As we previously reported, “Phase I” of class action filings relating to the COVID-19 pandemic has become a significant contagion of its own with more than 500 cases being filed since March challenging refund policies, school closures, event cancellations, and marketing and pricing practices.  As the economy gradually reopens, “Phase II”—how companies respond to these cases—is just beginning.  Not surprisingly, defendants are fighting hard and early to defeat these claims, with many opting to file motions to dismiss rather than answering the complaint and entering into lengthy and expensive discovery.

Early Action in Cases Against Public-Facing Businesses

Public-facing businesses—such as those in the retail, travel and hospitality industries—have been the first to re-open and are currently navigating a patchwork of state guidelines on how to do so safely.  Compounding this burden, these same companies are facing a wave of lawsuits by customers and employees alleging negligence, breach of contract, and unfair business practices during the pandemic.

These industries are not new to class action litigation and many companies have included arbitration clauses and class arbitration waivers in their consumer contracts.  These defendants have, not surprisingly, moved to compel arbitration, and plaintiffs have responded with unique (but likely ineffective) allegations of unconscionability, fraud and duress to try to stay in court.  For example, in a case against Amazon, the plaintiffs alleged that the arbitration agreement was unconscionable because they were under duress during the pandemic and were forced to purchase products from Amazon.  Amazon’s response was based on the black-letter principle that unconscionability is measured at the time of contracting, and not at the time of the challenged conduct.

Other companies have focused on substance, arguing that they complied with their contractual obligations and that their customers have not suffered damages.  For example, in the case of recurring monthly payments for fitness club memberships, defendants have argued that their membership agreements do not mandate refunds for temporary closures, and therefore plaintiffs who filed suit within days or weeks of the initial closure did so too quickly.

The replay of our recent webinar Product and Earnings Claims in the Time of COVID-19 is available here.

The FTC has recently sent warning letters to hundreds of companies for allegedly falsely implying that products can be used to treat, cure, mitigate, or prevent COVID-19. The FTC has also issued warning letters for implied earnings claims connected to the pandemic, alleging that some have overpromised on the financial opportunities available and misleadingly tied them to the pandemic. These announcements have made clear that any claim mentioning COVID-19, the pandemic, or even “these times” will be closely scrutinized.

To help ensure your company isn’t next, please watch the replay of our webinar covering the basics of advertising product and earnings claims, and how those should be applied during the pandemic. Discussion topics included:

• Claim Substantiation and Puffery
• Express and Implied Product Claims
• Express and Implied Earnings Claims
• Enforcement Examples and Takeaways
• Monitoring Third Parties Making Claims on Your Behalf (Endorsers, Independent Distributors)
• What to do if you receive a warning letter or other enforcement action

To view the presentation slides, click here.

To view the webinar recording, click here.

Subscribe to our Ad Law News and Views newsletter to receive information on our next round of webinars and to stay current on advertising and privacy matters.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.

Advertising and Privacy Law Resource Center

Product and Earnings Claims in the Time of COVID-19
On Wednesday, July 8, we will be holding a webinar for anyone who is currently making or plans to make product claims or earnings claims, anyone new to claims or in need of a refresher.

The FTC has recently sent warning letters to hundreds of companies for allegedly falsely implying that products can be used to treat, cure, mitigate, or prevent COVID-19.  The FTC has also issued warning letters for implied earnings claims connected to the pandemic, alleging that some have overpromised on the financial opportunities available and misleadingly tied them to the pandemic.  These announcements have made clear that any claim mentioning COVID-19, the pandemic, or even “these times” will be closely scrutinized.

Please join us for a webinar covering the basics of advertising product and earnings claims, and how those should be applied during the pandemic. Discussion topics include:

  • Claim Substantiation and Puffery
  • Express and Implied Product Claims
  • Express and Implied Earnings Claims
  • Enforcement Examples and Takeaways
  • Monitoring Third Parties Making Claims on Your Behalf (Endorsers, Independent Distributors)
  • What to do if you receive a warning letter or other enforcement action

Register here

Trade Association Antitrust 101
Please join us on July 14 for a webinar geared toward association legal counsel, executives, marketers, staff and members, participants in association activities or attendees to association meetings.

