Last week, all five FTC Commissioners – Chairman Joseph Simons (R), and Commissioners Christine Wilson (R), Noah Phillips (R), Rebecca Slaughter (D), and Rohit Chopra (D) – sent a letter to the Chairs and Ranking Minority members of the Senate Commerce and House Energy & Commerce Committees urging the Committees to pass legislation that would “restore Section 13(b) to the way it has operated for four decades.”  The full letter appears here.  Its most salient paragraph:

Without congressional action, the Commission’s ability to use Section 13(b) to provide refunds to consumer victims and to enjoin illegal activity is severely threatened. As explained below, courts of appeals in the Third and Seventh Circuits have recently ruled that the agency cannot obtain any monetary relief under Section 13(b). Although review in the Supreme Court is pending, these lower court decisions are already inhibiting our ability to obtain monetary relief under 13(b). Not only do these decisions already prevent us from obtaining redress for consumers in the circuits where they issued, prospective defendants are routinely invoking them in refusing to settle cases with agreed-upon redress payments. Moreover, defendants in our law enforcement actions pending in other circuits are seeking to expand the rulings to those circuits and taking steps to delay litigation in anticipation of a potential Supreme Court ruling that would allow them to escape liability for any monetary relief caused by their unlawful conduct. This is a significant impediment to the agency’s effectiveness, its ability to provide redress to consumer victims, and its ability to prevent entities who violate the law from profiting from their wrongdoing. Accordingly, it is imperative that Congress act quickly so that the FTC can continue to effectively protect American consumers.

Prospects in Congress are uncertain.  Most believe that, if there is any action on this following the November 3 election, it would come from the Senate as part of the SAFE DATA Act (a comprehensive data privacy bill).  Prospects that the privacy bill will move, however, are considered by many to be a long shot.

On a related note, yesterday Commissioner Rohit Chopra and his Attorney Advisor Samuel A.A. Levine released a paper entitled “The Case for Resurrecting the FTC Act’s Penalty Offense Authority.”  In it, Commissioner Chopra and Mr. Levine contend that the Commission should “resurrect one of the key authorities it abandoned in the 1980s: Section 5(m)(1)(B) of the FTC Act, the Penalty Offense Authority.”  The Penalty Offense Authority allows the Commission to formally declare a practice as unfair or deceptive in a cease-and-desist order, rendering that practice a “Penalty Offense.” Companies (or individuals) that later engage in that practice, with knowledge, would be subject to stiff financial penalties.

For more information on the FTC and other topics, see:

 

Advertising and Privacy Law Resource Center

California became the first U.S. state with a comprehensive consumer privacy law when the California Consumer Privacy Act (“CCPA”) became operative on January 1, 2020. The CCPA provides for broad privacy rights for residents of California and imposes data protection obligations on companies doing business in California that meet certain criteria.  For further background on the CCPA, see our prior CCPA blog posts here.

Privacy Risks Trigger Public Disclosure

While many businesses continue to work on their CCPA privacy compliance strategies and risk mitigation measures, those subject to the law also should consider whether their data practices prompt any material disclosures. Item 105 of Securities and Exchange Commission (“SEC”) Regulation S-K requires public companies to disclose the most significant factors that make investing in their securities speculative or risky.

The SEC published a proposed rule for public comment in the Federal Register on August 23, 2019, that sets forth amendments to modernize the description of business, legal proceedings, and risk factor disclosures that registrants are required to make pursuant to Regulation S-K.  In a public comment to the proposed rule, the World Privacy Forum advised the SEC that the privacy and security risks and obligations that companies face today require that there be more disclosure of those risks in public disclosures. Thus, it requested that the SEC expressly require the appropriate disclosure of material privacy and security risks faced by regulated companies.

In support of its request to the SEC, the World Privacy Forum pointed not only to the risk of data breaches, but also to the material impact that privacy regulations, including the CCPA, can have on a company’s operations. Specifically, it pointed to a $5 billion fine that the Federal Trade Commission imposed on Facebook for its failure to comply with a privacy-related FTC consent decree and the potential for a fine of up to four percent of a company’s worldwide revenues for violations of the European Union’s General Data Protection Regulation (“GDPR”).

The comment continues, however, by noting that fines are not the only risk that companies face from privacy regulations. Compliance with privacy and security regulations can also pose a material risk to a company’s operations, with the comment specifically citing:

  • Loss of markets, customers, and opportunities;
  • Failure of business models to be consistent with privacy requirements;
  • Charges for responding to data breaches; and
  • Loss of key personnel.

Because privacy and security risks are unique to each company, boilerplate disclosures will not suffice to warn investors of these risks. As noted in the comment, a company that collects and uses consumer data as part of its business model faces a significantly larger threat to the continuity of its operations by privacy regulations than a company that maintains only its employees’ data.

These and other privacy law developments are a good reminder for public companies that their CCPA-related exposure extends beyond the CCPA’s monetary provisions, which are limited to a narrow private right of action for data breaches, as well as enforcement by the California Attorney General. Class action plaintiffs have used similar data privacy statutes to support securities fraud claims, and companies should expect to see similar claims predicated on compliance with the CCPA. Rather than basing the claim on a direct violation of the privacy statute at issue, such as the CCPA, the complaints are rooted in violations of federal securities laws and claim that the company did not accurately disclose its compliance with regulatory obligations under the privacy law or disclose the impact that the privacy law would have on its business.

Privacy Shareholder Litigation Examples

For example, shareholders of Nielsen Holdings PLC (“Nielsen”) brought a securities class action against the company and some of its officers and directors alleging securities fraud under the federal securities laws based on false or misleading statements made by the company regarding how the GDPR would impact its business and financial performance. The consolidated complaint alleges that the defendants misled investors by stating that the GDPR would not have any major impact on the company, assuring investors that the company was ready for the GDPR’s effective date, and assuring investors that the company would continue to have access to data from Facebook and others, which it relied upon for many of its products and services. The defendants went as far as to call the GDPR a “non-event” for the company.

In reality, however, the GDPR had a material effect as soon as it became effective by preventing Nielsen from getting the data it needed from large data providers. The truth was revealed to the market on July 26, 2018, the complaint alleges, when Nielsen reported its 2Q18 earnings and disclosed a significant decline in its performance. Nielsen attributed its poor performance to the GDPR, and admitted that Nielsen no longer had access to the data from Facebook and other data providers for its analytical products, including data that helped advertisers target individual consumers. Following this disclosure, Nielsen’s stock price declined 25% in one day.

In another securities class action predicated in part on the GDPR, investors alleged that Facebook made false and misleading statements regarding its compliance with the GDPR and the impact that the legislation would have on its business and operations. Specifically, the operative complaint alleges that Facebook made materially false and misleading statements when: “(i) it falsely and without a reasonable basis assured investors that GDPR had not caused, and would not cause, a decline in active use of Facebook’s solid [sic] media platforms; and (ii) it portrayed Facebook as adhering to and prepared to meet the requirements of the GDPR, when in reality Facebook was not.”

The investors claim that the truth was revealed to the market on July 25, 2018, when Facebook released its 2Q18 earnings report and revealed “a significant decline in users in Europe, zero user growth in the United States, decelerating worldwide growth of active users (i.e., those most responsible for generating data used in targeted advertising), lower than expected revenues and earnings, ballooning expenses affecting profitability, and reduced guidance going forward.” The company’s stock dropped by nearly 19% the following day.

The complaint alleges that the GDPR contributed to Facebook’s declining revenue growth by limiting the data that users share with the company, which led to a reduction in spending by advertisers, and by requiring the company to “incur billions in expenses to become privacy compliant.” The complaint alleged this was in contrast to the company’s prior reassurances that the GDPR would not have a material impact on Facebook’s business because the vast majority of users were opting into data sharing and because the company’s privacy practices were already compliant with the regulation.

