FDA and FTC Joint Warning Letters Target Amazon Affiliates Making False COVID-19 ClaimsEarlier this week, federal regulators continued their efforts to combat the spread of products featuring allegedly false and misleading claims that products can diagnose, treat, cure, or prevent COVID-19.  In warning letters issued to CBD Gaze, Alternavita, Musthavemom.com, and Careful Cents LLC, the agencies identify the respective recipients as participants in the Amazon Affiliate program.  Amazon Affiliates are marketers who earn commissions by promoting products sold on Amazon.  The letters state that the products at issue, which include essential oils, grapefruit seed extracts, cod liver oil, and others, feature false treatment and prevention claims such as the following:

  • CBD Gaze:  “Find the best CBD Oil to help fight Coronavirus.”
  • Alternavita:  “4 Proven Ways To Protect Yourself Against Coronavirus,” you represent that “Everyone is concerned about Coronavirus and looking for ways to protect themselves,” and then state the following:

“Grapefruit Seed Extract If you want a little extra daily protection GSE is a safe antibiotic . . . [Amazon associate link].”

  • Musthavemom.com:  “NATURAL REMEDIES FOR CORONAVIRUS. . .There are plenty of things you can do to boost your immune system and fight off any virus including coronavirus. Here are a few!”  … “2. Vitamin D . . . This important vitamin plays a crucial role in immune health. Being deficient in Vitamin D can increase your risk of infection. I recommend this brand of Vitamin D [Amazon associates link] and starting at a minimum dose of 5,000 IU.” [from your website https://musthavemom.com/coronavirus-prevention-treatment-plan/]
  • Careful Cents LLC:  “How to Boost Your Immune System Naturally With Essential Oils to Fight Coronavirus” you state: “Can you use essential oils to boost your immune system and fight coronavirus? Yes! Essential oils are one of the best tools to strengthen your immune system naturally . . .”

The letters state that the products are unapproved new drugs and misbranded pursuant to the Food Drug and Cosmetic Act.  Causing the introduction or delivery for introduction of these products into interstate commerce is prohibited under sections 301(a) and (d) of the FD&C Act, 21 U.S.C. § 331(a) and (d).  The letters also state that “it is unlawful under the FTC Act, 15 U.S.C. 41 et seq., to advertise that a product can prevent, treat, or cure human disease unless you possess competent and reliable scientific evidence, including, when appropriate, well-controlled human clinical studies, substantiating that the claims are true at the time they are made.  For COVID-19, no such study is currently known to exist for the product identified above.  Thus, any coronavirus-related prevention or treatment claims regarding such product are not supported by competent and reliable scientific evidence.”

What’s the lesson?  The difference between these letters and the warning letters that FDA and the FTC issued earlier this year is that these are targeted not to the company making the product or even the retail platform on which they are sold.  They were sent to the middleman marketer, who likely does not produce or possess the product, but who is promoting and profiting from its sale.  This is consistent with the FTC’s letters to product influencers in other marketing contexts but is a departure from FDA’s typical enforcement approach.  Although we have seen FDA pursue retailers (particularly online ones), FDA has not made pursuit of marketing affiliates a priority.  Clearly, regulators want affiliate marketers (Amazon or otherwise) to understand that they are not immune from enforcement if they are making aggressive or unsubstantiated health claims.

Ad Law Access Podcast


Democrats Release Their Own COVID-19 Privacy LegislationFollowing the Republican-sponsored COVID-19 Consumer Data Protection Act of 2019, Democratic legislators recently introduced the Public Health Emergency Privacy Act. Senators Richard Blumenthal and Mark Warner of Connecticut and Virginia, respectively, and a group of Democratic Representatives, including Jan Schakowsky of Illinois and Anna Eshoo of California, introduced the measure.

While both measures similarly require “affirmative express consent” prior to most processing of personal information for COVID-19 purposes, notice prior to using the data, reporting requirements, and destruction after data use, the bills vary in many other respects. Some differences between the Republican and Democratic bills include preemption, enforcement authority, and civil and voting rights protections.

