The FTC recently announced a $5.7 million settlement with app developer Musical.ly for COPPA violations associated with its app (now known as TikTok)—the agency’s largest-ever COPPA fine since the enactment of the statute. The agency charged the app company, which allows users to create and share videos of themselves lip-syncing to music, with unlawfully collecting personal information from children.

To create a TikTok profile, users must provide contact information, a short bio, and a profile picture. According to the FTC, between December 2015 and October 2016, the company also collected geolocation information from app users. In 2017, the app started requiring users to provide their age, although it did not require current users to update their accounts with their age. By default, accounts were “public,” allowing users to see each other’s bios (which included their grade or age). It also allowed users to see a list of other users within a 50-mile radius, and gave users the ability to direct message other users. Many of the songs available on the app were popular with children under 13.

The FTC further alleged that Musical.ly received thousands of complaints from parents asserting that their child had created the app account without their knowledge (and noted an example of a two-week period where the company received more than 300 such complaints). The agency also noted that while the company closed the children’s accounts in response, it did not delete the users’ videos or profile information from its servers.

The FTC’s Complaint focused on practices spanning from 2014 through 2017. Musical.ly was acquired by ByteDance Ltd. in December 2017, and merged with the TikTok app in August 2018.

COPPA identifies specific requirements for operators who collect personal information from children under 13, including obtaining consent from parents prior to collection and providing information about collection practices for children’s data. Online services subject to the rule generally fall into two categories: (1) sites that are directed to children and collect personal information from them; and (2) general audience sites that have actual knowledge that they are collecting personal information from children. Civil penalties for violations of COPPA can be up to $41,484 per violation.

According to the FTC, Musical.ly’s app fell into both categories:

  1. The company included music and other content appealing to children on the app. For example, many of the songs included on the app were popular with children under 13, and the app used “colorful and bright emoji characters” that could appeal to children.
  2. Once the company began collecting the ages of its users, Musical.ly had actual knowledge that some of its users were under the age of 13. In spite of this, the company did not obtain consent from the parents of users under the age of 13, or comply with other COPPA requirements.

FTC Commissioners Chopra and Slaughter issued a joint statement on the settlement, pointing out that FTC staff had uncovered disturbing practices of a company willing to pursue growth at the expense of endangering children. They also noted that previously, FTC investigations typically focused on individual accountability in limited circumstances, rather than pursuing broader enforcement against company leaders for widespread company practices. The Commissioners further indicated that as the FTC continues to pursue legal violations going forward, it is time to “prioritize uncovering the role of corporate officers and directors” and to “hold accountable everyone who broke the law.”

This settlement indicates that the FTC continues to prioritize privacy enforcement—particularly where vulnerable audiences, such as children, are involved. Future FTC enforcement actions could signal an expanded approach to individual liability, including with respect to larger companies.

The case is also a good reminder of the value in performing robust privacy due diligence when considering acquiring an entity, and meaningfully assessing the risk of a company’s data practices before adding them to the portfolio. A widely popular business with significant data assets may not look as attractive once civil penalties and injunctive terms are added to the mix.

Last week, the California Assembly’s Standing Committee on Privacy and Consumer Protection held a hearing to discuss the California Consumer Privacy Act. While many panelists from the private sector pointed out problems with the law, a few panelists defended the law, and some suggested that it didn’t go far enough. For example, Stacey Schesser, the Supervising Deputy Attorney General for the Privacy Unit in the Consumer Law Section of the Office of the California Attorney General, stated that the current law presents “unworkable obligations and operational challenges” for the AG’s office and suggested several significant changes. This week, California AG Becerra and state Senator Hannah-Beth Jackson announced a bill that would seek to implement the changes Ms. Schesser described into law.

The bill includes two proposals that could materially affect potential exposure for businesses under the CCPA:

  • Private Right of Action:  The current law allows any consumer whose unencrypted or unredacted personal information is breached “as a result of a violation of the duty to implement and maintain reasonable security procedures and practices” to recover statutory damages of up to $750 per incident. The private right of action is likely to be used in litigation, particularly over what constitutes “reasonable” practices, but at least it is limited to breaches. The new bill, however, would expand the private right of action to cover violations of any other section of the law, as well.
  • Right to Cure:  The current law requires the AG to give businesses notice and 30 days to cure alleged violations before the AG can seek an injunction and civil penalties. This 30-day cure period can provide a warning to businesses that are trying to comply with a confusing law, if their efforts fall short. The proposed bill, however, would remove the right to cure, leaving businesses immediately exposed for any violations.