Facebook and Nielsen are examples of a growing trend of cases in securities class action litigation that allege class-wide harm to shareholders based on violations of the federal securities law, in these cases sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5, rather than harm to consumers based on direct violations of privacy statutes like the GDPR or CCPA. Also notable is that neither of these class actions was preceded by regulatory action prosecuting a breach of the privacy regulation by the company.  The Facebook plaintiffs recently filed their Third Amended Complaint and Nielsen has a pending motion to dismiss, so it remains to be seen whether this theory of securities fraud will prove successful for plaintiffs’ attorneys.

Public Company Privacy Disclosure Considerations

These developments raise several considerations for public companies.  At a minimum, public companies should ensure that they have accurately assessed and disclosed their compliance with and exposure under privacy statutes, including the CCPA. Companies should not attempt to rely on generic risk disclosure provisions but instead should provide thoughtful, tailored disclosures of the impact that newly-enacted data protection legislation—including the CCPA—will have on their businesses.

Companies also would do well to consider the extent to which:

  • The company’s data practices trigger compliance with U.S. and international privacy laws (often this means becoming familiar with the broadening definition of personal information under such laws);
  • Increased consumer rights concerning the sharing of personal information may limit or preclude the company’s ability to use the personal information in a manner that is material to its business practices, which could impact the company’s growth strategies or financial condition;
  • Data protection laws and industry changes will require the company to delete or remove consumer information from its records or otherwise materially increase the costs of doing business to ensure compliance;
  • The company’s failure to comply with privacy or data protection obligations could result in governmental investigations, enforcement actions or litigation, resulting in monetary penalties to the company, restrictive injunction terms, or a general loss of trust in the company, which in turn could have an adverse effect on a company’s reputation and business;
  • Data protection laws and industry changes will result in changes to the company’s data sources that, in turn, could affect the company’s ability to procure the data necessary for the company’s operations and thereby limit sources of revenue for the company;
  • Data protection laws and industry changes will result in business clients or consumer users choosing to limit or not adopt and use the company’s products, affecting the company’s ability to acquire customers and thereby limiting sources of revenue for the company.

While privacy laws in the U.S. are clearly at an inflection point, the trend line demonstrates that data strategies must be evaluated both for their possibilities and potential risks to the company.  Public companies that routinely perform rigorous internal privacy analyses and continue to closely monitor these quick moving legal and industry changes will be better positioned to address their transparency obligations, and in so doing, mitigate the risk of facing privacy shareholder suits.


Stokely-Van Camp (or “SVC”), the makers of Gatorade, recently challenged claims made by BodyArmor about its SuperDrink and Lyte sports drinks, including banners with the following text:

  • The only sports drink. No artificial sweeteners, flavors, or dyes. Potassium packed electrolytes.
  • The only sports drink. Low calorie. No sugar added. No artificial sweeteners, flavors, or dyes.

SVC worried that consumers would view these claims as comparisons to Gatorade products. BodyArmor disagreed. It argued that the first sentence – “the only sports drink” – was obvious puffery because no reasonable consumer would believe that BodyArmor is the only sports drink on the market. And it argued that the subsequent sentences were truthful monadic claims about its own products.

NAD started its decision with a reminder that it’s important to consider the “net impression created by an advertisement as a whole,” rather than the accuracy of specific phrases standing alone. Although “the only sports drink” may be puffery standing on its own and the remaining claims may be accurate as they pertain to the advertised products, the inquiry doesn’t stop there.

In this case, because “the only sports drink” appeared in close proximity to accompanying text describing the products’ contents, NAD was concerned that consumers would read them together. In other words, consumers could reasonably interpret the ads to mean that the BodyArmor beverages were the only sports drinks to have the attributes listed (such as having no artificial sweeteners). This wasn’t accurate.

This case highlights a common theme in cases in which advertisers raise a puffery defense. Claims that may be puffery on their own may take on a different meaning based on the words that appear around them. It’s always important for advertisers to look at these things in context and through the eyes of a typical consumer.

The October issue of Kelley Drye’s TCPA Tracker newsletter is here:

The TCPA (Telephone Consumer Protection Act) Tracker Newsletter is a cross-practice effort produced to help you stay current on TCPA (and related) matters and case developments, and to provide an updated, comprehensive summary of TCPA petitions pending before the FCC.

Recent News

As Required by the TRACED Act, FCC Releases NPRM Examining Past TCPA Exemptions 

On October 1, 2020, the FCC released a Notice of Proposed Rulemaking (NPRM) to seek input on proposed rules to codify previous exemptions to the TCPA’s consent requirements.  Section 227(b) of the TCPA prohibits “any telephone call to any residential telephone line using an artificial or prerecorded voice to deliver a message without the prior express consent of the called party” unless the call meets the requirements of certain exemptions.  The exemptions under review by the FCC include “(1) non-commercial calls to a residence; (2) commercial calls to a residence that do not constitute telemarketing; (3) tax-exempt nonprofit organization calls to a residence; (4) HIPAA-related calls to a residence; (5) package delivery-related calls to a wireless number; (6) financial-institution calls to a wireless number; (7) healthcare-related calls to a wireless number; (8) inmate calling service calls to a wireless number; and (9) cellular carrier calls to their own subscribers.”  Section 8 of the Pallone-Thune TRACED Act directed the FCC to examine these exemptions to ensure that they contain requirements addressing “(1) the classes of parties that may make such calls; (2) the classes of parties that may be called; and (3) the number of such calls that may be made to a particular called party.”  To this end, the proposed measures include classifying parties as “informational callers” for callers only providing information, and “transactional callers” for callers trying to complete or confirm commercial transactions, in addition to limiting the number of calls that may be made during a period of time.  Comments are due October 26, 2020, and reply comments are due November 3, 2020.

FCC Adopts New Rules to Combat Spoofed Robocalls 

On October 1, 2020, the FCC released a Second Report and Order in its ongoing call authentication proceeding under the TRACED Act.  In March, the FCC required originating and terminating voice service carriers to implement the STIR/SHAKEN call authentication framework in the IP portions of their networks by June 30, 2021.  In the Second Report and Order, the FCC requires intermediate carriers also to implement the STIR/SHAKEN framework in their IP networks and to pass STIR/SHAKEN authentications to downstream carriers.  The FCC extended the implementation deadline for small voice carriers (those with fewer than 100,000 subscriber lines) for two years, until June 30, 2023.  Any carrier taking advantage of the extension must, however, implement a reasonable call mitigation program to reduce the origination of unlawful robocalls and must, by a date to be specified by the FCC, file a certification describing its call mitigation program.  In addition, the Second Report and Order requires voice service carriers either to convert the non-IP portions of their networks to IP by June 30, 2021 or to be participating in industry efforts to develop and implement a call authentication framework for non-IP calls.  Finally, implementing a requirement of the TRACED Act, the FCC prohibits voice service providers from imposing a line item fee on consumers to implement the STIR/SHAKEN framework.

FCC Proposes to Dismiss Old TCPA Preemption Petitions

On September 23, 2020 the Consumer and Governmental Affairs Bureau released a Public Notice, announcing plans to dismiss 10 pending petitions seeking preemption of state laws addressing unwanted robocalls and faxes.  The petitions were filed between 2003 and 2005, and the relief requested may no longer be relevant due to regulatory changes that have occurred since their filing.  The FCC will dismiss the petitions with prejudice unless petitioners file letters by November 20, 2020.

FCC Warns Robocall Scams May Undermine COVID-19 Contact Tracing Efforts 

The FCC has warned consumers in the past against answering calls from unknown numbers in order to avoid falling victim to robocall scammers.  During the September 25, 2020 Consumer Advisory Committee meeting, the CGB acknowledged that this advice may interfere with contact tracing efforts, as contact tracing calls will likely come from unknown numbers.  Complicating matters, many recent scams explicitly refer to contact tracing in robocall messages.  Some scammers even go so far as to spoof actual health department phone numbers.  The FCC published an updated consumer guide and COVID-19 scam alert on its website to help consumers identify scams.

