A child posted a photo on his Instagram account of himself and a cousin wearing 1 Hotel branded robes at one of their hotels. 1 Hotel commented on the post stating: “We love this photo! Reply to this comment with #sharemy1pic if you’re happy with us sharing your photo on our social channels.” The child’s account responded: “@1hotels thank you! #sharemy1pic.” 1 Hotel then used the photo on its Instagram account. It later also posted the photo on its website to sell the robes in the photo.

Two years after the photo was posted, the plaintiffs obtained a copyright registration for the photo. The plaintiff later filed a lawsuit against 1 Hotel in the Central District of California, alleging (among other things) that the hotel’s use of the photo constituted copyright infringement and unauthorized use of the child’s likeness. The hotel then filed a motion to dismiss.

All causes of action were dismissed for different reasons, but some will likely be revived because the plaintiffs were given the opportunity to amend a few of them so that they were passable under the applicable pleading standards. Importantly though, the court substantively determined that the exchange between the plaintiff and hotel on Instagram created an “implied license” to use the photo on the hotel’s “social channels.” (It’s not clear why the license was implied, rather than express.) However, the court found that the hotel may have exceeded the scope of that license by using the photo to sell robes on its website since the exchange never mentioned that. Accordingly, the court denied the hotel’s motion to dismiss the copyright claim on substantive grounds, because there is a material issue of fact as to whether the implied license extended to the sale of robes on a website.

The hotel sought to dismiss the misappropriation claim related to use of the minors’ likenesses by arguing (1) that the plaintiffs consented to the use of the photo, (2) the use was incidental, and (3) the children are not readily identifiable. The court rejected the first argument for the reasons mentioned above. Although the hotel may have had consent to post the photo on its social channels, it may not have had consent to post it on its website. The court also easily found that the use was not incidental and that the children were readily identifiable.

The causes of action referenced above may be litigated further if the Plaintiffs submit an Amended Complaint, but this present decision still includes some helpful lessons for companies that want to use content they find on social media. First, although getting a signed release is likely always the safest approach, companies can likely get consent in a less formal matter, such as the one illustrated above. However, when getting consent, it’s important to be clear about the scope of that consent. Make sure you’re clear about how and where you want to use content to help avoid any surprises (and lawsuits).

According to the Assurance of Discontinuance, the doctor and his wife conducted a variety of schemes to both inflate positive reviews and suppress negative ones. Among their most egregious alleged acts:

The settlement outlines ways in which patients were misled by these deceptive reviews noting that “prospective patients would have been able to ascertain some common complaints voiced by patients . . . including poor bedside manner, poor communication, surprise charges, and not listening to patient concerns.” As such, the prospective patients were “enticed” to book appointments based on “manipulated online profiles.”

The doctor and his practice are required to pay a $100,000 penalty and to take down all fake positive reviews, and use best efforts to notify those with connections asking to remove their reviews. Attorney General Letitia James stressed that these fake reviews were “illegal and unacceptable, particularly for critical services like medical care.”

Takeaways: As we continue to report, state AGs are not slowing down, and are at the front of the fight against fake reviews. But whether it is through a multistate, the FTC, or even a consumer watchdog (like Fake Review Watch which assisted NY AG on this investigation), all eyes are on using any kind of manipulation tactic on reviews.

Stay tuned for our next state AG webinar where we will interview representatives of the National Association of the Attorneys General (NAAG) and the Attorney General Alliance (AGA).

In taking this action, the FTC is relying on its administrative authority to “reopen and modify” orders to address alleged order violations, rather than to press its compliance case in federal court under the FTC Act. In doing so, the FTC seeks to significantly expand the scope and duration of the existing order to cover new conduct. Even against recent examples of aggressive FTC action (see examples here, here, and here), this one markedly stands out. And, in the face of mounting agency losses in challenges to its enforcement authority in Axon and AMG and its aftermath, the Proposed Order is extraordinary.

The Commission voted 3-0 to issue the Proposed Order and accompanying Order to Show Cause. Commissioner Bedoya issued a statement expressing reservations about the “monetization” restrictions described below, specifically questioning whether the provision related to minors’ data is sufficiently related to either the 2012 or 2020 violations or order. Meta has 30 days to answer the FTC’s proposal.

Order to Show Cause

The FTC’s 2020 Consent Order, which was obtained in federal court consistent with prior Commission practice, was itself a modification of a 2012 order. If the FTC adopts the Proposed Order, it would be the third order stemming from a single administrative complaint that was filed more than a decade ago. That alone sets the FTC’s action apart from any other Commission action in memory.

The heavily redacted Order to Show Cause alleges that Meta violated several obligations under the 2020 Consent Order. The FTC did not release its Preliminary Finding of Facts, but it is evident that the first report filed by the independent assessor, Protiviti, under the 2020 Consent Order, is the underlying source behind many of the FTC’s allegations. It is notable that the only unredacted conduct relates to practices that predate entry of the 2020 order, which is strange, given that 2020 order contained terms broadly releasing Meta from all pre-2020 order violations.

Specific alleged order violations include deficiencies in risk assessment and third-party risk management processes, security controls, and transparency practices, among others. The Order to Show Cause also asserts that Meta misrepresented the extent to which third-party developers would have access to users’ nonpublic information. The FTC acknowledges that Meta corrected one of these alleged instances by July 2019, but nonetheless alleges that Meta violated the 2012 Consent Order, Section 5 of the FTC Act, and the COPPA Rule (a Rule not included in the prior orders) during this time period. This, of course, raises the question of why the FTC is moving on this now, fully four years after it was corrected by Meta.

The Proposed Order

The FTC’s Proposed Order would expand the 2020 Consent Order by permanently prohibiting Meta from “[c]ollecting, using, selling, licensing, transferring, sharing, disclosing, or otherwise benefitting from Covered Information from Youth Users” except for specific purposes, such as operating a service, performing authentication, or maintaining security. “Youth Users” include not only children under the age of 13 but also minors who are ages 13 through 17.

This provision specifically prohibits using Youth Users’ information for targeted advertising or to train or improve algorithms models. Although the FTC’s press release focuses on stopping Meta from “monetizing” minors’ data, the Proposed Order goes further by prohibiting Meta from “benefitting” from minors’ data, except as permitted by this paragraph.

