That’s because, tucked away on pages 2800-2819 of last year’s 4000+ page Omnibus Appropriations Bill (between provisions addressing furniture tip-overs and Tribal swimming pools), is legislation requiring the marketplaces to collect and verify certain information from “high-volume third party sellers,” suspend sellers that fail to comply, and disclose the sellers’ contact information to purchasers.
The new law (the Integrity, Notification, and Fairness in Online Retail Marketplaces for Consumers Act, or the INFORM Consumers Act) charges the Federal Trade Commission (FTC), the state Attorneys General (AGs), and “other state officials” with enforcement; gives the FTC rulemaking authority; and authorizes substantial civil penalties for violations. The law was the result of a bipartisan effort led by Senators Durbin and Cassidy, as well as Representatives Schakowsky and Bilirakis, who remain invested in its success. (Note that Durbin and Schakowsky both mentioned INFORM at recent Congressional hearings.)
For companies that haven’t heard about this new law – or who just want to learn more – here are the key things to know as we approach the June 27 effective date:
What exactly does the law require?
In brief, INFORM requires online marketplaces (i.e., platforms that enable third parties to engage in sales, purchase, payment, storage, shipping, or delivery of consumer products in the US) to do the following:
Notably, INFORM’s legal obligations all fall on the marketplaces. They are the entities subject to enforcement and civil penalties if INFORM’s requirements are not adhered to. They are the ones responsible for ensuring compliance after a seller reaches the “high volume” sales and revenue thresholds. (This is true even for the disclosure requirements, which must appear on sellers’ landing pages or in their communications with purchasers.) However, the Act will have significant, if indirect, effects on high volume sellers, too, who will risk swift suspension if they fail to furnish accurate and timely information to the marketplaces, or fail to cooperate in providing the required disclosures.
Why was this law passed?
The law is designed to address concerns about the sale of stolen and counterfeit goods online, which, according to the law’s sponsors and several influential reports (see here and here), harms consumers and costs legitimate businesses billions of dollars a year. These sales often occur through online marketplaces, where criminals exploit the anonymity of the web to sell goods that have been stolen from stores, and/or are counterfeit or unsafe, and where the marketplaces historically have had minimal obligation to verify the identity of sellers.
As press releases heralding passage of the Act explained, requiring marketplaces to verify sellers’ identities will “shine a light” on anonymous online sellers, thus choking off a key avenue for them to sell stolen and harmful goods, while also protecting online purchasers and legitimate competitors.
What happens on the effective date?
On June 27, all of the above requirements kick in, which means that marketplaces must have systems in place to comply with all of them or risk enforcement (with substantial penalties) by the FTC, state AGs, and/or potentially “other state officials.” At the same time, high volume sellers must be ready to furnish the information, and cooperate in providing disclosures, or risk suspension by the marketplaces.
Should we expect enforcement immediately?
Yes, it’s quite possible, though the FTC (and AGs) might start with warning letters or an announcement of a coming “crackdown.” Indeed, the Act touches on numerous FTC and state AG priorities – including protecting consumers from fraud and unsafe products; maintaining a fair marketplace; holding platforms accountable, both for their own conduct and as “gatekeepers” in critical markets; and authorizing all-important civil penalties of up to $50,020 per violation. It’s also the product of bipartisan consensus at a very partisan time.
In addition, with so many cops on the beat, action could come from, not just one enforcer, but many, possibly working in tandem. In recent budget testimony to Congress, FTC Chair Khan highlighted the Act (at p. 26), including the potential for joint FTC-state action:
Ensuring Honest Online Marketplaces
Our consumer reports data show that online platforms have become fertile ground for fraud and abuse, and we are taking on this problem using all of our tools. The newly enacted INFORM Consumers Act requires online marketplaces to collect and verify information about certain third-party sellers, and to disclose third-party seller contact information to consumers to ensure transparency. The Commission will enforce the law to the fullest extent possible and will collaborate with our state partners as well.
In short, whether you’re an online marketplace or a third party seller, it would be wise to bone up on INFORM’s requirements before the effective date, and make sure you’re ready to implement them when the magic date arrives. Kelley Drye will shortly be announcing a webinar on this topic – stay tuned for more details.
ABBY STEMPSON (Special Counsel in the Ad Law and State AG practices) will be speaking on a panel entitled Fundamentals – Consumer Protection. The session will include a fact pattern to help set the scene for the audience and will discuss potential violations of federal and state law, as well as BBB self-regulatory standards. Panelists will examine enforcement, corporate compliance, and emerging issues, with Abby focusing in particular on state consumer protection laws, AG enforcement, and business compliance strategies. This session takes place on Wednesday from 9:00-10:15.
DONNELLY MCDOWELL (Partner in the Ad Law Practice) is moderating the panel Navigating the “Green” Minefield of ESG Claims, which will offer perspectives from the FTC, in-house counsel, and plaintiff’s counsel on issues related to green marketing and environmental, social and governance (ESG) initiatives. As we’ve discussed at length on Ad Law Access in a series of posts, green marketing claims continue to generate attention and scrutiny from the FTC, NAD, and plaintiff’s attorneys and are more prevalent than ever. In addition, the FTC has solicited comment on potential revisions to the Green Guides, as we discussed here. This session will address all of these developments and more, and takes place on Wednesday from 1:45-3:15 pm.
LAURA RIPOSO VANDRUFF (Partner and Chair of the Ad Law Practice) is the Session Chair and Moderator of the panel Is AMG the Tip of the Iceberg? Two years after the Supreme Court stripped the FTC of its authority to use Section 13(b) to obtain monetary remedies in FTC v. AMG, the FTC is facing new challenges on other fronts. Laura’s panel includes a former Chairman of the FTC; an attorney representing the Petitioner in Axon v. FTC; the FTC Bureau of Consumer Protection’s Chief Litigation Counsel; and a prominent member of the FTC defense bar. Among other things, the panel will assess whether Chair Khan’s ambitious rulemaking priorities are vulnerable to constitutional challenges, including under the major questions doctrine. This panel is on Thursday from 8:30-10:00 am.
PAUL SINGER (Ad Law Partner and co-chair of the State AG practice) is the Session Chair and Moderator of this year’s Consumer Protection Year in Review panel. This panel will feature representatives from the FTC, DOJ, NAD Division of BBB National Programs, Florida AG’s Office, and the private bar. This annual panel takes a look back at the major consumer protection developments of the past year, and will include a robust discussion of many of the hot topics that emerged through enforcement efforts, including dark patterns, privacy and data security, testimonials, endorsements and reviews, green claims, and health claims. The panel will also discuss the increased collaboration among enforcers – both between federal agencies (FTC/DOJ) and state-federal partnerships (FTC/State AGs). This panel will take place on Thursday from 1:30-3:00 pm.
