This week, the FTC announced a settlement with VIZIO, Inc., one of the world’s largest manufacturers of “smart” TVs.  The settlement, also with the Office of the New Jersey Attorney General, arises from claims by regulators that VIZIO installed software that collected viewing data for 11 million consumer TVs without consent.  The $2.2 million settlement includes a payment of $1.5 million to the FTC as consumer redress, and $1 million to the New Jersey Division of Consumer Affairs, $300,000 of which is suspended.

In particular, the complaint alleged that VIZIO sold televisions that continuously track what consumers are watching and transmit that information through automated content recognition (“ACR”) software.  It also alleged that VIZIO remotely installed ACR software on previously-sold televisions that did not originally have ACR software installed at the time of purchase. VIZIO allegedly then shared that data and other data such as IP addresses with third parties for purposes of audience measurement, analyzing advertising effectiveness, and targeting advertising to particular consumers.

The complaint alleged three types of violations of the FTC Act and NJ Consumer Fraud Act:

  • Unfair Tracking: VIZIO’s collection and sharing of sensitive data without consumers’ consent is unfair, in that it has caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. According to the complaint, consumers do not expect that TV manufacturers would be engaged in tracking of their viewing data. The FTC complaint pointed, by way of example, to privacy protections for consumers’ viewing history under the Cable Privacy Act. 47 U.S.C. § 551.
  • Deceptive Omission: VIZIO failed to adequately disclose that the “Smart Interactivity” feature comprehensively collected and shared consumers’ television viewing activity from cable boxes, DVRs, streaming devices, and airwaves, which Defendants then provided on a household-by-household basis to third parties. The complaint alleged that VIZIO’s representations were not sufficiently clear or prominent to alert consumers to their practices related to data collection and sale of licenses. In particular:
    • Purchasers of TVs with ACR tracking pre-installed received no onscreen notice of the collection of viewing data.
    • Consumers who received the update to install ACR received a pop-up notification, but that notification provided no information about the collection of viewing data or ACR software, and it did not directly link to the settings menu or a privacy policy.
    • In March 2016, VIZIO sent a pop-up notification that referenced television viewing data, but that notification timed out after 30 seconds without input from the consumer who happened to be viewing the screen at the time and did not provide easy access to the settings menu.
    • VIZIO televisions with ACR tracking had a setting called “Smart Interactivity” with the description “Enables program offers and suggestions,” but the description did not include information about the collection of viewing data.
  • Deceptive Representation: The complaint alleged that VIZIO represented expressly or by implication that it would provide program offers and suggestions to consumers with “Smart Interactivity” enabled on their televisions, but it has not done so for more than two years.

All three commissioners at the time, including former Chairwoman Edith Ramirez and new Acting Chairwoman Maureen Ohlhausen, voted in favor of the complaint and proposed order. Acting Chairwoman Ohlhausen issued a concurring opinion. In her concurring opinion, Acting Chairwoman Ohlhausen reiterated the FTC’s concern as to Count II (deceptive omission).  However, she expressed concern as to the implications of the unfairness claim in Count I, which, she argued, alleged for the first time that household or individual television viewing activity is sensitive personal information.   She announced plans to launch an effort to further examine what constitutes “substantial injury” in the context of information about consumers.

This case is yet another example of enforcement action alleging privacy violations for “smart” technology. We will continue to monitor developments in this space, particularly in light of the new administration and Acting Chairwoman Ohlhausen’s new leadership.

On January 16, 2017, the Article 29 Working Party (“Working Party”)—the EU’s central data protection advisory board—published a press release regarding its Action Plan for 2017, which was adopted as part of its wider implementation strategy for the General Data Protection Regulation (“GDPR”).  The Action Plan follows up on the actions initiated in 2016 and outlines the priorities and objectives for the year to come in anticipation of the entry into force of the GDPR in May 2018.

In 2017, the Working Party commits to continue and/or finalize work on several key issues:

  • Guidelines on certification and processing likely to result in a high risk and Data Protection Impact Assessments (“DPIA”);
  • Administrative fines;
  • Setting up the administration of the European Data Protection Board (“EDPB”) structure; and
  • Preparation of the one-stop shop and the EDPB consistency mechanism.

New work priorities and objectives for 2017 include:

  • Guidelines on the topics of consent and profiling;
  • Guidelines on the issue of transparency; and
  • Update of existing opinions and guidance documents on data transfers to third countries and data breach notifications.

Moreover, the Working Party commits to continue consultation rounds and will invite relevant stakeholders to provide input on topics of interest.  During a “Fablab” workshop announced for April 5 and 6, stakeholders will have the opportunity to comment on the Working Party’s Action Plan. Non-EU counterparts will have an opportunity to exchange views on the Working Party’s GDPR implementation and the GDPR generally during an interactive workshop scheduled for May 18-19, 2017.

