T-Minus 30 to California’s New Landmark Privacy Law

On New Year’s Day, the California Consumer Privacy Act of 2018 (“CCPA”) goes into effect.  The strictest privacy law in the country, the CCPA could become the de facto data privacy standard in the United States, which, unlike Europe, with its General Data Privacy Regulation (“GDPR”), has yet to enact a national consumer privacy law. 

Though different from the GDPR in its approach to consumer consent (opt out vs. opt-in), the CCPA is based on the same principles of a consumer’s “right to know” what companies know about them and the “right to be forgotten.” Like Europe, California is seeking to return to its residents some real measure of autonomy and control over the personal information that is collected, used and shared about them on the Internet as they go about their daily digital lives.   

The CCPA gives California consumers four basic rights over their personal information:

1. the right to know what personal information a business has collected about them, where it came from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;

2. the right to “opt out” of allowing a business to sell their personal information;

3. the right to have a business delete their personal information; and

4. the right to receive equal service and pricing, even if they exercise their privacy rights.

Businesses must disclose consumers’ rights under the CCPA, including the right to deletion of their personal data; the categories of personal information they collect; the purposes of collection; and the categories of personal information that they sold or disclosed in the preceding 12 months.  Unless they are operating exclusively online, they need to provide at least two methods (including, at a minimum, a toll-free telephone number and website) for consumers to use to request information about their personal data.  The requested information must be provided free of charge within 45 days. 

To make it easy for consumers to prevent the sale of their personal data, the CCPA requires companies to place an opt-out link entitled “Do Not Sell My Personal Information” on their home pages.  For consumers under 16, affirmative “opt in” consent is needed to sell their personal information (for those under 13, consent must come from a parent or guardian).

Businesses cannot “discriminate” against consumers for exercising their privacy rights under the CCPA, meaning they cannot treat them differently in their product offerings and pricing from consumers who don’t exercise their privacy rights.  However, they are allowed to offer financial incentives to consumers for the collection, sale, or deletion of personal information.

The CCPA applies to for-profit businesses that collect and control California residents’ personal information, do business in California, and: (a) have annual gross revenues over $25 million; or (b) receive or disclose the personal information of 50,000 or more California residents, households or devices annually; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information.  Non-profits, small companies, and/or those that do not earn most of their money from the sale of Californians’ personal data, are thus exempt.

As a practical matter, because so many online companies have California customers, those meeting these jurisdictional thresholds, wherever located, and without any physical presence in California, will be subject to the law.  The CCPA is enforceable by the California Attorney General, with civil penalties of up to $7500 for each intentional violation.  Subject to notice and a cure period, consumers also have the right to enforce it, individually or as a class, and seek damages for mistreatment of their sensitive (i.e., health, financial) personal information or for a business’s failure to implement and maintain reasonable security procedures.

If the CCPA applies to you, are you ready?  Have you updated your privacy policy and practices to be compliant?  If not, you have 30 days left.  To get ready, and thereby reduce the risk of being targeted by the California AG or a class action attorney for violations, consulting appropriate counsel can be helpful.

Reversing Prior Losses, FTC Scores a Win in its RCT Crusade

As I have written before (see past posts at https://www.ftcadlaw.com/blog/), it is no secret that the Federal Trade Commission’s substantiation policy on health claims, including for dietary supplements, is that the only acceptable form of substantiation is a randomized, placebo-controlled human clinical trial (“RCT” for short).  While the FTC’s might enables it to impose this stringent and expensive requirement on companies that are forced to settle for financial or other practical reasons, its policy has met with mixed success in the courts.  In FTC v. POM Wonderful, for example, the U.S. Court of Appeals for the District of Columbia, while affirming an RCT requirement for disease treatment (drug) claims, reversed an FTC mandate of two RCTs, and held that for non-disease health claims, the more flexible traditional standard of “competent and reliable scientific evidence” applies.  As defined by the FTC, that means:

tests, analyses, research, studies, or other evidence based on the expertise of professionals in the relevant area, that have been conducted and evaluated in an objective manner by persons qualified to do so, using procedures generally accepted in the profession to yield accurate and reliable results.

Courts have disagreed on the meaning of this standard, and whether it can be reasonably interpreted to require an RCT, as the FTC has argued.  In U.S. v Bayer, an FTC contempt action against Bayer for failing to have “competent and reliable scientific evidence” for probiotic claims, as required by a prior consent order, the FTC argued that the standard required an RCT, which Bayer didn’t have, thus placing it in violation of its order. The court rejected the FTC’s argument and contempt motion on several grounds.  First, the Dietary Supplement Health & Education Act of 1994 (“DSHEA”) does not require RCTs.  DSHEA does not impose a stringent “drug-level” RCT substantiation standard for dietary supplements, but only that supplement claims be “truthful and not misleading…as long as a supplement is not marketed as a drug, it is not regulated like a drug.” Second, the FTC’s own published substantiation guidance explicitly states that the “competent and reliable scientific evidence” test, unlike the standard for drug claims, is “flexible…Randomized clinical trials are not required….”  Third, the “competent and reliable scientific evidence” standard in Bayer’s order did not give it adequate notice that the only acceptable substantiation for its probiotic claims was an RCT. The FTC, the court found, “presented no evidence of any law, regulation or guidance that would have provided notice to Bayer that…RCTs are required for the…claims at issue.”      