The Proposed Order also would require specific safeguards and assessment requirements concerning Youth Users and “enhanced monitoring of higher risk Covered Third Parties” at least once per year.

And, remarkably, it would prohibit Meta from releasing new or modified products, services, or features without written confirmation from the assessor that the Meta privacy program complies with the order’s requirements and presents no material gaps or weaknesses. This is an extraordinary provision that would essentially turn the independent privacy assessor into the master of all new launches on Facebook, Instagram, WhatsApp, and Oculus, among other services.

Why Isn’t this in Federal Court?

The FTC’s authority to reopen an administrative order stems from Section 5(b) of the FTC Act:

[T]he Commission may at any time, after notice and opportunity for hearing, reopen and alter, modify, or set aside, in whole or in part any report or order made or issued by it under this section, whenever in the opinion of the Commission conditions of fact or of law have so changed as to require such action or if the public interest shall so require, . . .

In the past, the FTC has touted how it eases conditions in its orders in response to changes in legal or factual circumstances, usually in response to a respondent’s petition. One relatively recent example comes from 2018, when the FTC granted Sears’ petition to modify its 2009 order to exempt certain first-party, mobile app-based data collection from the order’s opt-in consent requirements. The FTC agreed to modify the definition of “Tracking Application” to exclude software programs that only engage in types of tracking consumers have come to expect, citing changes to the mobile application marketplace that make the collection and transmission of certain types of consumer data critical to support application features expected by consumers. In light of market realities and consumer expectations, the FTC recognized that the original notice and consent requirements were burdensome, unnecessary, counterproductive, and potentially confusing to consumers, who might mistakenly fear that Sears’ applications were unusual or used consumer data in unusual ways.

This decidedly is not what is happening here. The FTC is leveraging § 3.72(b) to attempt to impose new and onerous obligations – without having to make its case in federal court -- based on what it perceives as changed circumstances, not to ease an order obligation as warranted by changed facts and the public interest.

What Happens Next?

The FTC’s Rules of Practice provide scant details about what happens next. According to 16 C.F.R. § 3.72(b), after receiving an answer from Meta, the FTC may determine whether the matter “raises issues of fact to be resolved” and order a hearing. If the briefs for a hearing raise “substantial factual issues,” the Commission may order an evidentiary hearing. It is then up to the Commission to determine whether modifying the order is “in the public interest” – a determination that a court of appeals may review.

At this point, the reach of any such modification is anyone’s guess. The Order to Show Cause asserts that the “changed conditions” include not only violations of FTC orders but also violations of “Section 5, COPPA, and the COPPA Rule,” and that it has “good cause to believe the public interest” and these “changed conditions” require modifying the 2020 Consent Order.

In the end, it may be up to a federal court of appeals to determine whether these assertions are correct. It is also possible, however, that the Supreme Court’s recent decision in Axon clears a path to an early challenge to the Proposed Order in federal district court. In a statement released on the same day as the FTC’s announcement, Meta stated that “[w]e will vigorously fight this action and expect to prevail.”

Overview of the FTC’s Broad View of “Health Information”

BetterHelp is an online counseling service that has registered more than 2 million users since its 2013 inception. When a consumer visits the site, the FTC alleges that she is “immediately prompted to begin” Better Help’s intake questionnaire that asks questions about the consumer’s history of therapy, current mental state, and religious beliefs among other characteristics, and then provides an email address and other information to create an account.

According to the FTC’s complaint, the company violated the FTC Act through its use of advertising pixels or web beacons and by uploading consumers’ “health information” to ad platforms for retargeting and to reach additional prospects. In the FTC’s view, the “health information” that BetterHelp disclosed not only included information about consumers’ past use or current enrollment in the company’s services but also their interest in obtaining therapy. This information was sufficient to “reveal” that consumers were “seeking mental health treatment.”

Specifically, the FTC alleges that the company disclosed consumers’ email addresses, IP addresses, and information about their interest or enrollment in BetterHelp’s services. For instance, BetterHelp made available certain “event” information, such as when consumers “answered certain questions . . . in a certain way” or “when” they enrolled in the company’s services. The FTC also alleges that the company disclosed the contents of certain intake questionnaire responses, such as whether an individual had previously been in counseling and how they answered questions about their financial status.

The complaint implicitly rejects counterarguments that the identifiers at issue were not “personal” information in the first place. For example, BetterHelp “hashed” consumers’ email addresses – converting email addresses “into a sequence of letters and numbers through a cryptographic tool.” The complaint asserts that ad platforms were able to “effectively undo” the hashing and match the underlying email addresses with platform user IDs. The complaint also states, without explanation or qualification, that IP addresses are sufficient to identify individuals, at least within the context of BetterHelp’s practices. The complaint points to a variety of BetterHelp’s past privacy representations, including that the company would “never sell or rent any information you share with us” and that it would share only “anonymous background information” about users. As a result, the FTC alleges, BetterHelp injured consumers and broke its promises that it would not share certain information with third parties or use it for advertising purposes.

No Violation of the Health Breach Notification Rule

Count I of the FTC’s complaint is based on unfairness; it contends that BetterHelp’s failure to employ reasonable measures to protect health information “result[ed] in the improper and unauthorized disclosure of that information to numerous third parties,” which “caused or [is] likely to cause substantial injury to consumers.” To a casual reader, these allegations might seem like they are describing the breach of health information. The FTC, however, did not allege that BetterHelp violated the Health Breach Notification Rule (HBNR). Commissioner Wilson’s concurring statement explains that there are at least two reasons the Commission decided against pursuing an HBNR count: (1) BetterHelp’s conduct ended before the FTC issued its September 2021 HBNR Policy Statement (which we wrote about here); and (2) BetterHelp’s service does not include “records that can be drawn from multiple sources,” as required by the HBNR. This leaves us to wonder whether companies operating in the health space will know whether their apps or services are drawing from multiple sources, subjecting them to potential liability under the HBNR?