Please join us at any or all of these interesting and timely panels.
Notably, the first case alleges COPPA violations (compromising the privacy and safety of users under 13) but adds allegations that Epic violated teens’ privacy and safety, too. And the second case alleges unauthorized in-app purchases – not just by kids, which was the focus of earlier FTC cases, but by users of all ages. Both cases rely on unfairness theories in extending their reach. Both incorporate the (now ever-present) concept of dark patterns (generally defined as practices that subvert or impair user choice). And both got a 4-0 Commission vote, with a strong concurrence from Republican Commissioner Wilson explaining her support for the FTC’s use of unfairness here. Neither case names any individuals.
The privacy case
The FTC’s privacy case alleges that, for over two years following Fortnite’s launch in 2017, Epic allowed kids to register with no parental involvement, and allowed kids and teens to play the game with features enabling them to communicate in real time with anyone on the platform. According to the FTC, these practices subjected kids and teens to bullying, harassment, threats, and “toxic” content, including “predators blackmailing, extorting, or coercing children and teens…into sharing explicit images or meeting offline for sexual activity.” Further, says the FTC, Epic knew about these problems, resisted fixing them and, when it finally took action, added controls that were hard to find and use, and failed to cure the violations.
The complaint includes two counts. First, it alleges that Epic violated COPPA because it operated a website directed to children (based on, e.g., visual content and features, merchandising tie-ins, and audience composition); knew specific users were kids (based on player requests, reports, and complaints); and failed to comply with COPPA’s notice, consent, access, and deletion requirements.
Second, the FTC alleges that Epic engaged in an unfair practice by operating a “ubiquitous, freely available” video game that was directed at children and teens and that, through default settings allowing real time social interaction, put children and teens at risk of substantial injury.
Under the order, Epic must (1) fully comply with COPPA; (2) delete data collected in violation of COPPA; (3) provide default settings that prevent interaction between minors and other users, unless Epic obtains affirmative express consent from parents or teens or, alternatively, the user identifies as 13 or older through a neutral age gate; (4) implement a privacy program with third party assessments for 20 years; (5) submit annual certifications from Epic’s chief executive (for not just Epic, but certain affiliated companies); and (6) pay $275 million in civil penalties. The order’s definition of “affirmative express consent” prohibits the use of dark patterns.
What’s new or notable here? For one thing, the case provides further insight into how the FTC analyzes the “directed to children” element of COPPA (and to a lesser extent, “actual knowledge”), with detailed discussion of the factors it considered in the analysis. For another, the penalty is the largest ever obtained in a COPPA case and, according to the FTC, in any FTC rule violation matter. Of perhaps greatest significance, though, is the FTC’s decision to address teen privacy in this case. Indeed, amidst all of the public discussion and concern about teen privacy (and on the same day Congress declined to include kid/teen privacy legislation in the end-of-year omnibus package), the FTC announced a teen privacy case based on its existing FTC Act authority, with a 4-0 vote.
The dark patterns case
The FTC’s second settlement with Epic, framed in the press release as an “illegal dark patterns case,” is strikingly similar to the FTC’s earlier cases against Apple, Google, and Amazon involving unauthorized in-app charges by kids, but with some new elements. (In a prior post, we said that those three cases were essentially dark patterns cases but without the “catchy term.” I guess we were prescient!)
In brief, the complaint here alleges that Epic charged accountholders for purchases that weren’t authorized – either because accountholders weren’t told about, and didn’t authorize, their kids’ purchases, or because they themselves incurred unwanted charges due to poor disclosures and a deliberately confusing purchase flow.
At the same time, the complaint alleges, Epic designed the process for canceling purchases and seeking refunds to be difficult and cumbersome, and even deactivated user accounts (removing all of the user’s content) when users attempted to dispute unauthorized charges. According to the FTC, users incurred billions of dollars in unwanted charges. Further, despite receiving thousands of complaints and acknowledging the issues in internal emails (and even after the FTC took action against Apple, Google, and Amazon for similar practices), Epic failed to correct the problem.
The complaint contains two counts. First, it alleges that Epic engaged in unfair billing practices by charging users for in-app purchases without express informed consent from the accountholder. Second, it alleges that Epic unfairly denied consumers access to their accounts after they disputed unauthorized charges.
The order, in turn: (1) prohibits charging any user without express informed consent; (2) in the case of consent for continuing charges, requires that consumers be able to revoke consent at any time, using a mechanism that isn’t difficult, costly, confusing, or time-consuming, and is as simple as the mechanism used to initiate the charges; (3) enjoins Epic from denying someone access to their account “for reasons that include” disputing a charge; and (4) obtains $245 million in refunds.
What’s new or notable in this case? First, as already mentioned, the case extends, not just to obviously-unauthorized in-app purchases by kids, but also to purchases by older users. Second, the FTC is once again focusing on ease of cancellation (see our post on the FTC’s Vonage settlement), requiring that cancelling recurring charges be just as simple and frictionless as signing up. Third, the FTC appears to be saying that deactivating accounts following the dispute of charges is per se illegal (and, due to the broad wording of the injunction, that companies can never cancel an account for this or any other reason).
Finally, this is an example of the FTC’s continuing ability to obtain consumer redress post-AMG. In a case like this, where no rule violations have been alleged, the FTC would normally be forced to pursue redress using a two-step process – an administrative action, followed by a federal district court action. Here, Epic has simply agreed to pay redress in one step.
Why two cases and not one?
Some readers might be wondering why the FTC split this matter into two cases. Under the FTC Act, the agency must refer any civil penalty case (here, the COPPA/privacy case) to the Department of Justice for filing in federal district court. By contrast, as discussed above, the FTC must initiate an administrative action to obtain redress in non-rule matters (here, the dark patterns case). While there may be some theory for consolidating both cases into one DOJ action, that would be exceedingly complicated – even more so than the shortcut the parties agreed to here. These cases were also handled by two different FTC divisions, which also may have weighed in favor of bifurcation.
* * *
One last thing – as if the cases themselves weren’t enough to digest, it’s worth taking a look at Epic’s post on the topic, explaining that the laws haven’t kept pace with technological developments but fully embracing the principles and requirements laid down in the settlements.
Keep following us in 2023, and we’ll keep you posted on how these trends develop.
