FTC Says Parental Consent Proposal From AssertID Fails to Meet COPPA Rule

By Jenny Paul and Marc Martin 

A parental consent method proposed by AssertID does not meet the criteria for approval set forth in a revised Children’s Online Privacy Protection Act rule, the Federal Trade Commission recently determined.

Under the COPPA rule, covered online sites and services must obtain verifiable parental consent (VPC) before collecting personal information from children under 13. While the rule enumerates acceptable methods for gaining parental consent, changes to the rule that took effect July 1 opened the door for FTC approval of unenumerated VPC methods.

AssertID was among the first companies to react to the stricter revised rule, even as commenters predicted that companies would struggle to comply with the revisions. AssertID, which develops privacy and identity-verification solutions, submitted for FTC approval an unenumerated method called ConsentID. ConsentID would facilitate verification by asking a parent’s “friends” on a social network to verify the identity of the consenting parent and the existence of the parent-child relationship — so-called social-graph verification.

The FTC denied AssertID’s application by a 4-0 vote, finding that the company had failed to provide sufficient evidence that ConsentID was reasonably calculated to ensure that the person providing consent is actually the child’s parent. In doing so, the FTC determined that there is not yet adequate research or market testing which demonstrates the reliability of the social-graph verification method. It expressed concern that users can easily fabricate Facebook profiles, noting that Facebook itself estimates it has about 83 million fake accounts, and that children under 13 may falsify their age information to establish social media accounts that could appear to the software to be credible.

While AssertID’s effort to create a new verification solution to manage compliance in a stricter COPPA environment was unsuccessful, the company still plans to offer an automated VPC service that relies on verification methods the FTC has already approved.

SEC Opens Door to Use of Social Media for Corporate Disclosures

By J. Bradford Currier, Marc Martin, and Matt Morley

Companies may use social media outlets like Facebook and Twitter to announce key corporate information so long as investors are alerted in advance about which platforms will be used, according to a recent report issued by the Securities and Exchange Commission.

The SEC announcement follows an investigation into a post by Netflix’s CEO on his personal Facebook page stating that Netflix’s monthly online viewing exceeded one billion hours for the first time. Netflix did not report this information to investors through a press release or formal SEC filing, and it had not previously used the CEO’s Facebook page to announce company information. 

The SEC’s Regulation Fair Disclosure requires companies to distribute material corporate information in a manner reasonably designed to assure that it is broadly disseminated to the public. The regulation seeks to ensure that all investors have the ability to gain access to material information simultaneously, and to prevent some investors from “getting a jump” on others. The regulation does not require the use of any particular method to distribute company information, but does mandate that the means chosen be reasonably calculated to provide a broad and non-exclusive distribution. The SEC previously indicated that company websites may be used for these purposes if a company takes steps to alert the market that it intends to follow this practice.

The SEC’s report criticized the conduct of Netflix, warning that investors would not ordinarily assume that the personal social media pages of company executives would be used to disclose material corporate information. The SEC, however, declined to take enforcement action against Netflix or its CEO, recognizing that there had been uncertainty about how Regulation FD would apply to social media. The SEC investigation report said that social media may be used for such purposes, but that companies doing so must provide sufficient advance notice to investors of this practice. The SEC noted that its announcement was not aimed at inhibiting corporate use of “evolving social media channels,” but rather at ensuring a level playing field for investors in a world of multiple outlets for corporate communications.

Online Advertising Guidance Updated by FTC

By Brian McCalmon and J. Bradford Currier

The Federal Trade Commission has updated its primary business guidance for online advertising, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising.” The update to the guidance, which had not been revised since 2000, addresses the emergence of new electronic media and communications protocols over the last 13 years and compliance with the FTC Act’s requirement that ads be truthful and not misleading, adequately substantiated, and not unfair. Each of these mandates can require the disclosure of qualifying information in a manner that the FTC intends to be “clear and conspicuous” – i.e., easily accessed and understood by the consumer.

With the emergence of smartphones, tablets, and social media, the form and placement of adequate disclosures has become more complicated than it was over a decade ago. For example, with their smaller screens, smartphones can complicate the task of ensuring that a necessary disclosure is clear and conspicuous. The same goes for ads on social media outlets such as Facebook or Twitter that may impose space constraints on advertisers (such as Twitter’s character number limitation). With its updated guidance, supported by 22 appended examples, the FTC renews its call for advertisers either to ensure that disclosures satisfy the FTC Act and rules, or to refrain from using the medium if adequate disclosures cannot be provided.

The updated guidance reflects the FTC’s recent focus on social media and consumers’ growing reliance on wireless devices to access Internet services. Although FTC guidelines do not have the legally binding effect of regulations, they are intended and considered to be highly reliable statements of the FTC’s enforcement intent; once issued, companies ignore them at their own, potentially significant, peril.