Perhaps the most material distinctions focus on preemption and enforcement – a common theme in federal privacy legislation. These areas continue to be sticking points between the parties in discussions regarding privacy legislation. While both measures allow for FTC and state attorney general enforcement, the Democrats’ bill also provides for a private cause of action, which would allow for damages between $100 and $1000 per negligent violation, and $500 and $5000 per reckless, willful, or intentional violation. And while the Republican measure expressly preempts any similar state measure, the Democratic measure expressly does not.

The Democratic measure also addresses other concerns regarding using health data for COVID-19 purposes where the Republican bill is silent. Specifically, the Democrats’ bill expressly prohibits the use of emergency health data for advertising or discriminatory purposes. The bill also requires the Secretary of Health and Human Services to work with both the U.S. Commission on Civil Rights and the FTC to submit a report examining how the collection, use, and disclosure of COVID-19 health information impacts civil rights issues.

In addition, the Democrats’ bill prevents government entities from restricting the right to vote based on an individual’s: (1) participation or non-participation in a program to collect emergency health data; (2) medical condition; or (3) emergency health data itself.

As with Congress’s debate over comprehensive federal privacy legislation, COVID-19 privacy legislation may come down to similar disputes over enforcement and preemption. Whether the parties will be able to agree on these issues as they apply in a more limited capacity remains to be seen.

Advertising and Privacy Law Resource Center

In light of concerns associated with attempts to use personal data to track the spread of COVID-19, a group of Republican Senators, led by Mississippi Senator Roger Wicker, introduced the COVID-19 Consumer Data Protection Act of 2020 today.

The bill imposes specific requirements on entities seeking to process precise geolocation data, proximity data, persistent identifiers, and personal health information (together, “covered data”) in association with COVID-19 mitigation efforts. Among other things, the Act would require:

  • Notice/Consent: Prior notice and affirmative express consent for the collection, processing, or transfer of covered data to track COVID-19, monitor social distancing compliance, or for COVID-19 contact tracing purposes;
  • Opt Out Rights: Giving individuals the right to opt out of such processing;
  • Deletion Rights: Deleting or de-identifying all covered data once the entity is no longer using it;
  • Data Processing Restrictions: A public commitment to limit the processing of the data, unless certain exceptions apply;
  • Notice: Posting a clear and conspicuous privacy policy within 14 days of the Act’s enactment that provides information about data transfers, data retention practices, and data security practices; and
  • Accountability: During the public health emergency, providing a bi-monthly public report identifying the aggregate number of individuals from whom the covered entity has collected, processed, or transferred covered data for COVID-19 purposes with additional detail about how and why that information was used.

The bill also requires covered entities to engage in data accuracy (including allowing the individual to report inaccuracies), data minimization, and data security practices. The FTC has enforcement authority under the bill and would also be required to release data minimization guidelines in relation to COVID-19 processing.

Separately, the bill explicitly exempts covered entities from requirements under the Communications Act or regulations in relation to this processing. The bill also preempts any similar state law, although state attorneys general have enforcement authority along with the FTC.

Whether Congress will pass the measure is unclear, as Democrats and public interest organizations have voiced concerns about the bill. Still, assuming Congress can agree, it’s worth monitoring to see whether the measure may be included in any upcoming COVID-19 relief bill.

Advertising and Privacy Law Resource Center

Ad Law Access Podcast - Health Claims in the Context of COVID-19

The FTC recently sent warning letters to companies for falsely claiming that their products can treat or prevent COVID-19. On the latest episode of the Ad Law Access Podcast, partner Kristi Wolff  discusses the importance of keeping the current pandemic context in mind when making health claims more generally.

Listen on AppleGoogleSoundcloudSpotify, or wherever you get your podcasts.

For more information on these and other topics, visit:

Ad Law Access Podcast


The FTC and FCC have taken a number of actions to stem unlawful robocalls generally and, during the COVID-19 pandemic, to stem harmful and deceptive calls that seek to exploit the COVID-19 crisis. Even amid the backdrop of their long-standing commitment, the agencies’ most recent action stands out as an aggressive new approach to unlawful calls. On April 3, 2020, the enforcement arms of each agency jointly sent warning letters to three Voice over Internet Protocol (“VoIP”) service providers allegedly facilitating the transmission of international scam telemarketing calls originating overseas. The letters make an unprecedented demand:  block the traffic of specific allegedly unlawful actors or have all of your traffic blocked by other carriers. In this post, we’ll take a look at this new approach, and discuss its relationship to the broader provisions of the Telephone Robocall Abuse Criminal Enforcement Act (“TRACED Act”), which institutes a number of measures designed to combat illegal robocalls.

