Social media influencers help drive consumer engagement with the brands they love. Better reviews, more “likes,” and thousands of re-tweets can all add up to a bigger bottom line and greater insight into what sells and what doesn’t. When the line between advertising and objective content isn’t made clear, though, it can also prompt legal scrutiny and enforcement from the FTC. Partner Kristi Wolff and Richard Cleland, Assistant Director in the FTC’s Advertising Practices Division, held a webinar discussion of recent enforcement and key “rules of the road” for your company’s next influencer campaign on Thursday, November 9. Please click here for a copy of the slides and here for a copy of the recording. As a courtesy, we are also including a list of links to the FTC’s native advertising guidance, a checklist for review of native advertising, and a summary of the SEC’s enforcement on native ads for financial products. We hope that you find these materials useful.

In a keynote address at the National Advertising Division conference earlier this month, Mary Engle, Associate Director in the Advertising Practices Division of the FTC, included “Made in USA” among the agency’s current enforcement priorities. The FTC’s interest in U.S. origin claims is nothing new, but these claims have garnered considerable regulatory attention in recent years, as we have written about here. With manufacturers and retailers increasingly eager to highlight their domestic operations, we took a look at how the FTC’s “Made in USA” enforcement this year stacks up to prior years.

For 2017 year to date, the FTC has issued 15 closing letters and has settled one case (Block Division). By comparison, for calendar years 2014-2016, the FTC issued 56 closing letters and settled one case (Chemence, Inc.). This suggests that “Made in USA” enforcement is roughly on pace with the prior three years.

Enforcement year to date also spans a considerable number of industries and products, involving advertising on products ranging from household items like pillows, coffeemakers, and lawn mowers to office and industrial equipment such as ice machines, standing desks, data security products, scales, cell phone signal boosters, air purifiers, and LED tubes. Common remedial measures noted in closing letters include discontinuation of the claims at issue and replacement with qualified claims, packaging modifications, coordinating corrective measures with vendors, and monitoring and correcting third-party marketers.

Given that “Made in USA” claims will remain a priority for the foreseeable future, claim substantiation is a key consideration for advertisers. If you are new to making country of origin claims or just need a refresher, check out our webinar, originally offered in May 2017, called “Buy American, Hire American: Is Your (Or Your Competitor’s) Product Really ‘Made in the USA’?,” for an overview on the substantiation requirements for advertising and the “Buy American” standard that applies to government procurement.

On June 28, the FTC and National Highway Traffic Safety Administration (NHTSA) brought together a variety of stakeholders including regulators, automakers, software companies, and consumer groups to discuss connected cars, including current innovations and challenges in the field of data privacy. Acting FTC Chairwoman Maureen Ohlhausen opened the day by asserting that regulators will need to show “humility” in trying to understand the risks associated with connected cars. However, she emphasized that the FTC will still use its enforcement authority against those who misuse consumer data, while taking care not to conflict with NHTSA’s oversight efforts. Terry Shelton, acting executive director of NHTSA, agreed with these goals. The day’s panels focused on three main themes:

Safety – Fewer Accidents, Better Recall Compliance, and Privacy

Connected cars are expected to be able to decrease accidents and traffic fatalities. According to Terry Shelton, Acting Executive Director of NHTSA, 94% of fatal car accidents are due to human error. Additionally, both Shelton and Acting FTC Chairwoman Ohlhausen emphasized that the number of automobile-related fatalities has risen considerably in recent years.

It is less clear what happens when the artificial intelligence (AI) systems responsible break down. As cars become better able to make decisions on their own, the question of liability when a mistake occurs will be brought to the forefront. However, connected cars may increase compliance with safety recalls as self-driving cars may bring themselves into the shop for repair, and manufacturers will more easily be able to trace automated cars that have not been updated. The panel also discussed whether consumers should be allowed to opt out of sharing safety data and whether safety concerns may be used as excuses to collect information for commercial use.

Data – Notice and Consent, Types and Use of Data

As is the case with all connected devices, data collection and use present many questions. Current technology allows devices to use driving patterns to detect drowsy driving, but newer devices will use biometric data for this purpose. Depending on how the data is gathered, mechanisms for consumer notice and consent remain a challenge.

Stephen Pattison of ARM offered three important categories of data that may be taken from connected vehicles. The first is information linking the user to the vehicle. He asserted that this is the most sensitive information, and should be controlled by the consumer. The second is information that is brand sensitive, and may be of interest to competitors. This also includes information about individual components of the car. It will be up to the manufacturer how and when this information is shared. The third category is non-identifying information such as road conditions. This information is useful for other companies and law enforcement to use under some agreement that outlines the terms of use.