California Adopts New Social Media Privacy Protections for Employees and Students

By J. Bradford Currier and Marc Martin

California employers and universities will no longer be permitted to ask employees and students for access to their social media accounts under a pair of bills recently signed into law. The legislation comes in response to concerns from state officials that some businesses were requiring employees and prospective employees to provide access to their social media accounts in order to conduct background checks and take disciplinary action. State officials were also concerned with universities using social media to monitor student behavior, particularly for student athletes. The California laws follow similar legislation passed by Maryland and Illinois, as well as federal legislation currently under consideration by Congress, and pose new restrictions on employers and educators using online material to take action offline.

The bills define “social media” as not only the user’s account information but also a user’s social media content, including videos, photos, blogs, text messages, email, and web site profiles. Under Assembly Bill 1844, employers are prohibited from requiring employees or prospective employees to: (1) disclose their username or password; (2) access personal social media in the presence of the employer; or (3) divulge any personal social media information, and employers may not take any disciplinary action against an employee for refusing to comply with such a request. Employers may seek social media information when accessing an employer-issued electronic device, and the new legislation is not intended to impede investigations of workplace misconduct or employee violation of the law. The legislation also states that California's labor commissioner is not required to investigate alleged violations of the new law. Senate Bill 1349 similarly prohibits universities from asking a student, prospective student, or student group to disclose or access personal social media information and further prohibits the universities from taking disciplinary actions against students who refuse such requests. Universities will also be required to post their social media privacy policies on the institution’s website. The legislation states that the restrictions do not affect a university’s right to investigate or punish student misconduct.

According to the California governor’s office, the new laws will protect residents from “unwarranted invasions” of privacy. However, critics of the bills suggest that the new restrictions may prevent employers from adequately investigating cases of workplace harassment and universities from ensuring their student athletes comply with NCAA rules.

Free Speech Protections for Facebook "Likes" to be Examined by Fourth Circuit

By J. Bradford Currier, Marc Martin, and Marty Stern

When employees click on a Facebook “like” icon indicating their support for a particular cause or candidate, do they engage in protected free speech? The U.S. Court of Appeals for the Fourth Circuit will soon tackle this issue in connection with a lawsuit filed by employees of a Virginia sheriff’s office who were discharged after “liking” the page of the sheriff’s opponent in an upcoming election. In response, the sheriff maintained that the firings were the result of poor work performance and workplace disruptions. The case represents another example of the unresolved legal issues surrounding employer monitoring of employee social media and whether online actions deserve the same protections as offline statements.

The employees filed the appeal after a district court ruled earlier this year that clicking a “like” button does not warrant First Amendment protection because it does not involve “actual statements” upon a matter of public concern. The district court drew a distinction between “liking” a page, which requires no additional statement on the part of the user, and a Facebook post describing the employee’s stance on a particular issue, which may deserve free speech protection. In their appeal, the employees argue that their actions on Facebook “clearly evinced” their support of the sheriff’s opponent and that their subsequent discharge was a direct result of their “likes.” Facebook and the ACLU recently filed briefs in support of the employees’ suit, analogizing the Facebook “like” to other non-verbal political support, such as planting a campaign sign in your yard or wearing a campaign pin. Facebook noted that clicking a “like” button “generates verbal statements and communicative imagery on the User’s Profile” that can be seen by other users, representing actual statements deserving protection. The ACLU argued that the employees’ “likes” did not represent personal grievances with their employer, but rather a statement on an important matter of public concern, the sheriff’s election. Supporters suggest that the medium of political support should not determine whether an action receives First Amendment protection and that courts should recognize the growing use of social media to allow users to express their beliefs and opinions. Reply briefs are due by mid-September, with oral argument to follow.

Employers "Surfing" into Uncharted Waters with Social Media Practices

As social media continues to blur the line between personal and professional lives, employers have grappled with whether they can or should use social media to monitor current employees or screen potential hires. While social media can provide employers with information to combat workplace harassment, protect confidentiality, and conduct internal background checks, recent lawsuits, media reports, and legislative activity at both the state and federal level indicate that employers may put themselves and their businesses at risk for taking action in the workplace for something posted online. In addition to recently enacted or proposed state laws prohibiting employers from requesting or requiring access to employee or applicant social media accounts, using social media information may potentially violate privacy, anti-discrimination, and labor laws as well as the terms of use of many social media sites.

A detailed summary of these potential risk areas that employers should consider as their social media practices and policies progress may be found here.

