The FTC recently announced a $5.7 million settlement with app developer Musical.ly for COPPA violations associated with its app (now known as TikTok)—the agency’s largest-ever COPPA fine since the enactment of the statute. The agency charged the app company, which allows users to create and share videos of themselves lip-syncing to music, with unlawfully collecting personal information from children.

To create a TikTok profile, users must provide contact information, a short bio, and a profile picture. According to the FTC, between December 2015 and October 2016, the company also collected geolocation information from app users. In 2017, the app started requiring users to provide their age, although it did not require current users to update their accounts with their age. By default, accounts were “public,” allowing users to see each other’s bios (which included their grade or age). It also allowed users to see a list of other users within a 50-mile radius, and gave users the ability to direct message other users. Many of the songs available on the app were popular with children under 13.

The FTC further alleged that Musical.ly received thousands of complaints from parents asserting that their child had created the app account without their knowledge (and noted an example of a two-week period where the company received more than 300 such complaints). The agency also noted that while the company closed the children’s accounts in response, it did not delete the users’ videos or profile information from its servers.

The FTC’s Complaint focused on practices spanning from 2014 through 2017. Musical.ly was acquired by ByteDance Ltd. in December 2017, and merged with the TikTok app in August 2018.

COPPA identifies specific requirements for operators who collect personal information from children under 13, including obtaining consent from parents prior to collection and providing information about collection practices for children’s data. Online services subject to the rule generally fall into two categories: (1) sites that are directed to children and collect personal information from them; and (2) general audience sites that have actual knowledge that they are collecting personal information from children. Civil penalties for violations of COPPA can be up to $41,484 per violation.

According to the FTC, Musical.ly’s app fell into both categories:

  1. The company included music and other content appealing to children on the app. For example, many of the songs included on the app were popular with children under 13, and the app used “colorful and bright emoji characters” that could appeal to children.
  2. Once the company began collecting the ages of its users, Musical.ly had actual knowledge that some of its users were under the age of 13. In spite of this, the company did not obtain consent from the parents of users under the age of 13, or comply with other COPPA requirements.

FTC Commissioners Chopra and Slaughter issued a joint statement on the settlement, pointing out that FTC staff had uncovered disturbing practices of a company willing to pursue growth at the expense of endangering children. They also noted that previously, FTC investigations typically focused on individual accountability in limited circumstances, rather than pursuing broader enforcement against company leaders for widespread company practices. The Commissioners further indicated that as the FTC continues to pursue legal violations going forward, it is time to “prioritize uncovering the role of corporate officers and directors” and to “hold accountable everyone who broke the law.”

This settlement indicates that the FTC continues to prioritize privacy enforcement—particularly where vulnerable audiences, such as children, are involved. Future FTC enforcement actions could signal an expanded approach to individual liability, including with respect to larger companies.

The case is also a good reminder of the value in performing robust privacy due diligence when considering acquiring an entity, and meaningfully assessing the risk of a company’s data practices before adding them to the portfolio. A widely popular business with significant data assets may not look as attractive once civil penalties and injunctive terms are added to the mix.

The Federal Trade Commission (FTC) announced this week that it would not update its anti-spam rule, completing the agency’s first 10-year review of the regulation.

The FTC last updated the rule, known as the CAN-SPAM Rule, in 2008. The rule requires, among other things, that commercial e-mail messages have a mechanism for allowing the recipient to opt out of future messages.

As part of the FTC’s review process, the FTC sought comments on whether the agency should update the definition of “transaction or relationship messages,” shorten the time period for honoring opt-out requests, or add to the statutory list of aggravated violations.

Ultimately, the Commission chose to keep the 2008 rule. Despite the advent of social media, increasingly sophisticated processes for identifying spam and managing opt-outs, and never-ending threats to a clean inbox, the FTC repeatedly declined to take up commenters’ suggestions for changing the CAN-SPAM Rule, citing unclear cost-benefit analysis outcomes, lack of evidence, and limited Congressional authority. Here are some examples:

  • On shortening the time period for opt-out requests: “[N]one of these comments provided the Commission with evidence showing how or to what extent the current ten business-day time-period has negatively affected consumers, nor did they address the concerns noted by other commenters that such a change may pose substantial burdens on small businesses.”
  • On commenter suggestions to modify opt-out requirements: “[N]one of the comments provides the Commission with information about the costs and benefits of these proposed rule changes.”
  • On comments asking the FTC to require consumer permission before transferring or selling a consumer’s email address to a third-party, and blocking all unsolicited spam from servers outside the US: “The Commission also declines to consider the remaining proposed modifications because each would be inconsistent with the Commission’s circumscribed authority under the Act.”

The FTC voted unanimously to confirm the CAN-SPAM Rule. If you have any questions about your obligations pursuant to the CAN-SPAM Rule, please contact Alysa Hutnik or Alex Schneider at Kelley Drye.

Most of our posts regarding “Made in USA” claims relate to FTC investigations and enforcement actions. Private plaintiffs, however, also closely watch those claims. For example, in 2018 plaintiffs filed a class action lawsuit against New Balance Athletics Inc. challenging qualified “Made in USA” claims. Although the plaintiffs acknowledged that New Balance qualified the claim in some places to indicate that the domestic value is at least 70%, they alleged that the general impression is that the products are American made. To resolve that litigation, a California federal judge recently granted preliminary approval to a proposed $750,000 settlement.

In Dashnaw v. New Balance Athletics, Inc., consumers alleged that New Balance mischaracterized its line of “Made in USA” sneakers because as little as 70% of the product was made with domestic components or labor. The claim appeared in advertising, on the shoes, and on the shoe boxes. The complaint acknowledged that New Balance disclosed in some places that its “Made in USA” sneakers contain a domestic value of 70% or greater, but alleged that a “Made in USA” claim appeared in places like the shoe and the shoe box. Because 30% of the value of those shoes could be attributed to a foreign country, plaintiffs alleged that the claims violated both California law, requiring that foreign materials must not exceed 5% of the final wholesale value, and FTC guidelines, stating that a product must be “all or virtually all” made in the United States.

The case was transferred from state court to the U.S. District Court for the Southern District of California, where the parties initiated settlement discussions. In April, the parties proposed a settlement of $750,000, with $215,000 going to settlement administration costs and compensation and $535,000 to consumers, with each consumer receiving up to $10. Judge Lorenz denied the settlement stating that the proposed amount was not enough for the estimated 1 million class action members. In response, the parties explained that a 5% participation rate among class members would result in full compensation and even with a 10-15% participation rate, each class member would receive 35-50% of the maximum damages the class could receive at trial, which they called a “reasonable settlement amount.” Judge Lorenz granted preliminary approval to the proposed settlement of $750,000 on January 25, 2019.

This case reminds advertisers that when using a disclosure to qualify a Made in USA claim or any other claim, the disclosure must appear consistently to maximize effectiveness. The FTC has also cautioned that even qualified claims may imply more domestic content than exists, so advertisers should avoid qualified claims unless the product has a significant amount of U.S. content or U.S. processing.

The Federal Trade Commission has long supported advertising industry self-regulation as a means of promoting truthfulness and accuracy in advertising. One of the key aspects of this success has been the threat of referral to the FTC: Advertisers that refuse to participate in the self-regulatory process or refuse to comply with recommendations after participating are referred to the appropriate government entity, usually the FTC’s Division of Advertising Practices, which will review the claims at issue. Over the years, the specter of a National Advertising Division referral to the FTC has prompted most advertisers to participate in the self-regulatory process and comply with the final decision.

Law360 published the article “NAD Referrals To FTC: How Big Is That Stick?,” co-authored by partner John Villafranco and senior associate Donnelly McDowell. The article provides an analysis of recent NAD cases that suggests referrals to the FTC have been on the rise over the past two years and discusses advertiser commitment to the self-regulatory process. Are advertisers turning their backs on self-regulation and rolling the dice at the FTC? And are they doing so based on an assessment of the risk that a referral could result in a major FTC investigation or enforcement action?


While many today returned to work after the Holiday season, things remained quieter than usual here in the nation’s capital – with many federal workers furloughed until further notice as the federal government continues to be in a partial shutdown.  President Trump is reportedly meeting with congressional leaders today ahead of Thursday’s start to a new congressional session but, at least for now, there’s no immediate end to the shutdown in sight.

Here’s how the shutdown is affecting federal agencies responsible for overseeing and enforcing advertising and privacy laws:

  • The FTC closed as of midnight December 28, 2018.  All events are postponed and website information and social media will not be updated until further notice.  While some FTC online services are available, others are not.  More information here.
  • The CPSC is also closed, although a December 18, 2018 CPSC memorandum summarizing shutdown procedures indicates that certain employees “necessary to protect against imminent threats to human safety” will be excepted employees and continue work during the shutdown.  The CPSC consumer hotline also continues to operate. Companies should remember that obligations to report potential safety hazards are not furloughed, so the mantra of “when in doubt, report” still applies, even if public announcement of a recall may be delayed.
  • Roughly 40% of FDA is furloughed according to numbers released by its parent agency, the Department of Health and Human Services.  In a post on its website, the agency explained that it will be continuing vital activities, to the extent permitted by law, including monitoring for and responding to public health issues related to the food and medical product supply.  The agency is also continuing work on activities funded by carryover user fee balances, although it is unable to accept any regulatory submissions for FY 2019 that require a fee payment.
  • Because the CFPB is funded through the Federal Reserve and not Congress, it remains in operation.

Andrew Smith was recently named Director of the FTC’s Bureau of Consumer Protection. Given his strong background in financial matters, businesses can expect Smith to focus on issues affecting consumer financial services.

Smith is not a stranger to federal positions. Although most recently a Partner in the Regulatory and Public Policy Group at Covington & Burling LLP and Co-Chair of the firm’s Financial Services Group, Smith previously held roles as Senior Counsel and Acting Assistant General Counsel at the SEC from 1997 to 2000 and as the Assistant to the Director of the Bureau of Consumer Protection from 2001 to 2005. During Smith’s time at the FTC, he focused largely on consumer financial protection policy—mainly through enforcement and rulemaking. For example, while serving as the program manager for the Fair and Accurate Credit Transactions Act of 2003, Smith helped to draft ten rules and six studies.

Smith’s interest in financial services has followed him throughout his career. His practice at Covington focused specifically on financial privacy—including regulatory compliance, consumer financial services laws, and enforcement actions and investigations. He also serves as the Chair of the ABA’s Consumer Financial Services Committee.

Notably, in January of this year, Smith testified before the House of Representatives Subcommittee on Financial Institutions and Consumer Credit about fintech policy. His statements suggest that he is in favor of an increased role of fintech in the banking industry, although he proposes passing legislation that clarifies the role of banks as lenders, regardless of the vendor or service provider. Further indications of Smith’s interest in the fintech space come from an editorial he authored in The Hill in February of this year. He advocates collaboration between fintech and banks to offer the middle class more financial options, e.g., point-of-sale lending. In Smith’s words, “the future of banking is the internet, and brick-and-mortar is the past.” His piece supports the Modernizing Borrower Credit Opportunities Act of 2017, a bipartisan bill to regulate the fintech industry introduced in November of 2017.

Another indication of Smith’s likely priorities as Bureau Director may be the people he worked with during his prior stint at the FTC. For example, he worked closely with Howard Beales who served as the Director of the Bureau of Consumer Protection from 2001 to 2004. Regarding advertising specifically, Beales advocates for a flexible “reasonable basis” standard for substantiation requirements, as opposed to more stringent evidentiary standards. This position favors the view that consumers benefit from having access to information. Having served with Beales, Smith may take a similar approach to substantiation requirements as Director.

Despite Smith’s previous experience, however, his appointment has not been without controversy. While at Covington, Smith represented Facebook, Uber, and Equifax in both investigations and FTC settlements regarding data breaches. Although Smith plans to recuse himself from these high profile cases in his new role, opponents have noted that Smith’s representation of these companies may put him at odds with the FTC’s consumer protection mission. Senator Richard Blumenthal stated that he could “imagine worse choices [for Bureau Director], but not many,” noting that Smith was “on the wrong side of [the] issues” in his testimony on behalf of Equifax last fall. During that testimony, Smith indicated that credit bureaus should not have a fiduciary duty to consumers from whom they collect data, and that current industry regulations were satisfactory to protect consumers. Senator Elizabeth Warren called Smith’s appointment “corruption, plain and simple,” referring to him as “Equifax’s hired gun.” Further, David Vladeck, who was Bureau Director from 2009 to 2012, noted that Smith’s recusing himself from some of the agency’s most important cases is an unusual position for someone in his role and wondered “how far-reaching the recusals will be.”

The FTC’s newly-appointed Democratic Commissioners had similar concerns, turning a usually perfunctory vote into a point of contention. Rebecca Slaughter noted that appointing a Director “who is barred from leading on data privacy and security matters that affect so many consumers, command so much public attention, and implicate such key areas of the law potentially undermines the public’s confidence in the commission’s ability to fulfill its mission.” Rohit Chopra, a fellow Democrat, agreed, noting that Smith’s conflicts “[raise] many questions,” and would put Smith “on the sidelines” in some of the agency’s most important cases. He also noted that FTC Chairman Joe Simons made the pick without a Commission meeting. Simons, however, called the appointment a “source of unnecessary controversy,” indicating that “it is impossible to attract high caliber professionals to the FTC without encountering some conflicts,” and noting that the agency can readily handle recusals.

Although we may have some insight into Smith’s new role as Director, his position on consumer protection issues outside of the financial industry, and the effects of his recusals, remain to be seen. We can expect, however, that helping to regulate fintech, and other financial security issues, will likely be high on his list of things to do.

The Republican-led FCC’s effort to get out of the business of regulating broadband providers’ consumer practices took a step forward on Monday.  In an appeal that has been proceeding in parallel with the FCC’s “Restoring Internet Freedom” reclassification proceeding, the U.S. Court of Appeals for the Ninth Circuit issued an opinion giving the Federal Trade Commission (FTC) broad authority over practices not classified by the FCC as telecommunications services.  Specifically, the Ninth Circuit, sitting en banc, issued its long-awaited opinion in Federal Trade Commission v. AT&T Mobility, holding that the “common carrier exemption” in Section 5 of the FTC Act is “activity based,” exempting only common carrier activities of common carriers (i.e., the offering of telecommunications services), and not all activities of companies that provide common carrier services (i.e., rejecting a “status-based” exemption).  The case will now be remanded to the district court that originally heard the case.  Coupled with the FCC’s reclassification of Broadband Internet Access Services (BIAS) in the net neutrality/restoring internet freedom proceeding, the opinion repositions the FTC as top cop on the Open Internet and broadband privacy beats.

Background

As we discussed in several earlier blog posts, this case stems from a complaint that the FTC filed against AT&T Mobility in the Northern District of California in October 2014 alleging that AT&T deceived customers by throttling their unlimited data plans without adequate disclosures. AT&T moved to dismiss the case on the grounds that it was exempt under Section 5, based on its status as a common carrier, but the district court denied the motion, finding that the common carrier exemption was activity-based, and AT&T was not acting as a common carrier when it offered mobile broadband service, which, at the time, the FCC classified as a non-common-carrier “information service.” AT&T appealed and a three-judge panel of the Ninth Circuit reversed the district court, holding that the common carrier exemption was “status-based,” and the FTC lacked jurisdiction to bring the claim. As we noted then, the three-judge panel’s decision was the first recent case to address the “status-based” interpretation of the common carrier exemption, and the decision – if it stood – could re-shape the jurisdictional boundaries between the FCC’s and the FTC’s regulation of entities in the communications industry.

The En Banc Court’s Analysis

The FTC appealed the case to an en banc panel of the Ninth Circuit, which issued its opinion this week.  The court’s decision relied on the text and history of the statute, case law, and significant deference to the interpretations of the FTC and FCC, which both view the common carrier exemption as activity-based rather than status-based.

The Court first analyzed the history of Section 5 and the common carrier exemption.  It found that the Congress intended the exemption to be activity based and rejected textual arguments advanced by AT&T that other statutory provisions—including Section 6 of the FTC Act and the Packers and Stockyard Exception—demonstrated that the common carrier exemption was status based.  The Court gave significant weight to the understanding of common carriers in 1914, when the FTC Act was first passed, and legislative statements made during consideration of that Act.

The Court then addressed case law that an entity can be a common carrier for some activities but not for others.  The Court found this case law to support an activity-based interpretation of the common carrier exemption.  Specifically, the Court found that while Congress has not defined the term “common carrier,” Supreme Court case law leading up to and following the passage of the FTC Act interpreted the term “common carrier” as an activity-based classification, and not as a “unitary status for regulatory purposes.”  The Court found that its approach was consistent with the Ninth Circuit’s longstanding interpretation of the term “common carrier” as activity-based, as well as the interpretations of the Second, Eleventh, and D.C. Circuits.  (AT&T did not contest these cases, but instead argued that the FCC had many legal tools to address non-common carrier activities, including Title I ancillary authority and potential structural separation.)

Notably, the Court also provided significant deference to the views of the FTC and FCC, both of which have recently expressed the view that the FTC could regulate non-common carrier activities of common carriers.  The Court cited the FCC’s amicus brief before the en banc panel and a 2015 Memorandum of Understanding between the two agencies that interpreted the common carrier exemption as activity-based.

Finally, the Court rejected arguments that the FCC’s 2015 Open Internet Order reclassifying mobile broadband as a common carrier service (or the FCC’s 2017 Restoring Internet Freedom Order reversing that classification) retroactively impacted the outcome of the appeal.

Agency Response

After the court issued its opinion, both FTC Acting Chairman Maureen Ohlhausen and FCC Chairman Ajit Pai applauded the ruling.  Chairman Ohlhausen stated that the ruling “ensures that the FTC can and will continue to play its vital role in safeguarding consumer interests including privacy protection, as well as stopping anticompetitive market behavior,” while Chairman Pai stated that the ruling is “a significant win for American consumers” that “reaffirms that the [FTC] will once again be able to police Internet service providers” after the Restoring Internet Freedom Order goes into effect.

Our Take

The Ninth Circuit’s ruling is unsurprising in some senses.  When a court grants en banc review, it often is for the purpose of reversing or at least narrowing the panel’s initial decision.  AT&T also faced fairly strong questioning during the oral argument in September.  Further, the Court’s decision affirms a position that the FTC had taken for many years and that the FCC – as evidenced by the 2015 Memorandum of Understanding – supported.  Thus, the en banc court here effectively affirms current practice.

All of that said, the issue is not settled.  AT&T’s reaction was decidedly muted, and it may still seek Supreme Court review of the question.  This option may be particularly attractive to AT&T because it noted several times during the oral argument that it faced both FTC and FCC enforcement actions against it for allegedly the same activities.  The Ninth Circuit did not mention the FCC enforcement action or the potentially conflicting interpretations of AT&T’s obligations.  It is not clear whether both actions could or would proceed as a result of the decision.

Going forward, once the FCC’s Restoring Internet Freedom Order takes effect, we can expect that the FTC will serve as the top cop for alleged broadband consumer protection violations, including with respect to open Internet- and privacy-related complaints.  And yet, there is still some uncertainty.  The FCC’s Restoring Internet Freedom Order is under appeal.  If the appeals court that ultimately hears the challenges to the Restoring Internet Freedom Order were to reverse the Order, the possibility exists that broadband services would again come under FCC common carrier jurisdiction, thereby exempting the provision of such services from FTC jurisdiction even under an activity-based interpretation of the FTC Act.  Thus, we may not have finality on broadband regulation, despite the Court’s decision this week.

More broadly, we expect that the FTC will continue to push for eliminating the common carrier exemption altogether before the Congress, as it has for many years.  Congressional action to repeal the exemption appears unlikely in the near term.

At least for now, broadband providers should continue to ensure that their privacy and broadband practices are in line with FTC guidelines and judicial interpretations of Section 5, and should comply with remaining FCC Open Internet requirements, such as the transparency rule.

Most Popular Ad Law Access Posts of 2017

As reported in our Ad Law News and Views newsletter, Kelley Drye’s Advertising Law practice posted 106 updates on consumer protection trends, issues, and developments to this blog in 2017. Here are some of the most popular:


2018 Advertising and Privacy Law Webinar Series 

Please join Kelley Drye in 2018 as we continue our well attended Advertising and Privacy Law Webinar Series. Like our in-person events, this series gives key updates and provides practical tips to address issues faced by counsel as well as CLE credit. This webinar series will start again in February 2018. Please revisit the 2017 webinars here.

On December 11, 2017, the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) released a draft Memorandum of Understanding (MOU) which will allocate oversight and enforcement authority related to broadband Internet access service (BIAS) between the two agencies.  The new MOU was announced three days before the FCC’s scheduled vote to reclassify BIAS as an “information service,” and is expected to be finalized simultaneously with that vote.  The MOU is part of an ongoing effort to address concerns that reversing the current “net neutrality” rules will adversely affect consumers, and provides a guide for Internet service providers (ISPs) and other stakeholders to understand which agency will be taking the lead on oversight and enforcement going forward.  However, the extent to which the MOU takes effect will depend upon, among other things, the pending case interpreting section 5 of the FTC Act that is before the Ninth Circuit Court of Appeals.


On Monday, the FTC issued an Enforcement Policy Statement stating that the Commission will not take action against operators that collect an audio file of a child’s voice as a replacement for written words, such as for translation into text, without first obtaining parental consent, provided the file is retained only for the brief time necessary for that purpose. However, the operator is still obligated to indicate in its privacy policy how it will collect and use children’s voice recordings, as well as its policy for deletion. The FTC reasons that, although COPPA applies to the collection online of files that contain children’s voices, even if they are immediately deleted after collection, the risk associated with such collection and immediate deletion is minimal.

There are some additional limitations on this policy. It does not apply when the operator requests personal information, such as a child’s name. Moreover, the operator may not use the recording for any use other than translation into text, such as behavioral targeting or identification purposes, before deleting it. If the operator does plan to collect other types of personal information, then it would be required to obtain parental consent.

Although the policy provides some clarification about the application of COPPA to voice-capture technologies, operators of child-directed services that collect children’s voices should ensure that their privacy policies and consent and notification procedures comply with COPPA requirements. Violators are liable for up to $40,654 in civil penalties per violation.

 

Associate Lauren Myers contributed to this post. She is practicing under the supervision of principals of the firm who are members of the D.C. Bar.