Prohibiting junk fees may sound uncontroversial in the abstract, but what does it mean in practice? We concentrate here on the FTC’s ANPR given its potential breadth and impact on a host of industries including travel, delivery services and others in the gig economy, restaurants, and e-commerce sites.
What is a “Junk Fee”?
The ANPR uses the term “junk fees” to refer to “unfair or deceptive fees that are charged for goods or services that have little or no added value to the consumer, including goods or services that consumers would reasonably assume to be included within the overall advertised price.” According to the FTC, the term includes, but is not limited to “hidden fees,” which are fees disclosed only at a later stage of the customer experience or potentially not at all.
The ANPR references a host of industries that allegedly charge junk fees, such as hotels that charge “resort fees” and online ticket sellers that charge transaction fees. The Commission also cites specific enforcement actions as support for its initial conclusion that junk fees are “prevalent,” which as we’ve previously discussed is a requisite determination to proceed past the ANPR stage to a proposed rule under the FTC’s Magnuson-Moss Rule authority. Those enforcement actions date back 18+ years and include actions related to mobile cramming, connection and maintenance fees on prepaid phone cards, account fees, resort fees, membership programs, and merchandise fees.
What is the FTC Seeking Comment on?
The ANPR seeks comments on a host of issues related to the prevalence and justification for certain fee and disclosure practices, including:
Inherent in many of the FTC’s questions is the premise that fees harm consumers and competition, and that such fees do not serve legitimate business purposes. The ANPR also seems to assume without elaboration that consumers do not reasonably expect fees in certain industries, such that they are necessarily deceived when such fees are not clearly and conspicuously disclosed in advertisements. In addition to the issues specifically identified in the ANPR, these topics would be well-suited for comment prior to the January 9 comment deadline.
Potential Obstacles to a Far-Reaching “Junk Fees” Rule
As we’ve discussed in prior posts (see here and here), the FTC’s authority to promulgate rules is limited because it must meet a number of substantive and procedural requirements along the way, including making a finding that the prohibited unfair or deceptive practices are prevalent, explaining how the rule prohibits such prevalent unfair and deceptive practices, and analyzing the economic effect of the rule.
In a dissenting statement, Commissioner Wilson raised both procedural and substantive questions related to the ANPR. While noting her agreement in principle in ensuring that consumers (1) have access to sufficient information to make informed decisions and (2) are not charged for products or services they did not agree to purchase, Commissioner Wilson questioned the need for a rule, particularly one of the potential breadth suggested in the ANPR. Along those lines, the rule is likely to implicate “vast economic and political significance,” which could in turn raise constitutional questions under the Supreme Court’s recent decision in West Virginia v. EPA.
Commissioner Wilson also questioned whether a rule was necessary in the first place, given that the FTC has initiated enforcement actions to prevent unfair and deceptive fee practices and is specifically empowered under certain statutes like the Truth in Lending Act and the Restore Online Shoppers’ Confidence Act to obtain civil penalties for violations.
How Does this Relate to the CFPB’s Junk Fees Initiative?
The CFPB – with former FTC Commissioner Rohit Chopra at the helm – has previously led the charge against “junk fees.” Indeed, back in January 2022, the CFPB issued a request for information on back-end junk fees charged in connection with consumer financial products and services. And last month, the CFPB issued guidance warning companies that it planned to bring enforcement actions under its unfairness authority where companies charge overdraft and depositor fees that a consumer would not reasonably expect.
But, as recognized in the FTC’s ANPR, the CFPB’s authority is limited to consumer financial products or services. Enter Chair Khan and the FTC’s ANPR, which by its own account is intended to be far-reaching and address fees across a wide array of industries. Time will tell, but it’s possible that the CFPB charted the path for an FTC rule that will ultimately have a much more profound and widespread effect.
Multistate Google Adtech Litigation Continues: A coalition of seventeen states, led by Texas Attorney General Ken Paxton, sued Google in December 2020 alleging antitrust and deceptive trade practice violations over the dominant role Google plays in the adtech market. That case was ultimately transferred to an MDL in New York along with other private actions brought against Google. On September 13, 2022, Judge Castel, who is overseeing the MDL, largely denied a motion to dismiss brought by Google, allowing all claims except one to continue. Attorney General Paxton declared a major victory with this continued case, claiming Google “abused its monopoly power by harming consumers to reap billions in monopoly profits.” A lot is at stake in this case – not just for Google but for the entire adtech market.
California Sues Amazon: On September 14, 2022, California Attorney General Rob Bonta sued Amazon alleging it abused its market dominance and violated California’s Unfair Competition Law in its contracts with merchants selling on its platform. Specifically, those agreements prohibit merchants from selling their goods through other channels at a lower price than on Amazon, and include stiff penalties should a merchant do so. This case is similar to one brought by District of Columbia Attorney General Karl Racine; however, that case was dismissed in early 2022. AG Racine has not given up the fight, however, having filed a notice of appeal in August 2022.
Arizona Settles with Google: In very recent news, on October 4, 2022, Arizona Attorney General Mark Brnovich settled a 2020 lawsuit he brought against Google over its mobile geolocation tracking. In that suit, Arizona alleged that Google used “dark patterns” to make it difficult for consumers to turn off location tracking, and that even when settings were turned “off,” Google was still able to track a user’s location. While there is no injunctive relief, the settlement requires Google to pay $85 million, $5 million of which is directed by the AG for educational purposes. This includes payment to “a bipartisan association or forum of state attorneys general that provides programming to current attorneys general regarding consumer protection issues, to develop programs to rectify alleged violations of consumer protection laws and, specifically, for programs to educate and assist state attorneys general regarding consumer fraud act cases and digital privacy” (an interesting component for those following several AGs’ recent criticism of the National Association of Attorneys General). The settlement value sets a new standard for AG enforcement actions against the company, with General Brnovich noting it is the highest per capita settlement against Google for consumer protection or privacy violations. That number becomes even more daunting when you consider that litigation continues in several other states against Google over similar allegations.
Content Moderation Laws Continue to be Subject of Legal Fights: We previously discussed the Texas and Florida laws that were designed to rein in the content moderation practices of large social media companies. In Texas the law broadly prohibits content moderation based on viewpoint, and in Florida the law prohibits deplatforming of political candidates. In May, the 11th Circuit Court of Appeals found the Florida law to be unconstitutional – because the companies are private actors, the State cannot tell them what they must or can’t allow on their platform. In considering the Texas law, however, the 5th Circuit reached a different conclusion, finding that the law was constitutional and could be enforced, characterizing the social media companies’ conduct as censorship and noting there is no constitutional right to moderate content. The Supreme Court has already announced it will take up the boundaries of Section 230 immunity this term in the Gonzalez v. Google case, and it is likely that the Court, which has already expressed interest in these laws, will ultimately decide how to resolve these conflicting interpretations of the First Amendment.