Panelists noted that the information produced by these vehicles is not encrypted or anonymized, as doing so would destroy the value of the data. It is important for the car or car system to be able to understand why a mistake occurred, or be able to make choices using very granular data, and share that data either with itself or in vehicle-to-vehicle communications to make other cars smarter and more able to make those decisions as well.

After-market products that are purchased by consumers and voluntarily placed into their cars are also collecting data. These include devices such as remote start, backup cameras, or an insurance dongle. While there is more consumer acknowledgement that these devices will be tracking personal information, the panelists at the workshop were in general agreement that more information should be given to consumers in clear and concise ways to enable them to make informed choices.

Security and Privacy – It’s Not If, But When A Breach Will Happen

One phrase that was repeated during the conference was: it is not a question of if, but when a breach will happen. Carrie Morton of the University of Michigan’s Mcity automated-vehicle research center explained that consumers are often “okay with the tradeoff” of exposing their personal driving information if they see a benefit. However, there is some information that even the most connected of drivers do not want exposed. While it may be true that consumers care less about who has their data than what is being done with it, this cannot be mistaken for a lack of care concerning data privacy in general.

Earlier this year, NHTSA released a set of best practices to protect connected cars against cyberattacks and data breaches. These included a push for earlier integration of breach detection, a feature which Jeff Massimilla of GM said they are building into their cars from the beginning. NHTSA will look to the FTC for support in enforcing these regulations. There was also support from some panelists for harsher FTC sanctions for those that unlawfully access or re-identify anonymized data, as the data will likely be easy to de-anonymize.

*          *          *

We’ll continue to follow these issues and related connected product developments here at Ad Law Access.

 

Summer Associate Carmen Tracy contributed to this post. Ms. Tracy is not a practicing attorney and is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

As part of the FTC’s ongoing review of the needs, costs, and benefits of regulations, the agency recently announced it is reviewing the following rules:

  • The Picture Tube Rule requires manufacturers to base screen size measurements on the horizontal measure of the viewable area, unless the alternative method of measurement is clearly disclosed. This rule was originally intended to help consumers compare products, but with the changes in television technology. In determining whether the rule is still needed, relevant concerns include changes in television technology such as the incorporation of plasma, LED, OLED, and other similar materials in flat display screens. The full list of questions the FTC hopes to address can be found on the Notice of Public Rulemaking here. Comments are due August 31.
  • The FTC is also seeking comment on a proposal to eliminate the “housemark” provisions of the Textile Rules. The housemark provisions require marketers who want to use a “housemark” (a distinctive mark used to identify all a firm’s products) on a textile’s tag in lieu of their business name to first register their housemark with the Commission. It is the agency’s position that this provision, imposed in 1959, is no longer necessary because trademark owners can easily be identified by searching online or via the U.S. Patent and Trademark Office website. Therefore, the FTC believes that removing these requirements will reduce compliance costs and increase firms’ flexibility. Comments are due by July 31.
  • The FTC is seeking public comment on its CAN-SPAM Rule, which requires a commercial email to contain accurate header and subject lines, identify itself as an ad, include a valid physical address, and offer recipients a way to opt out of future messages. The FTC is seeking comment on whether consumers have benefitted from the Rule, whether it should be modified, the costs of compliance, whether it should be amended to account for technological or economic changes, among other things. Comments are due by August 31.
  • The Energy Labeling Rule is also being edited to eliminate burdens on the industry and account for new products. The Energy Labeling Rule requires yellow EnergyGuide labels on certain appliances to help consumers compare similar models using estimated operating cost and energy consumption ratings. The comments period for this change has ended. The FTC sought public comment on these changes in September 2016. The accepted changes eliminate obsolete marking requirements for plumbing products, exempt certain ceiling fans from labeling requirements, and update the labels to cover electric instantaneous water heaters.

Overall, this announcement is consistent with the FTC’s recent systematic review of rules and guides. We will continue to track the comments and provide updates on any important developments.

 

Summer Associate Carmen Tracy contributed to this post. Ms. Tracy is not a practicing attorney and is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

The U.S. Senate Committee on Commerce, Science, and Transportation has scheduled a reading this week of the proposed S. 118 Reinforcing American-Made Products Act of 2017. The bill proposes to amend the Violent Crime Control and Law Enforcement Act of 1994 to require the Federal Trade Commission’s regulation of the labeling of products as “Made in the U.S.A.” or “Made in America” to supersede any state laws regarding the extent to which a product is introduced, delivered, sold, advertised, or offered for sale in interstate or foreign commerce with such a label in order to represent that the product was in whole or substantial part of domestic origin. The bill’s sponsors include the following: Sens. Mike Lee (R-Utah), Shelley Moore Capito (R-W.V.), Susan Collins (R-Maine), Deb Fischer (R-Neb.), and Angus King (I-Maine).

