Comcast recently challenged a number of claims that AT&T made about its Wi-Fi services in two blog posts on the AT&T website. The posts claimed that the company provided the “best possible Wi-Fi experience,” the “best possible in-home connections,” and the “best possible home internet experience.”

Comcast argued that consumers would read the posts to suggest that AT&T’s Wi-Fi was superior to competing services WiFi Iconand that AT&T couldn’t support these claims. AT&T disagreed about how consumers would read the claims. It argued that consumers would understand them to refer to improvements over AT&T’s prior service, and the company provided evidence to support the narrower interpretations.

NAD noted that a “best” claim can either convey a self-referential message or a comparative message –even if a competitor isn’t named in the ad. Context is key. When read in the context of the blog posts, NAD determined that the claims focus on an internal change about how AT&T technicians install Wi-Fi for its own customers. Accordingly, consumers were unlikely to read them as comparisons against Comcast.

We’ve highlighted this case for two reasons. First, although most companies take steps to review the claims in “traditional ads,” not everyone realizes that blog posts also fall under the scope of advertising laws. They should be considered, too. Second, this is another reminder about the importance of context. Context can make a big difference in terms of what claims are conveyed in an ad (or blog post) and what substantiation is required.

This morning, the Supreme Court released its calendar for its January 2021 oral arguments. AMG Capital Management, LLC v. FTC is on the docket. Oral argument in AMG has been scheduled for January 13, 2020.

As we’ve noted in prior posts, the High Court in AMG will review the question of whether or not Section 13(b) of the FTC Act authorizes the FTC to seek monetary relief from the individuals and entities it pursues under that statutory provision. Signs to date point to a strong likelihood that the Court will disallow such monetary remedies, finding that such remedies run contrary to the statutory text. Based on questioning at January’s oral argument, we may have a better sense of which way the Court is leaning.

Kelley Drye ThanksgivingBarring an advertising or privacy law emergency, like you, we’ll be taking the next few days off to give thanks and spend time with family. Next week, please join us for:

  • Made in USA claims – navigating FTC’s ‘all or virtually all’ standard
    WebinarConsumers continue to demand goods manufactured in the United States and will pay a premium for such products. At the same time, the Federal Trade Commission (FTC) continues its high-profile focus on US origin claims, launching dozens of investigations, announcing various noteworthy settlements and advocating for a proposed rule that would include the possibility of civil penalties over $43,000 per violation. This webinar will explore Made in USA claims and discuss:

    • What types of claim have attracted regulatory attention;
    • How to comply with the FTC’s requirements; and
    • What to do if the FTC contacts you.

Register here to Join Christie Grymes Thompson on 3 December 2020 at 1:00pm EST (6:00pm GMT).

While we’re away:

Some of our post popular episodes include:

In this time of Thanksgiving, we express sincere appreciation for our clients and all friends of the firm. While holiday celebrations this year will be very different, without the usual gatherings and traditions, we are focused on the underlying spirit of giving thanks. Wishing you good health, time with family and friends (even if that’s FaceTime), and optimism for the future.

Advertising and Privacy Law Resource Center

Face covering and mask policies have caused unrest and inconvenience for many in-person shoppers since the beginning of the COVID-19 pandemic, and continue to provoke controversy. Some individuals believe that these policies infringe on their constitutional rights, while others allege such policies violate the American with Disabilities Act as applied to individuals who are unable to comply with these policies due to a variety of health conditions or disabilities.

In a recent decision, a Pennsylvania federal court refused to enjoin grocery store Giant Eagle’s mandatory face covering policy in light of a shopper’s claim that he suffers from anxiety and has trouble breathing when wearing a mask.  Despite previously denying Giant Eagle’s motion to dismiss, Judge Nora Barry Fischer in the Western District of Pennsylvania found a number of flaws with the plaintiff’s argument, leading her to conclude that the named plaintiff was unlikely to succeed on the merits of his claims and deny the requested preliminary injunction.