AGs Focus on AI: State Attorneys General have made clear they intend to use their consumer protection authority to examine businesses’ use of automated decision making technology in delivering consumers goods and services. One area of focus especially for Democratic AGs is the potential for bias – for example California AG Bonta’s recently announced initiative in August to examine racial and ethnic bias in healthcare algorithms. Earlier in August, during a panel at the NAAG Presidential Initiative, AGs discussed other potential areas of concern, including the privacy implications of the collection and use of the data, and ensuring that consumers, and the companies themselves, understand how the technology works.
And these developments are all in addition to the ongoing work AGs have previously announced, including importantly investigations into Instagram and TikTok relating to potential harm to children using their platforms. All of these efforts will no doubt shape consumer protection priorities by the AGs for the rest of 2022 and for years to come, and we will keep you updated on their efforts.
Responding to the industry’s need for a solution, the Interactive Advertising Bureau (IAB), working with various stakeholders, has prepared the Multi-State Privacy Agreement (MSPA). The MSPA is designed to help publishers, advertisers, agencies, and adtech intermediaries address some of these privacy contract and choice obligations throughout the supply chain, while also providing publishers and advertisers with flexibility in operationalizing on a national basis or applying state-specific approaches.
Please join us for a discussion on Thursday, September 29, at 1:00 pm Eastern with IAB’s Michael Hahn and Tony Ficarrotta to discuss the structure of the MSPA and how the MSPA solves significant digital advertising industry compliance challenges. The discussion will also cover the changing regulatory landscape, such as the California Privacy Protection Agency’s rulemaking process, and how the MSPA is positioned to respond to those changes.
Please register here to attend this event.
As workforces become increasingly mobile and remote work is more the norm, employers face the challenge of balancing the protection of their employees’ personal data and privacy against the need to collect and process personal data to recruit, support and monitor their workforces. Mounting regulations attempt to curb employers’ ability to gather and utilize employee data—from its historical use in processing employee benefits and leave requests to employers’ collection, use or retention of employees’ biometric data to ensure the security of the organization’s financial or other sensitive information systems. Learn what employers can do now to protect employee data and prepare for the growing wave of data privacy laws impacting the collection and use of employee personal data.
Avoiding Price Gouging Claims
Wednesday, August 3
Recently State Attorneys General, the House Judiciary Committee, and many others have weighed in on rising prices in an attempt to weed out price gouging and other forms of what they deem “corporate profiteering.” States and federal regulators are carefully looking at pricing as consumers and constituents become more sensitive to the latest changes and price gouging enforcement is an avenue states may be able to use to appease the public. Unlike other emergencies in the past, the current state of supply chain and labor shortages, along with skyrocketing costs for businesses, make it unrealistic for companies to simply put a freeze on any price increases. This webinar will cover:
• The basics of price gouging laws and related state emergency declarations and how to comply
• The differences and varied complexities in state laws
• General best practice tips
• How AGs prioritize enforcement
* * * *
Find more upcoming sessions, links to replays and more here
State Attorneys General 101
Please join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Senior Associate Beth Chun and Abby Stempson, Director of the Center for Consumer Protection, National Association of Attorneys General (NAAG) for State Attorneys General 101. This webinar will cover the basics of State AG consumer protection powers, what to expect if you find yourself a target of an attorney general investigation, how to look to state attorneys general to stop improper actions of competitors, and more. RSVP HERE
IAB Public Policy & Legal Summit 2022
Kelley Drye is a premier sponsor of the IAB Public Policy & Legal Summit 2022, which brings together global leaders in advertising, media, technology, and the government to discuss how organizations can lean into the coming transitions and find solutions that will enable them to build a sustainable and consumer-centric media and marketing ecosystem. Privacy practice Chair Alysa Hutnik (Solving for State Privacy Law Complexity: CPA, VCDPA, UCPA, and Beyond) and Of Counsel Jessica Rich (The FTC During the Biden Administration) will speak at this free virtual summit today. REGISTER HERE
This complimentary event is by invitation only. If you or a colleague are interested in receiving an invitation, please contact [email protected].
Prop 65
Our friends at Kelley Green Law Blog get the starting position for this issue by highlighting a precipitous uptick in the number of Prop 65 filings over the prior year. While the Covid-19 pandemic caused all sorts of disruptions to society and the economy, at least one area of business has thrived over the last two years: private plaintiff enforcement of California Proposition 65. In 2020-2021, over 40% more Prop 65 actions were brought by private plaintiff “bounty hunters” than in the two years prior to the pandemic (2018-2019). Compared to a decade ago, private plaintiff groups now initiate three times more Prop 65 actions each year, and five times more than in 2008. Learn more here about the most frequently cited chemicals and those that are emerging, including PFAS.
Notable Dishes From the Food Court
The close of 2021 included two notable class action decisions for the food industry. In the first, Bolden v. Barilla America, Inc., the Northern District of Illinois denied a motion to dismiss various state law consumer fraud and express warranty claims alleging that Barilla deceptively labeled its pasta sauces as containing no preservatives, even though the products contain the known preservative citric acid. However, the court granted Barilla’s motion to dismiss the implied warranty claim for lack of privity, and also dismissed the negligent misrepresentation claim because it was barred by the economic loss doctrine. The court also denied the plaintiffs’ request for injunctive relief, ruling that they could avoid Barilla’s allegedly deceptive products by purchasing other branded sauces.
In the second, Warren v. Whole Foods Market Group, Inc., the Eastern District of New York dismissed claims that Whole Foods Markets tricked consumers into believing its instant oatmeal product was sugar-free or low in sugar by using allegedly misleading phrases such as “dehydrated cane juice solids” and displaying a picture of fresh raspberries on the label. The court found that, in the absence of any express claim that the product was sugar-free or low in sugar, consumers are “trained to look” to the ingredient list, which disclosed the use of dehydrated cane juice solids, and found it “improbable” that reasonable consumers would gloss over the words “Sugar 11 g,” which were prominently displayed in the nutrition panel immediately next to the ingredient list and, in the court’s view, “hard to miss.”