*           *           *

In other data protection news, on January 11, 2017 the U.S. and Switzerland signed a Privacy Shield Agreement recognizing the adequacy of U.S. data protection legislation in light of Swiss requirements.  Months earlier, on October 7, 2015, the Swiss Data Protection Commission stated that it would follow the Court of Justice of the European Union’s invalidation of the U.S. – EU Safe Harbor framework, and hence, a new framework was required.  Resembling the EU – U.S. Privacy Shield, the new Swiss – U.S. agreement enables certified companies to export data from Switzerland to the U.S. in compliance with Swiss data protection laws.  There are three notable differences between the EU – U.S. and Swiss – U.S. Privacy Shield frameworks:

| EU – U.S. Privacy Shield | Swiss – U.S. Privacy Shield |
| --- | --- |
| EU Data Protection Authority is cooperation and compliance authority | Swiss Federal Data Protection and Information Commissioner is cooperation and compliance authority |
| Sensitive data definition under Choice Principle | Modified sensitive data definition under Choice Principle includes ideological or trade union-related views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings |
| Binding arbitration option in place | Commerce to work with Swiss Government to put in place binding arbitration option at first annual review |

The new agreement replaces the existing U.S. – Swiss Safe Harbor Framework with immediate effect. The Department of Commerce will begin accepting self-certification applications on April 12, 2017.

Just over one week after being named acting chair of the Federal Trade Commission (FTC), Maureen Ohlhausen delivered the keynote address at the American Bar Association’s biennial Consumer Protection Conference in Atlanta on February 2.

During her remarks, acting chair Ohlhausen offered insight into consumer protection priorities during her tenure as acting chair.

First, acting chair Ohlhausen signaled the importance of the Agency focusing on stopping fraudulent schemes, especially those targeting vulnerable populations such as the elderly or military members.

Second, the acting chair noted that remedies sought in FTC cases should be more closely linked to actual, rather than speculative, consumer injury or harm, echoing her recent dissent in Qualcomm, and further posited that the FTC’s efforts in recent cases to collect disgorgement in non-fraud cases are inconsistent with prior FTC practice.  Specifically, the acting chair called into question the Agency’s practice of seeking disgorgement that is disproportionate to actual consumer injury.  As an example, she referred to her dissent in Uber, where she wrote that “I dissent from the complaint against Uber and the settlement resolving that complaint because the monetary settlement of $20 million is not tied to an estimate of consumer harm.”  And for privacy enforcement actions, she emphasized the need for “concrete injury” to justify agency action.

Third, acting chair Ohlhausen indicated a desire for the FTC to be more transparent about its investigation and enforcement matters.  She noted that there may be value in disclosing (without disclosing confidential information) details of investigations where the FTC closes an investigation without any enforcement action.  According to acting chair Ohlhausen, such transparency would help provide guidance to businesses about practices and policies that the Commission deems permissible, in addition to those that are not.  It is unclear how much additional information acting chair Ohlhausen envisions disclosing beyond information contained in Commission closing letters at present.

Also with respect to investigations, the acting chair signaled the need for the Agency to narrowly tailor investigative requests to only obtain information that is necessary and relevant to its investigations.  Recognizing the burden of overly broad information requests, she stated that “the FTC must remain able to collect the information we need to enforce the law, but I am certain that we can do this while reducing the burden on businesses, particularly third parties who are not under investigation.”

Although her remarks were brief, the acting chair’s address suggests a more restrained approach by the FTC than it has pursued in recent years.  Given the three open seats on the Commission yet to be filled, two by Republicans, and the future appointment of a permanent chairperson, more changes are a certainty.

Please join Kelley Drye in 2017 for the Advertising and Privacy Law Webinar Series. Like our annual in-person event, this series will provide engaging speakers with extensive experience and knowledge in the fields of advertising, privacy, and consumer protection. These webinars will give key updates and provide practical tips to address issues faced by counsel.

This webinar series will commence January 25 and continue the last Wednesday of each month, as outlined below.

January 25, 2017 | February 22, 2017 | March 29, 2017 | April 26, 2017 | June 28, 2017
July 26, 2017 | September 27, 2017 | October 25, 2017 | November 29, 2017

Kicking off the series will be a one-hour webinar on “Marketing in a Multi-Device World: Update on Cross Device Tracking” on January 25, 2017 at 12 PM ET. For more information and to register, please click here. CLE credit will be offered for this program.


On Monday, August 29, 2016, the Ninth Circuit Court of Appeals issued an opinion that may dramatically alter the boundaries between the Federal Trade Commission’s (FTC) and Federal Communications Commission’s (FCC) authority over phone companies, broadband providers, and other common carriers.  The Ninth Circuit dismissed a case that the FTC brought against AT&T over its practices in connection with wireless data services provided to AT&T’s customers with unlimited data plans.  The FTC had filed a complaint against AT&T for “throttling” the data usage of customers grandfathered into unlimited data plans.  Once customers had used a certain level of data, AT&T would dramatically reduce their data speed, regardless of network congestion.  The FTC asserted that AT&T’s imposition of the data speed restrictions was an “unfair act or practice,” and that AT&T’s failure to adequately disclose the policy was a “deceptive act or practice.”

The Ninth Circuit’s decision is the latest in a series of actions attempting to identify the jurisdiction over Internet access services and Internet-based services.  As providers and regulators have struggled to identify the proper regulations applicable to such services, the Ninth Circuit’s decision could force significant shifts by both the FTC and FCC for at least a large segment of the industry.

Background

At issue before the Ninth Circuit was the scope of the FTC Act’s exemption of “common carriers” from the FTC’s authority.  The FTC argued, and the trial court held, that the common carrier exemption only applied to the extent that the service in question is a common carrier service (i.e., an “activity-based” test that precluded FTC jurisdiction only where a common carrier is engaging in common carrier activities).  Because the service that the FTC challenged (wireless broadband Internet access service (“BIAS”)) was not a common carrier service at the time that the FTC brought its action against AT&T, the trial court held AT&T was not engaging in common carrier activity and therefore the FTC had authority to bring its lawsuit.

AT&T appealed the decision, arguing that the FTC Act’s exemption of common carriers should be based on their status, and thus telecommunications service providers like itself are exempt from the FTC’s authority regardless of whether the activity at issue is a common carrier service.

The Ninth Circuit noted two things related to the dispute.  First, the court noted that “it is undisputed that AT&T is and was a ‘common carrier[] subject to the Acts to regulate commerce’ for a substantial part of its activity.”  Further, the court noted that, during the time period in question, AT&T’s mobile data service “was not identified and regulated by the FCC as a common carrier service” although, since the FCC’s 2015 Open Internet Order, the FCC has classified the service as a common carrier service.

The Ninth Circuit sided with AT&T, and remanded the case for an entry of an order for dismissal. The court held that under the plain language of the statute, the exemption is based on a company’s status and applies regardless of the activity at issue.  The “literal reading of the words Congress selected,” the court wrote, “simply does not comport with an activity-based approach [to the common carrier exemption].”  The court compared the common carrier exemption to the other exemptions in the statute (for banks, savings and loan institutions, federal credit unions, air carriers and foreign air carriers) that are admitted by the FTC to be status-based, and to the exemption for meatpackers “insofar as they are subject to the Packers and Stockyards Act,” which the court found to be activity-based.  The court held that amendments enacted in 1958 to Section 5 – which added the “insofar as” language – indicated an activity-based exemption for that provision but affirmed status-based exemptions for the remainder “then and now.”

Notably, the Ninth Circuit chose to address the status question, rather than addressing a more narrow issue of whether the FCC’s 2015 reclassification of BIAS as a telecommunications service applied to AT&T’s service retroactively.

Implications

The FTC issued a statement that it is “disappointed” and “considering [its] options,” but it is unclear whether it will appeal the ruling to the Supreme Court.   It is worth noting that, although the Ninth Circuit did not discuss the decisions, this is the third time that a court of appeals has faced status-based arguments relating to the common carrier exemption.  The Seventh Circuit’s 1977 decision in U.S. v. Miller, and the Second Circuit’s 2006 decision in FTC v. Verity Int’l, Ltd., both involved entities claiming common carrier status, although neither decision brought finality to the question.  If the FTC pursues the issue further, industry and practitioners could receive welcome guidance on the issue.

More broadly, the FTC has openly called for the end of the common carrier exemption in the past few years.  This decision may add fuel to the agency’s efforts in that regard.

As is, the decision makes it more difficult for the FTC to bring an action against a company that can claim to be a common carrier.  The Ninth Circuit’s decision noted that AT&T unquestionably was a common carrier “for a substantial part of its activity” and at one point distinguished a case, noting that AT&T’s status “is not based on its acquisition of some minor division unrelated to the company’s core activities.”  Nevertheless, the court’s analysis leaves open the possibility that even providing only a small amount of common carrier service may be enough to qualify all of a company’s activities for the common carrier exemption.

On the FCC side, there are equally broad questions raised by the decision.  The FCC recently has broadly construed its own authority under Section 201(b), to a fair degree of controversy, to address practices of common carriers “for or in connection with” their services, such as advertising and billing.  Presumably, these efforts will continue after the Ninth Circuit’s ruling.  The Ninth Circuit’s ruling, however, may encourage the FCC to fill any potential gap in coverage by taking a broader view of its own authority to regulate non-common carrier services that common carriers offer to consumers.  This could have significant implications for a number of ongoing FCC proceedings, including a proceeding to overhaul the FCC’s privacy rules after the Open Internet Order and requests to classify SMS messaging and interconnected voice-over-Internet-Protocol (VoIP) service as telecommunications services subject to common carrier regulation.  This also might color the FCC’s approach to regulation of over-the-top services provided by non-carrier entities using telecommunications or Internet services.

Time will tell how this plays out, but for now, the Ninth Circuit appears to have significantly reset the boundaries between the agencies’ jurisdictions.  AT&T is not off the hook yet, however, as it faces a parallel action from the FCC, which has issued a Notice of Apparent Liability to AT&T, alleging that its disclosures in connection with its unlimited data plans violated the FCC’s “transparency” rules.  The FCC proposed $100 million in forfeitures for the violation, which sparked vigorous dissent by the two Republican commissioners and was opposed by AT&T in a strongly-worded response.  The FCC forfeiture proceeding remains pending.

Steve Augustino and Jameson Dempsey, of Kelley Drye’s Communication Group, co-authored this post.

The Federal Trade Commission announced yesterday that it has approved final amendments to Commission Rule 1.98 that adjust the maximum civil penalty dollar amounts for violations of 16 provisions of law the FTC enforces, as required by the Federal Civil Penalties Inflation Adjustment Act of 2015 (“Adjustment Act”). The Adjustment Act requires federal agencies to implement a “catch up” adjustment in 2016 to address inflation since the civil penalties in their jurisdiction were last set or adjusted by statute.

The maximum civil penalty amount has increased from $16,000 to $40,000 for the following violations and others listed in the Federal Register Notice:

  • Section 5(l) of the FTC Act, which pertains to violations of final Commission orders issued under section 5(b) of the FTC Act; and
  • Sections 5(m)(1)(A) and 5(m)(1)(B) of the FTC Act: trade regulation rules issued by the Commission under section 18 of the FTC Act that address unfair or deceptive acts or practices.

The new maximum civil penalty amounts will take effect on August 1, 2016, as required per the Adjustment Act.  Following this initial catch-up, the Adjustment Act directs agencies to adjust their civil penalties for inflation every January thereafter.

The Adjustment Act applies to civil penalties assessed after the effective date of the applicable adjustment, including civil penalties whose associated violation predated the effective date.  The Adjustment Act does not retrospectively change previously assessed or enforced civil penalties.  In addition, the Adjustment Act does not alter an agency’s statutory authority to assess penalties below the maximum level; however, to the extent that minimum penalties exist for violations, those are subject to adjustment as well.

How Penalties Were Selected For Adjustment

The Adjustment Act defined “civil monetary penalty” as “any penalty, fine, or other sanction that

(A)(i) is for a specific monetary amount as provided by Federal law; or

(ii) has a maximum amount provided for by Federal law; and

(B) is assessed or enforced by an agency pursuant to Federal law; and

(C) is assessed or enforced pursuant to an administrative proceeding or a civil action in the Federal courts.”

Agencies were responsible for identifying applicable civil penalties.

Calculation of Inflation Adjustments

The catch-up adjustment is defined as the percentage by which the U.S. Department of Labor’s Consumer Price Index for all-urban consumers (“CPI-U”) for the month of October 2015 exceeds the CPI-U for the month of October for the year in which the amount of the penalty was last set or adjusted pursuant to law.  The Adjustment Act limits the amount of the catch-up increase for 2016 to 150% of the amount of the civil penalty in effect on November 2, 2015.

Guidance regarding calculation of future adjustments is forthcoming.  The Office of Management and Budget will issue adjustment rate guidance no later than December 15 each year to adjust for inflation in the CPI-U as of the most recent October.

Notice and Comment Not Used

The Commission did not engage in notice and comment prior to adopting this interim final rule.  Per the Commission, “advance opportunity for notice and comment are not required ‘when the agency for good cause finds (and incorporates the findings and a brief statement of the reasons therefor in the rules issued) that notice and public procedure thereon are impracticable, unnecessary, or contrary to the public interest.’”  5 U.S.C. 553(b)(3)(B).  In short, because the Adjustment Act directs agencies to promulgate the adjustment through an interim final rulemaking no later than July 1, 2016, and prescribes the formula for making the adjustment, the Commission determined that good cause exists to forgo prior public notice and comment under the Administrative Procedure Act.