The recent Netflix and Hulu documentaries about the Fyre Festival have thrust the failed event back into the spotlight. That was a few scandals ago, so for those of you who don’t remember it, here’s a short recap.

Billy McFarland and Ja Rule wanted to host a luxury festival on a deserted island. They found an island that had belonged to Pablo Escobar, and secured a lease on the condition that they wouldn’t mention the drug lord’s name. Not long after that, Fyre used Escobar’s name in a social media post. And not long after that, the company was forced to find a new deserted island – or find a way to make an inhabited one look deserted. (They chose option B.)

Meanwhile, a group of over 60 influencers – including Kendall Jenner and Emily Ratajkowski – got to work promoting the festival on Instagram, without disclosing that they had been paid to do so. (According to some reports, the initial group of influencers was paid between $20,000 and $250,000 each.) This resulted in over 300 million impressions in 24 hours. The hype worked, and people started paying up to $12,000 for tickets.

Things on the ground were going less smoothly. When guests arrived, instead of finding the luxury accommodations, gourmet food, and big-name bands they were promised, they found FEMA tents, a food shortage, and none of those bands. If you’re wondering whether any of this is fraud, Ja Rule directly addressed that question in the Netflix documentary. During a phone call, he assured his colleagues that it’s not fraud – it’s just “false advertising.” (Note to Mr. Rule’s lawyer: maybe keep him off the witness stand.)

As McFarland sits in jail and Ja Rule and his colleagues fight lawsuits, a federal judge gave a bankruptcy trustee permission to subpoena Kendall Jenner’s company, some of the agencies that represented other influencers, and other vendors who were paid to organize or promote the festival. It’s too early to tell what will happen next, but these developments are likely to lead to more scrutiny of how companies advertise on social media and use influencers.

We’ve posted about these issues many times before. To summarize:

  1. Social media posts are subject to advertising laws, so those posts must be truthful and not misleading;
  2. Influencers need to disclose their connections to the companies they are promoting; and
  3. Companies need to take steps to manage their influencers.

But if you don’t have time to read those posts, watch one of the documentaries, see what the Fyre organizers did, and do the opposite.

As we noted previously, the California Attorney General is holding a series of public forums on the California Consumer Privacy Act (CCPA) to provide the public with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.  On Friday, January 25, 2019, the Attorney General’s Office held its fourth of six hearings before a full auditorium in Los Angeles.  This blog post summarizes the main themes discussed at the hearing.

Timing/Scope:  For businesses hoping for CCPA clarity and guidance soon, that seems unlikely. California Deputy Attorney General Lisa Kim opened the hearing by emphasizing that the Attorney General’s Office was at the beginning of its rulemaking process and noting that she did not anticipate the formal rulemaking process starting until Fall 2019.  For now, the Attorney General’s Office encouraged interested parties to submit comments by the end of February, focusing on subjects within the scope of the Attorney General’s rulemaking responsibilities, as set forth in the CCPA, including:

  • Categories of Personal Information
  • Definition of Unique Identifiers
  • CCPA Exemptions
  • Submitting and Complying with Consumer Requests
  • Uniform Opt-Out Logo/Button
  • Notices and Information to Consumers, including Financial Incentive Offerings
  • Certification of Consumers’ Requests

During the hearing, the Attorney General’s Office displayed this PowerPoint deck, summarizing the CCPA regulatory process.

Main Themes

Continue Reading California Privacy Update: What We Heard at Friday’s CCPA Hearing

On Monday, France’s Data Protection Agency announced that it levied a €50 million ($56.8 million) fine against Google for violating the EU’s new General Data Protection Regulation (GDPR).  The precedent-setting fine by the Commission Nationale de l’Informatique et des Libertés (“CNIL”) is the highest yet imposed since the new law took effect in May 2018.

How Does Google Violate GDPR, According to CNIL?

  • Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:
    • Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
    • Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
    • Lawful basis for processing is unclear: Data subjects may mistakenly believe that Google relies on legitimate interests (which does not require consent) as the legal basis for processing, rather than on the individual’s consent.
    • Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.
  • Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing personal data must be able to demonstrate that the data subject’s consent is informed, specific, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:
    • Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
    • Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
    • Consent is not specific: Consent across all Google services is captured via consent to the Google Terms of Services and Privacy Policy rather than a user providing distinct consent for each Google personal data use case.

What Does This Mean for Other Companies?

Continue Reading C’est la vie? French Regulator Fines Google Nearly $57 million for GDPR Non-compliance

On January 10, 2019, Massachusetts Governor Charlie Baker signed into law the Massachusetts Data Breach Notification Act, which amends the state’s data breach reporting laws. The new law, available here, changes the timing and content of individual and regulator data breach notifications, and requires credit monitoring services when Social Security numbers may have been compromised.

Key updates to the state’s data breach notification laws include the following:

  • Free Credit Monitoring: Following breaches involving Social Security numbers, entities must “contract with a third party to provide” credit monitoring services to affected Massachusetts residents at no cost for at least 18 months (42 months, if the company is a consumer reporting agency), and provide consumers with instructions on how to access these services.
  • No Mandatory Arbitration Clauses: Companies are prohibited from asking individuals to waive their right to a private action as a condition for receiving credit monitoring services.
  • Additional Required Information for the Breach Notice: The required notice to consumers, the Massachusetts Attorney General, and the Office of Consumer Affairs and Business Regulation already provided for under current Massachusetts law must now also include additional information such as the name and address of the person that experienced the breach of security, the person responsible for the breach, if known, and the type of personal information compromised. Entities are also required to submit to regulators a sample of the notification letters that they send to consumers, which will be posted online.
  • Notice Timing: An entity may not delay notice to affected individuals on the grounds that it has not determined the total number of individuals affected. Rather, the entity must send out additional notices on a rolling basis, as necessary.
  • Disclosure of Parent/Affiliate Company: If the company experiencing a breach is owned by a separate entity, the individual notice letter must specify “the name of the parent or affiliated corporation.”

Under Massachusetts data security regulations (201 CMR § 17.03), any entity that owns or licenses personal information about a Massachusetts resident is currently obligated to develop, implement, and maintain a comprehensive written information security program that incorporates the prescriptive requirements contained in the regulation.

The Massachusetts Data Breach Notification Act will take effect on April 11, 2019. This is a good opportunity for businesses to update their data breach notification policies and procedures to ensure that they comply with all state requirements. We will continue to track updates to state breach notification statutes and post on this blog.

Subscription plans that automatically renew at the end of a term are becoming more popular with companies. They’re also getting more scrutiny from regulators. As we’ve posted before, some states regulate how these plans can be structured, and there have been both lawsuits and regulatory investigations targeting companies that have failed to comply. This week, Washington, DC joined the crowd by enacting a new law governing automatic renewals.

The law requires businesses that sell goods and services on a recurring basis to clearly and conspicuously disclose their automatic renewal provisions and cancellation procedures in their contracts. In addition, if a contract has an initial term of at least 12 months and will automatically renew for a term of at least one month, a business must take steps to notify consumers before renewal. This must be done by mail, e-mail, text message, or in-app notification. (For text messages, don’t forget the TCPA.) The reminder must be sent at least 30 – but no more than 60 – days before the deadline to cancel.

Businesses that offer free trials of at least one month that automatically renew must receive a consumer’s affirmative consent to sign up for the automatic renewal program one to seven days before the expiration of the free trial term.

Subject to narrow exceptions, violations of the law will constitute violations of the DC Consumer Protection Procedures Act and render the automatic renewal provision void.