In January, the Southern District of New York followed the overwhelming number of courts that dismissed “vanilla” claims throughout 2021. In this most recent case, Santiful v. Wegmans Food Markets, Inc., the plaintiffs had alleged that the use of the words “vanilla” and “naturally flavored” on the label of Wegmans’ Gluten Free Vanilla Cake Mix misled consumers into believing that the product was flavored mainly from vanilla beans when it allegedly contained artificial flavors. The court disagreed, finding that the vanilla representations conveyed to consumers the flavor of the product rather than the specific ingredients used to impart that flavor. As to the artificial flavoring aspect of the complaint, the court held that that because the ingredients that contributed to the vanilla flavoring (ethyl vanillin, vanillin, maltol and piperol) can be artificial or natural depending on how they are derived, the plaintiffs were required to allege exactly how these ingredients were derived for this product. Because they had not done so, the court dismissed the complaint but permitted the plaintiffs to file an amended complaint.
Food Filings Trends
Furthering one of the growing trends of the last year, 2021 ended and 2022 started with a number of new “ingredient” class actions, including three suits challenging the use of non-dairy ingredients in “fudge”-based products, as well as others challenging the use (or rather, lack of use) of real cinnamon in cinnamon-flavored cereal, the lack of butter in “butter snaps pretzels,” and the minimal use of whole grains in various cracker products. We also saw a number of new “natural” and “preservative-free” lawsuits, and multiple new lawsuits challenging “healthy” marketing claims and protein content claims.
Hot Tip: For those reviewing or refreshing food labels, here are a couple of practical watch-outs:
What’s in a name? NAD determined that Goli Nutrition had a reasonable basis for use of the name Apple Cider Vinegar (ACV) Gummies but also found that the advertiser could not substantiate that the gummies provided the health benefits typically associated with ACV and thus recommended that the advertiser qualify the use of ACV – including in the product name – to avoid conveying unsupported health benefit claims.
In a challenge brought by Bragg Live Food Products, maker of a competing apple cider vinegar shot, Bragg took issue with Goli’s use of “apple cider vinegar” in the product name, alleging that they do not contain enough acetic acid to qualify as apple cider vinegar or an ACV supplement. As such, Bragg also alleged that Goli's use of the term "vinegar" in the product name and labeling runs afoul of FDA labeling requirements and Goli’s gummies have little chemical similarity to apple cider vinegar or a true ACV supplement.
More specifically, Bragg alleged that Goli’s gummies did not have sufficient acetic acid to be labeled “vinegar” per FDA’s regulations and also fell short of the 5% naturally occurring acetic acid concentration found in traditional ACV. Goli countered that its ingredient is made from dehydrated apple cider vinegar. In support of its argument, Goli submitted Specification and Cook Sheets indicating that the apple cider vinegar powder component contained 5.88% acetic acid along with multiple laboratory tests demonstrating acetic acid at 25-33 mg. Based on this, NAD determined that Goli had established a reasonable basis for its product name.
NAD then examined Goli’s advertising for its ACV product, which “created a powerful connection between the product and the expected health benefits of ACV” based on the combination of visual imagery and product scenes featured in ads. In evaluating the substantiation for those claims, NAD noted that the accepted threshold dose of liquid apple cider vinegar is one tablespoon, which delivers 750 mg of acetic acid. When consumed as directed or even at a modified dose, NAD found that the Goli gummies provided far less than 750 mg of acetic acid and that the advertiser did not provide support for a health benefit below that level. As such, NAD recommended that Goli discontinue or modify its advertising to avoid conveying the unsupported message that the amount of ACV contained in its gummies is associated with the health benefits of traditional liquid ACV. NAD noted that this includes modifying or qualifying the use of “Apple Cider Vinegar,” “ACV,” or “Vinegar,” including in its product name, when in the context of the challenged advertising so as to avoid conveying an unsupported implied health message.
Unsurprisingly, Goli is appealing the decision to the NARB. Given the popularity of ACV and gummies generally, this is one to watch.
***
Across the pond, the UK’s ASA roasted Oatly’s climate-friendly claims for conveying messages beyond the limits of the substantiation. If you aren’t already following the trends regarding green claims and false advertising litigation, check out these posts to help get up to speed on related NAD decisions regarding sustainability in the fashion industry, a new California recycling law, and litigation around corporate aspirational environmental statements. These trends are only going to continue.
FDA
The big news at FDA is that the agency finally has a confirmed commissioner after over a year without one. Dr. Robert Califf was narrowly confirmed by the Senate earlier this week.
In a sign of things getting back to “normal,” FDA also announced that it will be resuming in-person inspections for domestic facilities.
FDA released a list of guidance topics that the FDA Foods Programs expects to publish by the end of December 2022, which includes the following:
***
The FTC and State AGs
The FTC and state attorneys general are also hard at work. Companies that offer a subscription service or autoship options will want to pay attention to guidance and enforcement regarding allegedly deceptive practices, now branded as “dark patterns”. See here and here for our expert analysis on these topics.
And finally, in-house counsel should check on whether their marketers may be cherry-picking reviews in a way that could be deceptive. The FTC’s settlement with Fashion Nova regarding failure to post negative reviews is a helpful lesson for any company that curates reviews, whether manually or by algorithm.
***
We’ll see you next month with more developments. In the meantime, check out Ad Law Access, Cannabis Law Update, and Kelley Green Law blogs for regular updates.
Need Help Talking To Dad About Milk?
The UK’s Advertising Standards Authority (ASA) recently investigated advertising by Oatly for advertisements that allegedly overstated the environmental benefits of the popular oat-based beverage. Here’s an example:
The first TV ad, seen on January 16 2021, featured a man sneaking into his home and putting a bottle of milk in the fridge. He was interrupted by his son who said, “What have we here? Cow’s milk? Really?” Large, on-screen text stated “NEED HELP TALKING TO DAD ABOUT MILK?”. Smaller text at the bottom of the screen stated “Oatly generates 73% less CO2e vs. milk, calculated from grower to grocer. To verify see www.oatly.com/helpdad”.
The ASA found the “Need Help Talking to Dad About Milk” ad to be misleading not because the life cycle assessment conducted to support the claims was not sufficiently robust to support a benefit. Rather, the substantiation was limited to Oatly’s Barista Edition but the ad and the disclosure could reasonably be understood to apply to all Oatly products. Because of this gap, the ASA found the ads misleading.
What’s the takeaway? The ASA’s decision, which also covers four other ads, is worth a read by any food company considering how to substantiate environmental claims. There are valuable insights from a technical perspective, including detailed discussion of life cycle analyses for Oatly’s product as well as the dairy, meat, and transportation industries.