The Warning Letters

The agencies identified the three VoIP gateway providers as the sources of the illegal calls through the efforts of the USTelecom Industry Traceback Group, a consortium of phone companies that help officials identify potentially unlawful calls. The phone companies used a process known as “traceback,” in which they share information to trace unlawful spoofed robocalls to their origination.

In the letters, the agencies reminded the companies that the COVID-19 scam robocalls are in fact illegal and directed them to cease transmitting the traffic immediately, as the calls have “the potential to inflict severe harm on consumers.” The letters warned the companies that if they did not stop transmitting the identified traffic within 48 hours, the FCC would authorize other U.S. voice providers to block all calls from the companies and take any other steps necessary to prevent transmission of the calls. The agencies also sent a separate letter to USTelecom advising the trade association that, if the VoIP providers do not block the traffic, the FCC will authorize other U.S. service providers to block all calls coming from that gateway and will take other actions as necessary to authorize U.S. service providers to block traffic from the originating entities. In addition, the FCC encouraged other service providers to take immediate action to block unlawful calls pursuant to existing legal authority.

This action is a significant – and significantly aggressive – new approach by the agencies. While both agencies have taken actions to prevent and deter unlawful robocalls, the threat to block traffic from the originating carrier is a new tactic in the fight against unlawful calls. Notably, it is not clear under what authority the FCC can or would order the blocking of all traffic from the subject VoIP gateway providers if they failed to block the allegedly unlawful robocalls. The letter does not cite any provision of the Communications Act that would authorize such blocking. Moreover, existing FCC orders relating to call blocking have authorized only limited call blocking practices that were optional for the carriers. Were the FCC to order such blocking (and to make it mandatory), it appears that such action would be the first of its kind by the agency.

Briefly, we will review the agencies’ recent history with anti-robocall activities.

The Educare Services Enforcement Action and Prior FTC Warning Letters

In the three letters to the VoIP gateway providers, the FCC and FTC reference the FTC’s recent enforcement action against VoIP provider Globex Telecom. This action relied upon provisions of the FTC’s Telemarketing Sales Rule (“TSR”), which addresses calls made for a telemarketing purpose. In December 2019, the FTC obtained a preliminary injunction against Educare Services and Globex Telecom Inc. for robocalling consumers to promote allegedly fraudulent credit card interest rate reduction services. The FTC complaint alleges that Globex played a key role in “assisting and facilitating” the illegal credit card interest rate reduction services Educare promoted by providing Educare with the means to call consumers via interconnected VoIP communication services and facilities. For a VoIP company to be liable under a TSR “assisting and facilitating” theory, the FTC must prove that the company “knew or consciously avoided knowing” the robocall campaigns violated the TSR.

A week before the joint letters, the FTC sent letters to nine VoIP service providers and other companies warning them that “assisting and facilitating” in the transmission of illegal COVID-19-related telemarketing or robocalls is unlawful. The agency also sent letters to nineteen VoIP service providers in January with a similar warning about all illegal robocalls.

FCC TRACED Act Implementation and the STIR/SHAKEN Mandate

Like the FTC, the FCC recently shifted its focus in robocall enforcement towards the originating carriers. On February 4, 2020, the FCC’s Enforcement Bureau sent letters to seven VoIP gateway service providers, notifying them that unlawful robocalls had been traced to their networks and asking for their assistance in tracking down the originators of the calls. Although no enforcement action was threatened at the time, the FCC also asked each provider to detail their anti-robocall efforts to the Commission.

