c
compose new post
j
next post/next comment
k
previous post/previous comment
r
reply
e
edit
o
show/hide comments
t
go to top
esc
cancel

Updates from tony RSS

  • FTC Brings First Case Against Mobile Apps

    Tony 12:27 pm on August 24, 2011 | 0 Comments Permalink | Post Your Comment!


    In the FTC’s first case involving mobile applications, the Commission charged a developer of apps as well as the company’s president and owner with violations of the Children’s Online Privacy Protection Act (“COPPA”). Specifically, W3 Innovations (d/b/a Broken Thumbs Apps) develops and distributes mobile apps that allow users to play games and share information online. Several of W3’s apps were specifically directed to children, and were listed in the Games-Kids section of Apple’s App Store. W3’s games include “Cootie Catcher” and “Truth or Dare,” as well as a group of apps that invited kids to email questions and comments to “Emily” and submit postings to the Emily Blog.

    The FTC alleged that the company collected and maintained thousands of email addresses through the Emily apps, as well as allowed children to publicly post information, including personal information, on message boards. According to the FTC complaint, the company did not provide notice of their information-collection practices and did not obtain verifiable parental consent prior to collecting or disclosing personal information from children. The FTC complaint indicated that these apps were “online services directed to children,” and thus subject to the COPPA Rule.

    The parties settled with the FTC obtaining a $50,000 civil penalty from W3 and W3 agreeing to delete all information collected from children through the apps.

    This case demonstrates that the FTC views apps as “online services” potentially subject to COPPA. Companies should thus ensure that where appropriate their apps comply with COPPA. In particular, companies should take care with the following types of apps: apps that are directed to children, apps that are appealing to children, or apps through which companies know that they collect children’s information.

     

  • Potential New FTC Commissioner Strengthens Consumer Protection Focus

    Tony 10:03 am on July 25, 2011 | 0 Comments Permalink | Post Your Comment!


    The Obama administration has just announced its intention to nominate Maureen Ohlhausen as the next FTC Commissioner. She would replace Commissioner Bill Kovacic, who finishes his term in September of this year. While Kovacic is a strong antitrust academic, Ohlhausen is a practicing lawyer experienced in issues of privacy and consumer protection. This nomination, therefore, illustrates the growing focus on the FTC to address consumer protection issues.

    Ohlhausen served as Director of the Office of Policy Planning and as attorney advisor to former Commissioner Swindle. During her tenure, the OPP encouraged informative labeling and advertising designed to inform consumers, as well as clearer disclosure by mortgage lenders and pharmaceuticals.

    Ms. Ohlhausen clerked for Judge David Sentelle (D. C. Cir.) and Judge Robert Yock (Fed. Cl.). She received a B.A. from the University of Virginia and a J.D. from George Mason University School of Law, and has taught Unfair Trade Practices as an adjunct professor at her alma mater. Ms. Ohlhausen has also contributed academically to the analyses of the relationship between advertising and childhood obesity.

     

  • Expert Interview: Developing a Compliant Social Media Policy

    Tony 11:30 am on May 12, 2011 | 0 Comments Permalink | Post Your Comment!


    What do legal departments need to consider when crafting a compliant social policy that still leaves enough room for marketers and community managers to still be creative?

    It seems to me that a company or brand’s social media policy has to really reflect the culture and soul of the organization. So the way it’s put together; the stakeholders at the table; the way it’s implemented throughout the organization; the way it’s monitored to be sure its speakers comply with its guidelines; all of these cultural factors are very important because that soul of the organization needs to come through in the social media policy. It isn’t a legal document. It isn’t a compliance document. It’s one that requires the input of many stakeholders that reflects the core cultural values of the organization.

