Florida AG Files Complaint Against Restaurant for Allegedly Deceptive “Locally Sourced” and “Sustainable” Claims

Florida attorney general Pam Bondi filed a complaint last week against Icebox Cafe, L.C. alleging that the restaurant violated Florida’s Deceptive and Unfair Trade Practices Act by making misleading claims that its food products were “locally-sourced” and “sustainable.”  The defendant operates a self-proclaimed “farm-to-table” restaurant in Miami Beach, along with select locations at airports.

According to the complaint, Icebox sought to capitalize on the market for locally sourced and sustainable food products by making false and misleading claims.  For example, the Icebox Miami airport location claimed that its menu items were “farm-to-terminal” and “local,” but the company’s invoices indicate that almost none of the products were sourced from local farms and distributors, according to the action.  The complaint also alleges that defendant’s menus contained representations that its products were from specific local farms and distributors, but its invoices again belied this assertion.

The complaint additionally identifies allegedly misleading claims about “wild” salmon and other fish that had been purportedly caught the same day it was sold to consumers.  While the complaint doesn’t address the substantiation that the advertiser would have needed to support these claims, general advertising law principles require advertisers to have a reasonable basis to support such claims.  The Florida AG points to Icebox’s invoices as evidence that the defendant lacked such a basis and could not support the claims.

The action is an important reminder that advertisers must consider how consumers are likely to interpret “locally sourced” and “sustainable” claims and ensure that they have substantiation to support those takeaways before making the claims.  Unlike many claims for food products that are expressly defined by federal and/or state law, claims about local sourcing and sustainability are not generally defined.  The action here, therefore, reinforces the need to consider substantiation both for claims subject to explicit standards and claims related to undefined terms that may be subject to varying interpretations by different consumers.

In this case, the complaint suggests that the defendant’s invoices demonstrate that the claims were outright false, but one could imagine an instance where some consumers might consider the food sufficiently “local” and others might view the claim as deceptive.  For example, is fish sold in Miami but harvested in north Florida “local”?  What makes a product “sustainable”?  Consumer perception evidence could be useful in these closer calls.  It will be interesting to see whether the terms of any settlement effectively set a new standard for these terms in Florida.  Until then, the lesson for advertisers everywhere is to be precise when using such undefined but attractive language.

 

Why So BLU?: FTC Settles Privacy and Data Security Claims with Mobile Company; Fencing-In Relief Requires Consumer Opt-In to Data Sharing

Earlier this week, the FTC settled its case with BLU Products, Inc., a cell phone company the FTC claimed misled consumers about its privacy and data security practices. According to the agency, the company represented that it did not collect unnecessary personal information and that it imposed specific data security procedures to protect consumers’ personal information. But the FTC claimed not so fast, alleging that BLU allowed one of its partners, an advertising software company, to collect sensitive consumer information such as text message contents and call logs with full telephone numbers. The FTC also alleged that BLU failed to implement the security features it represented to consumers, allowing the company’s devices to be subject to security vulnerabilities that could allow third parties to gain full access to the devices.

In settling the case, BLU agreed not to misrepresent its data collection or data security practices. The order also requires BLU to clearly and conspicuously disclose: (1) all of the “covered information” that the company collects, uses, or shares; (2) any third parties that will receive this “covered information”; and (3) all purposes for collecting, using, or sharing such information. This disclosure must be separate from the company’s privacy policy or terms of use and the company must obtain the consumer’s affirmative express consent to the collection, use, and sharing of such information. “Covered Information” is defined as geolocation information, text message content, audio conversations, photographs, or video communications from or about a consumer or their device. Continue Reading

Senate Confirms Full Slate of New FTC Commissioners

The Senate yesterday confirmed all five nominees to the Federal Trade Commission by voice vote, which means the five-person body will soon be restored to full capacity after over a year with only two Commissioners.  Current Chair Ohlhausen released a statement congratulating incoming Chair Joseph Simons and soon-to-be new Commissioners Noah Phillips, Becca Slaughter, Rohit Chopra, and Christine Wilson.

Ohlhausen’s statement suggests that she intends to remain at the Commission until confirmed by the Senate to her nomination as a Judge on the U.S. Court of Federal Claims – with Wilson set to fill Ohlhausen’s seat once she departs.  Current Commissioner McSweeny recently announced that she intended to depart the Commission tomorrow, April 27, and that she hoped the Senate would move expeditiously in the confirmation process.

As we previously discussed here and here, the new Chair and Commissioners will bring a breadth of knowledge and experience to the FTC.  While working in private practice for the majority of his career, incoming Chair Simons also has significant experience at the Commission, having served as Director of the Bureau of Competition from June 2001 to August 2003 and in other roles at the FTC in the late 1980s.  Wilson, currently a Senior Vice President at Delta Airlines, overlapped with Simons during his most recent stint at the Commission while Wilson served as Chief of Staff to then-Chair Timothy Muris.

The other three Commissioners have not previously served at the FTC, but have notable expertise and experience in other areas.  Chopra, the only non-lawyer of the bunch, comes most recently from the Consumer Federation of America and previously served as Assistant Director at the Consumer Financial Protection Bureau.  Phillips and Slaughter will be departing legal positions on the Hill – Phillips serving as Chief Counsel to Senator Cornyn and Slaughter as Chief Counsel to Senator Schumer.  As the fifth and final nominee, Slaughter was unanimously reported out of the Commerce Committee earlier this week.

The new slate of Commissioners is expected to shake things up at the FTC.  While generally avoiding firm policy positions or legal interpretations during the confirmation process, the appointees affirmed their commitment to vigorously enforcing consumer protection and antitrust laws and expressed distinct interests in specialized topics such as big data and interconnected devices.  Now that the confirmation process has run its course, the coming days are likely to shed more light on the key priorities for the new Chair and Commissioners.

FTC Files Complaint Against Lending Club for Allegedly Deceptive and Unfair Online Loan Practices

The FTC today filed a complaint against Lending Club alleging that it deceived consumers by advertising loans with “no hidden fees” and subsequently concealing substantial loan origination fees.  The complaint points to consumer complaints and internal compliance documents as evidence that Lending Club knew that consumers were being misled and continued to misrepresent the loans anyway.

The complaint charges four distinct violations:

  • Deception regarding up-front fees.  While advertising loans with “no hidden fees,” the Commission alleged that Lending Club actually charged substantial loan origination fees (on average, about 5% of the loan amount) and failed to clearly and conspicuously disclose those fees – both in advertising and throughout the application and approval process.  The complaint provides screenshots of the consumer experience from advertisement to sign-up to approval.  In both the desktop and mobile environment, the FTC charged that consumers were deceived because they would need to do either of the following to learn about the fee: (1) hover over a hyperlink explaining advertised APR to learn that the represented rate includes the loan origination fee; or (2) scroll to the bottom of the loan approval page and notice the fee disclosure embedded in the middle of a text heavy page.  The FTC cited frequent consumer complaints and internal compliance documents referencing potential deception to argue that Lending Club knew it was deceiving consumers and decided to continue its practices anyway.
  • Deception regarding loan approval.  The complaint also alleges that Lending Club made deceptive representations that loans were “on the way” or were “100% backed,” notwithstanding that it knew that a more significant approval step had yet to be completed and many consumers would not ultimately obtain the allegedly approved loans.  According to the complaint, Lending Club uses a two-step “front-end” and “back-end” approval process and misleadingly suggested that consumers were approved after just the first step, despite knowing many consumers would be rejected after the “back-end” step.
  • Unfair billing practices.  The complaint also alleges that Lending Club engaged in unfair acts by withdrawing money from consumers’ bank accounts without authorization, or in amounts in excess from consumers’ authorizations.  Many of these unauthorized charges occurred after consumers had already paid off their loans with Lending Club, according to the complaint.
  • Gramm-Leach-Bliley Act (GLBA) violations.  Lastly, the complaint alleges that Lending Club violated GLBA by failing to deliver initial privacy notices to consumers as required under GLBA and FTC and CFPB implementing regulations.  The complaint explains that Lending Club was subject to GLBA because it is a financial institution under the Act in that it services loans, notwithstanding that the loans are actually made by a third-party bank.  The GLBA allegations are a good reminder that the definition of “financial institution” under GLBA is a tricky one that is distinct from similar definitions under other statutes.

The complaint was filed without a consent judgment in federal court in the Northern District of California, and was approved by both remaining Commissioners, Chair Ohlhausen and Commissioner McSweeny.  McSweeny recently announced that she will leave the Commission at the end of this week on April 27.  Five new Commissioners nominated by President Trump are presently awaiting a full Senate confirmation vote.

New Article on Whether A Single FTC Commissioner Constitute A Quorum

FTC Commissioner Terrell McSweeny is scheduled to resign effective April 28 and may leave with acting Chairman Maureen Ohlhausen as the sole commissioner. Law360  published an article by partner John Villafranco and professor Stephen Calkins that discusses whether the FTC can take formal action by a 1-0 vote and when does a commission cease being a commission? To read the full article, please click here.

Ding Dong, TCCWNA Class Actions Are Dead.

Today, the New Jersey Supreme Court issued a much-anticipated decision construing New Jersey’s Truth-in-Consumer Contract, Warranty, and Notice Act (“TCCWNA”). The decision affirmed that one who has not suffered actual harm from an allegedly unlawful provision in a contract or notice is not “aggrieved” and therefore cannot sue under the TCCWNA.  Importantly, the Court held that the harm need not necessarily be monetary, but it does have to exist.  This unanimous decision should bring an end to the recent wave of speculative class action lawsuits asserting TCCWNA claims based, for example, on standard provisions in online Terms of Service.

The TCCWNA, as discussed in prior posts here and here, imposes a steep $100-per-violation penalty whenever a “contract” or “notice” contains a term that violates “clearly established” New Jersey or federal law.  If a contract or notice says that some of its terms may not apply in “some states,” without specifically identifying provisions that are unlawful and thus inapplicable in New Jersey, the same $100 penalty attaches.  In a landmark decision last October, the New Jersey Supreme Court curtailed the circumstances in which TCCWNA claims can be pursued on behalf of a class by holding that the statute’s requirement that a consumer must be “aggrieved” requires proof that every putative class member at least was “presented with” the offending notice (in that case a restaurant menu).  The court also put real teeth in the requirement that the “right” a notice supposedly violates must be “clearly established.”

The October decision did not address other important TCCWNA issues, including whether one can be an “aggrieved consumer” without having suffered any actual harm. Just after oral argument in the October-decided case, however the Supreme Court accepted a certified question from the Third Circuit Court of Appeals as to whether one without damages can sue under the TCCWNA.

In Spade v. Select Comfort Corp., the plaintiffs purchased an allegedly faulty adjustable bed and received a refund after the defendant could not fix it.  The plaintiffs nevertheless sued the seller under the TCCWNA, contending that its contract failed to conform to New Jersey regulations for selling household furniture regarding delivery timing.  A district judge dismissed those claims, finding the consumers were not “aggrieved” because they received their refund and because their claim against the seller had nothing to do with delivery timing.

In Wenger v. Bob’s Discount Furniture LLC, the plaintiffs ordered goods from the defendant and received them without complaint, but still sued under the TCCWNA based on allegedly unlawful aspects of the customer agreement, including font size, the company’s refund policy, and several of the contract’s other provisions.  The same district judge dismissed those claims, too, on essentially the same basis, and both cases found their way to the Third Circuit.

On November 23, 2016, the Third Circuit asked the New Jersey Supreme Court to decide whether (1) a consumer who receives a non-conforming contract, but who has not suffered any adverse consequences, is “aggrieved” and therefore can sue under the TCCWNA; and (2) a contract provision that violates the state’s Furniture Delivery Regulations satisfies the “clearly established right” provision of the TCCWNA. That is what led to today’s decision.

The Supreme Court answered the first question by holding that contracts containing provisions at odds with regulations do violate the TCCWNA.  That aspect of today’s ruling cannot be ignored.  Among other things, it means that the New Jersey Attorney General’s Office absolutely can pursue businesses for TCCWNA violations if they include such unlawful provisions.

The Court very clearly and strongly held, however, that consumers cannot sue unless they are “aggrieved.” The plaintiffs tried to define “aggrieved” to mean anyone who is offered or enters into a contract containing an offending term, but the Court held that such an expansive interpretation would effectively write the word “aggrieved” out of the statute.  The term “aggrieved consumer,” the Court held, must “denote[] a consumer who has suffered some form of harm as a result of the defendant’s conduct.”

Although there is much for the business community to celebrate in today’s decision, attention must be paid to the last section of the Court’s opinion, beginning with “[w]e do not, however, view [cognizable] harm to be limited to injury compensable by monetary damages.” TCCWNA, the Court held, “contemplates that a consumer may be entitled to a remedy notwithstanding the absence of proof of monetary damages.”  This might include, for example, someone who received a late delivery and was dissuaded from seeking a refund because an unlawful provision told her she could not do so.  Allegations like this would seem to be highly individualized, however, and therefore not proper subjects for class actions.

Wenger and Spade now return to the Third Circuit, which presumably will uphold the district court’s dismissals.  A cascade of dismissals of other suits then should follow.

Data Breach Notification Law Roundup

Just when you think you have it all under control, the data breach notification law landscape changes – again. Over the past few weeks, several data breach notification statutes were updated, including an effective date for Canada’s mandatory breach notification obligations, as well as the adoption of legislation in the two holdout states (Alabama and South Dakota). Here is the latest:

  • Canada: On March 26, the Governor General in Council, on recommendation of the Minister of Industry, set November 1, 2018, as the effective date for the mandatory data breach notification obligations in the Digital Privacy Act 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). Beginning November 1, any organization must report to the Privacy Commissioner if it has a reasonable belief that a breach of information under its control creates a real risk of “significant harm” to Canadian residents, as well as notify affected individuals. The term “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business, or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. The notice to affected individuals must contain sufficient information to allow the individual to understand the significance of the breach and to take any steps to mitigate or reduce the risk of any resulting harm.
  • Alabama: On May 1, 2018, the Alabama Data Breach Notification Act will take effect, requiring that companies provide notice of the unauthorized acquisition of electronic data containing sensitive personally identifiable information that is reasonably likely to cause substantial harm. The term “sensitive personally identifiable information” includes an Alabama resident’s first name or first initial and last name in combination with Social Security or tax identification number; driver’s license or other unique government-issued identification number; financial account number in combination with the required security code, access code, password, expiration date, or PIN; medical and health insurance information; or online account credentials. The Act sets a 45-day time limit for consumer and Attorney General (if more than 1,000 Alabama residents are affected) notice. The consumer notice must contain (1) the estimated date(s) of the breach; (2) a description of the affected information; (3) a general description of the remedial actions taken; (4) a general description of the steps consumers can take to protect themselves from identity theft; and (5) the company’s contact information. The Attorney General notice must contain (1) a synopsis of the event surrounding the breach at the time notice is provided; (2) the approximate number of affected Alabama residents; (3) any free services offered to affected individuals, and instructions on how to use those services; and (4) the name, address, telephone number, and email address of the company’s point person for the breach. A violation of the Act will constitute an unlawful trade practice under the Alabama Deceptive Trade Practices Act, subject to a civil penalty of up to $5,000 per day.
  • South Dakota: On March 21, South Dakota enacted S.B. 62. Effective July 1, 2018, the statute will require that companies provide notice of the unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) that materially compromises the security, confidentiality, or integrity of personal or protected information. The statute (1) contains expanded definitions of personal and protected information, which include health information, an employer-assigned ID number in combination with the required security code, access code, password, or biometric data, and online account credentials; and (2) sets a 60-day time limit for consumer notice, unless legitimate law enforcement needs require a longer timer period. Attorney General notice is required if the number of affected South Dakota residents exceeds 250. Violators are liable for a civil penalty of up to $10,000 per day per violation.
  • Oregon: On March 16, Oregon enacted amendments to its data breach notification law, which take effect June 2, 2018. The amendments clarify that personal information includes an Oregon resident’s first name or first initial and last name in combination with any information or combination of information that would permit access to her financial account, and require consumer and Attorney General (if the number of affected residents exceeds 250) notice within 45 days of discovery of a breach. Additionally, if a company provides free credit monitoring or identity theft prevention and mitigation services, it may not require that consumers provide a credit or debit card number (or any fee) to take advantage of those free services. Likely prompted by the Experian data breach, the amendments also prohibit consumer reporting agencies from charging a fee for a consumer to place or lift a security freeze. Previously, the statute capped such fees at $10.
  • Arizona: On April 5, the Arizona Governor received H.B. 2154, which if enacted, would (1) expand the definition of personal information to include a private key unique to an individual and used to authenticate or sign an electronic record, medical and health insurance information, passport and taxpayer identification number, unique biometric data, and online account credentials; and (2) require notification to affected consumers, as well as the Attorney General and the three largest credit reporting agencies if more than 1,000 Arizona residents are affected, within 45 days. Such notices would need to include the approximate date of the breach; a brief description of the affected personal information; the toll-free numbers for the three largest CRAs; and the toll-free number, address, and website address for the FTC. Importantly, these amendments would also create notice provisions specific to online account credentials and clarify that notice should not be made to the affected account, and should prompt the individual to (1) immediately change her password or security question and answer, and (2) take appropriate steps to protect the affected account and all other online accounts with the affected account credentials. If Arizona adopts these amendments, it will become the twelfth state to require notice in the event of a breach of online account credentials – joining California, Delaware, Florida, Illinois, Maryland, Nebraska, Nevada, Rhode Island, and Wyoming, and most recently, Alabama and South Dakota.

These developments demonstrate that data breach notification statutes are evolving, often in response to high-profile data breaches and/or concerns about a specific industry or a specific type of data – such as online account credentials. We expect U.S. states to continue to update these laws, and in particular, to (1) expand the definition of personal information to include medical and health insurance information, biometric data, and online account credentials; (2) require notice to consumers and/or regulators within a specific time period; (3) impose data security requirements; and (4) address concerns with specific industries, such as credit reporting agencies. Stay tuned for more updates!

No SpielBurgers for you! Steven Spielberg Shuts Down Unauthorized Use of His Name

Last week, Carl’s Jr. announced that in honor of Steven Spielberg’s new movie, Ready Player One, they would change the name of their Charbroiled Sliders to “SpielBurgers.” They tweeted: “@StevenSpielberg hasn’t signed off yet, but we’re pretty sure he’ll be down with it.”

In fact, Spielberg was not down with it. He posted a video on Twitter politely declining the honor: “It’s recently come to my attention that Carl’s Jr. wants to rename their Charbroiled Sliders ‘SpielBurgers.’ And they’re pretty good, but I’m passing. Cease and desist. You can’t do it. Sorry, guys.”

Carl’s Jr. took the rejection well, focusing on the positive: “OMG Spielberg likes our Charbroiled Sliders!” Although this was probably a successful campaign for the company, it could have easily turned out worse. As we’ve noted before, some celebrities respond to the unauthorized use of their names less politely. For example, when a clothing company played on Don Henley’s name and encouraged people to “Don a Henley,” the famous musician filed a lawsuit against them.

Some celebrities are willing to play along with these stunts. For example, Mark Hamill tweeted that he was “completely open to the idea of “HAMILLBURGERS” #NoShameNoGain.” But, if you guess wrong, gambling on whether a celebrity is going to be OK with your use of their name can be very costly.

For a more in-depth analysis of these issues, check out Part IPart II, and Part III of a series on Right of Publicity claims on Drye Wit.

CPSC to Hear About the Safety Consequences If a Smart Device Isn’t So Smart

Manufacture, import, or sell a connected device?  In addition to the potential hazards associated with the physical performance of the product, you also need to consider the potential hazards associated with the product’s connectivity.  The Consumer Product Safety Commission (“CPSC”) is considering the Internet of Things and will hold a public hearing on May 16 for interested stakeholders to discuss the potential safety issues with connected products and the CPSC’s role in addressing these issues, along with industry best practices and current standards development.  Privacy and personal data security issues in the IoT environment do not fall under the CPSC’s jurisdiction, but the agency has the authority to cover consumer hazards resulting from IoT products, which could include fire, burn, shock, tripping or falling, laceration, contusion, and chemical exposure.  

The CPSC has identified two product safety challenges associated with IoT products: (1) preventing or eliminating hazardous conditions designed into products intentionally or without sufficient consideration; and (2) preventing and addressing incidents of hazardization.  While the former falls into the CPSC’s wheelhouse of preventing and correcting consumer product issues, the latter is a non-traditional area of product safety activity and could pose some challenges with the high rate of growth of connected products.   The CPSC defines hazardization as “the situation created when a product that was safe when obtained by a consumer, but which, when connected to a network, becomes hazardous through malicious, incorrect, or careless changes to operational code.”  Examples include a connected cooktop with a software glitch that ignites without the consumer’s knowledge and starts a fire or an integrated home security system that fails to download a software update and the default condition is to deactivate the system, disabling the smoke alarms without the consumer’s knowledge. Continue Reading

Seller Beware When Using Third-Party Services to Manage Returns

The Wall Street Journal recently published an article discussing a growing practice among retailers who use third-party services to identify fraudulent returns. These services will inform retailers when they think a return is fraudulent, and some retailers will reject returns based on this information, notwithstanding what is in their return policies. The article presents an example of consumer who was surprised when a retailer rejected his return and then referred him to the third-party service.

Although retailers generally have broad discretion about how to structure their return policies, there are some legal boundaries. For example, some states have specific requirements about what must be in a return policy and how it must be disclosed. More broadly, federal and state consumer protection laws generally require that retailers clearly disclose material terms prior to a purchase. This arguably includes terms of a return policy, including any exceptions under that policy.

Third-party services that help detect return fraud can provide significant benefits for retailers. (According to the article, less fraud can also benefit consumers because retailers can offer more generous policies.) But retailers should use care when relying on these services. If a customer complies with a retailer’s return policy, and the retailer rejects the return based on information from a third-party, the retailer is likely to face complaints. Simply pointing a finger at the third-party is unlikely to help.

One key question in any consumer complaint – or worse, AG investigation or law suit – will be whether the retailer acted in accordance with its policies and whether those policies were adequately disclosed. Articles such as the one in the Wall Street Journal often serve as food for thought for class action attorneys, so if you are using (or thinking about using) a third-party service to identify fraudulent returns, now might be a good time to take a look at your policy.

LexBlog