The 2018 Farm Bill legalized cultivation and processing of industrial hemp and various by-products.  One hemp-based derivative of considerable interest to manufacturers of personal care products, dietary supplements, cosmetics, and OTC drugs is cannabidiol (“CBD”).  As industry races to commercialize and advertise CBD, it’s important to understand the regulatory hurdles that remain.  Ad law partner Kristi Wolff addresses several common misunderstandings in an article recently published online in Nutritional Outlook.

Earlier this week, the Direct Selling Self-Regulatory Council (DS-SRC) opened its doors for business. Its objective is to provide independent, impartial, and comprehensive monitoring of direct selling companies on an industry-wide basis, address income misrepresentations (including unsubstantiated lifestyle claims) and false product claims by companies and salesforce members, and enhance the reputation of direct selling.

The DS-SRC will be administered by the Advertising Self-Regulatory Council (ASRC), which operates under the Council of Better Business Bureaus.  This should help the new self-regulatory body achieve its goals, considering the great success of ASRC and the programs it currently administers, including the National Advertising Division (NAD), Children’s Advertising Review Unit (CARU), National Advertising Review Board (NARB), Electronic Retailing Self-Regulation Program (ERSP) and Online Interest-Based Advertising Accountability Program (Accountability Program).

Peter Marinello, Vice President of CBBB, will serve as Executive Director of the DS-SRC, and will oversee the program and its staff.  Additional staffing will include a senior legal analyst, and a staff attorney. DS-SRC may utilize monitoring services at its discretion, and in consultation with the Direct Selling Association (DSA).

DS-SRC will have jurisdiction over the following:

  • Independent monitoring of the direct selling marketplace;
  • Matters referred by the DSA Code Administrator based on an identified pattern and practice of complaints, media reports, or matters identified by consumers;
  • Matters raised by competitor challenges;
  • Inquiries received from distributors, customers and other users of direct selling companies’ products or services; and
  • Complaints from Better Business Bureaus directed to DS-SRC.

DS-SRC’s legal standards will be rooted in case decisions, FTC guidance, self-regulatory decisions of the National Advertising Division and the Electronic Retailing Self-Regulation Program, the DSA Code of Ethics, and the BBB Code of Advertising.

DS-SRC’s independent monitoring will allow for the review of relevant promotional content created by direct selling companies and their salesforces, including websites and social media.  Any problematic content will be identified, and companies will be provided an opportunity to address the issues.

When a matter arises from a referral by the DSA Code Administrator, a media report, or an inquiry, DS-SRC will identify the content of concern, and the company will be given an opportunity to address those concerns within 15 business days.  If the substantiation provided is not sufficient, DS-SRC may request additional information or recommend corrective measures or remedial instruction to the salesforce.  It will also issue a case report with a summary of the issues.

With respect to competitor challenges, DS-SRC will allow companies to challenge the income representations and/or product claims of competitor companies through a submission that addresses the content with a reasonable level of specificity.  The challenged company will be given the opportunity to address the content, and DS-SRC will issue a decision, which will then be reported publicly (so long as it has not been appealed).  DS-SRC reserves the right not to hear a case if the complaint is overly broad, if a party publicizes the case while it is pending, if the matter is the subject of litigation, or if the content has been withdrawn.

Companies that do not agree to implement corrective measures, ignore the inquiry, or do not participate, may be referred to the appropriate government agency, most likely the Federal Trade Commission.

DS-SRC will prepare a case decision within 30 days of the last document received and invite the company to provide a responsive statement.  Should DS-SRC find that the content at issue is not adequately substantiated, the company will have to submit a response indicating whether it (1) agrees to comply with DS-SRC’s recommendations; (2) will not comply with DS-SRC’s recommendations; or (3) will appeal all or part of DS-SRC’s decision.

Once a case decision has been made, it will be published in a Case Report.  The decision will include a summary of the content at issue, a summary of each party’s position, and the ultimate resolution (including whether a party complied or was unresponsive).