In addition to these changes, the bill proposes to remove a provision that would allow businesses to seek guidance from the AG on how to comply with the law.

If the bill is enacted into law, these changes would be a boon to plaintiffs’ attorneys and privacy litigators. However, to use Ms. Schesser’s words, the changes would result in even more “unworkable obligations and operational challenges” for businesses. We will continue to closely track these developments, and keep you posted.

As we noted previously, the California Attorney General is holding a series of public forums on the California Consumer Privacy Act (CCPA) to provide the public with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.  On Friday, January 25, 2019, the Attorney General’s Office held its fourth of six hearings before a full auditorium in Los Angeles.  This blog post summarizes the main themes discussed at the hearing.

Timing/Scope:  For businesses hoping for CCPA clarity and guidance soon, that seems unlikely. California Deputy Attorney General Lisa Kim initiated the hearing, emphasizing that the Attorney General’s Office was in the beginning of its rulemaking process and noting that she anticipated the formal review process not to start until Fall 2019.  For now, the Attorney General’s Office encouraged interested parties to submit comments by the end of February, focusing on subjects within the scope of the Attorney General’s rulemaking responsibilities, as set forth in the CCPA, including:

  • Categories of Personal Information
  • Definition of Unique Identifiers
  • CCPA Exemptions
  • Submitting and Complying with Consumer Requests
  • Uniform Opt-Out Logo/Button
  • Notices and Information to Consumers, including Financial Incentive Offerings
  • Certification of Consumers’ Requests

During the hearing, the Attorney General’s Office displayed this PowerPoint deck, summarizing the CCPA regulatory process.

California Attorney General Xavier Becerra announced yesterday that the California Department of Justice will hold a series of six public forums on the California Consumer Privacy Act (CCPA).  The hearings will take place during January and February of this year and will give the public an initial opportunity to comment on the requirements set forth by the CCPA and the regulations the Attorney General must adopt on or before July 1, 2020.

The CCPA was passed in June of this year, and gives California residents specific privacy rights related to their online activities. Starting January 1, 2020, businesses will be required to comply with a number of provisions including requirements to disclose data collection and sharing practices to consumers, grant consumers a right to request deletion of their data, grant consumers a right to opt out of the sale of their personal information, and a prohibition on selling personal information of consumers under the age of 16 without explicit consent.

The CCPA requires the Attorney General to “solicit broad public participation” and adopt regulations regarding issues such as the definition of personal information, considering changes in technology and data collection practices, procedures for how a consumer can submit a request to opt out of the sale of his or her personal information, and procedures for businesses to determine whether a consumer’s request for information is verifiable.

The Attorney General’s announcement is particularly important because CCPA enforcement will not begin until six months after the promulgation of these regulations, or July 1, 2020, whichever is sooner.  These public forums indicate that Attorney General Becerra’s office is taking steps to adopt these rules, meaning CCPA enforcement may come sooner rather than later.

These hearings will serve as the first public forum in which businesses and members of the public can voice their thoughts or concerns about the required regulations. Members of the public who would like to speak at the forums can, but are not required to, register online. Comments may also be submitted via mail or email. A full schedule of the forums can be found here.

Kelley Drye is happy to assist if your business is considering whether to submit comments concerning the CCPA regulations or enforcement.  These forums present a critical opportunity for any stakeholder interested in California privacy law and enforcement to have their voices heard.  For more information on the CCPA and how it may affect your business, please visit our past blog posts here and here.

About a year ago, the SEC issued a warning to celebrities and social influencers who promoted Initial Coin Offerings (ICOs) on social media, noting that such promoters are subject to federal securities laws. Apparently, at least two celebrities weren’t paying attention because they recently settled the SEC’s first cases regarding promoting ICOs without proper disclosures.

Khaled Khaled, better known as music producer DJ Khaled, and professional boxer Floyd Mayweather Jr. both allegedly promoted investments in ICOs for Centra Tech Inc. in 2017 without disclosing the compensation they received in exchange for their endorsements ($50,000 for Khaled and $100,000 for Mayweather). This triggered a violation of the anti-touting provision of the federal securities laws.