There is also a focus on less complex but equally important features for food marketers – such as the consumer understanding of what is included in references to the “meat industry” or the “dairy industry”. Because consumers could interpret “dairy and meat” more narrowly than how Oatly did, the ASA found the claim "Today, more than 25% of the world's greenhouse gases are generated by the food industry, and meat and dairy account for more than half of that" to be misleading.
Stepping back, the biggest issue with Oatly’s advertising wasn’t that the company didn’t have robust substantiation for some claims. It appears that they did. The claims reasonably conveyed didn’t match the limitations and definitions in their substantiation, though, and this wasn’t made clear to consumers.
In Part One of this discussion, we provided background on the concept of dark patterns and analyzed some recent examples from State AG enforcement. We concluded that, in alleging dark patterns, State AGs are building primarily on existing precedent governing deception and unfairness but also are trying to push the envelope. Whereas earlier precedent mostly focused on false and hidden information, some of the States’ current allegations lean more towards coercion and the impairment of voluntary action.
In this post (Part Two), we examine the FTC’s approach to this issue, now and in the past. Here, we conclude that, despite the new terminology, the practices that comprise today’s dark patterns have been core elements of FTC law and policy for years. So far – and we emphasize so far – dark patterns is a catchy (and catch-all) name for a variety of longstanding and well-known practices that trick people into making choices that they would not otherwise make.
Dark Patterns Today
During the last year, the main actions the FTC has taken on dark patterns were to (1) hold a workshop on the topic, (2) issue a policy statement on their use in negative option marketing, and (3) announce that the FTC’s planned rulemaking on “surveillance-based business models” will address dark patterns.
The workshop identified a range of conduct classified as dark patterns, some of which is classic deception (e.g., not disclosing up-front fees) and some of which would be more of a stretch under existing law (e.g., language denigrating a particular choice, like “no thanks, I don’t want to save money.”) As of this writing, the FTC hasn’t issued a report on the workshop and hasn’t announced any cases challenging practices in the “stretch” category.
Meanwhile, the policy statement on negative option marketing (described in the FTC’s press release as part of a “ramp up” on dark patterns) is largely a summary of prior cases based on the FTC Act, the Restore Online Confidence Act, the Telemarketing Sales Rule, and other laws and rules. The extensive precedent it cites – which includes dozens of cases addressing misleading or hidden disclosures, as well as burdensome cancellation and refund procedures – demonstrates the FTC’s long track record of addressing dark patterns, by whatever name.
Finally, the rulemaking to address “surveillance” and dark patterns has not yet been initiated.
Dark Patterns of Yesteryear
A trip down memory lane reveals an abundance of other FTC actions (beyond negative option marketing) to address the tricks and obfuscation now known as “dark patterns.” Here are just some of them:
Of course, the fact that “dark patterns” aren’t new at the FTC doesn’t mean they’re not important. To the contrary, it means that the FTC’s renewed interest in this area rests on solid precedent and deserves attention. Just as we stated with respect to State efforts here, companies should take extra care in designing their disclosures, purchase flows, cancellation methods, and other communications to steer clear of marketing techniques that cross the line into dark patterns.
We will continue to monitor this issue on both the state and federal fronts and post updates as they occur.
What are “Dark Patterns?”
There are a number of definitions of “dark patterns” that are bandied about. Darkpatterns.org calls them, “tricks used in websites and apps that make you do things that you didn’t mean to, like buying or signing up for something.” In the Colorado Privacy Act, dark patterns are defined as, “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” And in the recent Google lawsuits, each State defined dark patterns as, “deceptive design choices that take advantage of behavioral tendencies to manipulate users to make choices for the designer’s benefit and to the user’s detriment.”
In other words, “dark patterns” are practices or formats that manipulate or mislead consumers into taking actions they would not otherwise take, or want to take. In part one of our analysis, we’re going to take a closer look at a couple of recent State Attorney General (AG) multistate actions to see whether “dark patterns” is really a new concept.
Examples from Recent State AG Enforcement
In 2019, the District of Columbia and Nebraska AGs sued Marriott and Hilton respectively, alleging deception in their charging of “resort fees.” In neither suit will you find the phrase “dark pattern,” but both cases allege that hotel chains designed the online customer flow to obscure fees, impairing consumers’ ability to comparison shop and ultimately affecting their ability to make an informed choice. While these cases are still pending, the basic deception theory asserted is similar to past AG actions, for example in the subscription service space, where AGs alleged that sales flows that steer consumers into a subscription while failing to prominently disclose the recurring nature of the charge violate their unfair and deceptive trade practice laws.
Last week’s Google lawsuits have a very similar feel. Many of the factual allegations described as “dark patterns” fall cleanly in a traditional deception analysis – for example allegations that Google fails to adequately disclose location collection settings or uses misleading in-product prompts that misrepresent the need for location information or the effect on the functionality of the product. But what about some of the other factual allegations found in the lawsuits, such as Google, “repeatedly ‘nudging’ users to enable Google Account settings” or that Google fails to sufficiently emphasize the advertising and monetary benefits to Google of obtaining location information? Indiana and the District of Columbia both allege that Google is engaging in an unfair practice by “employing user interfaces that make it difficult for consumers to deny Google access to and use of their location information, including making location-related user controls difficult to find and repeatedly prompting users who previously declined or disabled location-related controls to enable those controls.”
But despite calling it a dark pattern, two core components of these allegations hold true in all the enforcement actions discussed: 1) the conduct was allegedly the result of affirmative intentional conduct in designing the product or service, and 2) there was a necessary impact on consumers, impairing their ability to make an informed choice. In other words, it isn’t just that pop-ups or even multiple notices try to persuade consumers to make a choice. Rather, the pop-ups and notices are designed in a way that impairs the consumer’s ability to voluntarily make that choice.
It remains to be seen whether the States will be successful in the actions discussed here, but one should not assume that their use of the phrase “dark patterns” will create a new standard under the law. Indeed, courts will analyze the facts under the legal standard alleged (deception or unfairness) just as they always did. Nevertheless, companies should take note that States may be putting a renewed emphasis on practices and formats that undermine choice, and be sure to seek counsel in designing their purchase flows, cancellation methods, and other consumer communications so they don’t subject themselves to similar allegations.
Stay Tuned for Part Two
In part two, we’ll look at recent FTC enforcement trends and whether or not “dark patterns” are creating a new standard in the federal arena.
Subscribe to Kelley Drye's Ad Law Access blog here.