The formation of the DS-SRC responds directly to statements made by FTC commissioners, bureau directors, and senior staff over the years, and should be viewed as a very positive step for an industry that is frequently the subject of regulatory attention.  Expect greater self-regulatory focus on income misrepresentations and lavish lifestyle claims in the months ahead, with the objective of promoting truthful and accurate advertising among direct selling companies and, in turn, raising the credibility of the industry.

Forty-three state attorneys general and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer credit card data at 77 Neiman Marcus stores nationwide. The data breach, discovered in 2014, resulted in unauthorized access to over 370,000 Neiman Marcus credit cards, at least 9,200 of which the states alleged were used fraudulently.

In addition to a monetary settlement of $1.5 million, Neiman Marcus has agreed to implement a number of security-related injunctive terms, including:

  • Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
  • Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
  • Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
  • Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
  • Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company’s business; and
  • Devaluing payment card information, using technologies like encryption and tokenization, to obscure payment card data.

Neiman Marcus must also obtain an information security assessment and report from a qualified third-party professional and detail any corrective actions that it takes. The full settlement report is available here.

This settlement follows another multistate resolution with Adobe (here), highlighting the continued interest of state attorneys general in, and scrutiny of, companies’ data security programs and the steps taken to prevent, detect, and remediate data breaches. This most recent case is a good reminder to make sure you have an appropriate data security program in place, and that your records meaningfully reflect the comprehensive steps taken to address cyber incidents that may arise.

The Federal Trade Commission has long supported advertising industry self-regulation as a means of promoting truthfulness and accuracy in advertising. One of the key aspects of this success has been the threat of referral to the FTC: Advertisers that refuse to participate in the self-regulatory process, or refuse to comply with recommendations after participating, are referred to the appropriate government entity, usually the FTC’s Division of Advertising Practices, which will review the claims at issue. Over the years, the specter of a National Advertising Division referral to the FTC has prompted most advertisers to participate in the self-regulatory process and comply with the final decision.

Law360 published the article “NAD Referrals To FTC: How Big Is That Stick?,” co-authored by partner John Villafranco and senior associate Donnelly McDowell.  The article analyzes recent NAD cases, suggests that referrals to the FTC have risen over the past two years, and discusses advertiser commitment to the self-regulatory process. Are advertisers turning their backs on self-regulation and rolling the dice at the FTC? And are they doing so based on an assessment of the risk that a referral could result in a major FTC investigation or enforcement action?

To read the article, please click here.

While many today returned to work after the Holiday season, things remained quieter than usual here in the nation’s capital – with many federal workers furloughed until further notice as the federal government continues to be in a partial shutdown.  President Trump is reportedly meeting with congressional leaders today ahead of Thursday’s start to a new congressional session but, at least for now, there’s no immediate end to the shutdown in sight.

Here’s how the shutdown is affecting federal agencies responsible for overseeing and enforcing advertising and privacy laws:

  • The FTC closed as of midnight December 28, 2018.  All events are postponed and website information and social media will not be updated until further notice.  While some FTC online services are available, others are not.  More information here.
  • The CPSC is also closed, although a December 18, 2018 CPSC memorandum summarizing shutdown procedures indicates that certain employees “necessary to protect against imminent threats to human safety” will be excepted employees and continue work during the shutdown.  The CPSC consumer hotline also continues to operate. Companies should remember that obligations to report potential safety hazards are not furloughed, so the mantra of “when in doubt, report” still applies, even if public announcement of a recall may be delayed.
  • Roughly 40% of FDA is furloughed according to numbers released by its parent agency, the Department of Health and Human Services.  In a post on its website, the agency explained that it will be continuing vital activities, to the extent permitted by law, including monitoring for and responding to public health issues related to the food and medical product supply.  The agency is also continuing work on activities funded by carryover user fee balances, although it is unable to accept any regulatory submissions for FY 2019 that require a fee payment.
  • Because the CFPB is funded through the Federal Reserve and not Congress, it remains in operation.