A few examples of these endorsements include Khaled referring to Centra’s ICO as a “Game changer” on various social media accounts, and Mayweather tweeting that Centra’s ICO “starts in a few hours. Get yours before they sell out, I got mine…”

Mayweather also allegedly failed to disclose his relationship with two other ICOs that paid him $200,000 for posts such as, “You can call me Floyd Crypto Mayweather from now on.”

In settling the charges, Khaled agreed to pay $152,725 in disgorgement, penalty, and prejudgment interest, while Mayweather agreed to pay $614,775 for the same. Mayweather and Khaled also agreed not to promote any securities, digital or otherwise, for three and two years, respectively.

Although proper disclosures in social media endorsements have been an area of concern for the FTC for years, this settlement indicates that the SEC is just as interested in making sure consumers understand when they’re seeing sponsored content in the marketing of financial products.

For more information on this topic, check out our earlier post on SEC activity and our webinar, “Advertising Under the Influence.”

In June of this year, California passed the California Consumer Privacy Act (CCPA) giving California residents specific rights related to their online privacy, similar to those prescribed by GDPR. The law was passed hastily to avoid a stricter ballot measure on the subject, but Governor Brown recently signed a bill amending the law.

Many of the amendments clarify some of the CCPA’s “technical” errors, such as solidifying that the Act should not be enforced to contradict the California Constitution. The most significant change, however, deals with the enforcement of the Act. Although Section 1798.198 makes the Act operative on January 1, 2020, the newly-added Section 1798.185(7)(c) prevents the Attorney General from bringing an enforcement action under the Act until July 1, 2020, or six months after the final regulations made pursuant to the Act are published, whichever is sooner. Thus, although the effective date is January of 2020, the California Attorney General may not be able to bring enforcement actions until up to six months after the enactment date, depending on when the office promulgates regulations. The amendments also extend the date by which the Attorney General must promulgate regulations from January 1, 2020 to July 1, 2020.

Another point worth noting is that the amendments remove the requirement for a private plaintiff to inform the Attorney General of a claim he or she has brought to enforce his or her private cause of action under the Act. This eliminates the ability of the Attorney General to bring its own action in lieu of a private one.

Additional changes include specifying additional laws to which the Act does not apply, including: (1) the Confidentiality of Medication Information Act or regulations promulgated in response to HIPAA, or the Health Information Technology for Economic and Clinical Health Act; (2) the Federal Policy for Protection of Human Subjects; and (3) the California Financial Information Privacy Act. The amendments also limit the civil penalty to $2,500 per violation, or $7,500 for each intentional violation.

Although this bill has clarified some issues with the original law, this will likely not be the last set of amendments to the CCPA before it goes into effect. We will keep you posted.

The Northern District of California recently ruled on DIRECTV’s motion for judgment on partial findings in a case where the FTC is seeking $3.95 billion in damages. The FTC’s case alleges that DIRECTV engaged in misleading advertising over a span of more than a decade and across a variety of media channels ranging from television to the company’s website, violating Section 5 of the FTC Act and the Restore Online Shopper’s Confidence Act (ROSCA).

Specifically, the FTC alleges that the company failed to prominently display certain key provisions, such as the 24-month contract requirement and that advertised prices would increase after 12 months, on over 40,000 advertisements. The agency did not allege that the advertising in question was false, but that the details were not displayed sufficiently.

In partially granting DIRECTV’s motion, the court found that the FTC failed to prove a Section 5 violation as to the company’s banner, print, or TV ads because the agency did not establish that there was a misleading net impression among consumers, and because the Commission did not sufficiently identify the alleged net impression. The proffered evidence did not establish that the advertisements were likely to mislead a reasonable consumer.

The FTC provided evidence for fewer than 1,000 of the challenged 40,000 advertisements at issue in the case. The court determined that this, along with the additional evidence that the FTC did provide, such as expert testimony regarding three specific ads, was not enough for the agency to meet its burden. The court noted that the agency was not required to introduce all 40,000 ads into evidence, but it did need to explain why the conclusions made about a few ads could be generalized among a large number of others that varied in format, content, and emphasis. The court also highlighted that DIRECTV’s print ads displayed the necessary disclosures in text that was in all caps, bolded, and in a dark font against a light background, which the court determined was likely sufficiently prominent and in compliance with the FTC’s .com Disclosure guidance.

Notably, the court declined to make a similar conclusion about DIRECTV’s website advertisements. The court found that the FTC’s evidence, although “far from overwhelming” was enough to defer a determination about the Section 5 and ROSCA claims associated with the website advertising at issue. Specifically, the court focused on the fact that the challenged advertising required consumers to hover over or click on a link or icon to learn about the pertinent terms of the offer. In theory, therefore, a consumer could have flowed through the entirety of the online order process without confronting important details about the offer.

The court also discussed the FTC’s nearly $4 billion potential remedy, suggesting that the agency would be unlikely to meet its burden to prove an adequate basis for relief due to the court’s partially granting DIRECTV’s motion. The court had issues with the FTC expert’s calculation of unjust gains because he presumed that all of the defendant’s subscribers for the time period at issue were misled in the same way, without a sufficient basis for that presumption other than the FTC’s instruction. This presumption was especially problematic because there were so many iterations of the advertisements. However, the court deferred the issue to see if the FTC would be able to prove liability with the remaining claims.

In a case that is historic for the breadth of advertising at issue and the amount of damages the FTC seeks, the court’s order creates significant challenges for the agency as to the remaining claims in the case. We will continue to monitor this case for any updates as it proceeds.

In the meantime, the case continues to be notable in highlighting the scrutiny that a company may face when failing to sufficiently disclose post-introductory prices and term commitments for subscription type plans. Following best practices and regulatory guidance on disclosing material terms are helpful steps to avoid such scrutiny in the first instance.

The FTC recently finalized updates to its Guides for the Jewelry, Precious Metals, and Pewter Industries, which provide the FTC’s interpretation of the jewelry marketing rules found in 16 C.F.R. §23.  The FTC hosted a roundtable in 2013, which we wrote about here, and considered stakeholder comments prior to finalizing the new Guides.  The updated Guides address a number of topics, including the surface application of precious metals, below-threshold precious metal alloys, gemstone products, and “cultured” diamonds.

What’s Changed

Some highlights of the changes include advising that jewelry marketers may:

  • Qualify if a coated product only has a service layer of a precious metal;
  • Advertise a product’s precious metal coating to assure reasonable durability;
  • Disclose the purity of coatings made with precious metal alloys;
  • Qualify a product’s gold karat fineness or a parts per thousand (PPT) designation for silver products that have less than 925 PPT;
  • Use alternative words and phrases for man-made stones (where it shares the same properties as the named stone) if they clearly and conspicuously convey that the product is not a mined stone.

Last week, the House Committee on Energy and Commerce held a Committee Hearing on the Oversight of the Federal Trade Commission. All five Commissioners attended and their message was largely the same: the FTC needs additional rulemaking and civil penalty authority to better protect consumers, especially as it applies to privacy and data security enforcement.

Privacy and data security were a focus of the Chairman’s opening statements, during which he noted that both were a top priority for the agency. Chairman Simons also discussed the need for the FTC to have jurisdiction over nonprofits and common carriers, imploring Congress to pass legislation giving the agency such authority, along with comprehensive data security legislation. Simons noted that the FTC was watching and assessing the EU’s implementation of its comprehensive privacy law, the General Data Protection Regulation (GDPR), to see how it may apply to the U.S. and he reaffirmed enforcement of the EU-U.S. Privacy Shield, which the FTC has enforced in the past.

Chairman Simons also referenced the hearings that the Commission will be holding in the fall, emphasizing that he anticipated the agency would benefit from participant input on a number of topics—from merger guidelines to privacy and data security. Simons, a former student of Chairman Pitofsky, noted that the agency held similar hearings during the Pitofsky era that resulted in agency action, such as amendments to the merger guidelines. The Chairman noted that he wanted this year’s hearings to be similarly effective in setting the agency’s future agenda.

California recently passed the California Consumer Privacy Act (CCPA), providing new rights for California consumers (broadly defined as California residents) regarding their personal data. The CCPA is modeled after the EU’s General Data Protection Regulation (GDPR), which provides EU citizens with a number of rights related to data processing and imposes specific requirements on companies that process EU citizen data. The new California law provides similar requirements for businesses that collect data from California consumers. The following are some key points of comparison.