On December 14, 2016, operators of online extramarital dating and social networking website AshleyMadison.com came to an agreement with the Federal Trade Commission, and several States, to settle FTC and related state charges that the website deceived consumers and failed to protect 36 million users’ account and profile information. As we discussed immediately following the July 2015 breach (and in several later posts), the data of some 36 million AshleyMadison.com accounts was posted online. It was reported by KrebsOnSecurity that the breach included the theft of user databases, financial records (including salary information), and other records from AshleyMadison, Cougar Life, and Established Men, three social networking web sites operated by the Toronto, Canada-based firm Avid Life Media, now known as Ruby Corp.
Worried about a company retaliating against you when you post a negative review on Yelp or TripAdvisor? Worry no longer because Congress has your back. Last week, Congress passed a law that will make it illegal for companies to retaliate against U.S. consumers who post negative reviews online.
It seems like managing data breaches has become a part of doing business these days. From the October denial of service attack on Dyn (a company that provides core internet services to companies like Twitter, Spotify and Netflix) to the recent hacks of the Clinton campaign’s emails, data breaches are increasing in frequency, scope and cost. The average cost of a data breach increased to $4 million in 2015, and the 2016 Cost of Data Breach Study: Global Analysis published by IBM and the Ponemon Institute places the likelihood of a company having a material data breach involving 10,000 lost or stolen records in the next 24 months at 26 percent.
Social media has become a must-have medium for most companies and celebrities. The medium provides an easy, inexpensive and instantaneous connection to customers and fans. However, as social media marketing continues to expand and evolve, so do concerns about deceptive advertising.
Earlier this year, the Federal Trade Commission (FTC) went after Warner Bros. Home Entertainment Inc. for not clearly representing that several digital influencers were paid as part of a marketing campaign for the video game Middle Earth: Shadow of Mordor. (See our prior posts on FTC enforcement of its disclosure requirements.) According to the complaint, these influencers were paid amounts ranging from hundreds of dollars to tens of thousands of dollars and received advance-release copies of the game with instructions on how to promote the game. The sponsored videos were viewed more than 5.5 million times. One very popular influencer, Felix Kjellberg, known as “PewDiePie” on YouTube, created a video that has been viewed over 3.7 million times by itself.
The Federal Trade Commission recognizes that many people benefit from companies’ online tracking by getting advertising that is more targeted to their preferences. However, as the technologies and techniques used by companies and advertisers to uniquely identify and track individuals’ online behavior advance, the FTC warns that companies’ privacy disclosures and practices must be updated. Failure to do so could be considered deceptive under the FTC Act.
We’ve written previously on the rise in FTC scrutiny and enforcement regarding the use by companies of paid digital influencers without the proper disclosures. Recently, retailer Lord & Taylor found itself in the FTC’s crosshairs when it employed bloggers and Nylon magazine as part of a very successful campaign to promote a clothing collection online and on social media. Unfortunately, the campaign was less successful in its compliance with the FTC Act.
Along with colleagues Lori Levine and Lauren Lynch Flick, we’ve taken a closer look at the case in Lord & Taylor Case Shows the Importance of Transparency in Advertising, itself just the latest example of how companies can run into trouble when they fail to fully disclose a promotion or advertisement.
As we saw in a prior post regarding Kim Kardashian and Instagram, the FDA pays attention to how brand companies use paid celebrities to endorse their products. Likewise, the FTC closely scrutinizes how brand companies use paid or sponsored endorsers. Be it digital influencers or bloggers, brand companies must be mindful of the disclosures required to be made in connection with any advertisement or promotion disseminated by an endorser for the brand company. If the brand company provides compensation of any kind to the endorser in exchange for the promotion, FTC regulations require disclosure of this fact. Per the FTC’s 2013 .com Disclosures guidelines, the disclosure must be “clear and conspicuous.” If the brand company uses an advertising agency, the company must ensure that the agency is complying with the FTC’s regulations. Ultimately, the brand company can be held liable for FTC violations by its advertising agency.
Cyberattacks are on the rise—so much that we seem to hear about a high-profile hack more often than it probably rains in most parts of California. Although reputational damage from a cyberattack can be scarring, a recent U.S. Third Circuit Court decision provides a reminder that the pain can come in many forms. In Federal Trade Commission v. Wyndham Worldwide Corp, the Court confirmed that the FTC can levy expensive fines on a business for failing to adequately protect consumer information. If there wasn’t sufficient reason before, the Third Circuit opinion should convince many who ignored cybersecurity to take a more proactive approach.
Following an 18-month investigation into the practices and operations of data brokers, the Federal Trade Commission has issued a voluminous report calling for legislation to regulate the industry in the interests of consumer privacy. The report, called Data Brokers: A Call for Transparency and Accountability, identifies “data brokers” as “companies that collect consumer’s personal information and resell or share that information with others,” and notes that in today’s economy, “Big Data is big business.” The report recounts that the privacy issues that data brokers present today were first addressed back in the 1970s, when Congress enacted the Fair Credit Reporting Act (FCRA) to regulate the collection and use of consumer data in connection with credit, housing, employment and similar decisions. The FTC has been active in enforcing the provisions of the FCRA, but has also argued for similar types of protections even where the FCRA does not apply, such as where data is collected for marketing purposes, fraud prevention purposes, and people search products. In its March 2012 report “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers”, the FTC noted that prior self-regulatory efforts by the industry had not addressed its concerns with transparency and called for the industry to create a web portal to provide consumers with more information about and access to information that data brokers hold about them. In addition, an FTC Commissioner has spearheaded a “Reclaim Your Name” campaign urging the industry to adopt self-regulatory reforms to educate consumers as to how information is collected and used and to allow consumers access to the data that brokers hold, correct any errors in it, and opt out of its use for marketing purposes.
Noting that the industry has not moved on past suggestions such as these, the report calls for legislation that would require data brokers to provide the consumer with access to the data they hold regarding the consumer and to permit consumers to opt out of the sharing of that information for marketing purposes. The FTC reiterates its suggestion that a central web portal be created where data brokers identify themselves and their information collection and use practices and allow consumers access to their data and to opt out of certain uses. The report also calls for legislation that would require data brokers to disclose to consumers not only that they use raw data that they collect, but also whether they combine that data with other information and draw conclusions based on it, such as determining a consumer’s interests based on magazine subscriptions, previous purchases, or website visits. To facilitate consumer education, the report suggests that all consumer-facing entities be required to disclose if they sell consumer information to data brokers, provide opt-out options concerning this sharing, and provide the names of the specific data brokers with which the information is shared and a link to the web portal where consumers can learn more about the data brokers and their data access and opt-out rights. With respect to risk mitigation products, the report recommends extending FCRA-like notices to the consumer where, for example, the consumer is denied a cellular phone contract not because he or she is a credit risk, but because risk mitigation information indicates that he or she is an identity thief. The notice would identify the data broker from which the information was obtained and the data broker in turn would provide the consumer with access to the data and a right to correct it if it is inaccurate.
In connection with people search products, the report recommends not only that consumers have the ability to access their data and opt out of certain uses, but that limits on those opt outs be clearly identified and that the data broker’s sources of information be identified.
The report concludes with a recommendation that all data brokers adopt the principles in the Commission’s 2012 report that they adopt “privacy by design” and incorporate consumer privacy into all aspects of their operations.