Antitrust issues are a constant concern for trade associations and their members. Competition regulators will have associations and their members under even greater scrutiny as groups work together to address the ongoing challenges presented by COVID-19. Please join us for a webinar covering the basics of antitrust compliance for association legal and compliance counsel, executives, staff and outside advisers. This webinar is designed to help association professionals and those who attend association functions identify potential antitrust issues and provide practical guidance for effective compliance programs and mitigating risk. Finally, we will talk about how to respond to enforcement actions in the event your organization is involved in an investigation.

Discussion topics include:

  • Antitrust law basics
  • Best practices for associations and their membership
  • Effective compliance and training programs
  • Strategies for responding to warning letters or other enforcement actions

Register here

Additional webinars will be announced soon.


FDA and FTC Joint Warning Letters Target Amazon Affiliates Making False COVID-19 Claims

Earlier this week, federal regulators continued their efforts to combat the spread of products featuring allegedly false and misleading claims that products can diagnose, treat, cure, or prevent COVID-19.  In warning letters issued to CBD Gaze, Alternavita, Musthavemom.com, and Careful Cents LLC, the agencies identify the respective recipients as participants in the Amazon Affiliate program.  Amazon Affiliates are marketers who earn commissions by promoting products sold on Amazon.  The letters state that the products at issue, which include essential oils, grapefruit seed extracts, cod liver oil, and others, feature false treatment and prevention claims such as the following:

  • CBD Gaze:  “Find the best CBD Oil to help fight Coronavirus.”
  • Alternavita:  “4 Proven Ways To Protect Yourself Against Coronavirus,” you represent that “Everyone is concerned about Coronavirus and looking for ways to protect themselves,” and then state the following:

“Grapefruit Seed Extract If you want a little extra daily protection GSE is a safe antibiotic . . . [Amazon associate link].”

  • Musthavemom.com:  “NATURAL REMEDIES FOR CORONAVIRUS. . .There are plenty of things you can do to boost your immune system and fight off any virus including coronavirus. Here are a few!”  … “2. Vitamin D . . . This important vitamin plays a crucial role in immune health. Being deficient in Vitamin D can increase your risk of infection. I recommend this brand of Vitamin D [Amazon associates link] and starting at a minimum dose of 5,000 IU.” [from your website https://musthavemom.com/coronavirus-prevention-treatment-plan/]
  • Careful Cents LLC:  “How to Boost Your Immune System Naturally With Essential Oils to Fight Coronavirus” you state: “Can you use essential oils to boost your immune system and fight coronavirus? Yes! Essential oils are one of the best tools to strengthen your immune system naturally . . .”

The letters state that the products are unapproved new drugs and misbranded pursuant to the Food, Drug, and Cosmetic Act.  Causing the introduction or delivery for introduction of these products into interstate commerce is prohibited under sections 301(a) and (d) of the FD&C Act, 21 U.S.C. § 331(a) and (d).  The letters also state that “it is unlawful under the FTC Act, 15 U.S.C. 41 et seq., to advertise that a product can prevent, treat, or cure human disease unless you possess competent and reliable scientific evidence, including, when appropriate, well-controlled human clinical studies, substantiating that the claims are true at the time they are made.  For COVID-19, no such study is currently known to exist for the product identified above.  Thus, any coronavirus-related prevention or treatment claims regarding such product are not supported by competent and reliable scientific evidence.”

What’s the lesson?  The difference between these letters and the warning letters that FDA and the FTC issued earlier this year is that these are targeted not to the company making the product or even the retail platform on which they are sold.  They were sent to the middleman marketer, who likely does not produce or possess the product, but who is promoting and profiting from its sale.  This is consistent with the FTC’s letters to product influencers in other marketing contexts but is a departure from FDA’s typical enforcement approach.  Although we have seen FDA pursue retailers (particularly online ones), FDA has not made pursuit of marketing affiliates a priority.  Clearly, regulators want affiliate marketers (Amazon or otherwise) to understand that they are not immune from enforcement if they are making aggressive or unsubstantiated health claims.