First, the plaintiff had failed to demonstrate that he had a disability preventing him from complying with Giant Eagle’s policy.  On its face, the policy permits consumers to wear a face mask, cloth face covering, or a full face shield, and the plaintiff failed to show that he was unable to wear a face shield.  The Court found that the plaintiff’s statements regarding his alleged inability to wear a mask was contradicted by his social media posts asserting that he was able to wear a mask, but has a right to refuse to comply with Giant Eagle’s policy.

Second, the plaintiff’s request for an accommodation to shop without a mask was not reasonable or necessary given the various alternatives provided to consumers.  In addition to permitting shoppers to wear face shields as an alternative to masks, Giant Eagle also offered various services to those unwilling or unable to shop in person, including personal shopping services, curbside pickup and home delivery.

Given these two findings, the court did not even need to consider Giant Eagle’s “well-taken defenses that its face covering policy is a legitimate safety requirement during the COVID-19 pandemic and that [the named plaintiff] presented a direct threat to the health and safety of others, including customers and employees.”

With the impending second wave of the pandemic, more retailers are adopting (and state and local governments are imposing) mandatory face covering policies.  While litigation is inevitable, this decision provides helpful guidance to consumer-facing businesses to ensure that their policies are sufficiently flexible and provide alternatives for those who are unable to wear a face mask.

* * *

Subscribe to Kelley Drye’s Ad Law Acces blog here.

Advertising and Privacy Law Resource Center

 

Peloton Interactive sells exercise bikes and treadmills that can stream live and on-demand fitness classes. For a while, the company advertised that its library of classes was “ever-growing.” Although that may have been true when the company first made the claim, things changed. In response to a lawsuit related to the music used in some classes, Peloton cut more than half of its content in 2019. Soon after, plaintiffs filed a class action lawsuit against the company, arguing that the “ever-growing” claim was false.

The case is on-going, but the New York court’s recent ruling on Peloton’s motion to dismiss touches on at least two issues Mountain Bike Climbing Scenethat frequently come up when we talk to clients.

Peloton argued that although it advertised that its library was “ever-growing,” the Terms of Service to which the plaintiffs agreed clearly explained that the company reserved the right to remove content from its library at any time. The court wasn’t sympathetic and relied on a principle that we’ve blogged about before. A consumer who sees an ad shouldn’t be expected to search in other places to learn about important limitations. (Click here for a different example.)

After dismissing Peloton’s argument that the “ever-growing” claim was puffery, the court considered Peloton’s argument that the claim is true because the company consistently adds new content to its library. In other words, “ever-growing” was a representation about updates, not a representation about the aggregate size of the library. The court didn’t buy it. Looking at the plain meaning of the words, the court determined Peloton arguably communicated a claim about the total size of the library.

We’ll continue to watch this case as it develops but will leave you with two key points for now. First, although language in Terms of Service may protect a company against a breach of contract claim, it’s less likely to offer protection against a false advertising claim. Second, be careful about claims that suggest promises about the future. Those claims could come back to haunt you if things later change.

Seven months after being called upon by members of Congress to investigate Zoom’s data security practices, a divided FTC announced on November 9 a settlement with the videoconferencing platform.

The FTC’s five-count administrative complaint alleges that Zoom deceived users about several of its security features and harmed users by circumventing security and privacy controls provided by their operating systems and browsers.  The proposed consent order requires Zoom to make changes to its data security practices, implement a comprehensive information security program, and obtain independent assessments of its program for 20 years after entry of the order – but does not require the company to pay monetary relief.  In separate dissents, Commissioners Chopra and Slaughter argue that the proposed relief does not go far enough.

Companies watching the FTC’s data security enforcement trends will want to take note of two main takeaways: claims about the strength of security protections in products and services warrant close scrutiny, and software deployments that weaken or circumvent other security controls on users’ devices will likely receive a tough reception from the FTC.