The FTC’s Theories of Unfairness

The FTC’s complaint advances at least two theories of consumer injury. First, the complaint alleges that BetterHelp’s disclosure of mental health-related information “is likely to cause [consumers] stigma, embarrassment, and/or emotional distress” and “may also affect [their] ability to obtain and/or retain employment, housing, health insurance, or disability insurance.” Although mental health treatment has been long recognized as deserving special protection, the FTC’s allegations do not distinguish between a consumer’s interest in BetterHelp and the fact that they are receiving mental health services from BetterHelp. This distinction is significant in advertising industry standards and practices, but the FTC’s complaint does not recognize the distinction and offers no limiting principle to apply in other settings or with different types of health information.

Second, the FTC alleges that consumers who enrolled in BetterHelp’s services suffered financial injury. Consumers allegedly paid a “price premium” for the company’s services based on its privacy representations, and “would not have been willing” to pay the going rate for these services had they fully understood the company’s data practices.

These theories of harm underlie the FTC’s two unfairness claims, but the claims do not track with the alleged different injuries. Instead, Count I alleges that BetterHelp’s overall “fail[ure] to employ reasonable measures to protect consumers’ health information” – including insufficient training and third-party contractual data use limitations, and the lack of opt-in consent – was overall unfair. Separately, Count II of the complaint charges that BetterHelp was required to have obtained affirmative express consent before “collecting, using, and disclosing” this information to third parties.

Redress Theory

As part of its settlement, BetterHelp will pay $7.8 million. The proposed settlement order describes the settlement funds as payable to an FTC redress fund, which the FTC explains it will use to “provide partial refunds to people who signed up for and paid for BetterHelp’s services between August 1, 2017 and December 31, 2020.” The legal theory for this relief is not described in the settlement package, although the complaint described the “price premium” BetterHelp theoretically charged for its alleged deceptive privacy assurances. While the Supreme Court’s holding in AMG Capital Management v. FTC prevents the FTC from using its Section 13(b) authority for monetary remedies, parties are free to agree to settlement terms, including regarding redress.

What’s Next?

The FTC is signaling through this settlement and recent actions that using consumer information related to health for advertising purposes without at least enhanced notice and consent risks violations of Section 5. Companies offering health-related products or services should consider:

• If you have a full inventory of the information you’re sharing with third parties through pixels or otherwise.
• Whether you are defining “health information” consistently with where the FTC is drawing lines today.
• Will your existing consumer disclosures withstand the close scrutiny of a regulatory review. For example, do you promise anonymity or privacy?

What's the policy?

Twitter prohibits the promotion of drugs and drug paraphernalia.

Examples of drugs and drug paraphernalia include:

• Illegal drugs
• Recreational and herbal drugs
• Accessories associated with drug use
• Drug dispensaries
• Depictions of hard drug use

United States

We permit approved Cannabis (including CBD– cannabinoids) advertisers to target the United States, subject to the following restrictions:

• Advertisers must be licensed by the appropriate authorities, and pre-authorized by Twitter.
• Advertisers may only target jurisdictions in which they are licensed to promote these products or services online.
• Advertisers may not promote or offer the sale of Cannabis (including CBD– cannabinoids)
  • Exception: Ads for topical (non-ingestible) hemp-derived CBD topical products containing equal to or less than the 0.3% THC government-set threshold.
• Advertisers are responsible for complying with all applicable laws, rules, regulations, and advertising guidelines.
• Advertisers may not target customers under the age of 21.

Any advertisement for Cannabis (including CBD– cannabinoids) content that is allowed, subject to the above restrictions, must in addition:

• Not appeal to minors in the creative, and landing pages must be age gated and sales must be age verified.
• Not use characters, sports-persons, celebrities, or images/icons appealing to minors.
• Not use minors or pregnant women as models in advertising.
• Not make claims of efficacy or health benefits.
• Not make false/misleading claims.
• Not show depiction of cannabis product use.
• Not depict people using or under the influence.
• Not encourage transport across state lines.

Contact Twitter if you are interested in this option.

**

As with so many issues in the cannabis space, this policy raises questions about federal law, which expressly prohibits advertising sale of a Schedule I narcotic. The federal Controlled Substances Act states: “It shall be unlawful for any person to place in any newspaper, magazine, handbill, or other publicatio[n], any written advertisement knowing that it has the purpose of seeking or offering illegally to receive, buy, or distribute a Schedule I controlled substance.” The act goes on to state that it is also illegal to use the internet for such purposes.

Importantly, although the provision refers to “advertisement” in “its ordinary meaning” the prohibition on advertising includes an exception. The CSA states: “[t]he term “advertisement” does not include material which merely advocates the use of a similar material, which advocates a position or practice, and does not attempt to propose or facilitate an actual transaction in a Schedule [1] I controlled substance.” In addition, a separate exception states that Section A (the prohibition) does not apply to material that “merely advocates the use of a controlled substance or includes pricing information without attempting to facilitate an actual transaction involving a controlled substance.”

Based on the plain language, Twitter’s policies attempt to respect these limitations, which have not been the subject of federal enforcement despite the exponential growth in the cannabis industry in recent years. In addition, Twitter’s updated policies also convey general consistency with the patchwork of state cannabis advertising laws, to the extent they allow for digital advertising. Nevertheless, even if law enforcement and regulators do not raise an eyebrow, one must wonder whether blue chip companies will risk returning to Twitter if their logo may be featured next to a marijuana brand. The answer may depend on whether other social media platforms follow Twitter’s lead.

The Supreme Court’s 5-4 decision stemmed from NetChoice LLC and the Computer and Communications Industry Association’s appeal of the Fifth Circuit decision staying the original injunction issued by the District Court. Their argument was that rather than promoting free speech, Texas’ law is requiring social media platforms to promote speech they don’t agree with. Justice Alito in his dissent discussed social media’s transformative impact on communication and stated that while he does not have “a definitive view on the novel legal questions that arise from Texas’ decision to address the ‘changing social and economic’ conditions it perceives,” he believes the District Court’s original injunction was a “significant intrusion on state sovereignty”.

So, for now Texas cannot enforce this statute. Will they if the injunction is lifted? The Texas Attorney General is empowered to bring an action to enjoin a violation and collect attorneys’ fees and investigative costs. We know that office is particularly focused on Big Tech issues, having sued multiple targets on issues ranging from antitrust, to privacy, to deceptive advertising. The reinstatement of the injunction presents an opportunity to pause and take a closer look at HB 20 and what future enforcement could look like in Texas and other states.

Social Media Platforms General Provisions

The new statutes include more than just the controversial censorship chapter. A social media platform is defined as “an Internet website or application that is open to the public, allows a user to create an account, and enables users to communicate with other users for the primary purpose of posting information, comments, messages or images.” The exclusions from the definition includes ISPs, email services, and direct news sources with comment features. Further the applicability of these statutes applies only to those who have more than 50 million active users in the United States in a month, indicating a focus on “Big Tech” only.

These platforms are required to disclose on a public website accurate information about how it curates, targets, places, moderates, and promotes content including its own; how it uses algorithms to determine results on the platform; and how it provides users’ performance data.

Further, the law requires the platform to publish an easily accessible acceptable use policy which informs users about the content allowed, explains compliance with the policy, and the means to notify the platform of violations. The platform must make a good faith effort to evaluate complaints of illegal activity within 48 hours with reasonable exceptions.

They also must report every 6 months on the total number of instances of policy violations by users, employees, or automated tools they were alerted to and how many times the platform took action including content removal, demonetization, deprioritization, or assessment; and account suspension, removal, or other action consistent with their acceptable use policy.

When a platform takes an action under their policy they must notify the user who provided the content and explain the reason, allow an appeal, and provide written notice of the outcome of the appeal. The exception to this is if they are unable to contact the user after reasonable steps or know that the content is part of an ongoing law enforcement investigation.

Discourse on Social Media Platforms

Censorship under this statute includes any action to alter or remove or deny access to or otherwise discriminate against expression. Expression includes any perceivable communication. Social media platforms are prohibited from censoring a user or their expression or ability to receive an expression based on viewpoint or geographic location, regardless of the medium the viewpoint is expressed. This applies to users who reside in Texas, do business in Texas, or share or receive expressions in this state.

They are allowed to censor anything specifically authorized by federal law, at the request of an organization to protect exploitation, that directly incites criminal activity or has specific threats of violence, or is unlawful. Additionally, users can censor expression on their own page. Users may also seek injunctive relief and the statute specifically notes that users may bring action regardless of whether a court has enjoined the AG or has declared the chapter unconstitutional. The court can hold the platform in contempt if they fail to comply with court order and can use “all lawful measures” to secure compliance including “daily penalties sufficient to secure immediate compliance.” Platforms cannot enforce a waiver of the protections of this statute by contract.

Bottom Line?

Carefully examine what you tell users about your moderation practices, and how they are applied to users. While the constitutionality of HB 20 and similar laws is a decision for another day, the increased scrutiny of platforms’ (both large and small) content moderation practices is already forcing platforms to make clearer acceptable use policies and publicly clarify their practices. Such representations may ultimately become the focus of UDAP investigations in states, something we’ve already seen in Texas and Indiana. Just like any other public facing policy – establishing clear and neutral rules of the road and following those standards will help minimize AG attention to your practices. And even if HB 20 doesn’t impact your business – following this and similar cases will help to shed light on how far future legislatures can go to regulate the practices of platforms going forward.

* * * *

October 13 Futureproofing Privacy Programs Building a successful privacy program requires much more than compliance with data protection laws. To thrive in today’s global, data-driven environment, companies also need to understand the political environment and public attitudes surrounding privacy in the countries in which they operate. Of course, companies must anticipate and adapt to changing privacy regulations as well.

In conjunction with Canadian firm nNovation LLP, Privacy and Information Security practice chair Alysa Hutnik and partner Aaron Burstein will present strategies to help meet these challenges, with a focus on setting up structures to join local awareness with global compliance approaches.

Register Here

October 20 New Frontiers of the Intersection Between Privacy Laws, Antitrust and Misleading Advertising Enforcement Canadian Bar Association (CBA) 2020 Fall Competition Law Conference The Bureau is pushing the boundaries of the intersection between competition and privacy laws, and the pandemic has accelerated pre-existing trends in digital enforcement. The FTC is similarly continuing to pursue robust enforcement in cutting-edge areas such as data privacy and fintech. Join Alysa Hutnik and a host of others for this session for a conversation on misleading advertising priorities in Canada and the U.S. in the digital economy.

Register Here

November 10 Nuts and Bolts of Basic Advertising: Substantiation, Disclosures and Social Media 2020 ANA/BAA Marketing Law Conference: A Virtual Experience

Join partner Gonzalo Mon for this session, which will cover important principles of advertising law, including prerequisites to prove your claims, the type of proof required, how to make disclosures, and application of these principles to social media. In addition, it will cover options for challenging competitors. Whether new or experienced to advertising, this session will give you down-to-earth information you need to put later sessions into context. This presentation will put a great new spin on important topics.

Register Here

October 21 2020 Election Outlook: An In-Depth Analysis of the Race for the White House and Congress Please join Kelley Drye's Government Relations and Public Policy Group as we present a bipartisan assessment of the upcoming 2020 elections. Election analysts Greg Speed and Jim Ellis will provide a detailed and data-packed assessment of the current state of play in the race for the White House. In addition, they will cover key Senate and House races and the prospects for control of both chambers in the upcoming 117th Congress.

Register Here

November 10, 2020 The Future of Consumer Protection and Privacy - What to Expect from the FTC As the election approaches, our government prepares for a transition – either to the second term under President Trump or to the Biden Administration. As this is occurring, consumer protection law also finds itself in transition. Partners Christie Grymes Thompson and John Villafranco will focus on what this means, in terms of recent enforcement activities and priorities related to privacy, data security, marketing, advertising, and other areas of consumer protection.

Register Here

For on-demand webinar replays and other content organized around Advertising and Marketing Standards, Privacy and Data Security and Consumer Product Safety, visit the Advertising and Privacy Law Resource Center microsite. Available via www.KelleyDrye.com, the site provides practical, relevant information to help in-house counsel answer the questions and solve the problems that they face on a daily basis.

The complaint filed last week targets Airbnb’s “risk assessment score,” which EPIC alleges is based off an algorithm that uses personal information obtained from third parties, including “personal data collected from web pages, information from databases, posts on the person’s social network account, posts on a blog or a microblog account of the person, a comment made by the person on a website, or a directory listing for a company or association.” To support its allegations, EPIC cites a patent obtained by the company Trooly, which purports to “determin[e] trustworthiness and compatibility of a person.” Airbnb acquired Trooly in 2017.

According to the patent, the algorithm uses information collected from third parties to try to identify “negative traits” and assign “trustworthiness” scores based on personality and behavior traits that “predict the likelihood of the person being a positive actor in an online or offline person to-person interaction.” EPIC alleges that the system is “biased, unprovable, and not replicable” because an algorithm cannot assess a particular individual’s relative “goodness” or “badness.” Because these algorithms are likely to cause substantial injury to consumers (i.e., prospective renters who are denied short-term rental properties as a result of a negative score) that is not reasonably avoidable and not outweighed by countervailing benefits, EPIC alleges that Airbnb has committed unfair practices in violation of the FTC Act. EPIC further alleges that Airbnb violated FCRA because the “trustworthiness scores” are consumer reports under FCRA that bear on the individuals’ “character,” “general reputation,” and “personal characteristics,” but that lack reasonable procedures to ensure accuracy.

The FTC does not generally respond publicly to complaints from third parties like EPIC. The complaint is an important reminder for companies that use, aggregate, or disclose data to consider the legal and regulatory implications under the host of relevant federal and state laws. The FTC’s 2016 Big Data Report provides a helpful overview of what the agency views as the benefits and risks of data aggregation, along with legal considerations for companies using big data.

LendEDU runs a website that compares student loans and other financial products. Although they advertised that the ratings are on the site are “completely objective and not influenced by compensation,” the FTC argued that this wasn’t true. Instead, LendEDU based rankings on how much companies paid them per click. After LendEDU became aware of the FTC investigation, it added a disclosure suggesting that the money it receives from companies may affect their ratings, but the FTC found that was not sufficient.

The FTC also investigated the reviews about LendEDU’s that appeared on third party sites, such as Trustpilot. It determined that 111 of the 126 reviews that appeared on Trustpilot were actually written by LendEDU employees or their friends or family members. LendEDU highlighted some of these fake reviews on its own site, with headings such as “See What Our Customers Have to Say.” And, to make things worse, the company made up testimonials from non-existing customers and posted them on its site.

The proposed settlement would prohibit the company and its operators from making the same types of misrepresentations cited in the FTC’s complaint. In addition, the company is required to pay $350,000. Andrew Smith, Director of the Bureau of Consumer Protection, said: “These misrepresentations undermine consumer trust, and we will hold lead generators like LendEDU accountable for their false promises of objectivity.”

Although this case shouldn’t hold any surprises for readers of this blog, it demonstrates that the FTC continues to be focused on the issue of fake reviews.

• California Consumer Privacy Act (CCPA) CCPA was far and away the most popular topic of 2019 and, as mentioned in one of our last posts of the year, “businesses and privacy professionals would do well to catch their breath over the holiday season. Next year is going to need focus and investment to reach the [CCPA] finish line (which, yes, will continue to move because this is privacy law, after all).​” Here are a few CCPA related posts you may want to read if you haven’t already:
  • Broad Range of Implementation Worries Surfaces at CCPA Rulemaking Hearing in LA December 5

• • Be Careful What You Say About the CCPA November 12

• • CCPA Update: California Attorney General Issues Draft Privacy Rules October 11

• • CCPA Update: Legislature Amends the CCPA to Exclude Employee Data, B2B Communications for One Year September 15

• The FTC’s Powers Under Section 13(b) The continuing questions over the extent of the FTC’s enforcement authority to obtain monetary relief under Section 13(b) were a popular topic with Ad Law Access readers. So popular that we created a Section 13(b) sub-blog:
  • Direct Seller Stands Its Ground: Neora Seeks Declaratory Judgment Against the FTC, Challenging the Agency’s Section 13(b) Authority November 5
  • Business As Usual? FTC Practice in the Wake of Shire ViroPharma and Credit Bureau Center October 22
  • A Potential New Fight Over FTC’s 13(b) Authority May 19

Other posts that resonated with readers:

• FTC Releases New Guide for Influencers November 9
• CBD and False Advertising: Lessons Learned From The Food Court August 9
• Nevada and Maine Advance Legislation Addressing the “Sale” of Personal Data June 4
• FDA and FTC Issue Joint Warning Letters to Three Online CBD Marketers April 2
• FTC to Use 6(b) Authority to Examine Tech Companies’ Data Practices March 22
• Taking Stock of the TCPA in 2019: What is an “Autodialer”? March 4
• The Direct Selling Self-Regulatory Council: What it Means for Multi-Level Marketers January 10

AD LAW ACCESS PODCAST

2019 also saw the launch of the Ad Law Access podcast. Top episodes included:

• CCPA Update: Legislature Amends the CCPA to Exclude Employee Data, B2B Communications for One Year
• Privacy Update: The Terms of the Facebook Settlement; CCPA Amendments Advance in Calif. Senate
• Cause Marketing - Commercial Co-Ventures: What You Need to Know Before Getting Started (12:30)
• CCPA Update (Amendments, Draft Regulations, and Classification issues) (12:00)
• Texting 101 - The Hot Button Issues to Consider When Running a Texting Campaign (11:25)
• Challenging Competitors' Claims
• Making it in the USA – When Product Origin and Origin Marketing Claims Matter (13:00)
• Influencers Gone Wrong (10:30)
• Influencers and Endorsers: Understanding the Upfront Legal Requirements (9:10)

The FTC alleged that company managers, including Ms. Riley herself, posted reviews of the company’s products on Sephora.com, and asked other employees do the same. When Sephora removed some of the reviews, managers suspected it was because Sephora recognized they were coming from IP addresses associated with the company. Rather than pull the plug on the scheme, managers obtained an Express VPN account to “allow us to hide our IP address and location when we write reviews.”

The complaint also quotes from e-mails Ms. Riley wrote to employees instructing them in detail about how they could leave reviews, directing employees to focus on certain products that should always have five stars, and instructing employees to dislike negative reviews posted by others. “If you see a negative review – DISLIKE it,” Ms. Riley wrote. “After enough dislikes, it is removed. This directly translates into sales!!”

The proposed order prohibits the company and CEO from misrepresenting that a review was written by an independent consumer and requires them to clearly disclose any unexpected material connection between a reviewer and the company. Moreover, the company must instruct employees and agents about their responsibilities to clearly disclose their connections to the company in any endorsements.

If you read this blog, you already know that you shouldn’t post fake reviews, but do other people in your company know that, too? Now may be a good time to look through your employee policies to see if they address these types of issues.

Earlier today, the FTC announced a settlement with Devumi and its CEO over these practices. For example, the FTC alleges that the company sold more than 58,000 Twitter followers, 4,000 YouTube subscribers, 32,000 YouTube views, and 800 LinkedIn followers. The company’s clients included not only influencers and celebrities, but also various professionals. By selling and distributing fake indicators of social media influence, the FTC alleged that the defendants provided customers with the means and instrumentalities to commit deceptive acts or practices.

The proposed court order settling the FTC’s charges bans the defendants from selling (or assisting others in selling) social media influence to users of social media platforms and from making misrepresentations about social media influence. Although Devumi is reportedly out of business, the order imposes a partially suspended $2.5 million judgment against the company’s CEO. (If the FTC later learns that he misrepresented his financial condition, the FTC can ask the court to impose the full amount.)

What you should take away from these cases depends on your place in the industry. If you help companies boost their social media presence, take a close look at this settlement and make sure you’re not engaging in the practices that were challenged. If you’re hiring a company to boost your presence, ask that company some questions about how they plan to achieve results. And if you pay influencers based on the number of followers they have, investigate whether those followers are real people. Bots can lead to all sorts of trouble.

And it is. The terms of the Federal Trade Commission’s (FTC) $5 billion, twenty-year settlement Order reached with Facebook on Wednesday is the agency’s most prescriptive privacy and data security agreement ever. The Order comes just three days shy of the seventh anniversary of the FTC’s original 2012 settlement with Facebook, where the FTC ordered Facebook to comply with its privacy commitments.

This week, the FTC confirmed what was already widely reported – from the Cambridge Analytica scandal to a series of other press reports on privacy mishaps – the agency’s determination that Facebook’s data practices did not comply with the FTC’s 2012 Order.

Almost immediately, the Order was attacked by critics insisting that the Commission let Facebook off the hook too easily, for, among other reasons, not obtaining an admission of guilt or liability, not restricting data flows or integration among its companies, and not obtaining an even higher monetary penalty. Commissioner Slaughter wrote that although the Order is exceptional, the “facts and defendant before us are exceptional as well,” and that she did not believe the “combined terms would effectively deter Facebook from engaging in future law violations and send the message that order violations are not worth the risk.” Supporters of this view are likely to point to Facebook’s second quarter earnings results indicating a 28 percent revenue increase compared with 2018.

In contrast, Commissioner Noah Phillips, who supported the settlement, defended the outcome. “I am absolutely certain that the deal we struck today is better than the relief that we might have achieved had we gone to court,” Commissioner Phillips told CNN. In particular, Phillips and other Republican Commissioners point to extensive, precedent-setting monetary relief, as well as injunctive relief that dictates a new detailed accountability process for how Facebook’s privacy (and information security) decisions and oversight will function for the next twenty years.

Here’s a rundown of key terms in the Order:

#1: Liability Limitations

• Terms: Facebook neither admits nor denies any of the allegations against it. In exchange for agreeing to the Order and paying $5 billion in civil penalties, the FTC agrees that the Order resolves “any and all claims that Defendant, its officers, and directors” violated the 2012 settlement order and Section 5 of the FTC Act.
• Context: In his dissent, Commissioner Rohit Chopra criticized the liability terms because Facebook received what he characterized as a “legal shield” covering a wide range of conduct not addressed in the Complaint or Order. “I have not been able to find a single Commission order – certainly not one against a repeat offender – that contains a release as broad as this one,” Chopra wrote.
• Exceptional? In 2012, Commissioner J. Thomas Rosch dissented because the FTC’s 2012 settlement allowed Facebook to expressly deny the allegations in the Complaint. In the 2019 Order, Facebook neither admitted nor denied the allegations. Kelley Drye View: Not exceptional.

• Terms: Facebook may not make misrepresentations about privacy and information security in connection with its products and services. The Order sets limits and rules around how Facebook may use telephone numbers provided for account authentication, facial recognition templates, and private user information. Facebook is required to ensure that when a consumer deletes information or content, the data are in fact deleted and not accessible to third parties.
• Context: These are familiar terms. When the FTC identifies a violation of its Act or a prior Order, the FTC seeks settlement terms that directly prohibit a company from re-engaging in the offending activity. In its statement in support of the settlement, the majority of commissioners led by Chairman Joe Simons wrote, “Collectively, these requirements will not only alter the way Facebook does business, but also send an important signal to the marketplace about privacy and security best practices.” The majority also pointed out that this is “the first FTC order to address biometric information, requiring Facebook to get consumers’ opt-in consent before using or sharing” facial recognition templates.
• Exceptional? The 2012 settlement mirrored many of these terms, especially with regard to misrepresentations in privacy statements and deletion of personal information. The FTC has also conveyed its expectations that when collecting and using sensitive personal information (such as biometric information) in a manner that may surprise consumers, a company should obtain an opt-in. Kelley Drye View: Not exceptional.

• Terms: Facebook will be required to maintain an information security program to protect the security of user information, including passwords. The company will be required to scan for plaintext files with user passwords, and report to the government any data breaches impacting 500 or more users.
• Exceptional? The FTC regularly mandates information security programs, especially in cases involving data breaches. Earlier this year, in the Lightyear Dealer Technologies case involving exposure of personal information, the FTC mandated a detailed information security program complete with regular independent evaluations, internal assessments, and annual certifications. What is exceptional here is that, now, every Facebook data compromise involving 500 or more users’ information will be closely reviewed by both the DOJ and FTC. Kelley Drye View: Exceptional.

• Terms: The Order indicates that aside from providing documents to the FTC, Facebook must provide copies of reports, assessments, notifications, certifications, and other mandated filings to the Department of Justice.
• Context: The FTC has limited manpower and staff (and more importantly, a constrained budget) to address every concerning privacy and data security matter. Adding a second government agency increases oversight (and enforcement) potential. Kelley Drye View: Neutral (and potentially Exceptional if the settlement were to motivate Congress to increase allotted FTC Budget, in which case extra oversight and resources likely would translate to more active enforcement).

• Terms: The FTC mandates that Facebook implement safeguards to ensure protection of user information. These safeguards require Facebook to conduct extensive privacy reviews prior to rolling out new services, with a more in-depth review required for services that present a “material risk to the privacy, confidentiality, or Integrity of” user information. The settlement also requires Facebook to develop safeguards regarding facial recognition technology and affiliate sharing.
• Context: The terms respond to ongoing concerns that Facebook rolls out new products or services without sufficiently considering the impact on privacy. These safeguards do not restrict Facebook from taking actions with new, material privacy implications, but slows down and opens the process to a deliberative review. Kelley Drye View: Neutral.

• Terms: Facebook is required to design and implement safeguards that require vetting, monitoring and enforcement against third parties that use Facebook user information for their own consumer applications and websites. These safeguards include mandating each such party to provide a self-certification on compliance with Facebook’s terms. They also require Facebook to conduct ongoing compliance monitoring and to enforce compliance terms, including by restricting access to Facebook data if there are instances of non-compliance, and to take other appropriate disciplinary measures that are commensurate with the violation gravity and prior history of compliance.

• Exceptional? The extent and specificity of the FTC’s third party vetting terms are unique to this case and go beyond the FTC’s prior examples. It remains to be seen if these are more robust “fencing-in relief,” or if they are a preview of what FTC will demand in other cases involving third party compliance, including with respect to telemarketing and lead generation. Kelley Drye View: Exceptional.

• Terms: The FTC has implemented overlapping “channels of compliance” to hold Facebook accountable for privacy and data security related decisions and practices. First, Facebook must create an independent privacy committee. Second, Facebook’s CEO and compliance officers will be required to submit quarterly compliance certifications vouching for the company’s compliance with the Order. Third, Facebook will face monitoring by independent assessors (who Facebook cannot claim privilege over their work product) and the FTC.
• Exceptional? The FTC’s majority statement emphasizes the overlapping channels of compliance, and they are no small feat. Facebook has agreed to twenty years of extensive auditing at multiple levels. While many FTC decisions may include some of these compliance checks, the Order’s inclusion of all of these is significant. Kelley Drye View: Exceptional.
• Caveat: Earlier this week, the FTC settled charges with Equifax over a data breach that impacted 147 million people. That agreement included yet another channel of compliance: it set up its own FTC email hotline for Equifax employees to submit complaints or concerns about the company’s information security practices to the FTC, and a process for reviewing, addressing, and escalating those complaints. This type of process is notably absent from the Facebook settlement.

• Terms: In a remarkable example of government intervention in a public company’s operations, the FTC includes as Exhibit 1 to the Order a new article to be inserted into the Facebook corporate charter. The article states that no director serving on the independent privacy committee may be removed for reasons related to their duties on that committee.
• Exceptional? This is a unique provision designed to protect the integrity of the independent privacy review process that is a cornerstone of the settlement agreement. Kelley Drye View: Exceptional.

At bottom, there is no longer a status quo in the United States when it comes to data practices and standards. This settlement, the California Consumer Privacy Act’s looming compliance deadline, and the ongoing debate over whether there should be a comprehensive federal privacy law are all developments that underscore one take-away: most companies’ data practices can benefit from a fresh review and consideration for how to plan for the future.

To discuss how the settlement could impact your business, please contact attorneys in the Privacy and Information Security practice at Kelley Drye.

This workshop will be open to the public but registration is required. Register here.

Agenda Highlights

Marketing with influencers and celebrities can help companies capture consumer attention, but there are enough legal headaches to make you dizzy. Not only do companies need to worry about complying with the law, they need to worry about whether the talent will do anything to harm their brands. Although there isn’t a one-size-fits-all solution to these issues, we will discuss the key legal requirements and provide practical tips for your campaigns.

FTC Update

Now that the FTC has a full slate of new commissioners, and is nearing conclusion of hearings examining the agency’s past and future policy and enforcement approach, what can businesses expect to see from the FTC in terms of policy and enforcement changes? This session will discuss these updates and the practical ramifications for industry.

Privacy Strategy: Planning for California’s CCPA and Beyond

The California Consumer Privacy Act (CCPA) takes effect January 1, 2020. A number of states are following with efforts to enact their own comprehensive privacy laws. Federal legislation that preempts such state laws also remains a possibility. This session will focus on practical steps that companies can take now to address their privacy compliance obligations in the United States, along with best practices for data risk management.

Class Action Update

The plaintiffs' bar is more active than ever. This session will discuss current issues and trends in consumer protection litigation, with a particular focus on Telephone Consumer Protection Act (TCPA) class actions.

Advertising Technology: Key Legal and Self-Regulatory Developments

Recently-enacted laws with global impact and high-profile privacy and data security events with associated industry scrutiny have major implications for companies that create and support targeted advertising and those that leverage the resulting insights. This session will provide strategies to carefully navigate the increasingly complex legal, regulatory, and self-regulatory AdTech landscape.

Consumer Protection and Privacy Panel

Update on some of the other significant developments that companies should have on their radar.

Questions, please contact [email protected]

This week, the New York Attorney General announced a settlement with Devumi over its practices. Among other things, the company is prohibited from selling fake followers, likes, and other types of social media interactions. And to the extent Devumi works with real influencers, it must take steps to ensure they clearly disclose any connections they have to the companies they endorse. The AG said that this settlement sends “a clear message that anyone profiting off of deception and impersonation is breaking the law and will be held accountable.”

Although this may be the first case that addresses the sale of fake followers, it’s not the first case that addresses companies using shady techniques to boost their reputations online. For example, in 2013, the New York AG announced settlements with 19 companies after a year-long undercover investigation into the reputation management industry. During the investigation, the AG learned that some agencies that promised to boost companies’ presence online did to so posting fake reviews.

What you should take away from these cases depends on your place in the industry. If you help companies boost their social media presence, take a close look at these settlements and make sure you’re not engaging in the practices that were challenged. If you’re hiring a company to boost your presence, ask that company some questions about how they plan to achieve results. And if you pay influencers based on the number of followers they have, investigate whether those followers are real people. Bots can lead to all sorts of trouble.

Billy MacFarland and Ja Rule wanted to host a luxury festival on a deserted island. They found an island that belonged to Pablo Escobar, and secured a lease on the condition that they wouldn’t mention the drug lord’s name. Not long after that, Fyre used Escobar’s name in a social media post. And not long after that, the company was forced to find a new deserted island – or find a way to make an inhabited one look deserted. (They chose option B.)

Meanwhile, a group of over 60 influencers – including Kendall Jenner and Emily Ratajkowski – got to work promoting the festival on Instagram, without disclosing that they had been paid to do so. (According to some reports, the initial group of influencers were paid between $20,000 and $250,000 each.) This resulted in over 300 million impressions in 24 hours. The hype worked, and people started paying up to $12,000 for tickets.

Things on the ground were going less smoothly. When guests arrived, instead of finding the luxury accommodations, gourmet food, and big-name bands they were promised, they found FEMA tents, a food shortage, and none of those bands. If you’re wondering whether any of this is fraud, Ja Rule directly addressed that question in the Netflix documentary. During a phone call, he assured his colleagues that it’s not fraud – it’s just "false advertising." (Note to Mr. Rule’s lawyer: maybe keep him off the witness stand.)

As MacFarland sits in jail and Ja Rule and his colleagues fight lawsuits, a federal judge gave a bankruptcy trustee permission to subpoena Kendall Jenner’s company, some of the agencies that represented other influencers, and other vendors who were paid to organize or promote the festival. It’s too early to tell what will happen next, but these developments are likely to lead to more scrutiny about how companies advertise on social media and use influencers.

We’ve posted about these issues many times before. To summarize:

1. Social media posts are subject to advertising laws, so those posts must be truthful and not misleading;
2. Influencers need to disclose their connections to the companies they are promoting; and
3. Companies need to take steps to manage their influencers.

This is not the first time that consumer groups have pushed the FTC to investigate influencer campaigns. And if this is like any of the previous pushes, it’s likely that some of the posts don’t actually violate the law. For example, some groups have misstated the legal requirements in this area and have identified posts that didn’t violate the law. That led the FTC to send warning letters to individuals who actually had no connections to the brands mentioned in their posts. Nevertheless, there are various examples in this letter that may be problematic and potential targets for enforcement.

Apart from the endorsement issues, the letter goes on to describe other problems with the content of the posts, including “kids in Ciroc ads, Ciroc-fueled misogynistic ads, a recipe for cannabis-infused strawberry lemonade with Ciroc, and even a booze-drinking Santa who needs to spread the ‘liquid love.’” (There is also an image of a toddler holding a baby bottle of Ciroc.) To make matters worse, the influencers did not use age-gating features, so that minors were able to view the ads. As TINA.org points out, these practices are likely to violate the Distilled Spirits Council’s Code of Responsible Practices for alcohol ads.

TINA.org has asked the FTC to investigate Diageo and to take appropriate enforcement action.

It’s too early to tell what will happen here, but it will be interesting to see how the FTC reacts. Although companies that market age-restricted items should pay particular attention, this action holds lessons for any company that works with influencers. If you haven’t evaluated how your company manages influencer campaigns recently, now may be a good time to do that.

Khaled Khaled, better known as music producer DJ Khaled, and professional boxer Floyd Mayweather Jr. both allegedly promoted investments in ICOs for Centra Tech Inc. in 2017 without disclosing the compensation they received in exchange for their endorsements ($50,000 for Khaled and $100,000 for Mayweather). This triggered a violation of the anti-touting provision of the federal securities laws.

A few examples of these endorsements include Khaled referring to Centra’s ICO as a “Game changer” on various social media accounts, and Mayweather tweeting that Centra’s ICO “starts in a few hours. Get yours before they sell out, I got mine…”

Mayweather also allegedly failed to disclose his relationship with two other ICOs that paid him $200,000 for posts such as, “You can call me Floyd Crypto Mayweather from now on.”

In settling the charges, Khaled agreed to pay $152,725 in disgorgement, penalty, and prejudgment interest, while Mayweather agreed to pay $614,775 for the same. Mayweather and Khaled also agreed not to promote any securities, digital or otherwise, for three and two years, respectively.

Although proper disclosures in social media endorsements have been an area of concern for the FTC for years, this settlement indicates that the SEC is just as interested in making sure consumers understand when they’re seeing sponsored content in the marketing of financial products.

For more information on this topic, check out our earlier post on SEC activity and our webinar, “Advertising Under the Influence.”

Creaxion, a PR agency, was tasked with creating a campaign to promote a client’s new mosquito repellent product around the time the press was reporting about the mosquito-borne Zika virus during the 2016 Summer Olympics. As part of the campaign, the agency partnered with the publisher of Inside Gymnastics magazine to secure athlete endorsers and run stories about the product.

Together, the companies paid two gold medalists to promote the product, and the athletes posted endorsements on social media, without disclosing that they had been paid. The publisher re-posted those endorsements in its magazine, again without a disclosure. Inside Gymnastics also ran paid ads for the product that, in the eyes of the FTC, were made to look like independent news stories.

As part of the settlements, the companies are prohibited from misrepresenting that influencers are independent consumers. Any connections between an influencer and the companies whose products they endorse must be clearly disclosed. To that end, the companies agreed to institute procedures designed to ensure that influencers make these disclosures, including notifying influencers of their responsibilities, monitoring compliance, and terminating influencers who fail to comply.

The companies are also prohibited from expressly or implicitly misrepresenting that paid ads reflect the opinions of an independent or objective publisher or source. Although the settlement doesn’t go into details on this point, this requirement likely means that ads that appear near new stories need to be clearly labeled as ads, as the FTC has advised in its native advertising guidance.