Ad Law Access Podcast

Democrats Release Their Own COVID-19 Privacy Legislation

Following the Republican-sponsored COVID-19 Consumer Data Protection Act of 2019, Democratic legislators recently introduced the Public Health Emergency Privacy Act. Senators Richard Blumenthal and Mark Warner of Connecticut and Virginia, respectively, and a group of Democratic Representatives, including Jan Schakowsky of Illinois and Anna Eshoo of California, introduced the measure.

While both measures similarly require “affirmative express consent” prior to most processing of personal information for COVID-19 purposes, notice prior to using the data, reporting requirements, and destruction after data use, the bills vary in many other respects. Some differences between the Republican and Democratic bills include preemption, enforcement authority, and civil and voting rights protections.

Perhaps the most material distinctions focus on preemption and enforcement – a common theme in federal privacy legislation. These areas continue to be sticking points between the parties in discussions regarding privacy legislation. While both measures allow for FTC and state attorney general enforcement, the Democrats’ bill also provides for a private cause of action, which would allow for damages between $100 and $1000 per negligent violation, and $500 and $5000 per reckless, willful, or intentional violation. And while the Republican measure expressly preempts any similar state measure, the Democratic measure expressly does not.

The Democratic measure also addresses other concerns regarding using health data for COVID-19 purposes where the Republican bill is silent. Specifically, the Democrats’ bill expressly prohibits the use of emergency health data for advertising or discriminatory purposes. The bill also requires the Secretary of Health and Human Services to work with both the U.S. Commission on Civil Rights and the FTC to submit a report examining how the collection, use, and disclosure of COVID-19 health information impacts civil rights issues.

In addition, the Democrats’ bill prevents government entities from restricting the right to vote based on an individual’s: (1) participation or non-participation in a program to collect emergency health data; (2) medical condition; or (3) emergency health data itself.

As with Congress’s debate over comprehensive federal privacy legislation, COVID-19 privacy legislation may come down to similar disputes over enforcement and preemption. Whether the parties will be able to agree on these issues as they apply in a more limited capacity remains to be seen.


In light of concerns associated with attempts to use personal data to track the spread of COVID-19, a group of Republican Senators, led by Mississippi Senator Roger Wicker, introduced the COVID-19 Consumer Data Protection Act of 2020 today.

The bill imposes specific requirements on entities seeking to process precise geolocation data, proximity data, persistent identifiers, and personal health information (together, “covered data”) in association with COVID-19 mitigation efforts. Among other things, the Act would require:

  • Notice/Consent: Prior notice and affirmative express consent for the collection, processing, or transfer of covered data to track COVID-19, monitor social distancing compliance, or for COVID-19 contact tracing purposes;
  • Opt Out Rights: Giving individuals the right to opt out of such processing;
  • Deletion Rights: Deleting or de-identifying all covered data once the entity is no longer using it;
  • Data Processing Restrictions: A public commitment to limit the processing of the data, unless certain exceptions apply;
  • Notice: Posting a clear and conspicuous privacy policy within 14 days of the Act’s enactment that provides information about data transfers, data retention practices, and data security practices; and
  • Accountability: During the public health emergency, providing a bi-monthly public report identifying the aggregate number of individuals from whom the covered entity has collected, processed, or transferred covered data for COVID-19 purposes with additional detail about how and why that information was used.

The bill also requires covered entities to engage in data accuracy (including allowing the individual to report inaccuracies), data minimization, and data security practices. The FTC has enforcement authority under the bill and would also be required to release data minimization guidelines in relation to COVID-19 processing.

Separately, the bill explicitly exempts covered entities from requirements under the Communications Act or regulations in relation to this processing. The bill also preempts any similar state law, although state attorneys general have enforcement authority along with the FTC.

Whether Congress will pass the measure is unclear, as Democrats and public interest organizations have voiced concerns about the bill. Still, assuming Congress can agree, it’s worth monitoring to see whether the measure may be included in any upcoming COVID-19 relief bill.


Ad Law Access Podcast - Health Claims in the Context of COVID-19

The FTC recently sent warning letters to companies for falsely claiming that their products can treat or prevent COVID-19. On the latest episode of the Ad Law Access Podcast, partner Kristi Wolff discusses the importance of keeping the current pandemic context in mind when making health claims more generally.

Listen on Apple, Google, Soundcloud, Spotify, or wherever you get your podcasts.

For more information on these and other topics, visit:

Ad Law Access Podcast

The FTC and FCC have taken a number of actions to stem unlawful robocalls generally and, during the COVID-19 pandemic, to stem harmful and deceptive calls that seek to exploit the COVID-19 crisis. Even amid the backdrop of their long-standing commitment, the agencies’ most recent action stands out as an aggressive new approach to unlawful calls. On April 3, 2020, the enforcement arms of each agency jointly sent warning letters to three Voice over Internet Protocol (“VoIP”) service providers allegedly facilitating the transmission of international scam telemarketing calls originating overseas. The letters make an unprecedented demand:  block the traffic of specific allegedly unlawful actors or have all of your traffic blocked by other carriers. In this post, we’ll take a look at this new approach, and discuss its relationship to the broader provisions of the Telephone Robocall Abuse Criminal Enforcement Act (“TRACED Act”), which institutes a number of measures designed to combat illegal robocalls.

The Warning Letters

The agencies identified the three VoIP gateway providers as the sources of the illegal calls through the efforts of the USTelecom Industry Traceback Group, a consortium of phone companies that help officials identify potentially unlawful calls. The phone companies used a process known as “traceback,” in which they share information to trace unlawful spoofed robocalls to their origination.

In the letters, the agencies reminded the companies that the COVID-19 scam robocalls are in fact illegal and directed them to cease transmitting the traffic immediately, as the calls have “the potential to inflict severe harm on consumers.” The letters warned the companies that if they did not stop transmitting the identified traffic within 48 hours, the FCC would authorize other U.S. voice providers to block all calls from the companies and take any other steps necessary to prevent transmission of the calls. The agencies also sent a separate letter to USTelecom advising the trade association that, if the VoIP providers do not block the traffic, the FCC will authorize other U.S. service providers to block all calls coming from that gateway and will take other actions as necessary to authorize U.S. service providers to block traffic from the originating entities. In addition, the FCC encouraged other service providers to take immediate action to block unlawful calls pursuant to existing legal authority.

This action is a significant – and significantly aggressive – new approach by the agencies. While both agencies have taken actions to prevent and deter unlawful robocalls, the threat to block traffic from the originating carrier is a new tactic in the fight against unlawful calls. Notably, it is not clear under what authority the FCC can or would order the blocking of all traffic from the subject VoIP gateway providers if they failed to block the allegedly unlawful robocalls. The letter does not cite any provision of the Communications Act that would authorize such blocking. Moreover, existing FCC orders relating to call blocking have authorized only limited call blocking practices that were optional for the carriers. Were the FCC to order such blocking (and to make it mandatory), it appears that such action would be the first of its kind by the agency.

Briefly, we will review the agencies’ recent history with anti-robocall activities.

The Educare Services Enforcement Action and Prior FTC Warning Letters

In the three letters to the VoIP gateway providers, the FCC and FTC reference the FTC’s recent enforcement action against VoIP provider Globex Telecom. This action relied upon provisions of the FTC’s Telemarketing Sales Rule (“TSR”), which addresses calls made for a telemarketing purpose. In December 2019, the FTC obtained a preliminary injunction against Educare Services and Globex Telecom Inc. for robocalling consumers to promote allegedly fraudulent credit card interest rate reduction services. The FTC complaint alleges that Globex played a key role in “assisting and facilitating” the illegal credit card interest rate reduction services Educare promoted by providing Educare with the means to call consumers via interconnected VoIP communication services and facilities. For a VoIP company to be liable under a TSR “assisting and facilitating” theory, the FTC must prove that the company “knew or consciously avoided knowing” the robocall campaigns violated the TSR.