Anderson + Wanca File Application for Review of Ryerson Order 

On October 5, 2020 Anderson + Wanca filed an Application for Review, asking the FCC to consider reversing the Ryerson Declaratory Ruling. According to Anderson + Wanca, “the Commission should reverse the Ryerson Bureau Order under Rule 1.115(b)(2) because its reasoning regarding ‘online fax services’ is in conflict with the statute, regulations, case precedent, and established Commission policy, and is based on erroneous factual findings.”  More specifically, the Application questions whether the equipment referenced in the Ryerson decision as an online fax service has the requisite capacity to be a telephone fax machine.  Anderson + Wanca also argue that the Amerifactors Declaratory Ruling, the decision cited as the primary reason for granting the Ryerson Petition, was based on a mistaken understanding of the TCPA guidelines and thus warrants Commission review.

FCC Petitions Tracker

Kelley Drye’s Communications group prepares a comprehensive summary of pending petitions and FCC actions relating to the scope and interpretation of the TCPA.

Number of Petitions Pending

  • 29 petitions pending
  • 1 petition for reconsideration of the rules to implement the government debt collection exemption
  • 1 application for review of the decision to deny a request for an exemption of the prior express consent requirement of the TCPA for “mortgage servicing calls”
  • 1 request for reconsideration of the 10/14/16 waiver of the prior express written consent rule granted to 7 petitioners

New Petitions Filed

  • None

Upcoming Comments

  • None

Decisions Released

  • None


Cases of Note

District Court Finds All TCPA Claims Between 2015 And 2020 Barred By Supreme Court’s Barr Decision

In Creasy v. Charter Commc’ns, Inc., the Eastern District of Louisiana found that the Supreme Court’s decision in Barr v. Am. Ass’n of Political Consultants (“Barr”) rendered the entirety of 227(b)(1)(A)(iii) unconstitutional during the period from Congress’s 2015 addition of the unconstitutional government-owed debt exception until its July 6, 2020 severance from the TCPA.  Thus, the Court ruled that it lacked subject matter jurisdiction to hear claims alleging violations of the TCPA’s ATDS prohibition during that window of time.

In Barr, the Supreme Court held that the 2015 amendment adding an exception to the TCPA’s ATDS provision for calls made in connection with a government-owed debt created an impermissible content-based speech restriction.  As a remedy, the Supreme Court excised the government-owed debt exception and left the (other constitutional) remainder of the TCPA intact.

In Creasy, the plaintiffs alleged that the defendant made 130 autodialed calls and texts without the necessary consent.  None of the calls involved a government-owed debt.  One hundred twenty-nine of the 130 were made during the time that the government-owed debt exception to the TCPA was operative.

The defendant moved to dismiss all claims as to the 129 calls arguing that the Court lacked subject matter jurisdiction because courts lack authority to enforce violations of unconstitutional laws. The Eastern District of Louisiana dismissed the 129 calls finding that the unconstitutional exception rendered the entire statute unconstitutional during that time period. Because the Supreme Court found the exception unconstitutional, the Court determined that it lacked subject matter jurisdiction to apply the law to the defendant’s conduct.

With respect to the lone remaining communication, the defendant unsuccessfully sought dismissal and the case will proceed.  The Court rejected arguments that the defendant could not be held responsible for calls placed by its subsidiary and found the plaintiffs had met the standard for stating a valid claim.  Thus, the motion to dismiss was granted-in-part and the claims as to the one post-Barr call will continue.

Creasy v. Charter Commc’ns, Inc., No. CV 20-1199, 2020 WL 5761117 (E.D. La. Sept. 28, 2020)

Court Dismisses Vague Text Claims For Lack Of Standing 

In Clements v. Porch.com, Inc., the District of Alaska dismissed 17 plaintiffs’ TCPA claims based on a failure to allege proper standing.  Plaintiffs alleged a total of 3,318 texts received, based solely on an approximation derived from multiplying the number of weeks during which each plaintiff received texts times an alleged average of 2 messages per week.  The Court found that plaintiffs did not support those calculations with any specific allegations concerning specific text messages received by any specific plaintiff and produced only exemplar text messages.  The Court found the Complaint lacked clear allegations that each plaintiff had received texts in violation of the statute.  The Court further found that plaintiffs failed to properly allege which plaintiff(s) were pursuing Do Not Call claims under § 227(c)(5) since there were no allegations regarding any plaintiff’s number being listed on the National Do Not Call Registry.  Thus, the Court held that plaintiffs’ assumptions were insufficient to establish an injury in fact and dismissed based on a lack of constitutional standing.

Clements v. Porch.com, Inc., No. 1:20-CV-00003-SLG, 2020 WL 5739591 (D. Alaska Sept. 24, 2020)

Court Dismisses Fraud Counterclaim Against TCPA Plaintiff 

In Mey v. Castle Law Grp., the District of West Virginia granted plaintiff’s motion to dismiss fraud counterclaims against an alleged “serial” TCPA plaintiff because it found that the alleged basis for the counterclaim was actually behavior encouraged by the TCPA.  Plaintiff’s complaint alleged that the defendants and/or their agents had called her using auto-dialers and pre-recorded messages selling debt relief services in violation of the TCPA.  Four of the defendants counterclaimed for fraud asserting that the plaintiff voluntarily participated in a credit card qualification process in order to “trap the purported telemarketers into a lawsuit.”

Plaintiff moved to dismiss arguing that her alleged conduct did not constitute fraud but was instead the type of investigation encouraged under the TCPA.  The Court agreed.  The Court relied heavily on a prior, similar District Court case holding that statutory damages in laws like the TCPA are “specifically designed to appeal to plaintiffs’ self-interest and direct that self-interest toward the public good” and “operate as bounties, increasing the incentives for private enforcement of the law.”  Thus, the court dismissed the fraud counterclaim.

Mey v. Castle Law Grp., No. 5:19-CV-185, 2020 WL 5648326 (N.D.W. Va. Sept. 22, 2020)


With most employees working remotely amidst the COVID-19 pandemic, the use of videoconferencing platforms like Zoom, Microsoft Teams, Skype, WebEx, GoTo, Ring, and BlueJeans in everyday business has risen dramatically.  Unlike a traditional conference call, videoconferencing feels more personal and more like an in-person meeting because it allows users from around the country and the world to be safely brought together via video.  Further, most videoconferencing platforms allow for easy recording and sharing of that video.  That convenience and functionality, however, raises security, confidentiality and discovery issues.  Therefore, it is important for a business to understand these issues and to implement best practices tailored for the use of videoconferencing and the recording features in order to manage and minimize the risks associated with it.

Security and Confidentiality

You may have recently read news stories concerning “Zoombombing,” a practice whereby an uninvited third party manages to access a Zoom videoconference and fill it with inappropriate content or otherwise disrupt the conference.  While Zoombombing is a nuisance, it has a more troubling implication: the ability to insert that inappropriate content means that a third party gained unauthorized access to your private and confidential business communications.  Accordingly, it is imperative to make sure that the videoconferencing platform your business utilizes is secure and protects your business’s confidences.  In order to manage security concerns and to avoid the proliferation of videoconferencing data scattered in multiple locations and formats, the first step is to select and approve the videoconferencing platform that the business will use internally and when it hosts such virtual conferences.  One of the key security features to look for when selecting a videoconferencing platform is whether it provides end-to-end encryption (a method of secure communication that makes it more difficult for third parties to access data in transit from one end system or device to another).

Once the business selects a platform, it should issue company-provided videoconferencing accounts and implement a policy designating the approved platform as the sole authorized service.  The business should also familiarize itself with and implement certain settings in that platform to improve the business’s security posture.  For example, in Zoom, certain settings you should consider implementing include:

  • Requiring participants to enter meeting passwords;
  • Prohibiting participants from joining meetings until the host joins the meeting;
  • Disabling the screen sharing option by participants other than the host;
  • Disabling recording option by participants other than the host;
  • Disabling the chat feature altogether, or if chat is enabled, it should be configured so that only messaging among the host and all participants (versus private messaging between participants) is permitted;
  • Enabling a waiting room, which allows the host to decide who is allowed into the conference; and/or
  • Enabling the use of automatically generated meeting IDs in lieu of personal meeting IDs.

Further, when scheduling a videoconference with a third-party, the best practice is to offer to host the videoconference whenever possible.  By doing so, you ensure that you are using software that has been vetted by your business, and you maintain control over various aspects of the videoconference—such as participant-admission, screen-sharing, and recording options.  That is not always an option, however, and if you participate in a videoconference hosted by a third-party, those parties will likely maintain control over whether to record the meeting.  Accordingly, if you notice that you are on a videoconference that you believe is being unnecessarily or inappropriately recorded, bring that to the host’s attention.  (If you are on a Zoom videoconference that is being recorded, the word “recording” will appear in red in the upper left corner of all participants’ screens.)

If you are the host and you do opt to record a videoconference, you also need to consider where you want to save and store such recordings and the ramifications thereof.  For example, Zoom provides users with the option of saving recordings on the Zoom cloud or to your desktop/server.  If a user saves a recording of a videoconference to the Zoom cloud, that recording is in Zoom’s possession and is subject to Zoom’s retention policies and security procedures, remains outside your direct control, and is vulnerable to a potential data breach.  Therefore, for security purposes, it may be prudent to save your confidential and sensitive recordings within your system or with your trusted vendor.  Regardless of where you store such recordings, it is very important to save them in a central location so as to be able to locate them quickly and efficiently should the need arise.  The expense of storing large video/audio recording files should also be taken into account.

Finally, businesses can further mitigate security and legal risks by providing training to their employees on the approved platform, the settings thereof, and the proper business use and etiquette of videoconferencing and issues associated with it.  For example, employees should be reminded that videoconferences are a business tool, and the good business judgment and professionalism that is expected in the office is also expected and should be practiced during videoconferences.  Moreover, it is important for employees to understand that they need to take precautions to maximize security and privacy when working remotely, including not holding videoconferences in a public place.

To Record Or Not To Record

Discovery implications of recording videoconferences

With the ease and convenience of the recording feature come potential pitfalls and serious implications for commercial litigation that need to be carefully considered and addressed before deciding to press the record button.  This is particularly true today with many employees working remotely – often from the comfort of their home – that has likely fostered a level of informality during these types of communications.  Such informality may result in participants making jokes, facial expressions or other gestures that might not reflect favorably on them or the business if such recordings made it into discovery and were to be played to a jury.  It is also important to understand what exactly is being recorded and retained.  For example, when a videoconference is recorded on Zoom, multiple files are created containing the video, audio as well as any chats that may have occurred during the conference.  Further, Zoom offers the ability to transcribe the videoconference and if you enable this option, the audio of the videoconference will automatically be transcribed and a text file of the transcription will also be created and retained.

In making a decision as to whether or not to record some or all videoconferences, it is important to note that absent a legal obligation to record a conversation (for example financial services where one may be required to record a client’s permission for a transaction), there is likely no general duty to record your videoconferences.  A videoconference is parallel to a face-to-face meeting that in the pre-COVID-19 world would have been memorialized by meeting notes or related correspondence, if at all.  To think of it another way, when is the last time you set up a camera and pressed record before a meeting with a colleague in the office?  Despite having the ability to do so using a widely available technology like your iPhone, the likely answer is never.  And the fact you can record the same meeting today that is being held remotely because of COVID-19 with a touch of a button should not change your business practice.

As for recordings of videoconferences that already exist, there is likely no obligation to retain and preserve such data for any particular period of time absent a specific regulatory and/or legal requirement.  However, please remember that legal obligations to retain data are based on the data’s content and not its format.  In that regard, recordings of videoconferences are no different than an e-mail or any other record that may contain data that may be required to be retained for specific periods of time.

Absent any such requirement, to the extent you choose to record, recordings should only be retained while that information has value to the business.  A business should update or implement a retention policy specifically addressing how and when such recordings will be maintained, preserved and destroyed.  Indeed, as the Supreme Court of the United States has observed, regular disposition of data and information that is not required to be retained is a best information management practice.  See Arthur Andersen LLP v. United States, 544 U.S. 696, 704 (2005) (“Document retention policies which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business.  It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.”) (internal citations and quotations omitted).  Failure to implement specific and strict policies governing videoconference recordings and their retention and deletion will likely result in the proliferation of discoverable data and expenses associated with the preservation, collection and review of such data once a duty to preserve does arise.

Once litigation or an investigation is reasonably anticipated and the duty to preserve is triggered, all bets are off.  Under common law and as expressly referenced in Federal Rule of Civil Procedure (“FRCP”) 37(e), a party must preserve documents and electronically stored information (“ESI”) when it reasonably anticipates litigation.  There is no bright line rule when the duty to preserve arises and the threshold varies by jurisdiction but suffice it to say, it arises as soon as a business anticipates litigation or regulatory investigation.  See e.g., Zubulake v. UBS Warburg, 220 F.R.D. 212 (S.D.N.Y. 2003) (“Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold.’”).  Once the duty to preserve is triggered, you are obligated to preserve documents and ESI in all forms if it is potentially relevant to the anticipated litigation or investigation and must suspend your routine document and ESI retention/destruction policy.  To the extent any existing recordings of videoconferences are potentially relevant to the anticipated litigation or investigation, they would fall within the scope of the preservation obligation.  Indeed, the business may be subject to severe spoliation sanctions under FRCP 37(e) if potentially relevant documents and ESI are subsequently deleted or lost, such as a monetary penalty, an adverse inference instruction to a jury or even striking of the party’s pleadings.

To the extent you have any doubt, a relevant and non-privileged recording of a videoconference is discoverable ESI.  Under FRCP 34(a)(1)(A) and its state-law analogs, a party must produce in response to a proper request “[a]ny designated documents or electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form . . . .”  (Emphasis added).  The 2006 Advisory Committee notes on FRCP 34 further explained the broad and expansive scope of what is covered by this language:

Discoverable information often exists in both paper and electronic form, and the same or similar information might exist in both.  The items listed in Rule 34(a) show different ways in which information may be recorded or stored.  Images, for example, might be hard-copy documents or electronically stored information.  The wide variety of computer systems currently in use, and the rapidity of technological change, counsel against a limiting or precise definition of electronically stored information.  Rule 34(a)(1) is expansive and includes any type of information that is stored electronically.  A common example often sought in discovery is electronic communications, such as e-mail.  The rule covers—either as documents or as electronically stored information—information “stored in any medium,” to encompass future developments in computer technology.  Rule 34(a)(1) is intended to be broad enough to cover all current types of computer-based information, and flexible enough to encompass future changes and developments.

(Emphasis added).  In addition, for the avoidance of doubt, most document requests from an adversary also contain expansive definitions of “Documents” that are being requested and explicitly call for the production of recordings of videoconferences.  That being said, it is important to note that the usual limits on discovery – such as proportionality – equally apply to such recordings as they do to any other form of discoverable data.

Finally, it is important to note that even unrecorded videoconferences generate data that may be subject to preservation obligations and discovery.  For example, Zoom collects the IP address, operating system, and device details for all videoconference participants even if the video of the meeting itself is not recorded.  Therefore, it is important to have a full understanding of what additional data is generated, how it is generated, and where and for how long it is stored when approving a videoconferencing platform for your business.

Do I need to or can I change what I do after a preservation obligation arises?

It is equally important to remember that “spoliation sanctions apply when a party has lost or destroyed evidence, not when it has failed to create evidence.”  Alsadi v. Intel Corp., 2020 WL 4035169, at *5 (D. Ariz. July 17, 2020); see also Burton v. Walgreen Co., 2015 WL 4228854, at *2 (D. Nev. July 10, 2015) (“When determining whether to impose discovery sanctions for spoliation, the threshold question that the court must decide is whether relevant evidence existed.  If no relevant evidence existed, then the motion for spoliation is moot.”) (internal citation omitted).  Moreover, parties are not generally required to create a record where one otherwise does not exist.  See e.g., Malletier v. Dooney & Bourke, Inc., 2006 WL 3851151, at *2 (S.D.N.Y. Dec. 22, 2006).  As such, it is unlikely that a party would be subject to spoliation sanctions for not starting to record its otherwise unrecorded videoconferences after a duty to preserve has arisen.

The answer is not as clear, however, if a party changes its practice and stops recording videoconferences that it previously recorded after a duty to preserve has arisen.  Although spoliation sanctions generally do not apply when a party has failed to create evidence, some courts have treated changes in business practice as suspect.  See e.g., Braun v. Wal-Mart, Inc., 2008 Minn. Dist. LEXIS 109, *34 (Minn. Dist. Ct. Dakota Cty. June 30, 2008) (finding that changes in employment related record practice could have been due to both legitimate business reasons and reasons related to ongoing litigation).  Accordingly, if a business makes the decision to record some or all of its videoconferences, it may be exposed to spoliation sanctions if it changes its business practice of recording after a preservation obligation has arisen.  Of course, even if no sanctions are imposed, an adversary may use the optics of such a change in business practice against you.

Before recording consider consent and privacy laws of relevant jurisdictions

Although most states require only one-party consent (i.e., consent of the party recording is enough), some states (including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington) require that all parties to a call or videoconference consent to being recorded.  Failure to obtain proper consent could result in civil and/or criminal liability.  Further, in some countries, data related to a videoconference may implicate privacy laws like the European Union’s General Data Protection Regulation that have to be considered prior to recording a videoconference with participants located outside of the United States.

When videoconferencing with individuals in different states—or even different countries—it may be difficult to determine which laws apply.  Thus, it is always best to obtain the consent of all participants before recording a videoconference.  It is advisable to use a disclaimer in the meeting invitation that discloses that the videoconference will be recorded and to have the host of the videoconference remind the participants of that fact at the start as well.  If you believe that it is important to record a videoconference and are unable to obtain the consent of one or more of the participants, make sure you understand the applicable laws of all jurisdictions in which the participants are located.

Key Takeaways and Best Practices

Videoconferencing has become an important and integral tool in how we do business and communicate in the COVID-19 world and likely going forward.  As such, it is not possible nor practical to prohibit or avoid using videoconferencing in your business.  Instead, it is vital to understand the issues that videoconferencing and the recording thereof present and to address them proactively.  Accordingly, please take note of the following “best practices” for the use of videoconferencing:

  1. Select and approve a videoconferencing platform to be used by your business.
  2. Implement specific default settings on the approved videoconference platform to improve security.
  3. Implement employee training on the approved platform and proper business use of videoconferencing.
  4. Unless there is a specific obligation or business purpose, implement a policy prohibiting or strictly limiting the recording of videoconferences.
  5. To the extent recordings already exist or there is a specific business reason to make such recordings, update/implement a retention policy specifically addressing how and when such recordings will be maintained, preserved and destroyed and add specific language to your litigation hold notices concerning such recordings to make sure that they are retained if a preservation obligation arises.
  6. For sensitive communications that would typically take place during in-person meetings, consider using a traditional form of communication like a telephone call as opposed to a videoconferencing platform.
  7. If you have something sensitive to discuss on a videoconference, include your attorney on the videoconference.  Although the mere presence of an attorney does not guarantee that the videoconference will be deemed privileged in a future litigation, it will certainly help make the recording non-discoverable.
  8. Implement a procedure for obtaining consent from participants prior to recording a videoconference.

 

 


Section 13(b) at the Start of the Supreme Court’s October Term:  Where Things Stand, Where They’re Likely to End, And A Proposed Legislative Fix

The Supreme Court’s new term began last Monday. This new term has taken on heightened significance with President Trump’s nomination of current Seventh Circuit Judge Amy Coney Barrett to the High Court. President Trump and Senator McConnell have vowed to place Barrett on the Court this year, with the aim of doing so before the November 3 election. With her confirmation hearing underway, it seems all but certain that Judge Barrett will soon become Justice Barrett, giving the Supreme Court a 6-3 conservative majority and likely cementing a rightward shift in upcoming jurisprudence for years to come.

One primary concern of the Court’s newly invigorated majority is textual fidelity. Sticking to a textual interpretation of statutes was something former Justice Scalia touted as a central tenet of judicial restraint. While originally more a conservative position, textualist renderings of statutes—in which the Court hews closely to the words of the texts and eschews interpretations that stray from the language’s plain meaning—have gained acceptance on both sides of the legal divide.

For practitioners litigating before and against the FTC, the ramifications of this textualist shift in jurisprudence will likely be massive. In two consolidated cases currently pending before the Court, Federal Trade Commission v. Credit Bureau Center, LLC and AMG Capital Management, LLC v. Federal Trade Commission, the new justice and her colleagues will be tasked with deciding whether or not Section 13(b) of the FTC Act authorizes the FTC to seek monetary relief from the individuals and entities it pursues under that statutory provision. Those cases, stemming from the Seventh and Ninth Circuits, respectively, will be heard and decided sometime in the first half of 2021.

Although the text of Section 13(b) speaks only of injunctive relief, appellate courts have extended the reach of 13(b) to include monetary “restitution” since 1982. In 1989, the Seventh Circuit in FTC v. Amy Travel Serv., Inc. decided that Section 13(b) “carries with it the power to issue whatever ancillary equitable relief is necessary.” 875 F.2d 564, 571 (quotation omitted). Over the years, this expansive definition of 13(b) was adopted by nearly all of the Circuit Courts.

But that expansive definition of 13(b) is beginning to erode. On September 30, 2020, the Third Circuit, in FTC v. AbbVie Inc. et al, joined the Seventh Circuit in concluding that the reach of 13(b) does not extend to monetary restitution. These appellate decisions, along with the new composition of the Supreme Court, strongly suggest that, absent a legislative fix, the FTC’s historically broad restitution powers under 13(b) may soon be cut back, leaving practitioners with a wide-open question: What comes next?

Many believe that a legislative fix is in order, and steps have been taken to address the issue in Congress. Proponents argue that the FTC needs the broad powers appellate courts have historically provided it under Section 13(b) to indemnify the public against truly bad actors who commit egregious fraudulent conduct. But is a return to the status quo ante the right course of action?

One view is that a legislative remedy should be limited, so that restitution would be available under 13(b) only where the conduct rises to the level of the “dishonest or fraudulent” standard articulated in Section 19 of the FTC Act. The FTC has a need for vibrant Section 13(b) remedies, but those remedies are only appropriate where the actors either knew or should have known that their conduct was false or deceptive. In the more run-of-the-mill substantiation cases, administrative proceedings are far more appropriate. There is a strong argument that any new language added to Section 13(b) should make that distinction clear.

Federal Trade Commission v. Credit Bureau Center, LLC (“Credit Bureau”)

Credit Bureau concerns a credit monitoring website that offered consumers what was purportedly a “free credit report and score.” Consumers opting to receive this report would unknowingly be enrolled in a monthly “membership,” costing $29.94 a month. Consumers only learned that they had been enrolled in the business’s monthly service when they received a post-hoc letter, detailing the commitment they had supposedly made.

The FTC sued Michael Brown, the sole owner and operator of Credit Bureau, under Section 13(b) of the Act. Relying on this longstanding precedent allowing the FTC to use Section 13(b) to assess money damages, the district court ordered Brown to pay more than $5 million in restitution to the FTC.

The district court’s ruling was appealed to the Seventh Circuit Court of Appeals. The Seventh Circuit, in a precedential opinion, reversed, finding that the FTC does not have the authority to obtain monetary restitution under Section 13(b). In doing so, the Credit Bureau court admonished that Section 13(b) must be taken on its own terms. “By its terms, section 13(b) authorizes only restraining orders and injunctions,” not restitution. 937 F.3d 764, 767. Because Section 13(b) does not explicitly authorize monetary restitution, the Seventh Circuit concluded that the FTC has no restitution powers under 13(b).

Ironically, it had been the Seventh Circuit, in Amy Travel Serv., that had originally expanded the FTC’s restitution powers under Section 13(b) thirty-one years ago. Although the principle of stare decisis would normally have constrained the Credit Bureau panel to follow Amy Travel’s precedent, even if the current panel disagreed with it, the Credit Bureau court decided that the textualist Supreme Court of the present-day would not allow Amy Travel to stand. In the words of the Seventh Circuit, “[s]tare decisis cannot justify adherence to an approach that [recent] Supreme Court precedent forecloses.” 937 F.3d 764, 767. The FTC asked the full Seventh Circuit to rehear the case, but that request was denied.

After being denied rehearing before the full Seventh Circuit, the FTC petitioned for certiorari of the Seventh Circuit’s Credit Bureau decision to the Supreme Court. In its Supreme Court petition, the FTC asked the Supreme Court to uphold the textual reading of Section 13(b) that has become prominent over the past thirty years. The Supreme Court accepted the FTC’s petition, granting certiorari, in July.

Notably, the FTC is representing itself before the Supreme Court. This is highly unusual. In the normal course of events, the Solicitor General of the United States represents government agencies at the High Court. In this case, the Solicitor General chose to sit it out, signaling that the Trump Administration might agree with the Seventh Circuit’s reading limiting the FTC’s powers under 13(b).

AMG Capital Management, LLC v. Federal Trade Commission (“AMG”)

AMG is in many ways a parallel case to Credit Bureau, with similar facts leading to an opposite outcome. Indeed, depending on what happens at the Supreme Court next year, AMG may represent the last of the old guard of cases in which the appellate court affirms the FTC’s broad restitution powers under Section 13(b).

AMG, like Credit Bureau, involved a single-proprietor business, AMG Capital Management. The business’s sole function was to provide payday loans. The FTC sued Scott Tucker, the owner of AMG, under Section 13(b) of the Act, asserting that the terms disclosed in the loan notes provided to consumers did not reflect the harsher terms that Tucker actually enforced. The district court found Tucker liable, and pursuant to Section 13(b), levied a staggering $1.27 billion in equitable monetary relief to be paid by Tucker to the Commission.

Tucker appealed the district court’s ruling to the Ninth Circuit Court of Appeals, arguing, inter alia, that Section 13(b) forecloses monetary relief. Like the Seventh Circuit in Credit Bureau, the Ninth Circuit noted that the argument that 13(b) does not allow restitution “has some force.” 910 F.3d 417, 426. Yet, unlike the Seventh Circuit, the AMG panel concluded that it “remain[ed] bound by” the ample Ninth Circuit precedent broadly construing Section 13(b). Id. at 427.

Two of the three judges on the AMG panel, in separate concurrences, called for the Ninth Circuit to rehear the case en banc, in order to overrule its prior precedent (something only the full Circuit has the power to do in the Ninth Circuit). However, the full Circuit denied AMG’s petition for a panel rehearing. After its petition for rehearing was denied, AMG filed a petition for certiorari with the Supreme Court. The Supreme Court granted that petition in July, consolidating the case with Credit Bureau for a single oral argument.

FTC v. AbbVie Inc. et al (“AbbVie”)

On September 30, in a precedential decision, the Third Circuit joined Credit Bureau in concluding that “district courts lack the power to [authorize monetary disgorgement] under Section 13(b).” The facts in AbbVie concerned a patented drug called AndroGel. The FTC sued the owners of AndroGel’s patent under Section 13(b), alleging they had filed sham patent infringement suits against generic drug makers, and that they had entered into an anticompetitive reverse-payment agreement with one of those generic providers. The district court awarded the FTC disgorgement of $448 million.

The Third Circuit reversed the order of disgorgement. In doing so, the AbbVie panel, like the Seventh Circuit before it, focused on the text of the statute. The AbbVie court found that the text was dispositive, allowing only injunctive relief and (at best) minimal monetary penalties. In the Third Circuit’s view, “Section 13(b) authorizes a court to ‘enjoin’ antitrust violations. It says nothing about disgorgement, which is a form of restitution.” Emphasizing this point, the court wrote that “[a] contrary conclusion would undermine the FTC Act’s statutory scheme.” In reaching its conclusion, the AbbVie court explicitly relied on the findings of its sister Circuits in Credit Bureau and AMG, calling the Seventh Circuit’s Credit Bureau decision “a thorough and well-reasoned opinion.”

Because AbbVie was just decided, the Supreme Court will not be hearing it directly this term. However, AbbVie indicates that, when it comes to 13(b), the dominoes are falling. The appellate courts, like the Supreme Court, have become much more textually inclined over the last decade. The Third Circuit’s AbbVie panel consisted of two Trump appointees and a George W. Bush appointee. The parties before the Supreme Court in Credit Bureau are currently in the midst of briefing. The Third Circuit’s AbbVie decision is certain to play a large role in that briefing, and has further potential to influence the Supreme Court’s Credit Bureau decision.

The End of Restitution Under 13(b)?

Seventh Circuit Judge Amy Coney Barrett, President Trump’s nominee to join the Supreme Court, has often affirmed her textualist beliefs. This past summer, Barrett was quoted as explaining that “textualism matters because it is a theory, one that I think is consistent with the judicial role under the Constitution of what I do quite often, which is interpreting statutes.” Although Barrett was not on the Seventh Circuit’s Credit Bureau panel that reversed Amy Travel and concluded the FTC does not have broad restitution powers under Section 13(b), she did join the majority of the Seventh Circuit in voting to deny rehearing of that panel decision. This, along with her textualist bona fides, strongly suggests a Justice Barrett would affirm the Seventh Circuit and reverse the Ninth Circuit, concluding that Section 13(b) does not allow for monetary relief.

Even in the unlikely event Judge Barrett is not confirmed to the Supreme Court, any of the other women on President Trump’s short list are likely to take a similar textualist position. Even the shrinking liberal wing of the High Court has lately been going textualist, especially when it comes to statutory language akin to that of Section 13(b), language that is far from unambiguous.

Earlier this year, in Liu v. Securities and Exchange Commission, the Supreme Court analyzed a similar statute found in the Securities Exchange Act, Section 21(d)(5). The appellate courts had historically treated that statute similarly to 13(b) of the FTC Act, allowing the SEC to use it to seek monetary relief even though its text said nothing about disgorgement. In its June 22, 2020 ruling, the Supreme Court significantly narrowed the disgorgement remedy, finding that the text of the Exchange Act does not allow for the broad monetary disgorgement the SEC has been wielding. Notably, it was Justice Sotomayor—now probably the most liberal member of the Court—who authored the Supreme Court’s Liu decision.

Textually, Section 13(b) provides even more limited powers than Section 21(d)(5) of the Exchange Act. While the Exchange Act specifically allows for “any equitable relief,” Section 13(b) of the FTC Act expressly limits itself to injunctive relief. Given the textualist inclinations of the current Court, and its continuing march toward textualism if Barrett is elevated to the bench, there is good reason to believe the justices will soon narrow or even do away with the FTC’s ability to seek monetary relief under 13(b).

And forces in favor of doing exactly that are ensuring their voices will be heard.  An amicus brief filed last week by the Washington Legal Foundation summarized the position of the groups in a manner that they hope will be fruitful:

To ‘start with the obvious,’ ‘injunction’ does not mean ‘restitution.’  Credit Bureau Ctr., 937 F.3d at 771-772.  ‘Apples,’ after all, does not mean ‘oranges.’  Nor does ‘injunction’ mean ‘equitable relief (including, at times, restitution).’  That would be like saying that ‘apples’ means ‘fruit (including, at times oranges).’  Nor, finally, can it be said that some aspect of the FTC Act’s structure reveals Congress’s subtle intent to use ‘injunction’ to mean ‘injunction, but maybe restitution too.’  Section 13(b) is plainly designed to be ‘a simple stop-gap measure,’ 910 F.3d at 431 (O’Scannlain, J., specially concurring), one that enables the FTC to enjoin a practice while it uses other statutory authority to prosecute an offender.

The Issue is Having an Effect in the Courts and at the Negotiating Table

With the fate of Section 13(b) in the balance, practitioners and lower courts are catching on. In late August, for example, a Northern District of California court granted the Motion to Stay of defendant LendingClub in a 13(b) action, pending the Supreme Court’s determination in Credit Bureau. The district court reasoned that, if the High Court significantly narrows 13(b)’s scope, “the viability of the remedy motivating the case” against LendingClub would disappear.

The trial in LendingClub had been scheduled for October. In finding a stay of that trial warranted, the LendingClub court emphasized that the FTC’s authority to seek monetary relief under Section 13(b) (or lack thereof) is “an issue of enormous consequence to this case.” The court explained, “[g]oing forward with trial would needlessly burden LendingClub to put on a trial defense only to possibly have the entire enterprise mooted by the FTC’s inability to seek any monetary relief under Section 13(b).”

LendingClub is not the only defendant caught in the FTC’s crosshairs to raise the prospect of a near-term sea change. To date, at least nine other defendants in 13(b) actions around the country have requested that courts stay their cases pending the Supreme Court’s decision in Credit Bureau. We fully expect to see a flurry of these motions in the months ahead.

Earlier this month, a federal district court judge in the Northern District of Texas granted one such motion, staying an FTC action against Match Group, Inc. In its complaint, the FTC had alleged that the company used fake love interest advertisements to trick consumers into purchasing paid subscriptions on Match.com, and sought disgorgement under Section 13(b). Notably, the Texas court chose to stay the case even though it was at an early stage – discovery had not yet commenced – evidently believing that the FTC would abandon its action if it could no longer receive a monetary remedy.

And just this past Friday, a federal district court in the Central District of California ruled for the FTC and against the defendants in FTC v. Cardiff, another 13(b) action. While the court had denied the defendants’ motion to stay the case prior to resolution of liability, “the Court recognized that the United States Supreme Court will likely decide whether restitution is available under Section 13(b)” in the coming term. The Cardiff court therefore stayed the resolution of liability pending the Supreme Court’s ruling, even though it had conclusively determined the defendants were liable under 13(b).

The effects of a potential Supreme Court decision neutering Section 13(b) also have implications outside of the courtroom. For companies currently engaged in FTC negotiations, knowledge of a potential Supreme Court ruling limiting the FTC’s equitable powers under 13(b) can be a valuable asset. The awareness that the FTC may not be able to obtain monetary relief through Section 13(b) has an obvious effect on the context of such negotiations. Savvy practitioners now have the ability (some might say the obligation) to leverage the potential limitation of Section 13(b) restitution in order to push the FTC to discount monetary demands. After all, the FTC may soon lose any ability at all to demand monetary relief under 13(b).

What Comes Next?

Under the current 13(b) framework, the FTC has the ability to take a party directly to court, and to sue for both monetary and injunctive relief. If the FTC’s ability to sue for monetary relief goes away, the FTC will still be able to use Section 13(b) to enjoin a party in federal court, but in order to obtain monetary restitution, the FTC will have to resort to Section 19 of the FTC Act.

Under Section 19 of the Act, the FTC can seek monetary damages against a party in federal court, eventually. But the process to do so is cumbersome and time-consuming. First, the FTC must bring the case at the Commission before an Administrative Law Judge. Assuming the FTC prevails before the ALJ, the losing party can (and almost certainly will) appeal that decision to the full Commission. The FTC must make its case a second time before the Commission in order to receive a final order, allowing the case to be brought in federal court. Only then can the FTC begin prosecuting the actual lawsuit against the party. Especially compared to the current Section 13(b) framework, the Section 19 process is lengthy and convoluted, making it far harder for the FTC to obtain quick and effective monetary remedies.

There is some hope for those concerned about the FTC losing a major weapon in its arsenal following the Supreme Court’s Credit Bureau decision. On September 17, four Senate Republicans introduced S. 4626, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act – a comprehensive privacy bill. Section 403 of the bill, as currently written, would modify the text of Section 13(b) to clarify that the FTC has the explicit ability to obtain monetary restitution. The proposed provision comes in response to numerous agency requests for Congressional action on 13(b) following ongoing legal challenges to the scope of its authority.

While some portions of the SAFE DATA Act are contentious, revising Section 13(b) seems to carry bipartisan support. At a September 23 hearing on privacy legislation, Ranking Member Maria Cantwell, a Democratic Senator from Washington, suggested that the “core mission of the FTC would be crippled” without the authority to obtain monetary relief under Section 13(b). This suggests that a bipartisan legislative fix could be in the offing. Of course, given the political climate, such a legislative remedy is unlikely to be enacted until 2021, at the earliest. Without the enactment of such legislation, there is a very real possibility that the FTC’s ability to obtain monetary restitution from parties under Section 13(b) will be curtailed in the coming year.

Any Legislative Fix Should Curb FTC Excess

In the absence of the availability of monetary restitution under Section 13(b), the FTC will likely make more use of its remaining 13(b) powers. Particularly, the FTC will likely increasingly use Section 13(b) to attempt to enjoin and freeze companies’ assets quickly while a Section 19 action is pending. Instead of the current Section 13(b) landscape, consisting of federal litigation taking place over a defined period of time, followed by a potential money judgment (or not), companies in such a scenario would face potentially years of Section 19 litigation at the FTC and in court while their assets have already been frozen under Section 13(b).  This would have a devastating effect on a company’s business.

By losing its ability to seek 13(b) monetary restitution, the FTC could thereby ironically gain tremendous leverage over companies it ends up suing for injunctive relief under Section 13(b). Many companies would likely choose to settle with the FTC rather than face an indefinite asset freeze, even in those cases where settlement might not be appropriate.

To be sure, you would expect just about all parties to agree that the FTC should not be able to freeze assets of a typical advertiser whose substantiation for a product claim is called into question and there is no evidence that they acted in a dishonest and fraudulent manner. While there is an obvious difference between cases of fraudulent conduct and more run of the mill substantiation cases, the line has become increasingly blurred over the past ten years.

Given the Court’s leanings and the evident bipartisan support to reinvigorate Section 13(b), we may see a legislative fix in the coming year. Any legislative remedy should clarify that Section 13(b)’s remedies—both injunctive and monetary—can only be used against truly bad actors. In this regard, Congress has a clear legislative playbook to follow. Section 19 of the FTC Act allows the FTC to obtain monetary remedies only for “dishonest or fraudulent conduct.”

While the power courts of appeals have given the FTC under their expansive interpretations of Section 13(b) is warranted in severe situations, it should not be doled out to companies engaged in routine if not always perfect behavior, such as an alleged failure to properly substantiate claims. The FTC has other, administrative remedies to deal with those types of problems, and if the current Rules of Practice do not allow for acceptably fast disposition (they do not), those Rules can be revised. Section 13(b), however, is a powerful tool. If and when it is revised, Congress should ensure it is used only when necessary and appropriate – in cases involving dishonest and fraudulent conduct.

For more information on the FTC and other topics, see the Advertising and Privacy Law Resource Center.

The replay for our October 13, 2020 Futureproofing Privacy Programs webinar is available here.

Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they operate. Of course, companies must anticipate and adapt to changing privacy regulations as well. This webinar presented strategies to help meet these challenges, with a focus on setting up structures to join local awareness with global compliance approaches.

The webinar featured Kelley Drye attorney Aaron Burstein, along with Abigail Dubiniecki and Kris Klein of nNovation LLP.

To view the webinar recording, click here.

Subscribe to the Ad Law Access blog to receive realtime updates on privacy and other related matters.

The Ad Law News and Views newsletter provides information on our upcoming events and a summary of recent blog posts and other publications.

Visit the Advertising and Privacy Law Resource Center for additional information, past webinars, and educational materials.


Only two months after finalizing the CCPA regulations, the California Attorney General’s office today released a new set of proposed changes, most significantly addressing “Do Not Sell My Personal Information” requests. The office has also recommended changes to the regulations related to providing notice when businesses collect personal information offline, proof required when an authorized agent submits a request on behalf of a consumer, and a grammatical change related to providing notice of how to opt in to the sale of children’s information.

  • Do Not Sell Requests. The proposed addition specifies that a “Do Not Sell” request must “be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” The change would prohibit businesses from using any method that is designed to or would have the effect of preventing a consumer from opting out. The proposal enumerates specific examples, such as requiring a consumer to: (1) complete more steps to opt out than to re-opt in after a consumer had previously opted out; (2) provide personal information that is not necessary to implement the opt-out request; and (3) read through a list of reasons why he or she shouldn’t opt out before confirming the request.
  • Notice for Offline Collection. The proposal requires businesses that collect personal information offline to provide an offline notice, such as providing consumers with paper forms or posting signs in a store, or giving an oral notice if collecting personal information over the phone.
  • Authorized Agent Requests. The finalized regulations previously permitted businesses to require that a consumer provide the authorized agent with signed permission to submit the access or deletion request. The proposed change shifts the burden to the authorized agent to provide proof of signed permission, rather than imposing the requirement on the consumer to provide signed permission.
  • Children’s Information. The proposed grammatical change in section 999.332 requires businesses that sell personal information of children under the age of 13 or between the ages of 13 and 15 (rather than both) to include a description of how to make a sale opt-in request in their privacy policies.

The deadline to submit written comments related to these proposals is 5:00 PM PST on October 28, 2020. We will continue to monitor and will report any changes made to the regulations once they are finalized.

***

For more updates and information on the CCPA and other privacy topics, visit:

 

Futureproofing Privacy Programs
Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they operate. Of course, companies must anticipate and adapt to changing privacy regulations as well. This webinar will present strategies to help meet these challenges, with a focus on setting up structures to join local awareness with global compliance approaches.

This webinar will feature Kelley Drye attorney Aaron Burstein, along with Constantine Karbaliotis, Abigail Dubiniecki and Kris Klein of nNovation LLP.


Please join us for the following upcoming virtual events: 

October 13
Futureproofing Privacy Programs

Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they operate. Of course, companies must anticipate and adapt to changing privacy regulations as well.

In conjunction with Canadian firm nNovation LLP, Privacy and Information Security practice chair Alysa Hutnik and partner Aaron Burstein will present strategies to help meet these challenges, with a focus on setting up structures to join local awareness with global compliance approaches.



October 20
New Frontiers of the Intersection Between Privacy Laws, Antitrust and Misleading Advertising Enforcement
Canadian Bar Association (CBA) 2020 Fall Competition Law Conference
The Bureau is pushing the boundaries of the intersection between competition and privacy laws, and the pandemic has accelerated pre-existing trends in digital enforcement. The FTC is similarly continuing to pursue robust enforcement in cutting-edge areas such as data privacy and fintech. Join Alysa Hutnik and a host of others for this session for a conversation on misleading advertising priorities in Canada and the U.S. in the digital economy.



November 10
Nuts and Bolts of Basic Advertising: Substantiation, Disclosures and Social Media
2020 ANA/BAA Marketing Law Conference: A Virtual Experience

Join partner Gonzalo Mon for this session, which will cover important principles of advertising law, including prerequisites to prove your claims, the type of proof required, how to make disclosures, and application of these principles to social media. In addition, it will cover options for challenging competitors. Whether new or experienced to advertising, this session will give you down-to-earth information you need to put later sessions into context. This presentation will put a great new spin on important topics.



October 21
2020 Election Outlook: An In-Depth Analysis of the Race for the White House and Congress
Please join Kelley Drye’s Government Relations and Public Policy Group as we present a bipartisan assessment of the upcoming 2020 elections. Election analysts Greg Speed and Jim Ellis will provide a detailed and data-packed assessment of the current state of play in the race for the White House.  In addition, they will cover key Senate and House races and the prospects for control of both chambers in the upcoming 117th Congress.


November 10, 2020
The Future of Consumer Protection and Privacy – What to Expect from the FTC
As the election approaches, our government prepares for a transition – either to the second term under President Trump or to the Biden Administration. As this is occurring, consumer protection law also finds itself in transition. Partners Christie Grymes Thompson and John Villafranco will focus on what this means, in terms of recent enforcement activities and priorities related to privacy, data security, marketing, advertising, and other areas of consumer protection.


For on-demand webinar replays and other content organized around Advertising and Marketing Standards, Privacy and Data Security and Consumer Product Safety, visit the Advertising and Privacy Law Resource Center microsite.  Available via www.KelleyDrye.com, the site provides practical, relevant information to help in-house counsel answer the questions and solve the problems that they face on a daily basis.


Prior to the September 30 deadline to sign or veto legislation, California Governor Gavin Newsom recently took action on three bills related to data privacy. Bringing some potential certainty to the dynamic CCPA landscape, Governor Newsom signed into law AB 1281, which provides for the extension of the CCPA’s exemptions related to employee data until January 1, 2022. In 2019, the Legislature exempted from the CCPA collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, and contractors until January 1, 2021. Notably, AB 1281 only goes into effect if California voters do not approve the California Privacy Rights Act (CPRA) ballot initiative on November 3rd.

However, Governor Newsom vetoed two other privacy bills that would have tightened data- and service-specific regulations beyond the CCPA’s standards. Citing the risk of unintended consequences during the COVID-19 pandemic, Governor Newsom nixed SB 980, which would have created heightened privacy and security requirements for genetic data handled by direct-to-consumer genetic testing and analysis companies. Instead, Governor Newsom directed the state’s Health and Human Services Agency and Department of Public Health to work with the Legislature to identify “a solution that achieves the privacy aims of the bill while preventing inadvertent impacts on COVID-19 testing efforts.”

The second vetoed bill, AB 1138, would have required companies that offer “social media” services to obtain parental consent before allowing a user who companies actually know to be under the age of 13 to create an account. In his veto message, Governor Newsom explained that AB 1138 “would not meaningfully expand protections for children,” but indicated that he is “open to exploring ways to build upon current law to expand safeguards for children online.”

Privacy developments in California this year are unlikely to end with the Legislature’s session. As we have discussed, the November 3rd vote on CPRA could have far-reaching implications for California privacy law. With the election only 33 days away, we will continue to monitor and post relevant updates.