The FTC has been a consistent enforcer of its “Made in USA” advertising policies in recent years, having issued 57 investigation closing letters between 2014 and 2016 alone. In 2017, the agency has already released ten closing letters regarding “Made in USA” claims to companies selling everything from pillows to water filters to standing desks. As domestic manufacturing has received more attention from the Trump administration, many companies are wondering whether they can say their product is “Made in the USA” and, for some, whether they can sell that product to the government under the provisions of the Buy American Act.

We will tackle just these issues in our upcoming webinar “Buy American, Hire American: Is Your (Or Your Competitor’s) Product Really ‘Made in the USA’?” on Wednesday, May 17, at Noon-1:00 Eastern.  More information and registration details are here.

New York Attorney General Eric Schneiderman recently announced settlements with three mobile health app developers resolving allegations that they made deceptive advertisements and had irresponsible privacy practices. The Attorney General alleged that the developers sold and advertised mobile apps that purported to measure vital signs or other indicators of health using just a smartphone. The apps had over a million downloads, giving these concerns considerable consumer reach. The Attorney General’s office reportedly became aware of the apps through consumer complaints and reports to the Health Care Bureau.

Failure to Properly Substantiate Health Benefit Claims

The NY AG’s core concerns regarding the advertising claims were as follows:

  • Runtastic created “Heart Rate Monitor, Heartbeat & Pulse Tracker”. The NY AG alleged that Runtastic promoted its app as a product that purports to measure heart rate and cardiovascular performance under stress but had not tested the app with users engaged in vigorous exercise.
  • Cardiio created and sold the “Cardiio Heart Rate Monitor”. Cardiio allegedly also marketed its app as a means of monitoring heart rate following vigorous movement but had not tested the app under those conditions. In addition, the NY AG alleged that Cardiio’s representations that its product was endorsed by MIT were deceptive.

Representations Consistent with a Regulated Medical Device

  • Matis’s “My Baby’s Beat-Baby Heart Monitor App” raised slightly different concerns. Matis allegedly promoted the app with statements such as “Turn your smartphone into a fetal monitor with My Baby’s Beat app” and language that encouraged consumers to use the app as an alternative to more conventional fetal heart monitoring tools.  The app allegedly had not undergone proper review by the FDA to be marketed as such, however.

As readers of this blog and our sister blog, Food and Drug Law Access, know, the FDA has authority to regulate medical devices and has taken a risk-based approach to consumer-directed mobile health products.  The FTC has been even more active than the FDA in bringing health-related enforcement actions, as we have written about here, here, and here.  As these federal agencies transition into a new administration, the NY AG is making clear with these settlements that regulators are still watching for potentially misleading health claims.

The NY AG also alleged several problematic privacy practices, including the following:

  • Failing to disclose the risk that third parties could re-identify de-identified user information,
  • Issuing conflicting statements on data sharing under the Privacy Policy and under the Privacy Settings,
  • Failing to disclose that the company collected and provided to third parties consumers’ unique device identifiers,
  • Employing a practice of consent by default, where a consumer is deemed to have consented to a privacy policy just by using the website, and
  • Failing to disclose that protected health information collected, stored, and shared by the company may not be protected under the Health Insurance Portability and Accountability Act.

As we noted in a previous post on privacy and data security in mobile health apps, legal compliance is all too often an afterthought when it comes to app development. These allegations underscore the importance of understanding and reconciling data collection and use practices with the statements companies make to consumers.

A recent decision by the U.S. Court of International Trade (CIT) has important implications for importers, government contractors, and manufacturers that make “Assembled in America” and similar claims. In a ruling against Energizer Battery, Inc., the CIT determined that domestic assembly of foreign component parts does not fulfill the Buy America requirements found in government procurement law.

The case turned on the question of what constitutes “substantial transformation” of a product, a standard also used by the FTC in regulating “Made in the USA”-type marketing claims. Because the FTC defers to Customs in determining whether an article has been “substantially transformed,” this ruling could impact the validity of current marketing claims. Companies making these claims currently or who may be considering what kinds of “Made in USA”-type claims they can make going forward will want to understand how this decision impacts their products. Read more about it here.

The FTC recently announced a settlement with Breathometer, Inc., a company that marketed a smartphone accessory that it claimed could detect blood alcohol levels.  Users could simply plug the accessory into the headphone jack, open the Breathometer app, blow, and receive a reading of their blood alcohol content within five seconds.  Breathometer marketed the products as “FDA registered devices,” featuring “law enforcement”-grade technology, to help you “make informed, dependable decisions” about whether to drive after drinking.

The FTC alleged that Breathometer did not have adequate substantiation for its performance claims. Specifically, the products were tested to determine accuracy at .02% blood alcohol content, not .08%, which is the legal limit under state laws.  In addition, testing revealed that the accuracy of the Breeze version of the product degraded over time and the company did not have a means of recalibrating it remotely.  Breathometer stopped selling the Breeze product but allegedly did not adequately inform consumers of the issue.

