to have their voices heard.  For more information on the CCPA and how it may affect your business, please visit our past blog posts here and here.

Last week, Gonzalo wrote about the letter Truth in Advertising sent to the FTC, urging the Commission to investigate Diageo’s use of influencers to market Ciroc vodka on Instagram. We also learned last week that the Humane Society sent a similar letter to the FTC requesting that the Commission initiate an investigation of Pilgrim’s Pride for its treatment of chickens.  These complaints got us thinking – how often are third parties successful in instigating regulatory activity?

Of course, without knowing the facts, it is impossible to know whether the complaint allegations have merit.  We do know, however, that many similar complaints have been filed asking the FTC to look into a company’s practices.  For example, with regard to the subject of animal welfare, we have seen complaints that include allegations of deceptive advertising relating to puppy sellers and pork producers. Similar claims have also been filed by PETA (example here) and Mercy for Animals (example here). These complaints have not usually led to litigation or negotiated consent orders.

That is not to say that these complaints do not result in some action. For example, last year, after four consumer groups urged the FTC to investigate and bring enforcement actions regarding the use of influencers on Instagram, the FTC sent more than 90 letters to companies and influencers, reminding the recipients of their legal obligations. And in 2016, after HSUS urged the FTC to take action against companies claiming “faux fur” (example here), the FTC released a blog post warning consumers about the risks (details here).

Even without FTC action, complaints themselves may have an effect on the company involved. As another example, in 2013, Tyson Foods announced a commitment to the humane treatment of animals and formed an independent advisory panel to help them pursue this mission after the Humane Society and the Animal Legal Defense Fund both filed FTC complaints against them. Full story here.

Also, in the area of dietary supplement advertising, the FTC has maintained a strong interest in the crackdown against false advertising of health claims, and they have taken action when urged to do so by third parties.  CSPI filed a complaint asking for the FTC and FDA to file claims against dietary supplements holding themselves out as opioid withdrawal aids and were successful in getting the action pursued (here).

So, while third party complaints don’t always (or even usually) lead to formal enforcement action, they do often result in action.

Defendants have had a nice run recently in winning pleading-stage dismissal of “reasonable consumer” false advertising cases.  That run came to an end yesterday, however, when the Second Circuit Court of Appeals in New York reversed the dismissal of claims regarding Kellogg’s “Cheez-It” crackers.  The front of the “Cheez-It” package prominently describes the crackers as “Whole Grain,” but as a quick look at the Nutrition Facts panel on the side label would confirm, the crackers’ main ingredient is enriched white flour, not whole grain.

New York, California, and numerous other states apply a “reasonable consumer” test to false advertising claims.  The test is meant to be objective, with courts asking whether an advertisement would mislead an objectively reasonable consumer, not whether the actual plaintiff was or was not misled.  Federal courts regularly, and rightly, dismiss false advertising claims at the pleading stage where, as one court put it in a “slack fill” case involving an over-the-counter pain reliever, “the[] failure to read an unambiguous tablet count does not pass the proverbial laugh test.”

Courts have been much less likely to see the humor, though, in cases where a food package includes statements that plaintiffs contend are affirmatively misleading.  In yesterday’s case of Mantikas v. Kellogg Co., the Second Circuit agreed with the plaintiffs, at least at the pleading stage.  In the Court’s view, “the large, bold-faced claims of ‘WHOLE GRAIN’” on the front of the package could be construed as “misleading because they falsely imply that the grain content is entirely or at least predominantly whole grain.”  Quoting an oft-cited Ninth Circuit case, the Court wrote that the Nutrition Facts panel did not “cure[] the deceptive quality of the ‘WHOLE GRAIN’ claims” because “reasonable consumers should not be expected to look beyond misleading representations on the front of the box to discover the truth from the ingredient list in small print on the side of the box.”

The main good news in this bad outcome for the defendant is that the Second Circuit reiterated another core principle in cases like this:  When ruling on an advertising claim, courts must “consider the challenged advertisements as a whole, including disclaimers and qualifying language.”  Plaintiffs, in other words, cannot just include snippets of a package in their complaint and hope to avoid judicial scrutiny of the entire package at the pleading stage.

A second good sign is that the Second Circuit distinguished—and thus impliedly blessed—other district court decisions dismissing similar claims on “reasonable consumer” grounds.  In one case the Court examined, for example, the plaintiffs claimed to have believed that crackers advertised as “made with real vegetables” contained a larger amount of vegetables than they actually did.  The district court in that other case thought reasonable consumers know “the fact of life that a cracker is not composed of primarily fresh vegetables.”  In the Cheez-It case, by contrast, reasonable consumers “understand that crackers are typically made predominantly of grain” and “look to the bold assertions on the packaging to discern what type of grain.”  The case survived, therefore, only because the alleged affirmative misrepresentation went to a central and material fact about the food product’s nature.

Because of these limitations, the Second Circuit’s decision should not be viewed as anything other than the reaffirmation of an established principle:  Food product manufacturers cannot expect to win dismissal of a false advertising case at the pleading stage by claiming that an accurate ingredient label cures an affirmatively misleading material statement on the front of a package.  If, by contrast, a plaintiff’s purported read of an advertisement is objectively unreasonable, courts still can and should examine the entire package and dismiss claims that fail the “laugh test.”

Earlier this week, Truth in Advertising (or “TINA.org”) sent a letter to the FTC urging the Commission to investigate Diageo’s use of influencers to market Ciroc vodka on Instagram. According to the letter, TINA.org collected more than 1,700 Instagram posts across 50 different influencers — including Ciroc brand manager and CMO Sean “Diddy” Combs — in which the influencers allegedly failed to disclose their connection to the company in a clear and conspicuous manner.

This is not the first time that consumer groups have pushed the FTC to investigate influencer campaigns. And if this is like any of the previous pushes, it’s likely that some of the posts don’t actually violate the law. For example, some groups have misstated the legal requirements in this area and have identified posts that didn’t violate the law. That led the FTC to send warning letters to individuals who actually had no connections to the brands mentioned in their posts. Nevertheless, there are various examples in this letter that may be problematic and potential targets for enforcement.

Apart from the endorsement issues, the letter goes on to describe other problems with the content of the posts, including “kids in Ciroc ads, Ciroc-fueled misogynistic ads, a recipe for cannabis-infused strawberry lemonade with Ciroc, and even a booze-drinking Santa who needs to spread the ‘liquid love.’” (There is also an image of a toddler holding a baby bottle of Ciroc.) To make matters worse, the influencers did not use age-gating features, so that minors were able to view the ads. As TINA.org points out, these practices are likely to violate the Distilled Spirits Council’s Code of Responsible Practices for alcohol ads.

TINA.org has asked the FTC to investigate Diageo and to take appropriate enforcement action.

It’s too early to tell what will happen here, but it will be interesting to see how the FTC reacts. Although companies that market age-restricted items should pay particular attention, this action holds lessons for any company that works with influencers. If you haven’t evaluated how your company manages influencer campaigns recently, now may be a good time to do that.