More recently, the FCC took several steps in implementing the TRACED Act, which requires the FCC to initiate several near-term rulemakings and other actions aimed at addressing unlawful spoofing and robocalling operations. On March 27, the agency adopted a Report and Order and Further Notice of Proposed Rulemaking establishing rules for the registration of a single consortium to conduct private-led “traceback” efforts, which is expected to formalize the relationship with the USTelecom Industry Traceback Group. Additionally, on March 31, the FCC adopted a separate Report and Order and Further Notice of Proposed Rulemaking mandating that originating and terminating voice service providers implement the STIR/SHAKEN framework in the IP portions of their networks by June 30, 2021. STIR/SHAKEN—the technology framework behind the “traceback” process—allows providers to verify that the caller ID information transmitted with a particular call matches the caller’s number as the calls are passed from carrier to carrier. FCC Chairman Pai previously urged major providers to adopt STIR/SHAKEN technology voluntarily and warned that the voluntary approach would become a mandate if the providers did not move fast enough. Still to come are comments on a “know your customer” obligation for service providers and rules to deny access to numbering resources to originators of unlawful calls.

As we have previously noted, the TRACED Act also requires the implementation of an alternative call authentication framework in non-IP networks, extends the FCC’s statute of limitations for bringing some illegal robocall enforcement actions, and eliminates the requirement to give warnings before issuing certain filings.


These letters, coupled with the recent activity by the FTC and FCC to combat illegal robocalls, signal the agencies’ desire to cause a meaningful reduction in unlawful calling, and in particular, demonstrate a desire to prevent scammers from taking advantage of the COVID-19 crisis to carry out their deceptions. Both agencies can seek civil penalties and take other actions necessary to prevent the proliferation of these calls.

Importantly, the targets of agency action are not necessarily limited to the entities that place the unlawful calls. These federal actions are a good reminder for VoIP and other service providers to assess whether their customers’ practices may indicate unlawful use of VoIP or other services. With the warning letters, and now these blocking letters, the FCC and FTC increasingly are showing an openness to pursuing penalties under vicarious liability theories. If there are facts that support knowledge of the unlawful activity or “red flag” type practices (such as a customer being the target of multiple third party government subpoenas, among other facts), that’s a good indication that further steps by the VoIP provider may be warranted to mitigate the risk of facing an enforcement action by the FTC or FCC. If you have questions about how these enforcement trends and related risk factors are relevant to your business, please contact your Kelley Drye counsel.

Few businesses are immune from the economic effects of the coronavirus pandemic, but among those that have been hit the hardest are business involved with sports, concerts, performances, and other live events. According to StubHub, more than 23,000 events have been canceled, rescheduled, or postponed over the past few weeks in the US alone.

As consumers look for refunds, many businesses are reviewing their policies to determine whether there are creative ways they can stop cash from going out the door. On March 12, for example, StubHub announced that consumers had the option of either getting a refund for a cancelled event or a coupon for 120% of the original ticket price. Apparently, the option was well-received, and many consumers opted for the coupon.

On March 25, StubHub changed the terms of its policy and limited the availability of the option, stating that “if the event is canceled and not rescheduled, you will get a refund or credit for use on a future purchase, as determined in StubHub’s sole discretion (unless a refund is required by law).” Other communications omitted that parenthetical, suggesting that all consumers would get a coupon, rather than a refund.

It only took about a week for the first lawsuit to be filed. In a class action filed in Wisconsin federal court, a plaintiff argues that by retroactively changing its refund policy, StubHub breached its contract with consumers and violated California false advertising laws. Among other things, the plaintiff is asking for refunds for class members, which could exceed $5 million.

Lawmakers are looking at this, too. In February, the House Energy and Commerce Committee invited representatives from six companies to a hearing to discuss issues in the live event ticket industry. And this month, Committee Chairman Frank Pallone called on companies in the industry “to fully reimburse all consumers affected by canceled or postponed events,” rather than issue credits.

Although it’s too early to tell how this issue will play out, there is likely to be scrutiny on how companies handle refunds across a range of industries. If you are considering changes to your refund policy, think carefully about what promises you’ve made to consumers and whether your terms provide flexibility for changes. Saving money on refunds can be a good thing, but those savings have to be balanced against the legal and reputational costs of a bad decision.

Effective March 21, 2020, the New York SHIELD Act imposes data security requirements on most businesses that own or license computerized data that includes the “private information” (defined below) of New York residents. In sum, such businesses must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information. Many businesses likely already comply with the these requirements, but statutes like the SHIELD Act provide a good reminder to review your data security program and confirm that you have everything squared away.