Allegations in the FTC’s Complaint

Deception.  Although Zoom has grown rapidly during the coronavirus pandemic, much of the FTC’s complaint focuses on conduct that predates the massive shift to videoconferencing as a substitute for in-person family, business, social, and religious gatherings.  Specifically, the FTC alleges that Zoom misrepresented several features of its service through blog posts, user documentation, and other publicly available statements:

  • End-to-end encryption: Zoom asserted that it used end-to-end encryption (i.e., encryption that only the parties to a communication can decipher) but did not disclose that, for most versions of its service, Zoom stored encryption keys that would also allow Zoom to decrypt users’ communications.
  • Level of encryption: Zoom claimed to use 256-bit encryption keys but apparently used 128-bit keys.
  • Unencrypted storage: Zoom stored meeting recordings in unencrypted form for 60 days before moving them to encrypted storage.
  • Disguised updates: A software update billed as providing “minor bug fixes” did not disclose that it would install a web server on users’ devices.

Unfairness.  In addition, the FTC alleges that Zoom unfairly harmed users’ privacy and security interests by installing a “secret” web server as part of a 2018 update to its app for Apple Mac computers.  According to the complaint, this update worked around privacy and security protections in the Safari browser and exposed Zoom users to potential phishing, denial of service, and remote code execution vulnerabilities.  The complaint notes that Zoom users share health, financial, proprietary and other sensitive information but does not describe actual breaches involving such information.

Proposed Order Provisions

The Zoom order is generally consistent with recent changes in FTC data security orders, which reflect the agency’s efforts to ensure that its orders are specific enough to be enforceable, set tighter standards for security program assessments, and impose requirements for managerial oversight and order compliance.  Along these lines, key requirements in the Zoom order are as follows:

  • Comprehensive Information Security Program.  Zoom’s security program that Zoom must, at minimum, meet 10 families of requirements, most of which consist of multiple sub-requirements.
  • Independent Assessments.  Zoom must obtain independent security assessments every other year during the order’s 20-year term.  Among other requirements, the assessor must identify the evidence obtained to support its conclusions and may not rely on “primarily on assertions or attestations” by the company.
  • Annual Certifications.  A “senior corporate manager” must file an annual certification stating that the company has met the requirements of the order and is not aware of any “material noncompliance” that has not been corrected or disclosed to the FTC.
  • Incident Reporting.  Finally, Zoom must report to the FTC instances of unauthorized access to or acquisition of recorded or livestream video or audio content within 30 days of discovering such an incident, unless the incident affects fewer than 500 users or meets other exceptions.

Dissents:  A Preview of the Next FTC?

Consistent with their dissents in a string of major privacy and data security cases (e.g., YouTube and Facebook), Commissioners Chopra and Slaughter criticize the Zoom settlement for falling short in the relief provided to consumers and the changes required in Zoom’s business practices.

Perhaps most significantly in light of the potential changes in store for the FTC under a Biden-Harris administration, Commissioners Chopra and Slaughter endorse a list of seven recommendations to “restore credibility” (in Commissioner Chopra’s words) and “improve the effectiveness” of the FTC’s enforcement efforts:

  1. Strengthen orders to emphasize more help for individual consumers and small businesses, rather than more paperwork.
  2. Investigate firms comprehensively across the FTC’s mission.
  3. Diversify the FTC’s investigative teams to increase technical rigor.
  4. Restate existing legal precedent into clear rules of the road and trigger monetary remedies for violations.
  5. Demonstrate greater willingness to pursue administrative and federal court litigation.
  6. Increase cooperation with international, federal, and state partners.
  7. Determine whether third-party assessments are effective.

With respect to Zoom in particular, Commissioner Slaughter argues that the company’s practices harmed consumers’ privacy interests and that a “more effective order” would require Zoom to address privacy and security risks in its services.  Despite the greater specificity in the Zoom order compared to FTC data security orders of a few years ago, Commissioner Chopra criticizes this settlement as a “status quo approach” that does not provide for direct notice or relief for Zoom’s customers.

For more information on the FTC and other topics, visit:

Advertising and Privacy Law Resource Center

 

This morning, in a brief line order, the Supreme Court vacated its prior grant of the Federal Trade Commission’s petition for certiorari in Federal Trade Commission v. Credit Bureau Center, LLC (“Credit Bureau”). Justice Barrett did not take part in the decision to vacate the grant of certiorari. None of the remaining Justices dissented from the order.

