Privacy & Data Security

Subscribe to Privacy & Data Security via RSS

This week, the Federal Trade Commission (FTC) announced a proposed settlement with MoviePass to resolve allegations that the company offered an automatically renewing movie subscription program but blocked paid subscribers from using the advertised services, and failed to adequately secure subscribers’ personal data.

The FTC brought the case against MoviePass under the Restore Online Shoppers Confidence Act (ROSCA), the federal statute governing online negative option programs. The statute requires sellers to clearly and conspicuously disclose all “material terms of the transaction” and obtain consumers’ express informed consent before charging them for online negative option features.

However, the FTC’s complaint did not take issue with the company’s billing disclosures or consent mechanism. Instead, it asserted that the company’s failure to disclose its deceptive tactics that prevented subscribers from accessing all of the advertised benefits violated ROSCA. In the complaint the FTC alleged that MoviePass, Inc deceptively marketed a MoviePass subscription service that allowed customers to view movies at local theaters for a monthly fee. However, once customers purchased a subscription, MoviePass allegedly used various methods to prevent subscribers from accessing the advertised service. For example, to limit the movies that customers could view, MoviePass allegedly blocked account access by invalidating subscriber passwords under the guise of “suspicious activity or potential fraud.” The FTC asserted that resetting a password was cumbersome and often failed, precluding subscribers from regaining access. Next, the FTC alleged that MoviePass’s operators implemented a ticket verification program that required users to submit pictures of their physical movie ticket stubs for approval through the app within a certain time frame after purchase. Users who failed to submit their ticket stubs would be blocked from viewing future movies and could risk subscription termination. Third, MoviePass allegedly used “trip wires” to block certain groups of subscribers—heavy users who viewed more than three movies per month—from using the service to purchase more tickets. These allegations seem to echo statements from the FTC’s Dark Patterns workshop (we blogged about the workshop here), which discussed ways the FTC should address websites and apps that impair consumers’ autonomy, decision making, and choice.Continue Reading Lights, Camera, Action! FTC Settlement Signals Novel Use of ROSCA

Spring 2021 Edition: Not a Symposium, but a Virtual Ad Law CLE Bonanza

In a recent series of webinars, members of Venable’s advertising law practice, Reed Freeman, Len Gordon, and Shahin Rothermel, along with some leading industry figures, explored and addressed key issues of concern to companies in the advertising space.

Our attorneys along with Panelists Mary Engle and Laura Brett from BBB National Programs, which administers the National Advertising Division (NAD), the investigative unit of the industry’s system of self-regulation; Lou Mastria from the Digital Advertising Alliance (DAA); and Daniel Kaufman from the Federal Trade Commission (FTC) also answered some audience questions. Below are some highlights from each session.

Session #1: NAD at 50 Years: Regulation and Self-Regulation Over the Past 50 Years

Q: To what extent does the NAD support the work of the FTC in enforcing self-regulation?

A: There has always been a strong relationship between the FTC and the NAD in supporting self-regulation. The FTC has limited resources, and it considers the NAD to be another cop on the street. There are always going to be cases that the FTC will want to pursue, regardless—for example, when it’s important to get money back to consumers. But anytime the NAD can define advertising as misleading and cause an advertiser to modify or discontinue the advertising, it frees up resources for the FTC. To show its support, the FTC prioritizes referrals from the NAD (as opposed to letters from competitors sent directly to the FTC). Similarly, after cases are referred to the FTC, it encourages the advertiser to participate in the NAD process and comply with the NAD’s decisions. So broadly speaking, the FTC really believes in the NAD’s role in encouraging self-regulation and in promoting truthful and non-misleading advertising.Continue Reading You Asked. We Answered.

We’re sorry not to be meeting up with you in person, but we hope you can join us for our spring 2021 edition of “Not a Symposium, but a Virtual Ad Law CLE Bonanza.” Combining the experience and thought leadership of one of the nation’s largest advertising law practices with key figures in advertising regulation, these three CLE-packed sessions are designed to educate and innovate. Topics will cover broad trends and anticipated developments, as well as industry-specific hurdles, highlights, and more.

Register today for any or all sessions!Continue Reading Spring 2021 Edition: Not a Symposium, but a Virtual Ad Law CLE Bonanza

On January 11, 2021, the Federal Trade Commission (FTC or the “Commission”) announced it reached a proposed settlement with Everalbum, Inc. (“Everalbum”), a developer of a photo app, to resolve allegations that the company deceived consumers about its use of facial recognition technology.

The settlement highlights the FTC’s focus on biometric data and increased scrutiny regarding facial recognition technology. Specifically, in announcing the settlement, the FTC stated that facial recognition technology can turn photos into “sensitive biometric data” and emphasized that ensuring companies keep their promises regarding the use of biometric data will be a “high priority for the FTC.” Additionally, while the proposed settlement was approved by all five FTC Commissioners, Commissioner Rohit Chopra issued a separate statement criticizing facial recognition technology and expressing support for a moratorium or restrictions on the use of such technology.

Everalbum provides a photo storage and organization app called “Ever,” which allows users to upload photos and videos to be stored and organized using the company’s cloud-based storage service. Starting in 2017, Ever launched its “Friends” feature, which uses facial recognition technology to group users’ photos by the faces of people appearing in the photos. Initially, the feature was automatically enabled for all users and could not be turned off, although the company later allowed users located in Illinois, Texas, Washington, and the EU to choose whether to turn on the feature. However, according to the FTC’s complaint, Everalbum’s website represented that Everalbum was not using facial recognition technology unless a user affirmatively enabled or turned on the technology. As the technology was instead enabled by default for users located outside of Texas, Illinois, Washington, and the EU, the FTC alleged that this representation was deceptive, in violation of Section 5(a) of the FTC Act.Continue Reading FTC Takes Aim at Facial Recognition Claims in Latest Deception Settlement

States can now require internet retailers to collect sales taxes even if the retailer has no physical presence in the state.

In South Dakota v. Wayfair, the Supreme Court overturned its 1992 decision in Quill Corporation v. North Dakota, which limited a state’s ability to impose its sales tax on an out-of-state retailer. In Quill the Court ruled that only a retailer that had a physical presence in a state by means of employees, stores, warehouses, or the like was required to collect such state’s sales tax. The Quill decision is one of the main reasons why many e-commerce retailers did not have to collect sales tax for sales to out-of-state residents.Continue Reading States Win and E-Retailers Lose as U.S. Supreme Court Alters Sales Tax Collection Standard

Practitioners have been waiting for quite some time for the 11th Circuit’s decision in the LabMD case. LabMD, Inc. v. Fed. Trade Comm’n, No. 16-16-270 (11th Cir. June 6, 2018). In particular, there was a great deal of interest as to how the court might resolve the issue of whether the “substantial injury” requirement under the unfairness prong of Section 5(a) of the FTC Act was satisfied by a data breach in 2008 involving approximately 9000 consumers and with little evidence of actual consumer monetary injury.

Well, the 11th Circuit published its decision this week but the issue regarding the meaning of “substantial injury” will have to wait for another day as the Court declined to address that question, instead ruling that the Federal Trade Commission’s order as drafted is unenforceable. In doing so, the 11th Circuit likely surprised a lot of folks and created a great deal of uncertainty regarding FTC orders in general.

The Court noted that for the most part the FTC’s complaint against LabMD was premised not upon certain affirmative acts taken by the company but rather by their failure to act in particular ways. In other words, the company had been negligent in establishing a reasonable data security program. The Court assumed for the sake of argument that the FTC could base an unfairness complaint upon a negligent failure to act but then went on to find the order unenforceable because the order set forth an indefinite “reasonableness” standard with respect to the Company’s future obligations in establishing data security measures. The relevant order language read as follows:Continue Reading 11th Circuit’s LabMD Decision has Implications Outside of Just Privacy

Flu shotSome people really do not like being told to get a flu shot and, in Latner v. Mount Sinai Health System, Inc., 2018 WL 265085 (2d Cir. amended decision Jan. 9, 2018), a man sued his hospital over it. Well, not exactly. Plaintiff Daniel Latner claimed that a text message sent by a third party telemarketer for Mt. Sinai Health System reminding him to get a flu shot violated his rights under the Telephone Consumer Protection Act (TCPA). Among other things, the TCPA allows individuals to file lawsuits and collect statutory damages for receiving autodialed text messages without the recipient’s prior express consent. Latner addressed the scope of consent required for a healthcare message made by a covered entity or its business associate, as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Continue Reading Dose of Relief for Healthcare Entities: Second Circuit Finds Hospital Had Sufficient Consent Under the TCPA

Seal of the Federal Trade CommissionA change in administration inevitably raises questions regarding the priorities and direction of federal agencies. To help set the record straight, Lesley Fair, a Senior Attorney with the Federal Trade Commission’s (FTC or Commission), Bureau of Consumer Protection, reminded us during last week’s NAD Annual Conference that the FTC has kept quite busy over the last year or so, with numerous enforcement cases arising out of the FTC’s Bureau of Consumer Protection. Ms. Fair also shared her views regarding the FTC’s key enforcement priorities that affect advertisers and marketers. Perhaps unsurprisingly, these priority areas generally relate to (i) advertising substantiation; (ii) use of social media, endorsements, and consumer reviews; (iii) matters involving privacy and data security; and (iv) allegations of financial deception. While such topics warrant serious consideration and attention for advertisers, one would be remiss in failing to mention that, in typical Ms. Fair fashion, she discussed these issues in a manner that not only kept the audience engaged, but largely entertained.

With respect to advertising substantiation, Ms. Fair took the opportunity to remind the audience that despite our obsession with smartphones—and our assumption that they can do almost anything except fold our laundry—the FTC will carefully scrutinize advertisers’ claims about their products, including health apps for smartphones, to ensure they are adequately substantiated. As an example, Ms. Fair mentioned the Commission’s January 2017 Settlement with Breathometer, Inc. and Charles Michael Yim in which the FTC alleged that marketers of two app-supported smartphone accessories, marketed to accurately measure consumers’ blood alcohol content (BAC), failed to adequately test the accuracy of the app and failed to notify customers that the app regularly understated BAC levels. In another smartphone settlement from December 2016, FTC v. Aura Labs, Inc. and Ryan Archdeacon, the FTC alleged that the marketer’s blood pressure app lacked reliable testing, and that the app’s readings were significantly less accurate than those taken with a traditional blood pressure cuff. In both of these cases, Ms. Fair suggested that FTC seemed particularly concerned due to potential safety issues arising from the lack of proper testing, especially where an intoxicated driver might get behind a wheel, or where a consumer may think his/her blood pressure does not present a health risk. These cases serve as a reminder that the FTC will evaluate substantiation with an especially critical eye where advertisers make health and safety-related claims.Continue Reading What’s the Federal Trade Commission Been Up to Recently?

Virtual DataVirtual reality (VR) and augmented reality (AR) are now considered mainstream technologies, and if your company is not yet using them, it will be.

AR has the ability to blur the lines between reality and computer-generated information, whereas VR is further along the spectrum of computer-generated content and involves the creation of an immersive, wholly computer-generated environment.

Both are known primarily for their use in recreation, most notably video games, though the technologies are also being incorporated into other industry sectors. Some argue AR will change the way we work, for example architects in various locations around the world may be able to, in real time and in 3D, manipulate the designs of buildings. And VR is already being used to train people in various industries, such as the military and medicine. Indeed, some experts believe that AR and VR will achieve widespread adoption in commercial applications well before either receives widespread consumer adoption for recreational purposes.Continue Reading Are You Prepared for the Legal Issues of Augmented Reality?

little girl and laptopOn June 21, 2017, the Federal Trade Commission (FTC) updated one of its Children’s Online Privacy Protection Act (COPPA) compliance guides for businesses. Known as the “Six-Step Compliance Plan,” this document provides a step-by-step road map for determining if a company is covered by COPPA and what to do to comply.

COPPA applies to operators of websites and online services that collect “personal information” from children under 13 years of age, where the site or service is directed to children or has actual knowledge that it is collecting personal information from a child. COPPA’s coverage extends to a variety of online services, such as mobile apps, internet-enabled gaming platforms, and – in some cases – companies that collect personal information directly from users of another website or online service (such as ad networks and plug-ins).Continue Reading FTC Updates COPPA Guidance for IoT and New Consent Options