The SHIELD Act requires that businesses develop, implement, and maintain the following safeguards, at a minimum:

  • Reasonable Administrative Safeguards: Such safeguards should include the following: (1) designate one or more employees to coordinate the security program; (2) identify reasonably foreseeable internal and external risks; (3) assess the sufficiency of safeguards in place to control the identified risks; (4) train and manage employees in the practices and procedures of the security program; (5) select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract; and (6) adjust the security program in light of business changes or new circumstances.
  • Reasonable Technical Safeguards: Such safeguards should include the following: (1) assess risks in network and software design; (2) assess risks in information processing, transmission, and storage; (3) detect, prevent, and respond to attacks or system failures; and (4) regularly test and monitor the effectiveness of key controls, systems, and procedures.
  • Reasonable Physical Safeguards: Such safeguards should include the following: (1) assess risks of information storage and disposal; (2) detect, prevent, and respond to intrusions; (3) protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and (4) dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

“Private information” includes (1) Social Security numbers; (2) driver’s license numbers; (3) biometric information; (4) account numbers or credit or debit card numbers if they can be used to access an individual’s financial account; (5) account numbers or credit or debit card numbers in combination with security codes, access codes, or passwords that permit access to an individual’s financial account; and (6) usernames or email addresses in combination with a password or security question and answer that would permit access to an online account.

Businesses that follow the data security requirements in HIPAA, GLBA, the New York Department of Financial Services Cybersecurity Regulation, or any other New York statute or rule are not required to comply with the Act. A “small business” with fewer than 50 employees, less than $3 million in gross annual revenue, or less than $5 million in total assets, may also scale down its compliance program.

Breach Notification: Effective October 23, 2019, the SHIELD Act also made a number of edits to the New York data breach notification statute. Those edits included expanding the definition of “private information” to include biometric information and account credentials (following a trend we have seen with other states), prescribing additional content requirements for the individual and regulator notices, increasing the penalty caps to $20 per instance of failed notification (i.e., $20 per individual) up to $250,000, and extending the statute of limitations for regulator actions from two to three years. The statute does not expressly create a private right of action.

The COVID-19 pandemic continues to have far-reaching effects on businesses and consumers everywhere.  While many states are taking broadly consistent approaches on certain issues (e.g., price gouging, non-essential business closures), one area where we’ve seen significant divergence involves regulation of collection efforts – both by first party creditors and debt collectors.  In an effort to protect consumers who may themselves be experiencing financial distress, some states have imposed new, stringent restrictions to prevent businesses from engaging in certain collection activities.

For example, Massachusetts issued an emergency regulation that prohibits creditors from making unsolicited debt collection telephone calls to Massachusetts consumers for the next 90 days, unless the state of emergency ends before that time.  The regulation also prohibits collectors from

  • filing any new collection lawsuit;
  • garnishing wages, earnings, properties or funds;
  • repossessing vehicles;
  • applying for or serving a capias warrant;
  • visiting or threatening to visit the household of a debtor;
  • visiting or threatening to visit the place of employment of a debtor;
  • confronting or communicating in person with a debtor regarding the collection of a debt in any public place.

Nevada went a step further by requiring all collection efforts with Nevada consumers to cease until April 16, 2020, although its directive only applies to collection agencies holding a license or certificate and located out-of-state.  Other states such as California, New York, and Illinois have expressly stated that collection agencies and debt buyers are non-essential businesses, but have not sought to impose  additional restrictions on activities that can occur remotely consistent with other federal and state laws.

First-party collectors and debt collectors should consider the Massachusetts and Nevada initiatives before contacting consumers in those states, and continue to monitor whether other states follow suit with similar restrictions.

As localities order people to stay at home and non-essential businesses to close, consumers are turning to online options.  Although you might welcome the traffic, you might also be facing unexpected challenges like a reduced work force, supply chain disruptions, manufacturing shifts from regular inventory to medical necessities, and other hurdles that can cause shipping delays.  As you scramble to fulfill those orders, remember that under the FTC’s Mail Order Rule, you need a reasonable basis for any shipping representations and any delays may trigger obligations to notify purchasers and sometimes even cancel and refund orders.