As we explained in a prior post, in Credit Bureau, the Seventh Circuit reversed its prior precedent, concluding that Section 13(b) of the FTC Act does not authorize the FTC to obtain monetary restitution. In doing so, the Credit Bureau court admonished that Section 13(b) must be taken on its own terms. “By its terms, section 13(b) authorizes only restraining orders and injunctions,” not restitution. 937 F.3d 764, 767.

The Supreme Court’s action will not prevent this issue from being litigated at the High Court. Credit Bureau had been consolidated with another case, AMG Capital Management, LLC v. Federal Trade Commission (“AMG”). AMG is in many ways a parallel case to Credit Bureau, with similar facts leading to an opposite outcome. In AMG, a Ninth Circuit panel disapproved of the broad and atextual reading of Section 13(b) allowing for monetary restitution, but concluded that it “remain[ed] bound by” the ample Ninth Circuit precedent broadly construing Section 13(b). 910 F.3d 417, 427. AMG remains before the Supreme Court, and oral arguments will be heard sometime in the first half of 2021.

While the Supreme Court’s vacation of the grant of certiorari in Credit Bureau cannot be viewed as a definitive endorsement of the Seventh Circuit’s position, it certainly comes close. While not an outright affirmance on the merits, the vacation signals that the Supreme Court is comfortable with the Seventh Circuit’s Credit Bureau holding. When the Supreme Court vacates grants of certiorari, it will often do so with the brief explanation that the original grant of certiorari was “improvidently granted,” meaning that the Supreme Court no longer believes the case merits review. The Supreme Court did not do that here. Instead, the High Court simply vacated the grant. This, along with the continued presence of AMG on the Supreme Court’s docket, signals that the Supreme Court does think the issues in Credit Bureau merit review, but the Court no longer believes Credit Bureau is the best vehicle to review the issue of monetary restitution under Section 13(b).

While the Supreme Court’s line order does not specify why the Court vacated the grant of certiorari, we believe there is one likely reason. Justice Barrett (who did not participate in the vacation of the grant of cert) was a member of the Seventh Circuit when Credit Bureau was decided. While then Judge Barrett was not on the Credit Bureau panel, the panel’s decision was reviewed by the entire Seventh Circuit because it overturned prior Seventh Circuit precedent. While some members of the Seventh Circuit dissented from the panel’s Credit Bureau decision, Judge Barrett did not. Judge Barrett’s decision to allow Credit Bureau to stand while she was on the Seventh Circuit certainly qualifies as participation in a lower court’s case before it made its way to the Supreme Court. Many believe that it would have been an ethical conflict for Justice Barrett to participate again in a review of Credit Bureau—effectively reviewing her own decision.

The Supreme Court’s decision to vacate the grant of certiorari in Credit Bureau thereby allows Justice Barrett to participate in the AMG case on the merits while avoiding any ethical issues. The eight members of the Court who chose to vacate the grant of certiorari Credit Bureau are signaling that they want Justice Barrett to participate in the proceedings.

This, in turn, seems like a strong signal that the Supreme Court may reverse the Ninth Circuit’s decision in AMG, concluding that Section 13(b) does not allow for the FTC to obtain monetary restitution. If the High Court agrees with the Seventh Circuit’s Credit Bureau decision and reverses the Ninth Circuit’s contrary AMG decision, there is no real need to review the Seventh Circuit’s decision on the merits. The Supreme Court’s reversal of the Ninth Circuit’s AMG decision will, of course, be precedential nationwide. And, the Supreme Court will thereby effectively affirm Credit Bureau, allowing Justice Barrett to participate in its AMG decision while bypassing any ethical quagmires.

Now that Joe Biden has been declared the winner of this year’s presidential election, many practitioners are beginning to turn their focus to how a Biden Administration will reshape federal agencies. This post takes a look at changes that may be in store for the FTC.

For much of the past few years, the FTC has been at the center of vigorous debates about the exercise of its competition and consumer protection authority, with issues such as consumer privacy and potential antitrust enforcement against internet platforms dominating much of the agency’s agenda. Although it is too early to assess how the FTC’s substantive priorities might change under new leadership, a look at the Commission’s structure provides some clues about the levers that a Biden-appointed Chair will be able to use to set the FTC’s direction. This post examines some of the key elements of that structure.