A week before the joint letters, the FTC sent letters to nine VoIP service providers and other companies warning them that “assisting and facilitating” in the transmission of illegal COVID-19-related telemarketing or robocalls is unlawful. The agency also sent letters to nineteen VoIP service providers in January with a similar warning about all illegal robocalls.

FCC TRACED Act Implementation and the STIR/SHAKEN Mandate

Like the FTC, the FCC recently shifted its focus in robocall enforcement towards the originating carriers. On February 4, 2020, the FCC’s Enforcement Bureau sent letters to seven VoIP gateway service providers, notifying them that unlawful robocalls had been traced to their networks and asking for their assistance in tracking down the originators of the calls. Although no enforcement action was threatened at the time, the FCC also asked each provider to detail their anti-robocall efforts to the Commission.

More recently, the FCC took several steps in implementing the TRACED Act, which requires the FCC to initiate several near-term rulemakings and other actions aimed at addressing unlawful spoofing and robocalling operations. On March 27, the agency adopted a Report and Order and Further Notice of Proposed Rulemaking establishing rules for the registration of a single consortium to conduct private-led “traceback” efforts, which is expected to formalize the relationship with the USTelecom Industry Traceback Group. Additionally, on March 31, the FCC adopted a separate Report and Order and Further Notice of Proposed Rulemaking mandating that originating and terminating voice service providers implement the STIR/SHAKEN framework in the IP portions of their networks by June 30, 2021. STIR/SHAKEN—the technology framework behind the “traceback” process—allows providers to verify that the caller ID information transmitted with a particular call matches the caller’s number as the calls are passed from carrier to carrier. FCC Chairman Pai previously urged major providers to adopt STIR/SHAKEN technology voluntarily and warned that the voluntary approach would become a mandate if the providers did not move fast enough. Still to come are comments on a “know your customer” obligation for service providers and rules to deny access to numbering resources to originators of unlawful calls.

As we have previously noted, the TRACED Act also requires the implementation of an alternative call authentication framework in non-IP networks, extends the FCC’s statute of limitations for bringing some illegal robocall enforcement actions, and eliminates the requirement to give warnings before issuing certain filings.

Takeaways

These letters, coupled with the recent activity by the FTC and FCC to combat illegal robocalls, signal the agencies’ desire to cause a meaningful reduction in unlawful calling, and in particular, demonstrate a desire to prevent scammers from taking advantage of the COVID-19 crisis to carry out their deceptions. Both agencies can seek civil penalties and take other actions necessary to prevent the proliferation of these calls.

Importantly, the targets of agency action are not necessarily limited to the entities that place the unlawful calls. These federal actions are a good reminder for VoIP and other service providers to assess whether their customers’ practices may indicate unlawful use of VoIP or other services. With the warning letters, and now these blocking letters, the FCC and FTC increasingly are showing an openness to pursuing penalties under vicarious liability theories. If there are facts that support knowledge of the unlawful activity or “red flag” type practices (such as a customer being the target of multiple third party government subpoenas, among other facts), that’s a good indication that further steps by the VoIP provider may be warranted to mitigate the risk of facing an enforcement action by the FTC or FCC. If you have questions about how these enforcement trends and related risk factors are relevant to your business, please contact your Kelley Drye counsel.

Few businesses are immune from the economic effects of the coronavirus pandemic, but among those that have been hit the hardest are businesses involved with sports, concerts, performances, and other live events. According to StubHub, more than 23,000 events have been canceled, rescheduled, or postponed over the past few weeks in the US alone.