Representations About Shipping Dates
The Mail Order Rule requires that when you advertise merchandise, you must have a reasonable basis for representations about timing for shipping. If you provide no shipping date, you must have a reasonable basis for believing that you can ship within 30 days.  Particularly in these times of uncertainty, companies may choose to use a shipping date that is further out than what they would reasonably anticipate in typical circumstances.

Initial Delay Notice
If you cannot ship the merchandise by the promised time frame or within 30 days, you must notify the customer and give the option to cancel the order and obtain a full and prompt refund.

If you know when you can expect to ship the merchandise, the initial delay notice must contain: (1) the revised shipping date; (2) the customer’s ability to cancel for a full refund; and (3) a statement that a customer’s non-response is a consent to the delay.

If you cannot provide a revised shipping date, the initial delay notice must contain: (1) the reason for the delay and (2) a statement that, if the customer agrees to the indefinite delay, the customer may cancel the order any time before shipment.

Subsequent Delay Notices
Given the current unpredictability around supply chains and distributions, companies may be unable to ship by the date included in the initial delay notice.  If that occurs, prior to that date, you must send a “renewed” delay notice.  Although this notice must include much of the same information as the initial delay notice, a customer must expressly consent to further delay.

A renewed delay option must include information about: (1) a revised shipping date; (2) the customer’s ability to cancel for a full refund; and (3) a statement that, unless the customer agrees to wait beyond the most recent definite revised shipment date and the company has not shipped by then, you will automatically cancel the order and issue a prompt refund.

If you cannot provide a new definite revised shipping date, the notice must include: (1) the reason for the delay; and (2) a statement that, if the customer agrees to the indefinite delay, the customer may cancel the order any time until shipment.

Instead of sending a delay notification, you can cancel the order and send a refund, as long as you notify the customer and send the refund within the time you would have sent the consent notification.

Exemptions to the Rule
Not all merchandise is subject to the Mail Order Rule.  For example, products such as monthly gift clubs, subscription boxes, and magazine subscriptions are exempt, although because the FTC could still challenge practices allegedly unfair or deceptive, we recommend taking reasonable steps to notify consumers about shipping delays and to offer options for cancellation and perhaps a refund.

The FTC can extract large civil penalties for violations of the Mail Order Rule: up to $43,280 per violation plus consumer redress.  For example, in FTC v. DiscountMetalBrokers, Inc., a court ordered DiscountMetalBrokers to pay over $6 million for violations of the FTC Act and the Mail Order Rule.  The FTC has also levied fines of over $800,000 in settlements related to alleged Mail Order Rule violations.

*          *          *

The Mail Order Rule imposes very specific requirements that companies should navigate carefully, COVID-19 or not.  As companies face shipping and distribution disruptions, appropriate notice to customers as delays become known will avoid Mail Order Rule violations and enforcement.

For other helpful information during this pandemic, visit our COVID-19 Resource Center.

As the novel coronavirus (COVID-19) has reached pandemic levels, companies of all sizes and in all industries face myriad impacts to business operations and the health and well-being of employees.

To help clients navigate these new challenges, including the unpredictability of any outbreak-related business disruption, Kelley Drye has compiled a free resource center to help businesses navigate this uncertain environment.

Check it out for articles, webinars, and blog posts that cover a range of topics, including the following:

  • Legal exposure due to business interruptions and unsatisfied contracts, including counsel on contractual obligations, especially for significant business concerns.
  • Supply chain disruptions that are impacting the manufacture of consumer goods forcing manufacturers to seek alternative product sources that meet U.S. consumer regulations.
  • All types of employment issues, including how to communicate to your employees, managing affected employees, remote work policies, privacy of record and employee travel, among other pressing issues.
  • Evaluating disruptions to trading and markets, M&A/corporate transactions, commercial contracts, corporate governance (contingency planning for annual meetings) and disclosures for publicly traded companies.
  • Monitoring the federal government’s efforts to address these issues, as well as emerging issues that businesses may face.

We are updating the COVID-19 Resource Center as events unfold, so check back regularly.