Revisions to Children's Online Privacy Rules Proposed By FTC

By J. Bradford Currier, Marc Martin, and Lauren Pryor

Websites, social media platforms, software “plug in” developers, and online advertisements aimed at children may face new restrictions under proposed rules recently released by the Federal Trade Commission. The proposed rules would modify key definitions contained in the Children’s Online Privacy Protection Act (“COPPA”), which requires websites or online services directed at children under the age of 13 to seek and obtain parental consent before collecting or using a child’s personal information. With the new definitions, the FTC aims to clarify the responsibilities under COPPA when third parties (such as advertising networks or downloadable “plug-ins”) collect personal information from users on child-directed websites. The proposed rules represent another example of the FTC’s recent efforts to expand its enforcement on a variety of privacy-related issues related to children. Comments on the proposed rules will be accepted until September 10, 2012.

The proposed rules modify the scope of the FTC’s COPPA Notice of Proposed Rulemaking released in September 2011. As we reported previously, the earlier proposals would have expanded the definition of personal information to include so-called “persistent identifiers,” which represent unique user identification information obtained through “cookies” or other methods for purposes other than to support the website/service’s internal operations. The initial proposals would also have extended COPPA protections to photographs, videos, or audio files that include a child’s image or voice. The prior proposals further stated that the FTC would consider a wider range of factors, including whether a website included child celebrities and music content, when determining whether a website or online service was directed to children. Stakeholders submitted hundreds of comments in response to the 2011 proposals, leading the FTC to release this new round of proposed rule changes.

The new proposed rules modify the obligations under COPPA in three key areas:

(1) Website Operators

Previous FTC guidance suggested that the responsibility for providing notice to parents and obtaining consent for the collection of personal information from children rested with the entity actually collecting the information. As a result, a child-directed website/service operator could permit others to collect personal information from child visitors without taking responsibility for seeking and obtaining parental consent. The proposed rules would now hold responsible both the child-directed website/service operator and any third parties collecting information on such operator’s behalf for the parental consent requirements. Specifically, the FTC stated that “an operator of a child-directed site or service that chooses to integrate into its site or service other services that collect personal information from its visitors should be considered a covered operator under [COPPA].” The FTC noted that the website/service operator is often in the best position to give notice and obtain consent from parents and can control which third-party plug-ins, software downloads, or advertising networks are integrated into its site.

(2) Website/Service Directed to Children

The COPPA rules only apply to websites/services “directed to children.” The new rules would clarify that a third-party plug-in, software download, or advertising network is covered under COPPA when the third-party provider “knows or has reason to know” that it is collecting personal information through a child-directed website or online service. The new rules would not require third-party providers to monitor or investigate whether their services are incorporated into child-directed websites/services, but providers may not ignore information brought to their attention indicating that incorporation has occurred.

The proposed rules also attempt to address the fact that some websites/services that contain child-oriented content may also be of interest to adults. Under current FTC rules, these sites must treat all visitors as under 13 years of age. In response, some commenters suggested that the FTC adopt a system that would permit websites/services directed to a broad audience to implement procedures to differentiate among users and require notice and consent only for users who self-identify as under 13 years of age. The FTC agreed. The new rules allow general audience websites/services to “age screen” all users (i.e. by supplying a birth date) and provide notice and obtain consent only for users who identify themselves as under 13 years of age. The FTC recognized that child users may lie about their age, but thought the age screening process “strike[s] the correct balance” between privacy and access. However, child-directed websites/services that knowingly target children under 13 as their “primary audience” or whose overall content is likely to attract children under 13 must continue to treat all users as children under COPPA.

(3) Persistent Identifiers and Website/Service Support

The new rules clarify how child-directed websites/services can use persistent identifiers. The FTC first reiterated its 2011 proposal that persistent identifiers should be included in the definition of personal information. The FTC then stated that website/service operators may still use persistent identifiers without obtaining consent for activities such as performing site maintenance and analysis; performing network communications; authenticating users; maintaining user preferences; serving contextual advertisements; and protecting against fraud and theft. The exemption would not apply when the information collected through persistent identifiers is used to contact a user directly, including through the use of behaviorally-targeted advertising, or for any other purpose.

Maryland "Facebook Law" Regulates Employer Access to Social Media Accounts

By David A. Tallman and Andrew L. Caplan

It is increasingly common for employers to request that job applicants and employees divulge the passwords to their Facebook accounts and to other social media sites. This trend has not gone unnoticed by the media and privacy advocates, which view this practice as an intrusive violation of individual privacy. On the other hand, employers often have valid reasons to exercise oversight over social media activities, especially in highly regulated industries where employees’ activities may be more likely to cause the company to incur liability.

This month, the Maryland General Assembly stepped into the debate by passing a law that will prevent employers from accessing the personal social media accounts of their employees and job applicants. Subject to certain exceptions, Senate Bill 433 (“S.B. 433”) provides that “an employer may not request or require that an employee or applicant disclose any user name, password, or other means of accessing a personal account or service through an electronic communications device.” S.B. 433 also provides that an employer may not discharge, discipline, or penalize (or threaten to discharge, discipline, or penalize) an employee based upon the employee’s refusal to disclose access to the employee’s personal social media account. A similar prohibition exists with respect to prospective employees – an employer may not fail or refuse to hire a job applicant based upon the applicant’s failure to provide access information to a personal social media account.

The prohibitions in S.B. 433 do not come without exceptions. For example, an employer is not prohibited from accessing an employee’s personal accounts in connection with an employee downloading company proprietary information and financial data. Moreover, S.B. 433 contains a significant exception that appears intended to address the concerns of businesses. Specifically, an employer may access an employee’s “personal web site, internet web site, or web-based account, or similar account,” if: (i) the employer receives information that the account is being used for a business purpose; and (ii) the purpose of the access is to ensure compliance with “applicable securities or financial law, or regulatory requirements.” Since S.B. 433 does not define “applicable securities or financial law, or regulatory requirements,” it is uncertain how broadly this exception will be construed in practice. It is also noteworthy that the exception only permits an employer to access an employee’s personal account when the employer has reason to believe that the account is being used for business purposes. This effectively means that businesses will not be able to access an employee’s personal account until after the damage is done.

Maryland appears to be one of the first states to pass legislation that specifically addresses this increasingly high-profile issue. While the exceptions articulated in the bill do not appear to permit businesses to either request or require job applicants or employees to disclose their social media log-in credentials in order to monitor social media activity on an ongoing basis (unless the employer has information to suggest that the account is being used for business purposes), there remain other less intrusive social monitoring techniques that companies might employ. For example, an employer might ask its employees to “friend” a social media account controlled by the compliance department or otherwise take steps to make social media account activity visible to the company.

S.B. 433 demonstrates that social media monitoring is an increasingly sensitive issue – and it seems likely that other states will follow Maryland’s lead by passing legislation to prevent perceived overreach. Businesses must be prepared to incorporate these legal requirements into their social media policies.

Consumer Privacy Report Released By FTC

By J. Bradford Currier and Lauren B. Pryor

The Federal Trade Commission recently released its long-awaited Final Report on protecting consumer privacy, in which it stated that consumers should have more choice and control over how their personal information is collected and used. The FTC’s Final Report offers non-binding recommendations for companies “that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.” The Final Report comes more than a year after the FTC first issued its proposed framework for regulating consumer privacy and just a month after the White House released a proposed Consumer Privacy Bill of Rights.

Recognizing the potential burden of the Final Report’s recommendations on small businesses, the FTC stated that its conclusions did not apply to companies that merely collect and do not transfer non-sensitive data on fewer than 5,000 consumers a year. Similarly, a company’s data collection practices may fall outside the scope of the Final Report if: (1) a given data set has been reasonably stripped of personally identifiable information; (2) the company publicly commits not to re-identify such information; and (3) the company requires any secondary users of the data to keep it in de-identified form. While the majority of the Final Report discusses protecting consumer privacy online, the FTC noted that its recommendations would also apply to companies collecting personal information offline, such as financial institutions and healthcare industries. With these qualifications, the Final Report provides three best practices for companies collecting personal information from consumers:

(1) Privacy By Design

The Final Report recommends that companies build in consumer privacy protections at every stage of the development of their products and services. Specifically, companies should incorporate reasonable procedures for collecting, securing, and retaining customer data. The Final Report commends a number of leading online service companies that have adopted stringent encryption systems in the face of increasing cyberattacks. Companies should limit data collection to activities which are “consistent with the context of a particular transaction,” and provide prominent notices to consumers regarding the collection of data unrelated to the requested service. Companies should also destroy consumer data when the company no longer needs this information to provide the requested service. On this point, the FTC expressed support for offering consumers an “eraser button” on social media websites to allow the deletion of personal information at the user’s discretion. Additionally, companies should ensure that data collected remains accurate and offer customers an opportunity to correct erroneous information. By adopting these policies, most online services’ default privacy settings would be strong.

(2) Simplified Consumer Choice

The FTC also advised companies to provide easy-to-use mechanisms allowing customers to determine how their data is collected and used. The application of the simplified consumer choice policy will vary depending on the context of the interaction between the company and the consumer. For example, a car dealership may send a coupon to a customer based upon personal information obtained during prior purchases at the dealership without providing the customer with a choice. By contrast, if the car dealership intends to sell that customer’s personal information to a third-party data broker for use in unrelated marketing activities, the car dealership must provide the consumer with the ability to prevent the sale of his or her information. 

For most online services, the FTC suggested that companies allow users to choose data sharing preferences during the registration process or at least before any personal information is collected. The FTC identified company practices requiring consumers to disclose personal data in order to obtain important services on a “take it or leave it basis” as especially problematic and inconsistent with the public interest. 

The Final Report generally concludes that companies should provide consumers with the ability to opt out of being tracked across third parties’ websites. However, the FTC stopped short of recommending that Congress pass “do not track” legislation and stated that the FTC would work closely with stakeholders to develop an industry-led solution. The FTC reaffirmed its commitment expressed in recent enforcement actions to requiring companies to give prominent disclosures and to obtain express affirmative consent for material retroactive changes to privacy policies and before collecting especially sensitive information such as health, financial, and precise geolocation data. The Final Report indicates that the FTC will host a workshop on the concerns raised by the data collection practices of large ISPs, search engines, and social networking platforms later this year.

(3) Information Collection Transparency

In accordance with industry guidance on mobile applications released earlier this month, the Final Report calls for “clearer, shorter, and more standardized” privacy policies. This recommendation can result in a Catch-22: if brevity comes at the expense of accuracy, there is increased risk that a privacy policy will be deemed misleading, deceptive, or insufficient. The FTC noted that screen size limitations on mobile phones further compound the difficulties with providing sufficient privacy disclosures and stated that it will host a workshop in May 2012 regarding how mobile privacy disclosures can be short, effective, and understandable on small screens.

The Final Report also encourages transparency by recommending that companies allow consumers more options to access their personal data. Specifically, the FTC indicated its support for recent legislation which would give access rights to consumers for information held by data brokers. The Final Report also suggests that the data broker industry should explore the idea of creating a centralized website where data brokers identify themselves to consumers, describe how they collect consumer data, and disclose the types of companies to which they sell information. At a minimum, the Final Report asks all companies collecting personal data to improve their consumer outreach and education efforts relating to data privacy practices.

FTC Continues to Flex Its Enforcement Muscle With Regard to Social Media Promotional Activity

By Ann M. Begley, Lawrence C. Lanpher and Carolina M. Heavner

The Federal Trade Commission’s (“FTC”) recent action against a company and its owner in connection with the allegedly deceptive promotion of music teaching tools signals FTC’s continued intention to keep social media promotional activity as an enforcement priority. In its third public investigation and second enforcement action since issuing its revised Guides Concerning the Use of Endorsements and Testimonials in Advertising[1] (hereafter, FTC Endorsement/Testimonial Guides) in December 2009, FTC continues to expand advertisers’ responsibility to monitor third party interactive media communications containing endorsements of advertisers’ products.

In finding the advertiser and its owner, an individual, responsible for assuring that endorsers adequately disclose any material connections with the advertiser, FTC states that an advertiser agreement that requires endorsers to comply with FTC guidelines and disclosures is insufficient in the absence of an advertiser monitoring program that ensures clear and prominent disclosure of the relationship with the advertiser.[2]

Thus, in addition to a $250,000 penalty against the company and its owner, FTC has required a far-reaching monitoring program – a potentially expensive and burdensome commitment for the future.

Material Connection

The first public FTC investigation in this area concerned a division of the popular fashion company Ann Taylor Stores Corp., LOFT. The FTC investigation of LOFT was prompted by an exclusive event held by the company in January 2010 where it invited bloggers to preview the store’s 2010 summer collection.[3] FTC focused on LOFT’s provision of gifts to bloggers with the expectation that they would blog about the event. FTC was concerned that bloggers failed to disclose that they received gifts for posting blog content.

While deciding not to take enforcement action in this case due to mitigating factors, in the closing letter issued to the company, FTC noted that “[d]epending on the circumstances, an advertiser’s provision of a gift to a blogger for posting blog content about an event could constitute a material connection that is not reasonably expected by readers of the blog.”[4]

FTC’s statements concerning the need for disclosures of a “material connection” in Ann Taylor Stores are not unlike its statements in section 255.5, example 7, of the FTC Endorsement/Testimonial Guides describing a company that gave a free game system to a video game expert blogger for review. In the example, readers of the blog frequently sought advice from the blogger regarding video game hardware and software. FTC stated that this particular blogging forum created an environment in which readers are unlikely to know that the blogger received a free game in exchange for the review, and that the value of the game could materially affect the credibility they attach to the endorsement. The FTC Endorsement/Testimonial Guides state that under such circumstances, the connection must be fully disclosed.

Clear and Prominent Disclosure
A second investigation (and the first enforcement action) pursuant to the FTC Endorsement/Testimonial Guides held the endorser liable for failure to clearly and prominently disclose the endorser’s material connection to the product developer.[5]

According to FTC, employees of Reverb Communications, Inc. (“Reverb Communications”), a public relations agency, posted public reviews about its clients’ gaming applications in the iTunes Store “using account names that would give the readers of these activities the impression [that] they had been submitted by disinterested consumers.”[6] The reviews endorsed the products by giving them high ratings (four or five stars) and posting positive comments about the gaming applications in iTunes.

FTC found that Reverb Communications had engaged in deceptive advertising by posing as “ordinary consumers,” and failing to disclose both that the reviews were submitted by paid employees working on behalf of the developers of the gaming applications and that the company was often paid a percentage of the applications’ sales. FTC concluded that these facts would have been “material” to consumers when making a decision to purchase a particular gaming application.

In addition to requiring Reverb Communications to “take reasonable steps” to remove any previously posted endorsement that misrepresented the authors as independent reviewers or endorsers, the Reverb Communications Final Order also prohibited the company from making any representation about a product or service “unless they disclose, clearly and prominently, a material connection,” when one exists.[7] FTC elaborated on the meaning of “clear and prominent” for purposes of satisfying the FTC Endorsement/Testimonial Guides requirement to disclose material connections:

Text Communications: (e.g., printed publications or words displayed on the screen of a computer) the required disclosure must be of a type, size and location “sufficiently noticeable” for an “ordinary consumer” to read and comprehend.

Audio Communications: (e.g., radio or streaming audio) the required disclosure must be delivered in a “volume and cadence” sufficient for an “ordinary consumer” to hear and comprehend.

Video Communications: (e.g., television or streaming video) the required disclosures must be consistent with the requirement for textual communications and appear on the screen for a sufficient period of time to allow an “ordinary consumer” to read and comprehend.

Interactive Media Communications: (e.g., internet, online services, software) the required disclosures must be “unavoidable” and presented in a manner consistent with the requirements for textual communications, as well as audio and video, if applicable.

FTC stated that all such disclosures must be presented in an understandable language/syntax and in the same language as the predominant language used in the communication, and with no language that is in conflict with or mitigates the disclosure.[8]

Advertiser Monitoring
In FTC’s most recent enforcement action, it further expands on concepts set forth in the FTC Endorsement/Testimonial Guides by describing expectations related to advertiser monitoring of endorser activities. In Legacy, the advertiser used an online program through which it recruited “Review Ad Affiliates” to promote its musical instrument courses through endorsements in articles, blog posts, and other online material. The endorsements were required to include a hyperlink to the Legacy website in close proximity to the review.[9] Below are examples of some of the endorsements:[10]

“www.bestguitarsoftware.com: Features . . . . (5 Stars out of 5 stars) The undisputed No. 1 training product for someone wanting to learn how to play the guitar.”

“www.reviewmspy.com: Learn and Master Guitar. 4.9/5 Stars, The best home study DVD course for guitar I have ever seen.”

“www.reviewsnest.com: Review Nest, The Independent Reviews Site.”

Affiliates received substantial commissions (20%-45%) on sales of each product resulting from a referral.

Since the release of the revised FTC Endorsement/Testimonial Guides, Legacy has required its Affiliates to sign a contract requiring them to comply with FTC’s guidelines and disclosures. However, FTC concluded that the contract without advertiser monitoring was insufficient. Legacy “failed to implement a reasonable monitoring program to ensure that the [Affiliates] clearly and prominently disclos[ed] their relationship to Legacy.”[11]

FTC stated in the Legacy Complaint that many Affiliates either failed to provide any disclosure of a Legacy relationship, or provided disclosures through inconspicuous hyperlinks located at the bottom of the Affiliates’ websites. As a result of these findings, FTC stated that the Affiliates’ reviews were false and misleading, that the failure to disclose the financial relationship was a deceptive practice, and that these acts and practices constituted unfair or deceptive acts or trade practices in violation of Section 5(a) of the FTC Act. Legacy and its owner, Lester Gabriel Smith, have agreed to an administrative settlement which includes a proposed consent order. Following public comment, FTC will make a final determination as to the proposed order.

The Legacy 20-year proposed consent order contains several familiar requirements, including a civil penalty ($250,000) and employee notification requirements. In addition, it adopts the detailed description of “clearly and prominently” found in Reverb Communications, signifying an FTC standard for this term. However, this case is of particular interest in that it sets forth an advertiser monitoring program that contains elements that also may become standard. 

In Legacy, the company and its owner have agreed to establish a time-intensive monitoring program that includes the following elements:

  • Monthly monitoring and review of the activities of its top 50 revenue-generating Affiliates to ensure that the Affiliates do not misrepresent the status of their relationship with Legacy, and that the Affiliates’ material connection to Legacy is adequately disclosed. The monitoring activity must occur in a “manner reasonably calculated not to disclose the source of the monitoring [] at the time it is being conducted.”

  • Similar monthly monitoring and review activities in connection with Legacy’s remaining Affiliates, using a random sampling approach that includes at least 50 Affiliates.

  • Procedures to terminate and stop payment to any Affiliate where Legacy determines that the Affiliate either misrepresented its status (e.g., an independent user or ordinary consumer), or failed to clearly and prominently disclose the material connection between the Affiliate and Legacy.

  • Creation and maintenance of reports sufficient to show the results of its monitoring.

According to the FTC press release, Legacy must submit these reports to FTC on a monthly basis, with such submissions to last for 20 years.

Legacy Fall-Out/Considerations
Needless to say, the monitoring program with monthly reports to FTC for the next 20 years may present a significant compliance burden for Legacy. This likely comes after a period of informal litigation where the company was required to respond to FTC data requests, followed by a need to negotiate the proposed consent order. The company had the opportunity to reject the proposed order and to take its chances in litigation with the FTC. However, no one can predict with certainty how such litigation might turn out, other than that it would be very expensive. Obviously, Legacy decided against this route.         

Nonetheless, with FTC taking seemingly ever-more-aggressive positions, companies should carefully consider whether settlement is the best course of action. A well-prepared company might prevail in cases where the company chooses to litigate. Thus, in addition to the development and implementation of a sound compliance program, a company should always consider its litigation posture depending on the facts.

Legacy, along with Ann Taylor Stores and Reverb Communications, demonstrates FTC’s ongoing intent to enforce the FTC Endorsement/Testimonial Guides in the social media space. Controlling the message in these new consumer-generated media venues clearly raises logistical complications not encountered in the traditional advertising forums, but FTC will expect companies across all industries to take active steps to maintain control where there is a material connection.

It is not enough for an advertiser to obtain compliance pledges from its endorsers. Rather, the advertiser bears responsibility according to FTC to make sure the commitments are carried out. Thus, endorser agreements, advertiser monitoring, endorser education, and procedures to halt deceptive representations when they are discovered should all be considered as the advertiser develops a compliance program.

Please contact us if you have any questions or would like assistance in developing or reviewing a compliance program.

[1] 16 C.F.R. Part 255; http://ftc.gov/os/2009/10/091005revisedendorsementguides.pdf.

[2] See In the Matter of Legacy Learning Systems Inc., FTC File No. 1023055 (hereafter Legacy), March 15, 2011. Available at http://ftc.gov/os/caselist/1023055/110315llsagree.pdf.

[3] See Closing Letter Issued to AnnTaylor [sic] Stores Corp., FTC File No. 102-3147 (hereafter Ann Taylor Stores), April 2010. Available at http://www.ftc.gov/os/closings/100420anntaylorclosingletter.pdf.

[4] Id.

[5] See In the Matter of Reverb Communications, Inc., FTC Docket No. C-4310 (hereafter Reverb Communications), November 22, 2010. Available at http://www.ftc.gov/os/caselist/0923199/index.shtm.

[6] See Reverb Communications FTC Complaint.

[7] See Reverb Communications Final Order (emphasis added).

[8] Id.

[9] See Legacy FTC Complaint, Para. 6.

[10] Id. at Para. 7.

[11] See Legacy FTC Complaint, Para. 9.

Ann M. Begley, +1.202.778.9365, ann.begley@klgates.com
Lawrence C. Lanpher, +1.202.778.9011, lawrence.lanpher@klgates.com
Carolina M. Heavner, +1.202.778.9175, carolina.heavner@klgates.com

States Support Additional Federal Consumer Information Privacy Protections

By Bruce Nielson and Samuel Castic

Fifteen state attorneys general recently sent a letter to the FTC supporting its recent proposal for a federal regulatory framework to protect the privacy and security of consumer information. The letter also recommends additional consumer information privacy and security protections that go beyond the FTC’s proposal. The FTC’s proposal, in the form of a preliminary FTC Staff Report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers” (the “Report”), was released on December 1, 2010, and is described in more detail in a prior blog entry.

The 15 state attorneys general – from Arizona, Illinois, Indiana, Iowa, Massachusetts, Montana, Nevada, New Mexico, New York, North Dakota, Rhode Island, Tennessee, Vermont, Virginia and Washington (the “States”) – make the following points in their February 18, 2011 letter to the FTC:

First, the States believe the four substantive protections described in Section V(B)(1) of the Report “should be incorporated into companies’ business practices in order to establish standard, comprehensive privacy protections for consumers.” (The four substantive provisions have to do with protecting, collecting, retaining and ensuring the accuracy of consumer information.) The States cite relatively new Massachusetts data security regulations and certain California statutes as examples of how consumer information privacy and security protections have been implemented in those states. The States recommend that, to the extent the FTC were to contemplate exempting any businesses from the reach of consumer information privacy requirements, the FTC “should err on the side of caution.” The States also indicate that they “generally support an approach to information security that assesses” the size, scope and resources of a business and the need for security of the personal information the business possesses.

Second, the States encourage the FTC to include consumers’ medical information and health insurance information as “sensitive information warranting privacy protection,” in addition to a consumer’s name in combination with a Social Security number or driver’s license or other state ID number, or with a financial account number, including credit and debit card numbers. The States also encourage the FTC “to explore further whether location-based data, which is capable of tracking a person’s movements, should be considered sensitive information.” The States recommend “strong mechanisms requiring consumer consent before companies may share location-based data with third-parties, and a concerted effort, on both the state and federal level, to educate consumers about the risks and benefits of location-based services.”

Third, the States echo the FTC’s concern about young users of social networking sites, and the States support “the implementation of additional online safety tools that: (1) protect minors from inappropriate contact on social networking sites; (2) protect minors from inappropriate content on social networking sites; and (3) provide safety tools for all social networking site users.” The States cite joint agreements between 49 State Attorneys General and MySpace and, separately, Facebook as examples of state efforts “to protect the privacy of minors on social networking sites.” The States also recommend that “all users of social media sites should have extensive privacy controls to enable them to choose who can see their profile.”

Finally, the States urge the FTC not to preempt state laws with a federal consumer information privacy framework, but rather to follow a “dual sovereignty model” in which “both state and federal authorities would have the right to bring an action under federal law, and where state enforcement authority is explicitly granted under federal law.”

The FTC received 439 comments on the Report during the comment period that recently closed. We will update this blog with more information regarding the consumer information privacy framework proposals when the FTC takes further action on the proposals.

CALEA II - Bigger and Badder?

Recent leaks to the New York Times, as reported in September and October, indicate that the Obama administration will next year be pushing for sweeping expansions of the Communications Assistance for Law Enforcement Act (CALEA).  CALEA facilitates government surveillance by, among other things, requiring companies subject to the law both to design their systems so that the government can easily plug in and intercept communications in real-time and to provide assistance to the government in these efforts. 


A task force composed of representatives from DOJ, Commerce, the FBI, and other agencies is discussing amendments to the law.  These changes would greatly expand the reach of CALEA, would significantly increase the costs of non-compliance for covered companies, and would include other requirements which may fundamentally change business models for companies promising encryption and decentralized communication services.



The most groundbreaking revisions under discussion would greatly expand the types of businesses to which CALEA will apply.  Currently, CALEA applies only to “telecommunications carriers,” which the law defines as entities: (1) engaged in the transmission or switching of wire or electronic communications, or (2) providing “commercial mobile service.”  47 U.S.C. § 1001(8).  Under the substantial replacement provision (SRP), the FCC may also designate as telecommunications carriers companies that provide a service that supplants a substantial portion of local telephone exchange service.  Under this SRP authority, the FCC has designated broadband Internet providers and VoIP providers as telecommunications carriers, finding that they supplanted a user’s need for a local telephone exchange service.  See In re CALEA and Broadband Access & Services, 20 F.C.C.R. 14989 (2005); American Council on Educ. v. FCC, 451 F.3d 226 (D.C. Cir. 2006) (upholding FCC’s designation of broadband and VoIP providers).  The New York Times article, apparently relying on a well-placed source, reports that officials seek to expand CALEA coverage to “all services that enable communications.”  This would extend CALEA to cover a broad swathe of nontraditional communications companies, particularly those on the Internet—for example, e-mail and instant messaging providers, social networks, and peer-to-peer communications services like Skype.


The revisions would also arm the DOJ and FCC with significantly stronger enforcement powers.  Although a carrier’s failure to comply with CALEA is currently punishable by court and FCC fines, 18 U.S.C. § 2522(c), In re CALEA and Broadband Access & Services, 21 F.C.C.R. 5360, 5390 (2006), the DOJ has traditionally not pressed the issue against carriers with faulty CALEA systems, preferring to preserve a working relationship in order to facilitate future CALEA requests.  However, a New York Times article reports that FBI officials have grown frustrated with CALEA system failures at two major carriers, and that the FBI’s technical assistance budget—spent to help carriers fix bugs in or retrofit their wiretapping systems—is close to $20 million annually.  Two specific proposals are circulating within the task force to address these issues: retroactive fines on carriers, and the ability to impose FBI engineering charges upon the carriers.  These proposals signal that the DOJ will begin shifting to carriers more costs of technical CALEA compliance, which may force carriers to more proactively manage and update their CALEA systems.


According to the New York Times articles, other proposals circulating within the task force include:


  • Requiring that communication services offering encryption be able to decrypt communications upon government request.  This would bring US law in line with the UK Regulation of Investigatory Powers Act 2000 (RIPA)’s similar requirement, an issue of considerable controversy across the pond.

  • Requiring that peer-to-peer communication services design a way to accommodate government wiretap requests.  This proposal could undermine the very nature of peer-to-peer communications, as it would require re-centralization of such communications.

  • Requiring foreign providers that offer services in the US to make their systems available for government wiretaps.


The proposals are in very early stages, and it is certainly quite early to be reading the tea leaves.  As leaked, though, the proposals would represent a sea change in government surveillance law, imposing significant compliance costs on both traditional (think local exchange carriers) and nontraditional (think Facebook) communications companies.  The fairly specific leaks to Charlie Savage at the New York Times, including the leak that the bill will be introduced next year, are suggestive of trial balloons, so we should start to see some action soon.  Grab some popcorn and/or call your lobbyist.