As consumers look for refunds, many businesses are reviewing their policies to determine whether there are creative ways they can stop cash from going out the door. On March 12, for example, StubHub announced that consumers had the option of either getting a refund for a cancelled event or a coupon for 120% of the original ticket price. Apparently, the option was well-received, and many consumers opted for the coupon.

On March 25, StubHub changed the terms of its policy and limited the availability of the option, stating that “if the event is canceled and not rescheduled, you will get a refund or credit for use on a future purchase, as determined in StubHub’s sole discretion (unless a refund is required by law).” Other communications omitted that parenthetical, suggesting that all consumers would get a coupon, rather than a refund.

It only took about a week for the first lawsuit to be filed. In a class action filed in Wisconsin federal court, a plaintiff argues that by retroactively changing its refund policy, StubHub breached its contract with consumers and violated California false advertising laws. Among other things, the plaintiff is asking for refunds for class members, which could exceed $5 million.

Lawmakers are looking at this, too. In February, the House Energy and Commerce Committee invited representatives from six companies to a hearing to discuss issues in the live event ticket industry. And this month, Committee Chairman Frank Pallone called on companies in the industry “to fully reimburse all consumers affected by canceled or postponed events,” rather than issue credits.

Although it’s too early to tell how this issue will play out, there is likely to be scrutiny on how companies handle refunds across a range of industries. If you are considering changes to your refund policy, think carefully about what promises you’ve made to consumers and whether your terms provide flexibility for changes. Saving money on refunds can be a good thing, but those savings have to be balanced against the legal and reputational costs of a bad decision.

Effective March 21, 2020, the New York SHIELD Act imposes data security requirements on most businesses that own or license computerized data that includes the “private information” (defined below) of New York residents. In sum, such businesses must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information. Many businesses likely already comply with these requirements, but statutes like the SHIELD Act provide a good reminder to review your data security program and confirm that you have everything squared away.

The SHIELD Act requires that businesses develop, implement, and maintain the following safeguards, at a minimum:

  • Reasonable Administrative Safeguards: Such safeguards should include the following: (1) designate one or more employees to coordinate the security program; (2) identify reasonably foreseeable internal and external risks; (3) assess the sufficiency of safeguards in place to control the identified risks; (4) train and manage employees in the practices and procedures of the security program; (5) select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract; and (6) adjust the security program in light of business changes or new circumstances.
  • Reasonable Technical Safeguards: Such safeguards should include the following: (1) assess risks in network and software design; (2) assess risks in information processing, transmission, and storage; (3) detect, prevent, and respond to attacks or system failures; and (4) regularly test and monitor the effectiveness of key controls, systems, and procedures.
  • Reasonable Physical Safeguards: Such safeguards should include the following: (1) assess risks of information storage and disposal; (2) detect, prevent, and respond to intrusions; (3) protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and (4) dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

“Private information” includes (1) Social Security numbers; (2) driver’s license numbers; (3) biometric information; (4) account numbers or credit or debit card numbers if they can be used to access an individual’s financial account; (5) account numbers or credit or debit card numbers in combination with security codes, access codes, or passwords that permit access to an individual’s financial account; and (6) usernames or email addresses in combination with a password or security question and answer that would permit access to an online account.

Businesses that follow the data security requirements in HIPAA, GLBA, the New York Department of Financial Services Cybersecurity Regulation, or any other New York statute or rule are not required to comply with the Act. A “small business” with fewer than 50 employees, less than $3 million in gross annual revenue, or less than $5 million in total assets, may also scale down its compliance program.

Breach Notification: Effective October 23, 2019, the SHIELD Act also made a number of edits to the New York data breach notification statute. Those edits included expanding the definition of “private information” to include biometric information and account credentials (following a trend we have seen with other states), prescribing additional content requirements for the individual and regulator notices, increasing the penalty caps to $20 per instance of failed notification (i.e., $20 per individual) up to $250,000, and extending the statute of limitations for regulator actions from two to three years. The statute does not expressly create a private right of action.