Imagine you are perusing the coffee aisle in the grocery store and see a product described as “freshly ground,” “100% Arabica Coffee,” “Hazelnut Crème,” “Medium Bodied,” and “Rich, Nutty Flavor.”  Would you think that the coffee contains hazelnuts?  Should consumers be expected to consult the ingredient list to clarify any confusion?  And what exactly is “Hazelnut Crème?”

The First Circuit addressed these issues in Dumont v. Reily Foods Co., in which a split panel concluded that a reasonable consumer could be deceived into thinking that the product contained hazelnuts when, in actuality, it contained only naturally and artificially flavored coffee.  The court reversed the District of Massachusetts’ dismissal of the plaintiff’s Massachusetts General Law Chapter 93A claim, and permitted the case to proceed into discovery.

Judge William J. Kayatta Jr., writing for the majority, explained that while some reasonable consumers might be motivated to consult the ingredient label on the reverse side of the package, others might “find in the product name sufficient assurance so as to see no need to search the fine print on the back of the package, much like one might easily buy a hazelnut cake without studying the ingredients list to confirm that the cake actually contains some hazelnut.”  As support for this, Judge Kayatta noted that the plaintiff’s complaint set forth that the industry practice—in large part due to federal labeling requirements—is to state on the front of a package containing a product that is nut flavored (but that contains no nuts) that the product is naturally or artificially flavored.

The majority also found ambiguity in the phrase “Hazelnut Crème,” with one judge believing that “‘crème’ was a fancy word for cream, with Hazelnut Crème being akin, for example, to hazelnut butter.”

Finally, the majority held that the plaintiff’s state-law consumer fraud claim was not preempted by the Federal Food, Drug, and Cosmetic Act (“FDCA”), which imposes specific labeling requirements for the coffee product at issue.  The court ruled that such a claim must fit within a “narrow gap” to avoid preemption:  the plaintiff must be suing for conduct that actually violates the FDCA (otherwise the claim would be expressly preempted by the FDCA), but the plaintiff must not be suing because the conduct violates the FDCA (which would be implicitly preempted).  Because the complaint sought “to vindicate the separate and independent right to be free from deceptive and unfair conduct” separate and apart from any alleged FDCA violations, the chapter 93A claim was not preempted.

Former Chief Judge Sandra L. Lynch dissented, reasoning that the package as a whole undermined any reasonable belief that the coffee actually contained hazelnuts:  “the front label plainly states that the package contains ‘100% Arabica Coffee.’  It does not say it contains anything other than coffee.  The package here did not contain any misstatement of its contents, did not feature any pictures or illustrations of hazelnuts, and did not have any error in the ingredient list.”

Judge Lynch then addressed the phrase “Hazelnut Crème,” differentiating between the definition of cream—the oily or butyraceous part of milk—and that of crème—a “‘cream or cream sauce as used in cookery’ or ‘a sweet liqueur.’”  In her opinion, “[i]n the context of a package of ground, dry coffee, . . . the two words, ‘Hazelnut Crème,’ together plainly state the flavoring of the coffee.”  Judge Lynch similarly rejected the majority’s analogy to a hazelnut cake which, presumably, contains multiple ingredients and could very well contain hazelnuts.  In contrast, she noted that reasonable consumers would not approach a package of ground coffee in the same manner, especially one that was prominently labeled as “100% Arabica Coffee.”  Judge Lynch concluded that any consumer who was confused by the label, or specifically concerned with the presence of hazelnuts, could simply consult the ingredient label on the reverse side of the package to confirm the absence of hazelnuts.

While the majority found the case to present a close question for the very reasons set forth in Judge Lynch’s dissent, it ruled that the complaint stated a plausible claim for relief and reversed the lower court’s grant of the defendants’ motion to dismiss.

The First Circuit’s analysis resembles a recent Second Circuit decision involving Cheez-It crackers labeled as “WHOLE GRAIN” or “Made With WHOLE GRAIN” when the predominant ingredient was enriched white flour.  In Mantikas v. Kellogg Co., the Second Circuit concluded that while the product did, indeed, contain some whole grains, a reasonable consumer could be misled into believing that it was the predominant ingredient in the crackers.