    Having said that, there are also some core ingredients that are needed in any social media policy for it to be compliant. First of all, if there is a sponsored communication involved, there are required disclosures under the FTC Guides. The social media policy needs to be very clear as to what type of disclosures are needed in what circumstances and on what platforms. In addition, the core substance of a social media policy has to reflect the company’s commitments to transparency, accuracy, honesty, and respect in all of their communications either by their employees or by third parties such as bloggers or agencies.

    It’s very important that those four core ingredients are identified in the contents of the social media policy. So in short, a social media policy has to reflect both the culture of an organization and the core content needed to comply with the FTC Guides.

    Over the last year, what is the greatest change you have seen in the social media/WOM ethics realm?

    I think there are two major issues that are being presented right now in the WOM space. The first is privacy. This is on the front burner. Earlier this month, the FTC’s announcement of its action against Google really tees this up. That is something that is going to be on the minds of everybody in the WOM or social media space. The question is how we appropriately respect the privacy of our customers and how do we be appropriately transparent in letting them know what we’re going to do with their personal identifiable information.

    The second issue is the evolution of the FTC Guides. Social media policies are a dynamic process. Just because they were drafted after the FTC Guides came out, that doesn’t mean it’s the end of the story. The FTC would ask not only if you have an appropriate social media policy in place, but also if it has been appropriately and effectively implemented. So that requires training, education of employees and third parties. It requires monitoring and auditing of blogs and communications to be sure the social media policy has been honored.

    It’s a very dynamic process. The company can’t just draft a policy and place it on the website, intranet or somebody’s bookshelf. It’s important that the company see this as an ongoing process that requires refinement by all stakeholders, not just the legal or marketing team. Everyone from senior executives to customer service need to be involved in that evolution.

    What does the FTC’s recent ruling that requires Google to implement a comprehensive privacy program mean for other companies?

    I think that this is the first announcement from the FTC that requires a company to bake privacy into the business practices of the company. The bottom line is that every company and brand that is going to receive any sensitive or personal identifiable information from consumers has got to adopt a framework of a program similar to what the FTC is asking Google to do.

    You’ve got not only the FTC, but you have other governmental agencies like the Department of Commerce involved in this conversation. You also have the legislative interest. Up on Capitol Hill and in state legislatures, there are conversations about what needs to be done with respect to consumer privacy in this digital age. Then you also have the plaintiff class action attorneys who are going to see a ripe area for lawsuits because customers are going to be really unhappy if they find that companies are using their information in a way that they thought that they wouldn’t be doing. Also, from a PR perspective, you can have all this risk management and legal clouds in the sky, but you better believe that there can be a data breach. Or somewhere there is a group of complaints like at Google where customers were concerned with what they thought was going on with their Gmail accounts. That creates negative publicity.

    Negative publicity about consumer privacy is going to affect the brand whether it’s financial, health or other sensitive information. That’s a huge issue for companies. So it’s not only good risk management, it’s also good prudent business policy to adopt a comprehensive privacy program that incorporates some of the elements of the FTC requirements for Google.

    WOMMA is working on, through its legal affairs committee and privacy subcommittee, a template on guidance or best practices that we hope to announce shortly that will identify those principles that companies need to adhere to be sure they are moving in the right direction in designing their privacy policy.

     

  • FTC Responds to Privacy Questions Posed by WOMMA

    Tony 10:53 am on May 6, 2011 | 0 Comments Permalink | Post Your Comment!


    Google action and implications:

    In the recent action against Google, Part III of the proposed order requires the company to establish and maintain a comprehensive privacy program, and identifies several requirements. Is the FTC attempting to send a message that the type of program identified in the order is, as a practical matter, a compliance requirement, such that the failure of a company to implement the requirements could constitute a violation of the FTC Act?

    Part III of the proposed order in Google Buzz requires the company to establish, implement, and maintain a comprehensive privacy program that is reasonably designed to: (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information. Given the allegations in the complaint, including allegations about the ways that Gmail users’ information was shared in many instances without prior notice or the opportunity to consent, this provision is necessary relief related to the alleged law violations in this case and should deter future violations. The order requirements do not apply to third parties. Still, Part III provides a template that other companies that collect consumer information should consider implementing so that privacy concerns are integrated at all stages of the product cycle and are not just an afterthought.