Vacancies and Party Balance

The first question is whether and when President Biden will be able to put the FTC under Democratic control. The FTC Act provides that no more than three Commissioners can be of the same political party. Currently, three Republicans and two Democrats lead the FTC, with Joe Simons, a Republican, serving as Chairman. President Trump appointed all five members of the current Commission; they were confirmed by the Senate and sworn in in 2018, resulting in the most rapid turnover in the FTC’s membership since its establishment in 1914.

The Biden Administration is likely to have fewer vacancies to fill initially. The Commissioners serve staggered seven-year terms, meaning that the terms don’t all expire at once. (See the table below for details.)  Only Commissioner Rohit Chopra’s term has expired; he could be re-nominated or may continue to serve until a successor is confirmed. If Chairman Simons resigns, as is common upon a change in party control of the White House, the Biden Administration would be able to appoint a third Democrat. If other Commissioners resign before completing their terms, their successors would serve for the remainder of their predecessor’s original term.

Commissioner Political Party Term Dates
Joseph J. Simons (Chairman) Republican 05/01/2018-09/25/2024
Rebecca Kelly Slaughter Democrat 05/02/2018-09/25/2022
Noah Joshua Phillips Republican 05/02/2018-09/25/2023
Christine S. Wilson Republican 09/25/2018-09/25/2025
Rohit Chopra Democrat 05/02/2018-09/25/2019

Even if Chairman Simons does not resign, the new President may replace him as Chairman. A new Chairman would have significant leeway to set the FTC’s priorities, starting with the ability to appoint new directors for the FTC’s three Bureaus: Consumer Protection, Competition, and Economics. The Bureau Directors, in turn, would be able to effectuate the new Chair’s priorities in their respective Bureaus through case selection and the development of regulatory and policy proposals. The Chair also has the ability to appoint a handful of other positions, such as the General Counsel, though these officials play a less influential role in setting enforcement and regulatory priorities.

The FTC Chair’s Levers and Limitations

At this point, it would be pure speculation to identify likely candidates for FTC Chair or the Directors of the Bureaus of Consumer Protection and Competition. One thing to note – given the way the Commission is viewing conflicts of interest in recent years, it is much less likely that these positions will be filled by attorneys in private practice. The Commission will impute a Firm’s entire client list to the candidate, creating a potential lengthy list of conflicts that could force a Commissioner or Directors to have to recuse themselves on important enforcement and policy issues. We saw this when Andrew Smith was proposed as Bureau Director, leading to a contentious debate at the Commission, with both Democrats voting against Mr. Smith.

Regardless, a Democratic Chair would face limitations in his or her ability to realize new enforcement or policy objectives. A majority of the Commissioners must vote in favor of any significant agency action, such as proposing or issuing rules, filing complaints, and accepting settlements. Furthermore, if Chairman Simons departs from the Commission, the Senate could be slow to confirm a fifth Commissioner. In the meantime, the Commission would be evenly split between Democrats and Republicans, creating the potential for a stalemate which could delay any significant agency action.

The FTC is likely to undergo significant changes in a Democratic administration. Still, like most things in a new administration, its effects will take time to unfold. We will continue to closely monitor developments during the transition and beyond.

 

On Tuesday, November 3, 2020, California voters passed ballot Proposition 24, the California Privacy Rights Act of 2020 (“CPRA”). Also known as CCPA 2.0, CPRA brings a number of changes to the CCPA, the majority of which will become operative on January 1, 2023. In addition to revising some of the definitions that are fundamental to commercial relationships under the CCPA (e.g., the definition of “sale” and “service provider”), CPRA provides additional consumer rights, incorporates data minimization and certain other principles from the General Data Protection Regulation, and establishes a new California Privacy Protection Agency to replace the attorney general’s office as the statute’s enforcer.

In a previous blog post about CPRA, we provided a general overview of the differences between CPRA and CCPA.  Now that CPRA has passed, we provide a more detailed some of its key provisions:

Sharing and Selling.