While Dumont did not cite the Second Circuit’s opinion, it is based on the same premise that reasonable consumers should not be expected to consult an ingredient list to correct allegedly misleading information on the front label.  Judge Lynch’s dissent, however, cautioned that permitting “meritless labeling litigation” like this one to continue beyond the pleadings stage “will have the effect of driving up prices for consumers” and cause an entirely different type of “harm to the consumer.”  For now, the Dumont decision marks another plaintiff-friendly outcome sure to be relied on by class action plaintiffs in the First Circuit and elsewhere.

Effective January 1, 2020, New Hampshire’s new Insurance Data Security Law will impose certain information security requirements on entities that (1) are licensed under the state’s insurance laws and (2) handle “nonpublic information.” “Nonpublic information” is defined as information that is not publicly available and falls into one of the two following categories:

  1. Information that because of name, number, personal mark, or other identifier could identify a consumer when combined with the consumer’s Social Security number, driver’s license number, financial account number, credit or debit card number, security code or PIN that would permit access to the consumer’s financial account, or biometric records.
  2. Information or data, except age or gender, that can be used to identify a particular consumer and that relates to the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer’s family; the provision of health care to any consumer; or payment for the provision of health care to any consumer.

The law will require that licensees:

  • Conduct a Risk Assessment: Conduct risk assessments that identify and mitigate “reasonably foreseeable” internal or external threats to the business and its nonpublic information, including nonpublic information accessible to or held by third-party service providers.
  • Implement an Information Security Program: Use the results of the risk assessment to create an information security program. The program must be managed by the board and detail the licensee’s plan for responding to cybersecurity events (an event “resulting in the unauthorized access to, disruption or misuse of, an information system or nonpublic information stored” on an information system).
  • Respond to Cybersecurity Events: Conduct a “prompt investigation” of all cybersecurity events and, in most circumstances, notify the Insurance Commissioner, within three business days, of any cybersecurity event that has a “reasonable likelihood” of materially harming a New Hampshire consumer or any material part of the licensee’s normal business operations. This notice must include specific information, including a copy of the licensee’s privacy policy.

The law includes a limited safe harbor for companies that are in compliance with HIPAA if the licensees have established and maintained HIPAA-required privacy, security, and data breach notification programs and procedures to protect both “protected health information,” as defined by HIPAA, and any other nonpublic information. The companies must submit written statements indicating that they (1) are HIPAA-compliant; and (2) protect any other nonpublic information in the same way that they do protected health information. These companies are still required to comply with the Insurance Data Security Law’s cybersecurity event notification requirements.

The law provides for additional limited exemptions for companies complying with other laws, including the New York Cybersecurity Regulation.

Licensees have one year from the effective date to comply with the risk assessment and information security program requirements, and two years from the effective date to ensure that third-party service providers are implementing appropriate security measures.

We recommend that companies take steps now to assess the applicability of the statute and determine how to best integrate its requirements into existing business practices.

Amendments to the California Consumer Privacy Act (CCPA) continued to advance on Monday, as the California legislature returned from its summer recess.  With just five weeks to go until the September 13th deadline for the legislature to pass bills, and fewer than five months until the CCPA is set to take effect, the Senate Appropriations Committee gave the green light to six bills: AB 25, AB 846, AB 1564, AB 1146, AB 874, and AB 1355.  The bills were ordered to a “second reading,” meaning they head to the Senate floor for consideration without a further hearing in the Senate Appropriations Committee.  Two of those bills, AB 874 and AB 1355, will be placed on the Senate’s consent calendar, because they have not been opposed.

The Senate Appropriations Committee also voted to advance AB 1202, the data broker amendment, but placed the bill in the Committee’s suspense file.  This procedural action holds bills that will have a significant fiscal impact on the State of California’s budget for consideration all at once to ensure that fiscal impacts are considered as a whole.

Here’s the full list of amendments as of August 12, 2019:

Ordered to Second Reading in the California Senate

  • EMPLOYEE EXEMPTION: Assembly Bill 25 changes the CCPA so that the law does not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors.
  • LOYALTY PROGRAMS: Assembly Bill 846 provides certainty to businesses that certain prohibitions in the CCPA would not apply to loyalty or rewards programs.
  • CONSUMER REQUEST FOR DISCLOSURE METHODS: Assembly Bill 1564 requires businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number.  A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting CCPA requests.
  • VEHICLE WARRANTIES & RECALLS: Assembly Bill 1146 exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
  • PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The bill also seeks to amend the definition of “personal information” to exclude deidentified or aggregate consumer information.
  • CLARIFYING AMENDMENTS: Assembly Bill 1355 exempts deidentified or aggregate consumer information from the definition of personal information, among other clarifying amendments.

Placed on Suspense File of the Senate Committee on Appropriations

  • DATA BROKER REGISTRATION: Assembly Bill 1202 requires data brokers to register with the California Attorney General.

CBD marketers can learn something from the food industry.  And it has nothing to do with the regulatory morass around whether CBD can be legally added to foods.  It’s about managing the risk of consumer false advertising litigation.  Lawsuits filed in California and New York help illustrate what kinds of cases are already being brought and suggest that broader food and beverage litigation trends are likely to be instructive.

In Horn v. Medical Marijuana, Inc., plaintiffs, a truck driver and his wife, purchased and consumed a hemp-based cannabidiol (CBD) oil manufactured and distributed by defendants.  Plaintiffs claimed that the CBD oil product caused the truck driver to fail a drug test administered by his employer, which in turn resulted in him losing his job.  Plaintiffs attempted to recover from defendants on several claims, including false advertising and deceptive business practices.  Plaintiffs relied on four sources of information from defendants: (1) an article in High Times magazine, (2) YouTube videos, (3) the seller’s website, and (4) a call to the seller’s 1-800 number.  The last three sources stated that CBD did not contain THC, and the magazine article stated that the hemp from which the CBD was extracted contained less than 0.3% THC, in accordance with the federal definition of “hemp.”

Under New York law, the “false advertising” and “deceptive business practices” statutes are limited in their territorial reach, and to qualify as a prohibited act under the statutes, the consumer deception must occur in New York.  Interestingly, despite the fact that plaintiffs viewed all of defendants’ sources of information while in New York and the CBD product was shipped to and consumed in New York, the court held that the statutes did not apply because the transaction was out-of-state.  Defendants were not located in New York and no part of the online transaction took place in New York. The case is now on appeal.

In a similar California case, Thurston v. Koi CBD, LLC, plaintiff Thurston purchased CBD vape juices from defendant believing that the products could help treat or mitigate her knee pain.  She also believed she would not fail her employer’s drug test because the products were labeled and promoted as having 0% THC and as being THC FREE.  After using defendant’s products, Thurston was given a random drug test by her employer, which came back positive for cannabinoids, and she lost her job as a result.  On April 8, 2019, Thurston filed a class action lawsuit against defendant claiming violations of the “Unlawful” and “Unfair” prongs of the California State Unfair Competition Law, the California Consumer Legal Remedies Laws, and the Pennsylvania Unfair Trade Practices and Consumer Protection Law.  The case is currently pending in the Superior Court of the State of California for the County of Los Angeles.

The lesson for CBD marketers is this:  Setting aside the employment issues in these cases, the plaintiffs’ bar is likely to scrutinize CBD labels with the same skeptical eye they have taken to the food and beverage industry in recent years.  While we do not know whether the products at issue in these cases were accurately or falsely advertised, it’s fair to say that scrutiny of the advertising claims at issue was foreseeable based on what we’ve seen in the food and beverage space.  Terms such as “free,” “0%,” health claims, “free from”-type claims, and processing claims such as “organic” have been frequent targets in consumer class litigation.  As the CBD industry grows, marketers will want to understand and follow these trends to fully evaluate risk.


If a review site ranks your product as the top in a category, can you advertise that you’re “number 1” in that category? Not necessarily. A recent NAD decision explains why.