This case is yet another illustration of the FTC taking the lead on mobile health products that are or could potentially be regulated by the FDA. As readers of our Food and Drug Law Access blog may know, FDA has taken a risk-based approach to regulation of such products and, with the exception of products that could cause patient harm or death upon malfunction, is exercising regulatory discretion. Yet, many companies, particularly those who are new to the health market, presume that FDA is the primary, if not the only, regulator likely to have an interest in their product and claims.

Not so. The FTC has repeatedly voiced concerns about the proliferation of mobile health apps and whether claims were being properly substantiated, particularly where disease diagnosis, treatment, or mitigation claims are featured.  Along with the Breathometer matter, the Lumosity, Melanoma Detective and Aura Labs cases collectively demonstrate that when it comes to many consumer-directed mobile health products, the regulator most likely to take interest is the FTC.

In its latest action involving allegedly deceptive earnings claims, the FTC announced yesterday that Uber had agreed to settle charges that it misled potential drivers with inflated earnings claims.  The complaint also alleges that Uber misrepresented benefits of its Vehicle Solutions Program, which connects potential drivers with auto companies to buy or lease a vehicle to be used to pursue the Uber opportunity.

To support its allegations, the FTC cited a former post on Uber’s website that claimed that uberX Drivers’ “median income is more than $90,000/year/driver in New York and more than $74,000/year/driver in San Francisco.” However, according to the complaint, actual median incomes were significantly less in those cities — $29,000 less in New York and $21,000 less in San Francisco. The complaint also cites allegedly inflated per hour earnings claims made for other major cities across the United States. According to the FTC’s analysis of Uber’s data, typically only between 10-30% of drivers made as much as the quoted hourly rate in a particular city.

The complaint also alleges that Uber made misrepresentations about its Vehicle Solutions Program to induce consumers to sign up as a driver.  These claims included “own a car for as little as $20/day” and enter into a lease with “unlimited miles.”  The FTC alleged that Uber lacked any basis for making these claims and that Uber actually had information at the time suggesting these claims were false.  For example, the FTC suggested that actual payments made by consumers were significantly higher than those represented and that many leases imposed significant mileage limits.

In her dissent, Commissioner Ohlhausen explained that she did not see the monetary settlement of $20 million as tied to any estimate of consumer harm and asserted that settlements for partial disgorgement of profits, as here, are “inappropriate for a non-fraudulent enterprise that significantly benefits consumers.”  Commissioner Ohlhausen also seemed to question whether certain representations were misleading in the first place, suggesting that the complaint erroneously “suggests that the sole acceptable description of earnings potential is the median earnings of participants.”   She also contended that the complaint unjustifiably excluded certain incentive and promotional payments from the FTC’s calculations of earnings.

The case is a reminder for entities making earnings claims that such claims should be substantiated prior to making the claim, and not false or misleading in the context in which they are made.  It’s worth emphasizing that the FTC never alleged that Uber drivers don’t make money, or that the Uber drivers would have been better off never pursuing the opportunity.  For the two Commissioners in the majority, the discrepancy between actual and represented earnings was enough to support a Section 5 violation and the $20 million monetary settlement.

The Federal Trade Commission and Department of Health and Human Services Office for Civil Rights (OCR) recently announced the release of new guidance for businesses on the Health Insurance Portability and Accountability Act (HIPAA) and the FTC Act. The resource reminds businesses that their obligations to protect consumer health data do not end with HIPAA, but extend to the FTC Act, which prohibits deceptive or misleading advertising.

The guidance provides an overview of HIPAA and the FTC Act, and highlights four actions covered entities can and should take to comply with disclosure requirements under the FTC Act.

  1. Review your entire user interface. The size, color and graphics of disclosure statements should be clear and conspicuous. Therefore, avoid burying key facts in a separate disclosure or positioning disclosures such that they are distant from the underlying claim.
  2. Review the devices consumers use to view your disclosures. Covered entities who promote their services using websites, mobile app platforms and space-constrained screens should consider and account for disclosure challenges that affect informed consent and violate the FTC Act. The FTC’s .com Disclosures report is a helpful source for additional guidance.
  3. Provide a full disclosure before consumers make material decisions. Correct disclosure contradictions and omissions, particularly those where the consumer makes a material decision before the covered entity tells them how their information may be used.
  4. Reconcile the above actions with hard copy disclosures. The clear and conspicuous disclosure requirement applies to all mediums, so review paper disclosure statements and how these are presented to consumers.

The guidance also highlights additional FTC resources for health apps, which we’ve covered in a previous post. The moral of the story here is that covered entities and their appointed privacy officials should recognize that compliance with the FTC Act is central to their obligations to safeguard consumer health data and to ensure that disclosures give consumers the opportunity to make informed choices.