Reaching a different conclusion, the Eleventh Circuit in September affirmed a lower court decision in FTC v. National Urological Group holding Hi-Tech Pharmaceuticals and other defendants in contempt for violating a prior order which prohibited them from making health claims without “competent and reliable scientific evidence,” and upheld the $40 million judgment against them.  Unlike in Bayer, where the court found that the company had not been given fair warning that “competent and reliable scientific evidence” meant an RCT, the Eleventh Circuit accepted this stringent interpretation because the defendants had repeated notice for years that it was how the FTC and the district court construed the standard. It also noted that defendants had not raised objections to the clarity of the standard when the prior order was being proposed to the court.

Beginning with its defeat in Bayer, the FTC now expressly defines “competent and reliable scientific evidence” to mean an RCT in its dietary supplement and other health product orders. Notwithstanding the Bayer court’s findings that neither DSHEA nor the FTC’s official substantiation guidance requires an RCT, and regardless of the adequacy of notice of an RCT requirement to any particular defendant, dietary supplement and other health product marketers should be under no illusion about the FTC’s mission to mandate RCTs for health claims, especially following its win in National Urological Group.  More than ever, supplement marketers should assume that, whatever the courts say (short of a final definitive decision by the Supreme Court), the FTC will expect them to have an RCT to support their claims, and will make them pay dearly if they don’t.  Just ask Hi-Tech Pharmaceuticals and its co-defendants in National Urological Group.

FTC Busts “Fake Influencer” Racket

As the marketing power of social influencers has grown, so has the Federal Trade Commission’s desire to have influence, by monitoring and attacking deception in influencer marketing.  In legal actions against both advertisers using influencers and the influencers themselves, the FTC has sought to enforce its endorsement rules requiring clear and conspicuous disclosure of a “material connection” between a paid influencer and its sponsor, so that the consumer can know the endorsement is not entirely objective and weigh that fact in her product consideration and purchasing decision. 

What makes an influencer attractive enough to an advertiser to want to pay to use the person in its social media marketing is, of course, that the person has influence over the buying decisions of the advertiser’s target customers.  And the larger the influencer’s following, the more valuable she becomes to advertisers and the more money she makes.  It is therefore in the influencer’s self-interest to maximize the size of her following in just about any way she can.

One way, the FTC has discovered, is to buy “fake influence.” This month, the FTC again exerted its influence over social media marketing by suing and obtaining a settlement with a company that was selling fake indicators of influence, including fake followers, subscribers, views, and likes, to users of social media platforms, including LinkedIn, Twitter, YouTube, Pinterest, Vine, and SoundCloud. The company, Devumi, sold fake Twitter followers to actors, athletes, musicians, writers, and others who wanted to increase their appeal as online influencers, and to motivational speakers, law firm partners, investment professionals, and others who wanted to boost their credibility to potential clients. It allegedly filled more than 58,000 orders for fake Twitter followers; made more than 4,000 sales of fake YouTube subscribers and over 32,000 sales of fake YouTube views, including to musicians who wanted to increase the apparent popularity of their songs; and sold more than 800 fake LinkedIn followers to marketing, advertising, and public relations firms; companies offering computer software solutions; banking, investment, and other financial services firms; human resources firms; and others.  With these fake followers and views, the buyers were able to deceptively magnify their influence, thereby fooling consumers, potential clients, and investors.

The settlement bans the Devumi defendants from selling social media influence to users of social media platforms and misrepresenting anyone’s social media influence, and imposes a $2.5 million judgment against the owner-CEO, which was to be suspended upon an “ability to pay” payment of $250,000.

Although the deception was committed by the purchasers of the fake influence metrics and not by Devumi itself, the FTC’s complaint alleged that it was liable because it provided the “means and instrumentalities” for the deception.  Because the FTC lacks “aiding and abetting” authority other than in telemarketing cases, it seeks to get around that limitation by resorting to the use of this rather nebulous – and legally dubious – alternative pleading device.  Even if “means and instrumentalities” is merely “aiding and abetting” by another name, the FTC will continue to use it in non-telemarketing cases to sweep in third party defendants who cannot be directly charged with deception – until a party so charged has the means to sustain, and a court upholds, a legal challenge to the FTC’s own arguable fakery.

Pleading gamesmanship aside, the Devumi case is a warning not only to other sellers of fake social media influence, but to buyers of it, that the FTC is watching you and will not tolerate fraudulent gamesmanship in the influencer world.  When the FTC began to police influencer marketing, it first went after the sponsoring advertisers for failing to meet “material connection” disclosure requirements, and only later against the influencers themselves.  We can expect the same pattern here.  The next time the FTC discovers hanky panky in the acquisition and representation of fake influence, the purchasers, and not just the peddler, may incur its wrath as well.