A competitor challenged TaxSlayer’s claim that it was “#1 Rated in the Tax Prep Software Category on Trustpilot.” NAD started its decision with a reminder that “a claim that is expressly truthful can still be misleading” if it conveys a message an advertiser can’t support. Here, NAD found that the claim suggested that the “rating was based on a reliable and representative survey of consumers using products across the entire tax preparation software category.”

NAD found that the survey did not meet this standard for a number of reasons. Here are some of the highlights:

  • To support a claim that a product is “number 1” within a category, an advertiser should generally compare itself to at least 85% of the relevant market. There was no evidence to suggest that happened here.
  • Customers who are surveyed should be representative of the broad base of customers who use the product. NAD determined that the survey failed in this regard because Trustpilot collects reviews for programs sold by companies with whom it has a relationship at much higher rates than for those with whom it does not. Indeed, the market leader in tax preparation software – who does not have a relationship with Trustpilot – had only 15 reviews, compared to over 2,500 reviews for TaxSlayer.
  • NAD was not convinced by TaxSlayer’s argument that consumers could simply visit the Trustpilot website to clarify any confusion about the ranking. “If a claim needs to be qualified to prevent it from being misleading, any disclosure should be clear and conspicuous and found within the four corners of the advertising in which the claim appears.” Consumers should not be forced to search for information.
  • Trustpilot lacked various controls that are needed for a reliable survey. For example, Trustpilot could not verify that all reviews were submitted by consumers who actually purchased the products, and it did not have a mechanism to prevent consumers from submitting multiple reviews. Moreover, because Trustpilot used a proprietary system to weight reviews, NAD couldn’t fully evaluate the rankings.

After the challenge was filed, TaxSlayer changed its claim to read that it was “rated #1 in the tax prep software category on Trustpilot among companies with 3,500+ reviews.” Although this was arguably true – indeed, TaxSlayer was the only company with over 3,500 reviews – NAD found the claim to be misleading because consumers will reasonably assume that there is more than one company in that category.

Advertisers should be careful about making comparative claims based on review data from third-party sites. Even if a claim is literally true, it could be deemed misleading if an advertiser can’t prove that the site’s mechanisms for compiling and reporting reviews meet NAD’s high standards.

Last year, we posted that Snapchat’s public relations firm had filed a lawsuit against an influencer who allegedly failed to comply with the terms of his agreement.

According to the agreement, Luka Sabbat was required to make four unique posts, get those posts approved beforehand, send analytics to the firm, and be photographed wearing the Spectacles in public at Paris and Milan Fashion Weeks. In exchange for all of this, PR Consulting agreed to pay $45,000 up front, plus another $15,000 later. According to the complaint, Sabbat did not comply with all of the requirements and refused to return the $45,000.

The case settled this week, with Sabbat agreeing to pay $15,000. Sabbat’s troubles aren’t over, though, because he is facing a separate lawsuit from another company that similarly claims he failed to live up to an agreement.

Streetwear brand Konus entered into a deal with Sabbat in 2017, under which it paid him $30,090 to participate in a photo shoot for its Fall/Winter Look Book, and to post two images on Instagram. Although Sabbat participated in the photoshoot, Konus alleges that he did not post the images on Instagram. The company is seeking $40,000 in damages.

Payment terms are often negotiated in influencer agreements. Influencers obviously want more up-front, while companies prefer the opposite. While the parties usually end up somewhere in the middle, these cases illustrate the risks companies face by paying too much before key milestones have been reached. If the influencer breaches the agreement, it can become difficult to get the money back.

A label contains an accurate net weight of the amount of product inside.  The packaging is clear, allowing consumers to view a pump mechanism common in the cosmetics world.  So, where’s the deception?

According to the Southern District of New York – there is none.  In Critcher et al. v. L’Oreal USA, Inc., et al., 1:18-cv-05639 (S.D.N.Y.), the Court recently held that reasonable consumers would not be deceived by a cosmetics bottle utilizing a pump dispense mechanism.

The plaintiffs claimed that the pump mechanism prevented them from being able to access the entire product inside of the bottle.  But Judge Koeltl was not swayed.  He held that consumers are familiar with pump dispensers on personal care products such as soaps, shampoos and lotions, and are therefore aware that “they will not be able to extract every bit of product from such containers.”  Accordingly, the court held that a “reasonable consumer” would not be deceived by the packaging of the products, and that plaintiffs’ alleged “disappointment” did not “establish deception” or “transform [L’Oreal’s] accurate labeling of the product’s net weight into fraud by omission.”

The Court also found that plaintiffs’ claims were preempted by the Federal Food, Drug and Cosmetics Act (FDCA).  Because federal law permits – and requires – L’Oreal to label its cosmetics products with the net quantity of the containers’ contents irrespective of the amount accessible through the pumps, the labels followed the “federal regulatory scheme [that] addresses measurement and labeling of product quantity head-on.”  And since plaintiffs were seeking labeling that was different from the labeling requirements set forth in the FDCA, their claims were expressly pre-empted.

The Critcher decision comes on the heels of two recent dismissals of slack fill class actions in the Southern District.  Last year, Ad Law Access covered Daniel, et al. v. Tootsie Roll Industries LLC, Case No. 1:17-cv-07541, 2018 WL 3650015 (S.D.N.Y. Aug. 2, 2018), in which plaintiffs claimed that different-sized boxes of Junior Mints contained between 35 and 43 percent empty air.  Judge Buchwald rejected these allegations, finding that no reasonable consumer would have been deceived because the Junior Mints boxes “provide more than adequate information for a consumer to determine the amount of product contained therein” and that the weight of the candy was “prominently displayed on the front” of each box.  Id. at *11-12.  Judge Buchwald then questioned the validity of slack fill cases more generally where the product’s label accurately reflects the weight of the product:  “[C]onsumers are not operating on a tabula rasa with respect to their expectations of product fill.  To the contrary, . . . ‘no reasonable consumer expects the weight or overall size of the packaging to reflect directly the quantity of product contained therein.’ . . . The law simply does not provide the level of coddling plaintiffs seek, [and] the Court declines to enshrine into the law an embarrassing level of mathematical illiteracy.”  Id. at *13.

Similarly, in Hu v. Iovate Health Sciences, U.S.A., Inc., 2018 WL 4954105 (S.D.N.Y. Oct. 12, 2018), plaintiff alleged that a protein powder sold by the defendant was packaged in containers that were not adequately filled, yielding a slack fill of 41 percent, but conceded that the package accurately disclosed the amount of protein powder inside.  Citing Daniel, Judge Ramos stated that “generally, courts within this District have found that labels on packages that clearly indicate the product’s weight prevent plaintiffs from succeeding on non-functional slack-fill claims.”  Id. at *2.  Given the accuracy and prominence of the label’s statement of net weight, Judge Ramos concluded “that the allegedly nonfunctional slack fill would not mislead a reasonable consumer acting reasonably under the circumstances.”  Id. at *3.

*                      *                      *

The Critcher decision marks another welcome victory for cosmetics and consumer product companies, and demonstrates that judges (at least those in the Southern District) are viewing slack fill claims with increasing skepticism and willing to dismiss them at the pleadings stage.

Make a product that could break? On July 16, 2019, the FTC hosted a workshop to examine repair restrictions on consumer goods and the “Right to Repair” bills proposed in a number of states. Panelists included representatives from trade associations, the repair and technology industries, and state senators. The Nixing the Fix workshop discussed some of the issues that arise when a manufacturer restricts access or makes it impossible for a consumer or an independent repair shop to make product repairs, and whether such restrictions infringe consumers’ rights. 

The discussion during the workshop coalesced around three themes: what is broken, the nature of the repair, and who will conduct the repair. Manufacturer representatives argued that products are getting more sophisticated and therefore more dangerous to fix. They also stated that third party replacement parts and services may be of lower quality and could affect the safety, security, and performance of the product. Manufacturers could face increased liability in connection with the third party parts and services. In addition, requiring reparability of devices could stymie innovative features such as the slim battery.

Consumer advocates urged that manufacturers should sell legitimate parts to repair shops and factor reparability into the design of the product. They asserted that some manufacturing changes (such as gluing in a battery, or epoxying an entire product shut) have limited or no innovative advantages and are done in large part to prevent consumers from fixing their own devices. As a result, consumers are forced to purchase new products.

Panelists proposed a few approaches to address these issues:

  • Require manufacturers to release their product information. Many manufacturers already provide their certified repair shops with information on their products and how to repair and replace defective parts. Consumer and repair shop advocates believe that this information should be shared with everyone.  
  • Allow consumers to pay for reparability. One panelist argued for a federally mandated repair score, which would indicate how much of the product is reparable. Consumers could then choose between a repairable and a non-repairable device, with the products priced accordingly.
  • Right to Repair bills.  Twenty states have considered right to repair legislation, though some of these bills are no longer active.

In opening and closing remarks, the FTC thanked all in attendance for their participation on this issue and urged all interested stakeholders to submit comments on this issue for agency review. Comments may be filed until September 16, 2019, electronically or in written form. The FTC will consider the comments to inform potential next steps, such as issuing federal guidance on the right to repair standard.

Even in her extensive dissent, FTC Commissioner Rebecca Slaughter labeled the Order “exceptional.”

And it is.  The terms of the Federal Trade Commission’s (FTC) $5 billion, twenty-year settlement Order reached with Facebook on Wednesday is the agency’s most prescriptive privacy and data security agreement ever.  The Order comes just three days shy of the seventh anniversary of the FTC’s original 2012 settlement with Facebook, where the FTC ordered Facebook to comply with its privacy commitments.

This week, the FTC confirmed what had already been widely reported, from the Cambridge Analytica scandal to a series of other press reports on privacy mishaps: the agency determined that Facebook’s data practices did not comply with the FTC’s 2012 Order.

Almost immediately, the Order was attacked by critics insisting that the Commission let Facebook off the hook too easily, for, among other reasons, not obtaining an admission of guilt or liability, not restricting data flows or integration among its companies, and not obtaining an even higher monetary penalty.  Commissioner Slaughter wrote that although the Order is exceptional, the “facts and defendant before us are exceptional as well,” and that she did not believe the “combined terms would effectively deter Facebook from engaging in future law violations and send the message that order violations are not worth the risk.”  Supporters of this view are likely to point to Facebook’s second quarter earnings results indicating a 28 percent revenue increase compared with 2018.

In contrast, Commissioner Noah Phillips, who supported the settlement, defended the outcome.  “I am absolutely certain that the deal we struck today is better than the relief that we might have achieved had we gone to court,” Commissioner Phillips told CNN.  In particular, Phillips and other Republican Commissioners point to extensive, precedent-setting monetary relief, as well as injunctive relief that dictates a new detailed accountability process for how Facebook’s privacy (and information security) decisions and oversight will function for the next twenty years.

Here’s a rundown of key terms in the Order:

#1:  Liability Limitations

  • Terms:  Facebook neither admits nor denies any of the allegations against it.  In exchange for agreeing to the Order and paying $5 billion in civil penalties, the FTC agrees that the Order resolves “any and all claims that Defendant, its officers, and directors” violated the 2012 settlement order and Section 5 of the FTC Act.
  • Context:  In his dissent, Commissioner Rohit Chopra criticized the liability terms because Facebook received what he characterized as a “legal shield” covering a wide range of conduct not addressed in the Complaint or Order.  “I have not been able to find a single Commission order – certainly not one against a repeat offender – that contains a release as broad as this one,” Chopra wrote.
  • Exceptional?  In 2012, Commissioner J. Thomas Rosch dissented because the FTC’s 2012 settlement allowed Facebook to expressly deny the allegations in the Complaint.  In the 2019 Order, Facebook neither admitted nor denied the allegations.  Kelley Drye View: Not exceptional.

#2:  Privacy Prohibitions / Restrictions

  • Terms:  Facebook may not make misrepresentations about privacy and information security in connection with its products and services.  The Order sets limits and rules around how Facebook may use telephone numbers provided for account authentication, facial recognition templates, and private user information.  Facebook is required to ensure that when a consumer deletes information or content, the data are in fact deleted and not accessible to third parties.
  • Context:  These are familiar terms.  When the FTC identifies a violation of its Act or a prior Order, the FTC seeks settlement terms that directly prohibit a company from re-engaging in the offending activity.  In its statement in support of the settlement, the majority of commissioners led by Chairman Joe Simons wrote, “Collectively, these requirements will not only alter the way Facebook does business, but also send an important signal to the marketplace about privacy and security best practices.”  The majority also pointed out that this is “the first FTC order to address biometric information, requiring Facebook to get consumers’ opt-in consent before using or sharing” facial recognition templates.
  • Exceptional?  The 2012 settlement mirrored many of these terms, especially with regard to misrepresentations in privacy statements and deletion of personal information. The FTC has also conveyed its expectations that when collecting and using sensitive personal information (such as biometric information) in a manner that may surprise consumers, a company should obtain an opt-in. Kelley Drye View: Not exceptional.

#3:  New Data Security Terms

  • Terms:  Facebook will be required to maintain an information security program to protect the security of user information, including passwords.  The company will be required to scan for plaintext files with user passwords, and report to the government any data breaches impacting 500 or more users.
  • Exceptional?  The FTC regularly mandates information security programs, especially in cases involving data breaches.  Earlier this year, in the Lightyear Dealer Technologies case involving exposure of personal information, the FTC mandated a detailed information security program complete with regular independent evaluations, internal assessments, and annual certifications. What is exceptional here is that, now, every Facebook data compromise involving 500 or more users’ information will be closely reviewed by both the DOJ and FTC. Kelley Drye View:  Exceptional.

#4:  Oversight agencies (DOJ & FTC)

  • Terms:  The Order indicates that aside from providing documents to the FTC, Facebook must provide copies of reports, assessments, notifications, certifications, and other mandated filings to the Department of Justice.
  • Context:  The FTC has limited manpower and staff (and more importantly, a constrained budget) to address every concerning privacy and data security matter.  Adding a second government agency increases oversight (and enforcement) potential.  Kelley Drye View:  Neutral (and potentially Exceptional if the settlement were to motivate Congress to increase allotted FTC Budget, in which case extra oversight and resources likely would translate to more active enforcement).

#5:  Safeguards

  • Terms:  The FTC mandates that Facebook implement safeguards to ensure protection of user information.  These safeguards require Facebook to conduct extensive privacy reviews prior to rolling out new services, with a more in-depth review required for services that present a “material risk to the privacy, confidentiality, or Integrity of” user information.  The settlement also requires Facebook to develop safeguards regarding facial recognition technology and affiliate sharing.
  • Context:  The terms respond to ongoing concerns that Facebook rolls out new products or services without sufficiently considering the impact on privacy.  These safeguards do not restrict Facebook from taking actions with new, material privacy implications, but they slow the process down and open it to deliberative review.  Kelley Drye View:  Neutral.

#6:  Third Party Monitoring

  • Terms:  Facebook is required to design and implement safeguards that require vetting, monitoring, and enforcement against third parties that use Facebook user information for their own consumer applications and websites.  These safeguards include mandating each such party to provide a self-certification of compliance with Facebook’s terms.  They also require Facebook to conduct ongoing compliance monitoring and to enforce compliance terms, including by restricting access to Facebook data in instances of non-compliance, and to take other appropriate disciplinary measures commensurate with the gravity of the violation and the third party’s prior history of compliance.
  • Exceptional?  The extent and specificity of the FTC’s third party vetting terms are unique to this case and go beyond the FTC’s prior examples.  It remains to be seen if these are more robust “fencing-in relief,” or if they are a preview of what FTC will demand in other cases involving third party compliance, including with respect to telemarketing and lead generation. Kelley Drye View:  Exceptional.

#7:  Overlapping Channels of Compliance

  • Terms:  The FTC has implemented overlapping “channels of compliance” to hold Facebook accountable for privacy and data security related decisions and practices.  First, Facebook must create an independent privacy committee.  Second, Facebook’s CEO and compliance officers will be required to submit quarterly compliance certifications vouching for the company’s compliance with the Order.  Third, Facebook will face monitoring by independent assessors (over whose work product Facebook cannot claim privilege) and by the FTC.
  • Exceptional?  The FTC’s majority statement emphasizes the overlapping channels of compliance, and they are no small feat.  Facebook has agreed to twenty years of extensive auditing at multiple levels.  While many FTC decisions may include some of these compliance checks, the Order’s inclusion of all of these is significant.  Kelley Drye View:  Exceptional.
  • Caveat:  Earlier this week, the FTC settled charges with Equifax over a data breach that impacted 147 million people.  That agreement included yet another channel of compliance: it set up an FTC email hotline for Equifax employees to submit complaints or concerns about the company’s information security practices directly to the FTC, along with a process for reviewing, addressing, and escalating those complaints.  This type of process is notably absent from the Facebook settlement.

#8:  Heavy-Handed Corporate Governance Terms

  • Terms:  In a remarkable example of government intervention in a public company’s operations, the FTC includes as Exhibit 1 to the Order a new article to be inserted into the Facebook corporate charter.  The article states that no director serving on the independent privacy committee may be removed for reasons related to their duties on that committee.
  • Exceptional?  This is a unique provision designed to protect the integrity of the independent privacy review process that is a cornerstone of the settlement agreement.  Kelley Drye View:  Exceptional.

Whether precedent setting or a one-off, the Facebook settlement sets a new standard in the United States for privacy accountability and government oversight of a company’s data practices.  Given the third-party monitoring and enforcement program that is part of this settlement, its effects also may be felt by many others in the online space.  On the day of the settlement’s announcement, public reports also noted that Facebook is the subject of a current FTC antitrust investigation.  While it may be many months (or longer) before we know how that matter resolves, its outcome too will be of great interest and could materially affect the digital ecosystem.

At bottom, there is no longer a status quo in the United States when it comes to data practices and standards.  This settlement, the California Consumer Privacy Act’s looming compliance deadline, and the ongoing debate over whether there should be a comprehensive federal privacy law are all developments that underscore one take-away:  most companies’ data practices can benefit from a fresh review and consideration for how to plan for the future.

To discuss how the settlement could impact your business, please contact attorneys in the Privacy and Information Security practice at Kelley Drye.

Over the past few years, a number of retailers have been challenged over their promotional pricing practices. Those challenges have been brought, primarily, by plaintiffs’ attorneys in class action suits and, occasionally, by regulators. This month, though, NAD issued a decision in a challenge that was brought by a company’s competitor.

According to the challenger, Nectar had advertised a “limited offer” of $125 off the price of a mattress continuously since October 2017. Pointing to the FTC’s guides on deceptive pricing, the challenger argued that a price at which an item was never offered at all – or a price that was used at some remote period in the past – is a fictitious price. Although Nectar claimed that it had offered mattresses for sale at the regular price for a “substantial period of time,” it did not present any evidence of that. NAD stated that when an item is marked down from a “regular” price, “the advertiser must demonstrate that the regular price is a bona fide price, rather than one that has been artificially inflated for the sole purpose of producing dramatic markdowns that exaggerate the actual value of the sale and savings to consumers.” Because Nectar did not do that, NAD recommended that it stop advertising the “limited time” offer.

The challenger also raised concerns about Nectar’s long-running “2 free pillows” offer. The challenger pointed to the FTC’s guides on the word “free” which, among other things, advise that an item should not be advertised as “free” for more than six months in any 12-month period. Although there was a disagreement about how many pillows had been sold at the regular price, Nectar did not present any evidence of sales at the regular price or that the “free” offer was made for a limited amount of time. Again, NAD recommended that Nectar stop advertising the “2 free pillows” offer.

Although the consequences of losing this type of case could have been worse if it had been brought as a class action or by a regulator, this decision demonstrates that retailers can also face challenges from their competitors.