    Transparency:

    How can companies be more transparent regarding their treatment of personally identifiable information?

    In December, FTC staff issued a preliminary report, Protecting Consumer Privacy in an Era of Rapid Change (“the Report”),1 that emphasized the importance of transparency in communicating to consumers how information that is collected about them is used, and suggested a range of approaches to improve transparency. Despite the shortcomings of most privacy policies in current use in the marketplace today, privacy policies can still be an important communication tool as long as they are clear, concise, and easy-to-read. Another practice that aids transparency is getting information about the company’s privacy practices – and choices about sharing information – out of the privacy policy, and presenting them to consumers at the time that the consumer is asked to provide information. Consumers should get notice and the opportunity to consent to retroactive changes to the privacy policy. Depending on factors such as the sensitivity and uses of the information collected, providing consumers with access to the information that is maintained about them can be another way to give consumers more of a window into the types of information that is collected about them and how it is used. In addition, consumer education to help consumers understand, for example, how their information is used in connection with particular industry practices is also helpful. We have been reviewing public comments on the preliminary report’s proposals and expect to issue a final report later this year.

    Accountability:

    What should companies do to verify that they are adhering to their privacy policies and principles?

    The first step is to assess what types of information the company collects from consumers and how the information is being used, and confirm that the privacy policy describes the company’s practices accurately. When designing new products or services, taking privacy into account at this initial stage – so-called “privacy by design” – can pay dividends down the road. A company may discover, for example, that instead of putting security measures in place to protect a particular type of consumer information, the product can be designed so that the information need not be collected in the first place. At the other end of the product cycle, companies should assess whether information must be retained and, if so, for how long. Employee training about privacy and the company’s policies – and assigning an individual who is accountable within the company for ensuring that privacy rules are followed – are also important steps.

    Privacy Policies:

    What criteria should companies use to evaluate their privacy policies?

    The Report highlights some of the problems with privacy policies. They are often designed to limit liability rather than to inform consumers, and so tend to be long documents written in legalese. Still, privacy policies do serve important accountability and other purposes. Some tips to improve them:

    Ask whether you are using plain language – could a non-lawyer understand it? Could a high school graduate understand it?

    Does the policy clearly state that you are collecting consumer data, what types of data are being collected, why you are collecting it, and how the data will be used?

    Don’t bury important information. In the Sears case, for example, the Commission alleged that the company inadequately disclosed the extent of information collection. (See Sears, available at http://www.ftc.gov/os/caselist/0823099/090604searsagreement.pdf ).

    The Report also calls on industry to explore setting standard definitions to make it easier for consumers to compare different companies’ practices.

    Codes of Conduct:

    What are the essential ingredients for privacy codes of conduct that are created by industry groups?

    Broadly, meaningful self-regulatory approaches should be comprehensive – comprising a significant percentage of the relevant industry – and enforceable, with sanctions for non-compliance. They should also be effective and robust. The essential ingredients may vary depending on the particular conduct addressed by the code. In the Do Not Track context, for example, Bureau Director Vladeck has talked about five essential elements that should be included in an industry-designed mechanism: the mechanism must be, first, easy for consumers to use and understand; second, effective and enforceable; and third, universal. Fourth, the mechanism must allow consumers to opt out not only from the use of tracked data, but also from its collection. Finally, an effective Do Not Track mechanism will ensure that consumers’ choices will be persistent.

    Determination of “harm:”

    From the FTC’s perspective, how is consumer “harm” or “injury” defined with respect to privacy? Is it more than economic or the potential for identity theft? If so, what is the evidence or legal support for such an expanded determination?

    The Commission has authority to challenge deceptive or unfair acts or practices. For purposes of deception, the key inquiry is whether a misrepresentation or deceptive omission is material to consumers – that is, whether it is likely to affect a consumer’s choice of or conduct regarding a product or service. An act or practice is unfair if it causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. As stated in the FTC Policy Statement on Unfairness, the Commission is not concerned with trivial or merely speculative harms. In most cases a substantial injury involves monetary harm, as when sellers coerce consumers into purchasing unwanted goods or services or when consumers buy defective goods or services on credit but are unable to assert against the creditor claims or defenses arising from the transaction. Unwarranted health and safety risks may also support a finding of unfairness. Emotional impact and other more subjective types of harm, on the other hand, will not ordinarily make a practice unfair.

    In the policy context, the Report notes that in addition to harms that cause physical or economic injury (such as identity theft or fraud) or unwarranted intrusion into consumers’ daily lives (such as the unwanted calls from telemarketers addressed by the Do Not Call Registry), “for some consumers, the actual range of privacy-related harms is much wider and includes reputational harm, as well as the fear of being monitored or simply having private information ‘out there.’” Report at 20. Thus, in the Report, Commission staff proposed a new policy framework for addressing privacy writ large. This effort is solely a policy initiative, however, and has not changed the legal standards applicable to the Commission’s authority.

    Self-regulation:

    What expectations does the FTC have concerning a meaningful role for self-regulation?

    The Commission has indicated its support for self-regulation over many years and in many different contexts. In 2008, for example, the Commission staff proposed a set of principles on which self-regulatory efforts in the online behavioral advertising space could be based. We continue to encourage self-regulation in the privacy area. In fact, the Report was “intended to inform policymakers… and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.” The FTC staff specifically supported the development of a “comprehensive consumer choice mechanism” for online behavioral advertising either by legislation or “robust, enforceable self-regulation.” Report at 66.

    Data Security Breach Notification Law:

    The Department of Commerce paper recommends the consideration of a federal commercial data security breach notification law that establishes standards. Does the FTC have a position on such a law?

    In testimony before Congress, the Commission has stated:

    [Breach] notification in appropriate circumstances can be beneficial. Indeed, various states have already passed data breach notification laws which require companies to notify affected consumers in the event of a data breach. These laws have further increased public awareness of data security issues and related harms, as well as data security issues at specific companies. Breach notification at the federal level would extend notification nationwide and accomplish similar goals.

    See Prepared Statement of the Federal Trade Commission Before the S. Comm. on Commerce, Science, and Transportation, Subcomm. on Consumer Protection, Product Safety, & Insurance, 111th Cong. (Sep. 22, 2010), available at http://www.ftc.gov/os/testimony/100922datasecuritytestimony.pdf, at 11. This recommendation is consistent with previous Commission recommendations. See Prepared Statement of the Federal Trade Commission Before the S. Comm. on Commerce, Science, and Transportation, 109th Cong. (Jun. 16, 2005), available at http://www.ftc.gov/os/2005/06/050616databreaches.pdf; Prepared Statement of the Federal Trade Commission Before the S. Comm. on Commerce, Trade, and Consumer Protection, 111th Cong. (May 5, 2009), available at http://www.ftc.gov/os/2009/05/P064504peertopeertestimony.pdf.

     

  • FDA again delays promised social media guidance

    Tony 1:47 pm on April 5, 2011 | 0 Comments Permalink | Post Your Comment!


    The FDA has once again missed its target for releasing guidance on social media and internet marketing. The agency’s Division of Drug Marketing, Advertising, and Communications (DDMAC) had previously announced its intention to issue a guidance on the topic in the first quarter.

    Read more here.

     

  • FTC Settlement With Google Requires Implementation of Comprehensive Privacy Program and Alleges Violations of U.S.-EU Safe Harbor Framework

    Tony 10:02 am on March 31, 2011 | 0 Comments Permalink | Post Your Comment!


    Today, the FTC announced a settlement with Google, concerning allegations that Google used deceptive practices and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010.

    Significantly, this is the first time an FTC settlement order has required a company to implement a comprehensive privacy program; and this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.

    In its administrative complaint, the Commission alleges that when Google launched its social network service called Google Buzz through its Gmail web-based email product, Google led Gmail users to believe that they could choose whether they wanted to join the network. Specifically, on the day Buzz was launched, Gmail users got a message announcing the new service and were given two options: “Sweet! Check out Buzz,” and “Nah, go to my inbox.” However, the complaint alleges that some Gmail users who clicked on “Nah” were nonetheless enrolled in certain features of the social network; and for those Gmail users who clicked on “Sweet!,” they were not adequately informed that the identity of individuals they emailed would be shared publicly by default. The FTC finds that while Google also offered a “Turn Off Buzz” option, that option did not fully remove the user from the social network. The FTC also finds that certain personal information of Gmail users was shared without consumers’ permission through the Buzz social network.

    The FTC complaint notes that in response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts, which included ex-spouses, patients of mental health professionals, clients of attorneys, and children.

    In alleging violations of the FTC Act, the Commission charged that Google:
    • did not use information from consumers only for the purpose of providing them with a web-based e-mail service; instead, Google used the information to populate its new social networking service;
    • did not seek consumers’ consent before using the information they provided;
    • falsely represented the features of the Buzz social network; and
    • falsely represented that consumers would be able to exercise control over what information would be made public through their Google public profile.

    The FTC complaint also finds that Google’s failure to adhere to the U.S. Privacy Principles of Notice and Choice issued by the Department of Commerce in connection with the U.S.-EU Safe Harbor Framework constitutes a deceptive act or practice.

    The proposed consent order prohibits Google from misrepresenting the privacy and confidentiality of any “covered information” (defined broadly) as well as Google’s compliance with any privacy or compliance program, including the U.S.-EU Safe Harbor Framework. The proposed order also requires Google to establish a privacy program to (i) address privacy risks related to the development and management of new and existing products and services; and (ii) protect the privacy of covered information. The proposal also requires Google to obtain an assessment and report biennially from an independent professional for 20 years, making certain certifications concerning compliance with the order.

    Key Takeaways:
    • When companies intend to develop new products or services, they need to determine how these changes impact their current privacy policies and practices and whether the core principles set forth by the FTC as well as the Department of Commerce in their recent papers are being adhered to;
    • The FTC intends to enforce aggressively the issues relating to privacy and to protect consumers’ expectations concerning the disclosure of their personal information; and
    • The FTC intends to actively influence the current debate on privacy.

     

  • A Privacy “Bill of Rights”

    Tony 10:00 am on March 17, 2011 | 0 Comments Permalink | Post Your Comment!


    Today, the Obama administration called on Congress to enact a consumer “privacy bill of rights.”

    The announcement, which represents a significant policy shift, came at a hearing held by the Senate Commerce, Science, and Transportation Committee.

    “[T]he U.S. consumer data privacy framework will benefit from legislation to establish a clearer set of rules of the road for businesses and consumers, while preserving the innovation and free flow of information that are hallmarks of the Internet,” said Lawrence E. Strickling, assistant secretary for communications and information at the Commerce Department’s National Telecommunications and Information Administration.

    The announcement comes as key members of Congress, including Sen. John Kerry (D-Mass.), chairman of the Senate Commerce Subcommittee on Communications, Technology and the Internet, are drafting federal privacy bills.
    Strickling specifically called for federal privacy legislation that:

    • is based on a comprehensive set of fair information practice principles;
    • provides the Federal Trade Commission with the authority to enforce any baseline protections; and
    • creates incentives, such as a safe harbor, for firms to develop and adopt “codes of conduct.”

    The administration is planning to issue a formal statement of policy on the issue later this spring, according to Strickling.

    Strickling’s prepared testimony is available at http://op.bna.com/pl.nsf/r?Open=dapn-8ezlg8.

    More info: http://online.wsj.com/article/SB10001424052748704662604576202971768984598.html

     

  • FTC Settles With Company Using Deceptive Endorsements

    Tony 3:53 pm on March 15, 2011 | 0 Comments Permalink | Post Your Comment!


    Today, the FTC announced a settlement with a company that sells guitar lesson DVDs using social media. According to the Complaint, the company recruited affiliates to promote its courses through endorsements. In exchange, affiliates received commissions on sales resulting from referrals. The FTC charged that the company disseminated deceptive ads by representing that the endorsements reflected the views of ordinary “independent” consumers, without clearly disclosing that the affiliates were compensated. The company must pay $250,000 and monitor affiliates to ensure they are disclosing the commissions.

     

  • Obama’s Budget Proposal Increases Funding to the FTC

    Tony 1:13 pm on February 15, 2011 | 0 Comments Permalink | Post Your Comment!


    President Obama’s 2012 budget, released on February 14, proposes $326 million for the Federal Trade Commission – - reflecting increases of $21 million.

    Specifically, the 2012 budget proposal would provide a $12 million increase allotted for the agency’s consumer protection mission, noting that the $186 million for that mission would enable the agency to continue operating under its five objectives:
    • identify fraud, deception, and unfair practices that cause the greatest consumer injury;
    • stop fraud, deception, unfairness, and other unlawful practices through law enforcement;
    • prevent consumer injury through education;
    • enhance consumer protection through research, reports, rulemaking, and advocacy; and
    • protect American consumers in the global marketplace by providing sound policy and technical input to foreign governments and international organizations to promote sound consumer policy.

    This increase – - during a time of lawmakers’ talking about budget cuts – - certainly signals the administration’s attitude for law enforcement and consumer protection.

     

  • Report from the Congressional Research Service

    Tony 12:39 pm on February 10, 2011 | 1 Comments Permalink | Post Your Comment!


    As the Report notes:

    On the regulatory front, the Federal Trade Commission (FTC) released guidelines calling on bloggers to disclose paid product reviews, and in December 2010 recommended a Do Not Track function to allow consumers to prevent advertising and other firms from collecting data about individuals’ online activities. The U.S. Food and Drug Administration (FDA) is examining pharmaceutical marketing in social networks and could propose guidance for online marketing early in 2011. In December 2010, the Department of Commerce Internet Policy Task Force released a paper on commercial privacy issues.

    The key issue for lawmakers and regulators is how to protect consumers without stifling innovation. Rapid technological change is leading to new forms of advertising and to issues that were unknown only a few years ago, from competition in search advertising to fraudulent marketing over social networks. It is likely that regulators, and Congress, will continue to struggle to keep pace as they consider how to craft a workable system to oversee advertising in the rapidly changing digital world.

    View the report

     

Older Posts →



Disclaimer: Posts on this website have been written and displayed for informational purposes only, and they do not constitute legal advice. Posts reflect the personal opinions of the author, and are not the views of any past or present employer or institution with which the author may be affiliated. This information is not intended to create an attorney-client or similar relationship. Do not post or send confidential information. This site may be considered advertising under the rules of some states. Prior results described on this site cannot and do not guarantee or predict a similar outcome with respect to any future matter that we or any lawyer may be retained to handle. Laws differ by jurisdiction, and the information on this blog may not apply to every reader. You should not take, or refrain from taking, any legal action based upon the information contained on this blog without first seeking professional counsel. You may print a copy of any part of this blog for your own personal, noncommercial use, but you may not copy any part of the blog for any other purposes, and you may not modify any part of the blog. Inclusion of any part of this blog in another work, whether in printed or electronic, or other form, or inclusion of any part of the blog in another web site by linking, framing, or otherwise without the express permission of WOMMA is prohibited.