FTC To Review Its Negative Option Rules. It’s About Time!

No marketing method has incurred the wrath of the Federal Trade Commission, with more dire consequences (asset freezes, receiverships, ruinous monetary judgments) to the targets of its wrath, than continuity, subscription or auto-renewal plans containing a “negative option” feature (under which the consumer agrees in advance to recurring charges for a product or service until he cancels). The issue with such offers is the adequacy of disclosure of the existence of a negative option, the length of any trial period (free or otherwise), the frequency and amount of the recurring charge, the right to cancel without incurring more charges, and the method to cancel. The FTC has shut down dozens of businesses, seizing and forcing the disgorgement of their (and their owners’) assets, for failing to disclose a negative option, or failing to do so effectively in its judgment, thus harming consumers who did not realize they were enrolling in an auto-renewal plan and did not knowingly authorize the recurring charges. The FTC puts deceptive negative options in the “fraud” category in its hierarchy of enforcement priorities, and policing them lies at the heart of its fraud enforcement program.

The FTC’s authority to prevent deceptive negative option marketing rests on Section 5 of the FTC Act, which prohibits unfair and deceptive business conduct, and on the “Restore Online Shoppers’ Confidence Act” (“ROSCA).  ROSCA codifies the principle –  articulated in FTC orders, guidance documents and court decisions – that for a negative option offer to be lawful, all material terms, including recurring charges, must be “clearly and conspicuously” disclosed before the consumer submits his billing information; the consumer must give his express informed consent to the offer; and it must be easy to cancel. 

While embedding in statute the ban on “unclear” and “inconspicuous” negative option sales, ROSCA does not define the meaning of “clear and conspicuous” but leaves that task to the FTC.  According to the agency, for a disclosure to be conspicuous, it must be “unavoidable.” What, exactly, does “unavoidable” mean?  Clearly it does not mean burying the negative option terms on a hyperlinked “Terms & Conditions” page, separate from the website, or placing them at the bottom of the checkout page, “below the fold” (requiring scrolling down to see them) and far from the order button and credit card fields.  But what about negative option terms that are placed in the vicinity of the order button and credit card fields and are even disclosed multiple times?  Are those disclosures “conspicuous enough” for the FTC?  Do they pass the “unavoidability” test?               

The FTC’s answer has been no.  In FTC v. One Technologies, LP, for example, an action against a provider of credit monitoring services, the FTC alleged that the terms of a negative option offer, including a recurring monthly charge, were not adequately disclosed even though they were presented on several pages of the website: at the top of the home page (“Free 7 Day Trial when you order your 3 Free Credit Scores.  Membership is then just $24.95 per month until you call to cancel.”); on an inside page, via a link to “Offer Details” which the consumer agreed to by clicking a button to continue the enrollment process; and on the signup page in an “Offer Details” box adjacent to the credit card fields and above the order button.

Despite being provided multiple times, well above the fold and viewable, One Technologies’ negative option disclosures weren’t up to snuff, according to the FTC, because they weren’t big enough or bright enough or prominently positioned enough.  Because they weren’t “enough” of what the FTC wanted, One Technologies was required to pay $22 million to settle. The moral of the case: not disclosing negative option terms in the exact color, font, type size, and place desired by the FTC can be legally perilous and expensive indeed.  

The vagueness of the “clear and conspicuous” standard, and the subjectivity with which the FTC applies it in the “grey zone” of negative option enforcement – where the adequacy of disclosure can be reasonably argued both ways and the FTC’s use of its draconian enforcement powers, including asset freezes and punitive settlements, is highly problematic – are fair targets for criticism.  Fortunately, the FTC has now provided a forum for marketers to voice that criticism to it directly.  Last month, the agency announced that it will be conducting a review of its regulation of negative option marketing, including subscription, continuity, auto-renewal and trial conversion plans that are presently regulated under Section 5 and ROSCA, and prenotification plans (e.g., book-of-the-month clubs) that are covered by its existing Negative Option Rule. The FTC is inviting public comment on a host of questions, including this one: “Should the Rule define ‘clearly and conspicuously’, given that it requires marketers to make certain disclosures clearly and conspicuously? If so, why, and how? If not, why not?” 16 CFR Part 425         

While all the questions on which the notice seeks public input are important, none is more urgent than the need for the FTC to decide that the correct answer to this question is yes!  It then must respond by promulgating clear, articulable, concrete guidance on the meaning and application of the “clear and conspicuous” standard as it applies to negative option disclosures, and then adhere scrupulously to its own guidance in future enforcement actions.  Never again should a company and its owners, like One Technologies, be so severely sanctioned based on a subjective and highly debatable determination by the FTC that its negative option disclosures were not “adequate” to prevent consumer deception.

  • Newsletter Sign Up

    join our mailing list
  • Recent Posts

  • Archives

  • Categories

  • Tags