Background
On Tuesday, Congressional Democrats unveiled a new bill to outlaw a wide swath of targeted advertising. The Banning Surveillance Advertising Act would prohibit ad tech companies from using consumers’ personal information to target ads, with limited exceptions. It also would prohibit advertisers from using third party data, or data about a person’s membership in a protected class, to target ads. The bill would authorize the FTC, state attorneys general, and private litigants to enforce the law, and the FTC to write rules implementing it.
The effort, led by Senator Cory Booker (D-NJ) and Congresswomen Anna Eshoo (D-CA) and Jan Schakowsky (D-IL), arrives at a time of unprecedented regulatory developments impacting the ad tech industry – most notably, the enactment of new state privacy laws in California, Virginia, and Colorado with provisions regulating the industry. While these privacy laws have focused on giving consumers the opportunity to make choices about data sharing for purposes of targeted advertising, the Banning Surveillance Advertising Act would place blanket prohibitions on such advertising. As we describe here, the FTC has also announced that it is developing a rule targeting “surveillance-based business models,” though the contours of that rule are still unknown.
In a press release, Senator Booker explained his view that “surveillance advertising is a predatory and invasive practice. The hoarding of people’s personal data not only abuses privacy, but also drives the spread of misinformation, domestic extremism, racial division, and violence.” Echoing Booker, Rep. Eshoo said that the practice “fuels disinformation, discrimination, voter suppression, privacy abuses, and so many other harms.” Rep. Schakowsky, who chairs the House Energy and Commerce Consumer Protection Subcommittee, said the practice “exacerbates manipulation, discrimination, misinformation, and extremism.”
Given the dramatic changes that the bill would impose on the marketplace, it is not surprising that industry groups have already criticized it forcefully. In a press release today, IAB stated that the bill would “disenfranchise businesses that advertise on the Internet, and hundreds of millions of Americans who use it every day to find exactly what they need, quickly,” and that it could “eliminate the commercial internet almost entirely.”
Contextual Ads Would Be Permitted
In a background brief, the legislators wrote that they recognize certain benefits of advertising online, but believe that advertisers do not need to use personal data to effectively target advertising. “Advertising enables many of the ‘free’ internet products that exist today, and it enables small businesses, nonprofits, and challenger politicians to cheaply reach customer, funders, and voters,” the legislators wrote. But, according to the brief, “targeted ads only yield a 4% bump in efficacy for advertisers over contextual ads” (i.e., ads based on the content of a website the consumer is viewing, as opposed to the consumer’s personal information or browsing history). As a result, the bill would allow contextual advertising.
Some First-Party Ads Would Be Permitted
As drafted, the bill focuses primarily on banning targeted advertising based on third party data rather than first party data. For example, brands would be able to target their own customers using first party data but not third party data. Brands also would be able to provide ad tech companies with first party data for targeted advertising (including for purposes of re-targeting), as long as the advertiser certifies to compliance with the proposed law. However, the bill would strictly prohibit any targeting by advertisers that is based on an individual’s membership in a protected class.
The bill also focuses on targeting consumers based on “personal information,” defined as data linked or reasonably linkable to an individual or a connected device. This definition appears to leave room for targeted advertising based on data that has been de-identified in some form.
Here’s a summary of what would be banned and permitted under the new legislation:
Summary of Conduct that Would Be Banned
Summary of Conduct that Would Be Permitted
* * *
The prospects for Congress actually enacting this bill (or a similar one) are not at all clear at this time. However, the bill is yet another sign that digital advertising is under scrutiny, and that policymakers are pushing companies to provide greater transparency and more robust privacy protections for the collection, use, and sharing of consumers’ personal data for advertising purposes.
We will continue to track data privacy bills as they make their way through the legislative process and post updates here.
Privacy Priorities for 2022: Legal and Tech Developments to Track and Tackle
Wednesday, January 26 at 4:00pm ET / 1:00pm PT
Privacy compliance is a daunting task, particularly when the legal and tech landscape keeps shifting. Many companies are still updating their privacy compliance programs to address CCPA requirements, FTC warnings on avoiding dark patterns and unauthorized data sharing, and tech platform disclosure, consent, and data sharing changes. But in the not too distant future, new privacy laws in California, Colorado, and Virginia also will go into effect. Addressing these expanded obligations requires budget, prioritizing action items, and keeping up to date on privacy technology innovations that can help make some tasks more scalable.
This joint webinar with Kelley Drye’s Privacy Team and Ketch, a data control and programmatic privacy platform, will highlight key legal and self-regulatory developments to monitor, along with practical considerations for how to tackle these changes over the course of the year. This will be the first in a series of practical privacy webinars by Kelley Drye to help you keep up with key developments, ask questions, and suggest topics that you would like to see covered in greater depth.
Similar to the FTC’s Mail Order Rule, Section 17538(a) of California’s Business Code requires that companies offering products online ship products within 30 days and, if they can’t meet that timing, they must provide a refund, send equivalent or superior replacement products, or provide the buyer with a written notice regarding the delay. The delay notices must include information like the expected duration of the delay and an offer of a refund, upon request.
The state also alleges that the defendants made untrue or misleading statements regarding the ability to ship products within a certain timeframe, particularly where customers paid an additional charge for expedited shipping, in violation of Business and Professions Code section 17500. In addition, the Complaint includes allegations that the companies failed to disclose logistical limitations to consumers, in violation of California Civil Code section 1770.
We have previously warned about FTC scrutiny regarding shipping delays, particularly regarding COVID-related products, and this case is a reminder that states are also watching. As the holiday season approaches, companies should review current shipping representations and related notices for compliance and consider modifications in anticipation of unexpected delays.
Update: On November 8, the Los Angeles County District Attorney's Office announced that Yeezy had agreed to pay $950,000 to settle the lawsuit.
Jessica and Laura join our impressive list of former FTC officials, including the firm’s managing partner, Dana Rosenfeld, who served as Assistant Director of BCP and attorney advisor to FTC Chairman Robert Pitofsky, former Bureau Directors Bill MacLeod and Jodie Bernstein, as well as Aaron Burstein, who served as senior legal advisor to FTC Commissioner Julie Brill.
Jessica served at the FTC for 26 years and led major initiatives on privacy, data security, and financial consumer protection. She is credited with expanding the FTC’s expertise in technology and was the driver behind FTC policy reports relating to mobile apps, data brokers and Big Data, the Internet of Things, and federal privacy legislation. She also directed the agency’s development of significant privacy rules, including the Children’s Online Privacy Protection Rule and Gramm-Leach-Bliley Safeguards Rule. She is a recipient of the FTC Chairman’s Award, the agency’s highest award for meritorious service and the first-ever recipient of the Future of Privacy Forum’s Leadership Award. Jessica is also a fellow at Georgetown University’s Institute for Technology Law & Policy. Prior to joining Georgetown, she was an Independent Consultant with Privacy for America, a business coalition focused on developing a framework for federal privacy legislation.
Laura also brings significant experience to Kelley Drye. As Assistant Director for the FTC’s Division of Privacy & Identity Protection, Laura led the investigation and prosecution of matters relating to consumer privacy, credit reporting, identity theft, and information security. Her work included investigation initiation, pre-trial resolution, trial preparation, and trial practice relating to unreasonable software security, mobile operating system security update practices, and many other information privacy and identity protection issues. She joins the firm from AT&T where she served as an Assistant Vice President – Senior Legal Counsel advising business clients on consumer protection risks, developing and executing strategies in response to regulatory inquiries, and participating in policy initiatives within the company and across industry.
Jessica and Laura are an impressive duo and are sure to be an asset to our clients as they prepare for the future of privacy and evolving consumer protection law.
* * *
Subscribe here to Kelley Drye’s Ad Law News and Views newsletter to see another side of Jessica, Laura and others in our second annual Back to School issue. Subscribe to our Ad Law Access blog here.
Competitors were quick to flag the claim, and many touted their own successes in a similar manner. For example, Ole Miss Football tweeted that “an Ole Miss Rebel has won every Super Bowl,” but added its own fine-print qualifier: “Except for the ones they didn’t.”
The Nittany Lions took the jokes in stride, and later tweeted an updated graphic with a clearer disclosure, noting that “no magnifying glass [was] needed for this one.” No harm, no foul.
Had Penn State’s tweet been an advertisement, this case could have turned out differently. Companies can face legal consequences for making exaggerated claims in ads, and fine print disclosures are unlikely to save them.
Laugh now, and feel free to create your own memes. But when you go back to drafting ad copy, remember the wise words of Lesley Fair: “What the headline giveth, the footnote cannot taketh away.”
These cases are notable because they are the first cases, but also because it took the Commission over 5 years to bring the first, leaving the Act completely unenforced for years. While the release suggests the investigation was complex, detection was likely easy. Brokers are usually fairly visible to the public. The Commission likely found them online, subpoenaed their records and software, and hired a forensic specialist to peel apart the code. These cases raise serious issues for brokers who use automated purchasing software to purchase tickets for resale, although it remains to be seen whether these enforcement actions will be a one-off signal to brokers that the Commission is watching or something more common. Acting Chair Slaughter’s concurring statement would seem to suggest that there will be more during her tenure.
For more information on the FTC, advertising, marketing, and privacy law, subscribe to Kelley Drye's Ad Law Access blog and podcast and visit the Advertising and Privacy Law Resource Center. Additional Kelley Drye resources can be found here.
October 13
Futureproofing Privacy Programs
Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they operate. Of course, companies must anticipate and adapt to changing privacy regulations as well.
In conjunction with Canadian firm nNovation LLP, Privacy and Information Security practice chair Alysa Hutnik and partner Aaron Burstein will present strategies to help meet these challenges, with a focus on setting up structures to join local awareness with global compliance approaches.
October 20
New Frontiers of the Intersection Between Privacy Laws, Antitrust and Misleading Advertising Enforcement
Canadian Bar Association (CBA) 2020 Fall Competition Law Conference
The Bureau is pushing the boundaries of the intersection between competition and privacy laws, and the pandemic has accelerated pre-existing trends in digital enforcement. The FTC is similarly continuing to pursue robust enforcement in cutting-edge areas such as data privacy and fintech. Join Alysa Hutnik and a host of others for this session for a conversation on misleading advertising priorities in Canada and the U.S. in the digital economy.
Join partner Gonzalo Mon for this session, which will cover important principles of advertising law, including prerequisites to prove your claims, the type of proof required, how to make disclosures, and application of these principles to social media. In addition, it will cover options for challenging competitors. Whether new or experienced to advertising, this session will give you down-to-earth information you need to put later sessions into context. This presentation will put a great new spin on important topics.
October 21
2020 Election Outlook: An In-Depth Analysis of the Race for the White House and Congress
Please join Kelley Drye's Government Relations and Public Policy Group as we present a bipartisan assessment of the upcoming 2020 elections. Election analysts Greg Speed and Jim Ellis will provide a detailed and data-packed assessment of the current state of play in the race for the White House. In addition, they will cover key Senate and House races and the prospects for control of both chambers in the upcoming 117th Congress.
November 10, 2020
The Future of Consumer Protection and Privacy - What to Expect from the FTC
As the election approaches, our government prepares for a transition – either to the second term under President Trump or to the Biden Administration. As this is occurring, consumer protection law also finds itself in transition. Partners Christie Grymes Thompson and John Villafranco will focus on what this means, in terms of recent enforcement activities and priorities related to privacy, data security, marketing, advertising, and other areas of consumer protection.
For on-demand webinar replays and other content organized around Advertising and Marketing Standards, Privacy and Data Security and Consumer Product Safety, visit the Advertising and Privacy Law Resource Center microsite. Available via www.KelleyDrye.com, the site provides practical, relevant information to help in-house counsel answer the questions and solve the problems that they face on a daily basis.
According to the lawsuit, Dunkin’ customers with “DD Perks” accounts were first targeted in early 2015 in a series of “credential stuffing attacks” — which were automated attempts to gain access to accounts using usernames and passwords stolen through security breaches of other unrelated websites.
Allegedly, the maker of the Dunkin app repeatedly warned Dunkin of these attacks, but Dunkin' failed to conduct an investigation into the attacks to identify which accounts had been compromised, what customer information may have been acquired, and whether customer funds had been stolen. The lawsuit alleged that the 2015 incident impacted nearly 20,000 customers and the subsequent 2018 hack affected another roughly 300,000 customers.
Dunkin provided a statement on Tuesday refuting the claims and stating that they provided notifications and reset passwords for many affected by these breaches. They also state that they increased their security measures prior to the settlement.
Under the terms of the settlement with the Attorney General, Dunkin will be required to notify customers impacted by the attacks, reset those customers’ passwords, and provide refunds for any unauthorized use of customers’ stored value cards. The company must also maintain safeguards to protect against similar attacks in the future, follow incident response procedures when an attack occurs, and pay $650,000 in penalties and costs to New York state.
The full text of the settlement is available here. This case is a good reminder for companies to ensure they have an appropriate data security program in place to address and respond to breaches should the need arise, including those that may be limited to online account credentials.
For more information on this and other topics, visit: