Photo of Alex Schneider

 

 

Email
(202) 342-8634
Bio

 

 

 

The Federal Trade Commission (FTC) announced this week that it would not update its anti-spam rule, completing the agency’s first 10-year review of the regulation.

The FTC last updated the rule, known as the CAN-SPAM Rule, in 2008. The rule requires, among other things, that commercial e-mail messages have a mechanism for allowing the recipient to opt out of future messages.

As part of the FTC’s review process, the FTC sought comments on whether the agency should update the definition of “transaction or relationship messages,” shorten the time period for honoring opt-out requests, or add to the statutory list of aggravated violations.

Ultimately, the Commission chose to keep the 2008 rule. Despite the advent of social media, increasingly sophisticated processes for identifying spam and managing opt-outs, and never-ending threats to a clean inbox, the FTC repeatedly declined to take up commenters’ suggestions for changing the CAN-SPAM Rule, citing unclear cost-benefit analysis outcomes, lack of evidence, and limited Congressional authority.  Here’s some examples:

  • On shortening the time period for opt-out requests: “[N]one of these comments provided the Commission with evidence showing how or to what extent the current ten business-day time-period has negatively affected consumers, nor did they address the concerns noted by other commenters that such a change may pose substantial burdens on small businesses.”
  • On commenter suggestions to modify opt-out requirements: “[N]one of the comments provides the Commission with information about the costs and benefits of these proposed rule changes.”
  • On comments asking the FTC to require consumer permission before transferring or selling a consumer’s email address to a third-party, and blocking all unsolicited spam from servers outside the US: “The Commission also declines to consider the remaining proposed modifications because each would be inconsistent with the Commission’s circumscribed authority under the Act.”

The FTC voted unanimously to confirm the CAN-SPAM Rule. If you have any questions about your obligations pursuant to the CAN-SPAM Rule, please contact Alysa Hutnik or Alex Schneider at Kelley Drye.

The FTC’s “Hey Nineteen” blog post caught our attention this past week, and not just for its witty title. One of those reasons is the reference to continued interest in “Made in USA” claims.  As we’ve written about here, “Made in America” has been a frequent enforcement target in recent years and 2018 generally continued this trend.  Here’s how it stacked up:

The FTC completed 25 investigations, settling four enforcement actions and issuing 21 closing letters.

Similarly, in 2017 the FTC settled two enforcement actions and issued 22 closing letters. All indications are that these trends will continue in 2019.

So what can companies do to avoid being the subject of an upcoming FTC Business Center blog post? Here are some tips:

Tip #1: Audit Inventory Management Systems and Processes

Mistakes can launch FTC investigations, as one company learned this past year.

In response to inquiries from the FTC, Prime-Line Products Company, a maker of corner shields, stated that after depleting its inventory of US-made corner shields, it substituted identical imported corner shields. Then, apparently inadvertently, the company continued to apply the “Made in USA” label.

Eventually, the FTC closed its investigation without bringing an enforcement action against the company. But the case serves as a reminder to companies employing the “Made in USA” label to closely manage inventory.  If only a percentage of supply is sourced to the US, companies should create internal processes to avoid mislabeling inventory.

Of course, inventory management can become challenging, especially when working with multiple dealers, distributors, or resellers that may not be familiar with inventory changes. Companies should proactively develop a compliance plan to ensure marketing remains accurate in all sales channels.

Tip #2: Train Employees

Employees, from marketing and sales to the warehouse floor, are the first line of defense against false “Made in USA” claims. Employees should be aware of when “Made in USA” claims may be made, and should be trained on processes for alerting management if they observe any inadvertent errors.

As detailed in multiple closing letters, companies targeted by FTC investigations told the FTC that they would retrain staff on proper, non-deceptive claims. This common-sense approach is advisable for all companies.  All training materials should conform to the standards laid out by the FTC in its Complying with the Made in USA Standard guidance, but should also be practical and easy-to-use.  Checklists, webinars, and workplace posters are good options for educating a company’s workforce.

Tip #3: Qualify Advertising Claims

Last year’s cases show that investigations skewed toward plain, unqualified “Made in USA” claims. Qualified claims, which provide more detail about a component made domestically or process that occurred domestically, may take up more space or obscure a company’s marketing message.  Nevertheless, when it comes to “Made in USA” labeling, accuracy counts.

In one example from the last year, The Gillette Company, LLC, was the target of an FTC inquiry due to its “Boston Made Since 1901” advertising. The FTC closed its investigation, but the example is instructive.  Gillette has deep roots in Boston and sought to use this information in an advertisement.  But without a qualification, the FTC viewed the advertisement as asserting that all of Gillette’s products are made in the US.  Gillette stated that it would re-focus its advertising campaign to highlight its Boston-based employees and manufacturing and the FTC closed the matter.

Tip #4: Size Doesn’t Matter

When it comes to enforcement of the “Made in USA” standards, there is no safe harbor for small businesses. Companies large and small were the target of investigations in 2018.

That included large companies, like Hallmark Cards, Incorporated, and IKEA Purchasing Services (US), Inc. The FTC closed investigations into each of these companies via a closing letter, without further action.

Meanwhile, the FTC’s major enforcement actions of the year were primarily against small or mid-size companies. Underground Sports Inc. d/b/a Patriot Puck imported just 400,000 hockey pucks since January 2016, but faced a significant enforcement action.  Notably, American-made claims featured prominently in these companies’ advertising.  Indeed, their conduct was so objectionable, that following announcement of these settlements, discussion has arisen regarding monetary penalties for false “Made in USA” claims.

Tip #5: Act Now!  Financial Penalties May Be Coming

FTC commissioners are very publicly debating the merits of imposing financial penalties for false “Made in USA” claims.

A leading advocate has been Commissioner Rohit Chopra, who argued in a dissent that settlements have been too lenient and are not deterring similar conduct.  But, as reported in December in this blog, Chairman Joseph Simons too is focused on the potential need to impose monetary relief.  At a hearing before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Simons said, “Now we’re exploring whether we can find a good case that would be appropriate for monetary relief to serve as an additional deterrent.”

Given the political interest in increasing the penalties for false claims, companies may want to (make and actually stick to) a New Year’s resolution to make sure their “Made in USA” claims are substantiated. If you’re new to this area or need a refresher, check out our webinar and materials here.

In the Data Business? You May Be Obligated to Register in Vermont by Thursday

Data brokers have until this Thursday to register with the Vermont Secretary of State as part of a new data broker oversight law that became effective January 1st.

Approved unanimously by the Vermont Senate last May, the Vermont Data Broker Regulation, Act 171 of 2018, requires data brokers to register annually, pay an annual filing fee of $100, and maintain minimum data security standards, but the law does not prevent data brokers from collecting or selling consumer data.

What Qualifies as a “Data Broker”?

The law only applies to “data broker[s],” defined as a “business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Continue Reading In the Data Business? You May Be Obligated to Register in Vermont by Thursday

On Monday, France’s Data Protection Agency announced that it levied a €50 million ($56.8 million) fine against Google for violating the EU’s new General Data Protection Regulation (GDPR).  The precedent-setting fine by the Commission Nationale de l’Informatique et des Libertés (“CNIL”) is the highest yet imposed since the new law took effect in May 2018.

How Does Google Violate GDPR, According to CNIL?

  • Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:
    • Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
    • Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
    • Lawful basis for processing is unclear: Data subjects may mistakenly view the legal basis for processing by Google as legitimate interests (that does not require consent) rather than individual consent.
    • Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.
  • Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing of personal data must be able to demonstrate that consent by a data subject is informed, specified, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:
    • Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
    • Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
    • Consent is not specific: Consent across all Google services is captured via consent to the Google Terms of Services and Privacy Policy rather than a user providing distinct consent for each Google personal data use case.

What Does This Mean for Other Companies?

Continue Reading C’est la vie? French Regulator Fines Google Nearly $57 million for GDPR Non-compliance