The CPRA introduces the term “sharing” as distinct activity from “selling” personal information. Sharing is defined as disclosing or otherwise communicating a consumer’s personal information for “cross-context behavioral advertising” – defined as ad targeting based on information obtained about a consumer across different apps or services – whether or not for monetary or other valuable consideration, including transactions between a business and a third party. Consumers have the right to opt out of the sharing of their personal information with third parties.

Why It Matters: Although California’s law will remain opt-out-based, the expansion to “sharing” may have a large impact on digital marketing contracts, and will expand businesses’ opt-out obligations. For instance, businesses that determined that their disclosures of personal information for ad-related purposes do not constitute “sales” because the exchanges do not involve valuable consideration may need to revisit those decisions. Businesses that engage in “selling” or “sharing” will also need to provide or update their opt-out links and processes to provide consumers with a “Do Not Sell or Share My Personal Information” choice.

Consumer Rights.

CPRA creates several new consumer rights and protections:

  • Right to Correct. Under CPRA, consumers have the right to correct inaccurate personal information the business holds about them. This mirrors the right to correction under the GDPR.
  • Automated Decision Making. Consumers also have a right to opt out of the use of their personal information for automated decision making, which includes “profiling” in connection with evaluations or decisions about to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. The consumer also has a right to access “meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
  • Right to Restrict Use of Sensitive Personal Information. CPRA also regulates the use of “sensitive personal information,” which includes precise geolocation data, race, religion, sexual orientation, social security numbers, and certain health information outside the context of HIPAA. Consumers may limit the use and disclosure of sensitive personal information for certain “secondary” purposes, including prohibiting businesses from disclosing sensitive PI to third parties, subject to certain exemptions.
  • Right to Data Portability. Consumers may request that the business transmit specific pieces of personal information to another entity in a structured, commonly used and machine-readable format.

Why It Matters: Many businesses will likely need to implement new processes to accommodate these new consumer rights.

Service Providers and Contractors.

CPRA adds new requirements to qualify as a “service provider” and introduces the parallel category of “contractor.”  A business “makes available” personal information to a contractor; a service provider receives personal information from or on behalf of a business and processes the information on behalf of that business. The CPRA imposes substantively similar contractual and direct obligations on contractors and service providers, and also requires contractors to certify that they understand and will comply with such contractual obligations.

In addition, CPRA imposes a number of new requirements on service providers and contractors:

  • Data Silos.  Service providers and contractors must keep separate any data they obtain about a consumer in the course of assisting a business with advertising and marketing from other data they obtain about the consumer from other sources.
  • Marketing Services.  The CPRA clarifies that a service provider or contractor can provide advertising and marketing services, but not cross-context behavioral advertising.
  • Contractual Terms.  The business and service provider/contractor must enter into a written agreement that includes specific terms outlined in CPRA, similar in concept to GDPR Art. 28.
  • Subcontractors. Service providers and contractors to notify businesses of any engagement with a sub-service provider or subcontractor and to bind those parties to the same written terms as between businesses and service providers.

Why It Matters: Companies will need to review their service provider/contractor terms to determine whether they include the requisite contractual terms, and review the scope of their services to ensure they do not provide cross-context behavioral advertising.  These efforts come on the heels of updates to such agreements that many companies made relatively recently in response to CCPA obligations.

*             *             *

Finally, most CPRA provisions will become operative on January 1, 2023.  However, a few provisions, including the extension of the employee and B2B exceptions through the end of 2022, will become operative as soon as the administrative process of recording California’s vote is complete.  In the meantime, businesses must comply with the CCPA and its implementing regulations.  (As discussed in this post, the California Attorney General has proposed several modifications to the regulations.) Please contact any of the attorneys in Kelley Drye’s Privacy Group if you would like assistance in California privacy compliance.

Advertising and Privacy Law Resource Center

Ad Law Access PodcastCompanies often want to claim that their products or services are better than the products or services offered by a competitor. However, comparative claims tend to be highly scrutinized by competitors and subject to challenge.

On the latest episode of the Ad Law Access podcast, it provides five tips advertisers should keep in mind when creating comparative ads.

Listen on Apple, SpotifyGoogle Podcasts, Amazon Music, Soundcloud or wherever you get your podcasts.

For more information on these and other topics, visit: