This posting requirement applies to bars, truck stops, massage parlors, job recruitment centers, emergency rooms, and various other establishments that trafficking victims might frequent.  It is intended to raise public awareness of the issue and to inform victims or potential victims of trafficking about their rights and about resources available to help them.

There are specific requirements for the notice, which must be 8 1/2 by 11 inches with 16-point font.  It must be posted near the public entrance or in some other conspicuous place.  It must be posted in both English and Spanish throughout California, but in certain counties, it must be posted in a third widely spoken language (e.g., Chinese in San Francisco).  The language requirement and model notices can be found here, and the model notices are here (English) and here (Spanish). 

Meanwhile, speculation continues about possible enforcement of California’s original groundbreaking requirement on human trafficking, the Transparency in Supply Chains Act (S.B. 657), which went into effect on January 1, 2012.  As noted previously in this space, many large manufacturers and retailers selling goods into California are required to post on their websites information concerning their efforts to combat human trafficking and other issues in their global supply chains.  The threshold for the reporting requirement is low, and covered companies should take steps now to meet the law’s requirements if they haven’t already done so.  California Attorney General Kamala Harris has made the issue of human trafficking a priority, as evidenced by this webpage, which collects information related to efforts on human trafficking and includes her commitment to “a sophisticated response from law enforcement and its partners to disrupt and dismantle” trafficking networks.

- Trent Norris, Samuel Witten, and Ginamarie Caya

A three-judge panel affirmed the district court’s ruling that the Nutrition Labeling and Education (NLEA) preempted the plaintiff’s claims.  The NLEA expressly preempts state food-labeling requirements that are not identical to the requirements in the Food, Drug and Cosmetic Act and its implementing regulations.  In this case, two federal regulations were directly on point and governed the statements regarding trans fat and cholesterol-lowering benefits.

FDA regulations require certain nutritional information on food packaging, including a statement of the number of grams of trans fat in a serving.  The regulations further require where a serving contains less than 0.5 grams of trans fat, the content should be expressed as zero.  The regulations deem these amounts to be “insignificant” for purposes of stating nutrition content.  FDA regulations also allow statements of “no fat” and “no saturated fat” when a product contains less than 0.5 grams per serving, an insignificant amount.  Relying on these regulations, the Third Circuit concluded that Benecol’s “No Trans Fat” claim is authorized by the NLEA.  Because the plaintiff was seeking to enforce a requirement different from what the NLEA allows, the panel found his claims expressly preempted.  This decision is in accord with the Ninth Circuit, which similarly held that a claim challenging a “No Trans Fat” statement was preempted when the amount of trans fat was required to be rounded to zero in the nutrition facts panel.  Carrea v. Dreyer's Grand Ice Cream, Inc., 475 Fed. Appx. 113, 115 (9th Cir. 2012).

Cholesterol claims are also governed by FDA regulations.  Specifically, the regulations provide for health claims “which summarize the relationship between diets that include plant sterol/stanol esters and the risk of [heart disease] and the significance of the relationship.”  The regulations further identify a threshold amount of plant sterols that a product must contain in order to make such a health claim.  Based on these regulations, the Third Circuit concluded that the cholesterol claims were authorized by statute, and thus the NLEA expressly preempted plaintiff’s attempt to bar those claims. 

This decision, cited as Young v. Johnson & Johnson, No. 12-2475, 2013 WL 1911177 (3d Cir. May 9, 2013), has been designated non-precedential.

- Angel Garganta & Jonathan Koenig

Last year -- driven in part by critics of a much-publicized seizure of illegal wood products from Gibson Guitar pursuant to the Lacey Act -- members of Congress proposed amendments that would change the scope and effect of the Act.  Specifically, Congress considered limiting the Lacey Act's application to plants and plant products imported before the effective date of the 2008 amendments, narrowing the categories of plant-related foreign laws that trigger Lacey Act violations, and altering the forfeiture provision to include an "innocent owner" defense.  Efforts to amend the Lacey Act fizzled after Gibson, with the United States Department of Justice reaching a Criminal Enforcement Agreement in which Gibson "accept[ed] and acknowledge[d] responsibility" for its actions and admitted that its management knew about the relevant Madagascar law that prohibited the export of most of the wood the U.S.  government had seized.  Gibson further conceded that it should have "exercised additional diligence."  See here, here, and here for some of our previous pieces on the Gibson case and its resolution.

While no specific bills are currently under consideration, this new hearing suggests there may be renewed interest in limiting the scope of the Lacey Act and altering the related forfeiture provisions.  Companies involved with wood or wood products (including paper) should stay tuned for a follow-up after the hearing.

-- Maxwell Preston, Katherine Ghilain, & Carmela Romeo

Razer is hardly the first online retailer to suffer such an advertising glitch. Zappos and others have found themselves in a similar predicament.  Generally, companies in that situation have wasted no time repudiating any obligation to honor purchases made at the erroneous price.  But Razer took a different tack. It quickly announced that it would honor those coupons tendered by customers who bought “single products for their own use,” as distinguished from those who bought multiple items (presumptively for the purpose of turning a quick buck).  It isn’t clear just how much this cost the company, but it cannot have been inconsequential.  On the other hand, for “doing right” by its customers, the company was lionized in the media and may well have made back that much and more in increased traffic, publicity and goodwill.

Putting aside the possible marketing advantages of acquiescing in such an error, what are the rules when a merchant accidentally advertises a lower price than intended?  What right, if any, does the online retailer have to repudiate the apparent deal?  After all, didn’t it make an offer to sell at a particular price that became a binding obligation when the buyer accepted the offer by tendering the purchase price?  Was Razer being benevolent, or just putting lipstick on the pig?

Well, it depends. 

In the first instance, there may or may not have been a binding offer and acceptance.  Contracts 101 teaches that whether a communication from one party to another constitutes an actionable offer, as distinguished from mere preliminary communications or an invitation to make an offer, is a fact-intensive inquiry, looking at all the circumstances.  Even generalizations aren’t particularly helpful.  For example, print advertisements such as those in newspapers and mail order catalogs are less frequently held to be offers than the prices posted in bricks-and-mortar stores.  To the extent this is a meaningful distinction, which is the appropriate analogy for an online retailer?  Is Amazon’s website more like a virtual catalogue or a virtual store? 

Some online retailers have adopted website terms and conditions that attempt to overcome such uncertainties by explicitly characterizing the customer’s order as the offer, thereby leaving the retailer free to reject it for any reason, including because the advertised price was erroneous.  Others simply reserve the right to cancel orders, either for any reason or specifically where the posted price was erroneous.  In addition, even absent such contractual hedges, under the common law doctrine of unilateral mistake of fact, a contract is voidable if its enforcement despite one party’s mistake regarding a material term such as price would be “unconscionable” or if the other party “had reason to know of the mistake . . . .”  Thus, at least where a posted price is so egregiously low—or, in Razor’s case, a coupon so dramatically over-generous—that a reasonable consumer would suspect it is a mistake, this doctrine would entitle the retailer to repudiate the contract. 

On the other hand, none of these safeguards is necessarily ironclad.  The unilateral mistake doctrine is so obviously fact-dependent that in all but the most egregious circumstances, its applicability is likely to be disputable.  Using agreed terms and conditions to avoid the otherwise-uncertain application of general contractual rules is a time-honored strategy.  But online terms and conditions are both adhesive in nature and subject to special FTC rules requiring that they be “clear and conspicuous.”  Thus, their enforceability is also inherently very fact-bound.  And whatever protection the common law and artful drafting might provide in other circumstances, some states impose particular obligations on retailers when it comes to honoring the prices they advertise, however egregious the error.

In short, quite apart from the resulting public relations bonanza, a retailer in Razer’s situation could hardly be faulted for concluding that the high road was also the prudent one.

Razer apparently managed to turn the sow’s ear of its pricing gaffe into a silk purse.  Mindful of this, some online marketing specialists are undoubtedly being tempted even as we speak to consider the deliberate use of such an “accidental” release scenario as a form of guerilla marketing: going viral, driving traffic to the site, and winning kudos for “voluntarily” honoring some part of the resulting uptake.  One word: badidea.  The saving grace of Razer’s gaffe was its inadvertence.  Deliberately posting a false discount to drive traffic, with the intent to honor only some of the resulting sales, would amount to a bait-and-switch, violate a plethora of state and federal laws prohibiting deceptive and misleading advertising, and likely leave the retailer in a world of hurt at the hands of regulators, prosecutors and the plaintiff’s class action bar.   

- Gabriel White and Dirk Schenkkan

Proposition 65 allows private enforcers to bring actions “in the public interest” without requiring any showing of harm.  Private enforcers can seek civil penalties of up to $2,500 per violation per day as well as injunctive relief.  Plaintiffs who settle or prevail in litigation can seek to recover reasonable attorneys’ fees.  Public enforcers like the California Attorney General can also enforce the law, but over 90 percent of cases are brought by private plaintiffs.  Millions of dollars change hands under Proposition 65, hundreds of lawsuits are filed each year, and signs are plastered all over California from parking garages to hotel lobbies, from restaurant entrances to Starbucks condiment stations.

The Governor has been a critic of certain aspects of Proposition 65 since his time as Attorney General.  In consultation with his successor as Attorney General, Kamala Harris, he has outlined concepts for reform, but he has not yet proposed specific language for the amendments.  Key features highlighted in the Governor’s press release are the following: 

• Place restrictions on attorney’s fees in Proposition 65 cases.
• Require stronger demonstration by plaintiffs that they have information to support claims before litigation begins.
• Require greater disclosure of plaintiff’s information.
• Set limits on the amount of money in an enforcement case that can go into settlement funds in lieu of penalties.
• Provide the State with the ability to adjust the level at which Proposition 65 warnings are needed for chemicals that cause reproductive harm.
• Require more useful information to the public on what they are being exposed to and how they can protect themselves.

These are fleshed out in somewhat greater detail in a white paper. In the coming weeks, the Governor’s office intends to convene “working groups” of “stakeholders” to consider these conceptual proposals.  Some may be implemented through changes to the Proposition 65 implementing regulations, while others will take legislation.  According to the ballot initiative, Proposition 65 can only be amended by a two-thirds vote of the State Assembly and the State Senate, and then only to “further its purposes.”  The Governor’s staff intends to press for changes to be adopted in 2013, apparently building on the momentum garnered by a narrowly tailored bill that has already been introduced to allow businesses time to “cure” alleged Proposition 65 violations once they are notified.

Since its passage by voter initiative over 25 years ago, Proposition 65 has been amended in significant part only once.  That amendment, which was intended to impose additional requirements on private plaintiffs, has not prevented shakedown lawsuits.  Moreover, those additional requirements have had the unintended consequence of increasing the attorneys’ fees demands made to companies and the time and expense involved in resolving Proposition 65 claims.

Although some of the reforms outlined by the Governor could be helpful to companies, they do not address a number of concerns raised by the business community in recent years.  Whether those concerns may be addressed in the working groups remains to be seen.  Moreover, the proposed reform for warnings could result in an overhaul of the longstanding ways in which thousands of companies doing business in California have designed their Proposition 65 compliance programs. 

Businesses should be engaged in and monitor the stakeholder discussions.  The devil will be in the details.

- Trent Norris, Sarah Esmaili, and Ginamarie Caya

Allegedly, crammers bill consumers for “premium services” like horoscopes, love tips, and other such information that consumers receive via text message a few times a week.  The FTC claims the problem is that many consumers didn’t actually opt in to receiving such texts, but were chosen at random, then billed monthly for the service.  At times, the FTC alleges, defendants did send text messages suggesting that people were getting a new service, but most people deleted the texts as spam.  In the rare instances that consumers texted back that they weren’t interested, apparently those requests were ignored and consumers were charged anyway.

The subject of phone bill cramming is not new, but this is the FTC’s first foray into the mobile area.  To address some of these issues, The Commission is hosting a “Mobile Cramming Roundtable” on May 8.  The discussion will be free and open to the public at the FTC’s Conference Center in Washington.  FTC Commissioner Maureen Ohlhausen is slated to provide opening remarks and various panelists will discuss the state of mobile cramming today, including strategies on how to prevent and respond to the practice.  The agenda for the roundtable can be found here.  We will of course keep our readers updated on any new developments in this area, but the message from the FTC is loud and clear.  As technology gets more sophisticated, so do scammers, but the regulators are taking note and planning countermoves of their own.  Stay tuned!

- Danielle Garten 

Some of the more notable questions answered by the FAQs are:

Will the new Rule prevent children from lying about their age?

No.  If an operator of a general audience web site or online service screens its users for age, the operator may rely on the ages provided, including an age that is inaccurate as long as the web site or service operator does not have actual knowledge that a child under 13 is the person providing such information.  If an operator learns after-the-fact that a specific user is actually a child under age 13, COPPA’s notice and consent provisions apply.  

Does ‘personal information’ include passive information collection technologies, like ‘cookies,’ ‘GUIDs,’ and ‘IP addresses’?

Yes, the new Rule modifies the definition of ‘personal information’ to include any ‘persistent identifier’ that allows recognition of the user over time and across different web sites or online services, such as a customer number in a cookie, an IP address, or a device serial number. 

If I have an app directed to children, where do I need to post my privacy policy? 

The new Rule generally requires that a privacy policy be posted on the home or landing screen of an app, but the FTC encourages operators of child-directed apps also to post the privacy policy at the point of purchase.  And if a child-directed app is designed to collect personal information as soon as it is downloaded, it is necessary to provide direct parental notice and obtain verifiable consent at the point of purchase.   

If I have an online service for teenagers, how does the new Rule affect me?

Even if a site or service is intended to be directed to teenagers, if a significant number of children under 13 also visit the site or use the service, it may be considered ‘directed to children’ under the Rule.   In most instances, a web site or service ‘directed to children’ must treat all visitors as children under 13 and provide COPPA’s protections to all users of the site.  Such sites and services may not block children under age 13 from using the site/service.

If I want to offer a child-directed app that would allow children to post pictures of their favorite pets or places, how does the new Rule apply to me?

 The new Rule considers photos, videos, and audio files that contain a child’s image or voice to be “personal information,” as are any persistent identifiers of a child.  Geolocation data allowing for the identification of a street and city or town is also “personal information.”  Operators must therefore (i) pre-screen and delete any photos that contain personal information, including geolocation data and persistent identifiers; (ii) give parental notice and obtain consent before allowing children to upload photos of themselves or other children, or (iii) ensure that any persistent identifiers collected pursuant to the child’s upload are used only to support internal operations of the app.

 What should I do about information I collected from children prior to the effective date of the new Rule that is now considered ‘personal information’?

The answer depends on the type of “personal information” collected by a site or online service operator:

• Geolocation Information:  if you collected geolocation information of a child without parental consent, you must obtain that consent immediately.
• Photo, Video, or Audio Files Containing a Child’s Image or Voice: you do not need to obtain parental consent for such files collected prior to the new Rule’s effective date, but must do so for any collected as of July 1, 2013. 
• Screen Name or User Name: the new Rule considers a screen name or user name to be personal information if it “permits direct contact with a person online.” If you have (or will have) collected such a screen name or user name prior to July 1, 2013, you must obtain parental consent for that collection, and, as of that date, you must also obtain such consent before using any previously-collected screen name or user name by associating new personal information.     
• Persistent Identifiers: Parental consent is not required to use a persistent identifier collected prior to the effective date, but if you collect or associate new information with such an identifier as of July 1, 2013, you must obtain such consent.

The new COPPA FAQs cover a variety of other issues and merit careful review by operators in consultation with their legal counsel.  The new Rule’s provisions are complex and, even as clarified by the revised FAQs, contain ambiguities, and given the FTC’s aggressive posture with respect to COPPA enforcement, the FAQs and the Rule itself demand substantial attention.

- Nancy Perkins and Brittany McClure

On April 29, 2013, FDA Deputy Commissioner for Foods and Veterinary Medicine Michael Taylor issued this brief statement:

The only time that FDA explicitly approved the added use of caffeine in a food was for cola and that was in the 1950s. Today, the environment has changed. Children and adolescents may be exposed to caffeine beyond those foods in which caffeine is naturally found and beyond anything FDA envisioned when it made the determination regarding caffeine in cola. For that reason, FDA is taking a fresh look at the potential impact that the totality of new and easy sources of caffeine may have on the health of children and adolescents, and if necessary, will take appropriate action.

Deputy Commissioner Taylor was responding to a new product launched by Mars Inc.’s Wrigley brand -- a caffeinated gum called Alert Energy. Each Alert Energy package claims that the caffeine in one piece of gum is the equivalent of half-a-cup of coffee, giving each eight-piece pack the potency of four cups of coffee. While the use of caffeine additives in a wide range of products is not new, the introduction of caffeinated gum may represent the tipping point when the proliferation and ubiquity of caffeinated products, from jelly beans to potato chips to trail mix, has simply overwhelmed the long-standing regulatory status quo. 

Though Wrigley’s Alert Energy website states that the gum is “[n]ot recommended for children or persons sensitive to caffeine,” Deputy Commissioner Taylor expressed concerns about “the totality of new and easy sources of caffeine . . . .” Interpreting exactly what his statement means or exactly what FDA will do next requires reading some tea leaves. Broadly speaking, however, Deputy Commissioner Taylor’s statement suggests that before changing its overall regulatory strategy or enforcement priorities, FDA will undertake a comprehensive review of categories of commonly caffeinated foods to determine the cumulative potential effects of these products. On May 3, FDA announced it will undertake this review, considering factors like consumption levels, rates and, patterns among specific populations, particularly children and adolescents.  The review will likely consider other information such as the available scientific data on toxicity, behavioral effects, and other health effects across the specific categories of foods with caffeine additives.

It is unclear at this point what, if any, “appropriate action” FDA may take if it makes adverse findings regarding the health effects of caffeine additives on children. FDA could, for example, impose more stringent requirements on the marketing and sale of products containing caffeine additives. FDA may also increase enforcement activity against particular products that raise health concerns related to caffeine additives. This Blog will continue to monitor the FDA’s progress and provide updates on developments as they occur.

Update (5/9/2013): Following discussions with FDA, Wrigley announced on May 8 that it would voluntarily and temporarily suspend the production and sale of Alert Energy gum.  Wrigley explained that this decision was designed to give the FDA space to develop a new regulatory framework for caffeine additives. The President of Wrigley North America, Casey Keller, stated, “There is a need for changes in the regulatory framework to better guide the consumer and the industry about the appropriate level and use of caffeinated products.” Deputy Commissioner Taylor lauded Wrigley’s decision, which he believed “demonstrates real leadership and commitment to public health.”  He expressed hope that others would follow Wrigley’s lead. 

- Vernessa Pollard and Seth Wiener

The Opinion reflects the fact that apps have become increasingly popular in recent years, with a reported 1,600 new apps being added to app stores daily and with the average smart device users downloading 37 apps.  Reams of personal data may be processed when users use a mobile app, from the personal data contained on the smart device on which the app is loaded and from the app itself (e.g. photos, contacts, location data, billing information, browsing hisroty, email, SMS, call log etc.).  Developers may be able to collect personal data continuously and seamlessly and access and write contact data, send email, SMS, record audio, use the camera and prevent the smart device from sleeping via mobile apps.  However, despite apps processing significant volumes of personal data, the Working Party considers that many apps and app developers are not complying with EU data protection legislation, particularly rules on consent, transparency and security. Indeed, a study commissioned in June 2012 showed that only 61.3% of the top 150 apps had a privacy policy at all.

To that end, the Working Party has put forward a range of recommendations for each of the parties involved in the development and distribution of apps, from the app developers to the smart device and operating system (e.g. Android, Win8) manufacturers and the app stores.

You are an app developer based outside the EU, do you need to comply?

In a word, yes. A key finding of the Working Party is that the EU rules (currently Directive 95/46/EC as implemented by the 27 EU Member States’ national laws) do apply to any app which is targeted at users within the EU, regardless of the location of the app developer or app store. This is because the Directive (and the national legislation implementing the Directive) bites where data controllers use “equipment” in the EU for the processing of personal data and, in the case of mobile apps, the smart device on which the app is installed and used is treated as the relevant “equipment” for processing personal data.  Therefore a US app developer offering its app for sale/download to customers within the EU would need to comply with EU rules.

 What are the key findings/recommendations?

• Clear information: the Working Party is concerned with the lack of information about data processing made available to users (e.g. the types of data processed, the purposes for processing and data retention periods). This should be made available in a clear and unambiguous format prior to installation of the app (e.g. in the app store) and apps/app developers should not alter the purposes or types of data collected without seeking further consent from the end-user. Essential information about data processing should also be contained within the app following installation, for example in a privacy policy. A layered or “granular” approach for data protection notices is preferable (e.g. several pop-up boxes allowing users to consent to processing of certain types of data but refusing others).
• Consent: when installing an app, certain information may placed on the device (e.g. “cookies” or similar tracking technology). Users should be given the choice to accept or refuse these and to accept or refuse the processing of their personal data, e.g. via a “Yes, I accept” option during installation of the app.
• Security: app developers, app stores, operating system and device manufacturers and third parties should ensure that they have appropriate organisational and technical measures to ensure the security of the data they process. They should adopt a “privacy by design” and “by default” approach.  
• Outsourcing arrangements/arrangements with third parties: app developers may outsource some or all of their data processing activities to a third party (e.g. external data storage provider, customer service provider, analytics providers etc.). Data controllers must ensure that the third party complies with applicable EU rules when it processes data on their behalf, for example via a data processing agreement.
• Children: the Working Party appreciates that certain apps are designed for and target children specifically. However, app developers and other data controllers should pay attention to national age limits for processing personal data without parental consent (this may vary between 12 and 18 depending on the EU Member State) and consider the child’s level of understanding of data processing. Where relevant, parental consent to processing should be obtained.

The Opinion offers some useful guidance for all the relevant players involved in app development and distribution, in particular the need to provide clear and unambiguous information about data processing up front (on the app store and in app) and to ask for consents prior to installation, but perhaps of most interest is the confirmation that non-EU apps must comply with the EU rules where they are installed/used by users in the EU. The Opinion also refers specifically to the new concepts of “privacy by default” and “by design” which were introduced by the draft data protection Regulation (which will, if and when adopted, replace Direct 95/46/EC), and which would broadly require app developers to build in compliance with the EU data protection law by design, rather than tacked on as an afterthought. 

- Richard Dickinson and Gemma Davies

To conduct its study, the Commission arranged for unaccompanied 13-to 16-year-old “mystery shoppers” to attempt to purchase tickets to R-rated movies, R-rated DVDs, unrated DVDs that were R-rated when first released in theaters, music CDs bearing a Parental Advisory Label (PAL) for explicit content, and M-rated video games from theaters and major retailers across the country.  These voluntary ratings are developed and administered by self-regulatory bodies of the movie, music, and electronic game industries, including the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and the Entertainment Software Rating Board (ESRB), respectively.

The study found that video game retailers were the strongest enforcers of industry ratings, with only 13 percent of underage shoppers able to purchase M-rated video games, as was the case in 2010.  Movie theaters showed significant improvement, with 24 percent of underage shoppers able to purchase tickets to R-rated movies, down from 33 percent in 2010.  Thirty percent of underage shoppers were able to buy R-rated DVDs, versus 38 percent in 2010, and 30 percent were able to buy unrated DVDs, versus 47 percent in 2010.  Finally, 47 percent of underage shoppers were able to purchase PAL-labeled CDs, down from 64 percent in 2010 and 72 percent in 2009.

This is the Commission’s seventh such survey since its initial report to Congress in 2000 on the marketing of violent entertainment to children by the movie, music, and electronic game industries.  In the 2000 report, the FTC recommended that the industries enhance their self-regulatory programs by (1) prohibiting target marketing to children and imposing sanctions for violations; (2) increasing compliance with rating systems at the retail level; and (3) increasing parental understanding of the ratings. Since then, the Commission has monitored the industries’ progress and in 2009, then-Chairman Leibowitz commended the strides made by the movie and game industries, which included theaters and game retailers “significantly stepp[ing] up their enforcement of the ratings.”  The Commission this year noted that “for first time since the FTC began its mystery shop program in 2000, music CD retailers turned away more than half of the undercover shoppers.”  Overall, it appears that the industries’ efforts to enhance their self-regulatory programs in connection with the FTC’s recommendations have produced results, as the Commission found “continued progress” in reducing sales to underage shoppers.

- Anita Kalra

The FTC warns parents of “4 things your kid’s apps might do--but might not tell you”:

• Mobile apps may collect and share personal information.  The FTC’s second survey on mobile apps marketed to children found that while 59% of the apps surveyed collected and shared personal information, only 11% disclosed that fact.

• Even free apps may permit children to make in-app purchases.  Fully 84% of children’s apps that enable purchases within the app are free for the initial download.

• While 54% of the apps surveyed contained advertisements within the app, only 9% disclosed the presence of ads.

• Similarly, 22% of apps link to social media sites such as Facebook and Twitter, but only 9% of the apps surveyed disclosed this practice.

The FTC advises parents to review carefully the content of the app, change phone or tablet settings to prevent children from downloading inappropriate content or making inadvertent purchases, and spend time using the app with children.

While the graphic does not provide any truly new information, its release is noteworthy because it is one in a number of FTC efforts over the past couple years regarding mobile app privacy and marketing concerns (see our previous posts here, here, here, here, and here).  With so much focus on the mobile apps marketplace, it is an ideal time to remind app developers and would-be-developers that, as the FTC warned in its December 2012 Report, the agency is launching non-public investigations to determine if there have been any violations of the Children’s Online Privacy Protection Act or Section 5 of the FTC Act in the marketplace, and that companies that have failed to implement the recommendations from the FTC’s February 2012 Report may find themselves facing potential deceptive practices claims.  So, while the target audience of the new information graphic is consumers, as the FTC recommends “savvy app developers will want to take a look, too.”

- Lauren Peay

ICANN has launched a Trademark Clearinghouse to help trademark owners protect their trademarks. A trademark owner who submits its registered trademark to the Trademark Clearinghouse via ICANN’s website will be provided with two useful services. The first of these services, called the “Sunrise Service,” gives trademark owners a head start by allowing them to register domain names incorporating their trademarks and a new gTLD before anyone else. The second service, the “Trademark Claims Service,” notifies a third party if it is registering a domain name in which the letters to the left of the “dot” are identical to a trademark recorded in the Trademark Clearinghouse. Although the Trademark Claims Service does not block a third party from registering a domain name that incorporates a trademark, it places potential infringers on notice that their domain name does include a trademark.  The owner of the trademark recorded in the Clearinghouse is then notified of the potentially infringing domain name.  

More details about ICANN’s Trademark Clearinghouse are available in a recent Arnold & Porter advisory, available here.

- Roberta Horton & Amie Medley

The FTC launched this challenge in response to a growing number of complaints by American consumers facing a tireless barrage of unwanted, and often deceptive, prerecorded telephone messages called robocalls. Companies today are using sophisticated computer software, namely autodialers, to send thousands of these prerecorded telephone calls every minute for a low cost.  Both the FTC and FCC regulate robocalls.

In 2012, the FCC adopted changes to its telemarketing rules to align them with the FTC’s rules.  (We blogged about these proposed changes here.)  In short, companies who want to make prerecorded commercial telemarketing calls must have written permission to do so even if there is an established business relationship. Some calls, such as purely informational calls, political calls, and calls from charities themselves, for example, do not fall under the robocall rules. Not only are commercial robocalls illegal and annoying, but the FTC warns consumers they may be scams offering fraudulent credit card services, auto warranty protection, or grant procurement programs. What about the national Do Not Call Registry, you might ask?  According to the FTC, scammers ignore such social conventions. 

With new technology making illegal robocalls pervasive comes the possibility of innovative ideas to combat the problem. Serdar Danis and Aaron Foss tied for the grand prize of Best Overall Solution, after an evaluation based on three criteria: (i) whether the proposal works (ii) whether it is easy to use, and (iii) whether it can be implemented. Each will receive $25,000 for his proposal, which both work by intercepting and filtering “blacklisted” robocaller phone numbers, thus preventing the illegal calls from ringing through to the end user.  Mr. Danis’s proposal, Robocall Filtering System and Device with Autonomous Blacklisting, Whitelisting, Graylisting and Caller ID Spoof Detection, uses software which could be implemented as a mobile app, an electronic device in a user’s home, or a feature of a provider’s telephone service to analyze and block illegal robocalls.  Mr. Foss’s proposal, Nomorobo, suggests using a cloud-based solution with “simultaneous ringing,” allowing incoming telephone calls to be routed to a second phone line that would identify and hang up on illegal robocalls before they reach the end user. 

Additionally, Daniel Klein and Dean Jackson from Google won the Robocall Challenge Technology Achievement Award, a non-cash prize available to organizations that employ 10 or more people, with their Crowd-Sourced Calls Identification and Suppression Solution.  All three winning proposals would use automated algorithms to identify spam callers.  It is unclear at this time whether any of the winning ideas will be developed to combat the problem of illegal robocalls.

- Brittany McClure and Michael Levin

In an opinion authored by Justice Scalia and joined by Chief Justice Roberts and Justices Kennedy, Thomas and Alito, the Court began by reaffirming the standards that apply when determining whether Rule 23’s requirements are satisfied.  In accord with its 2011 decision in Wal-Mart v. Dukes, the Court explained that parties must satisfy the requirements for class certification with “evidentiary proof” and that courts must undertake a “rigorous analysis” when evaluating whether those requirements are met, even if that analysis overlaps with the merits in the case. The Court continued by holding that a party seeking class certification must offer a class-wide means for calculating damages. The Court then explained that the plaintiffs in Comcast had failed to do this.  As the Court explained, “under the proper standard for evaluating certification, respondents’ model falls far short of establishing that damages are capable of measurement on a classwide basis.” 

Comcast is a profoundly significant and positive development for companies facing class actions.  In holding that a plaintiff seeking certification of a damages class under Rule 23(b)(3) must establish, through “evidentiary proof,” that damages can be measured on a classwide basis, Comcast imposes a significant hurdle to certification in cases where individual damage calculations are required.  Comcast also makes clear that the trial court must probe the merits of the claim at the certification stage to ensure that the method for measuring damages (or for proving other elements of their claims) fits the plaintiffs’ theories of liability and is not arbitrary.  The Court’s decision will make it substantially more difficult for many purported class actions to obtain certification, and will render vulnerable many classes that have already been certified. 

Comcast also should make it more challenging for plaintiffs bringing consumer fraud claims to obtain class certification. Indeed, earlier this week, the Supreme Court confirmed that Comcast is relevant outside of the antitrust context and could present obstacles to class-wide treatment of consumer protection claims when it vacated the decision in In re Whirlpool Corp. Front-Loading Washer Products Liability Litigation and instructed the Sixth Circuit to revisit, in light of Comcast, whether that case could go forward as a class action.

Whilrpool is a lawsuit brought by purchasers of certain Whirlpool washing machines who claim those machines were defective. The lawsuit claims that, as a result of certain design features, residue accumulates in the brands of washing machines which can cause mold and mildew to grow inside the machines, resulting in ruined laundry and offensive odors. The trial court certified a class of all Ohio consumers who had purchased these washing machines for domestic use.  Whirlpool argued that treating all purchasers of these washing machines on a class-wide basis would be improper for several reasons, including that many consumers never experienced a mold problem and that consumers’ laundry habits and experiences with the machines varied widely. Despite such differences, the lower courts concluded that class certification was appropriate. The trial court explained that whether some consumers had not experienced a mold problem was a merits question that did not prevent it from certifying a class.  The Sixth Circuit also rejected Whirlpool’s argument that many consumers never experienced a mold problem, explaining that “the class plaintiffs may be able to show that each class member was injured at the point of sale upon paying a premium price” even if their machines had not manifested a defect. 

Although it is not entirely clear what the Sixth Circuit will do now that the Supreme Court has returned the case to it, defendants certainly have arguments that the lower courts’ approach violated the standard set forth in Comcast. For instance, Comcast holds that plaintiffs must come forward with “evidentiary proof” to satisfy the requirements of Rule 23, and cannot offer only an assurance that they “may be able” to prove something at trial. Moreover, Comcast holds that, for a class action seeking damages to proceed, those damages must be capable of class-wide resolution. The company thus can argue that individual damages questions, among other things, prevent plaintiffs’ claims from proceeding on a class-wide basis.  

Whatever direction the Sixth Circuit takes, the fact that the Supreme Court sent the case back to the lower courts based on Comcast makes one lesson clear: Comcast will have significant implications for class actions seeking monetary damages in many contexts, including consumer fraud cases. 

- Jamie Speyer, David Kouba, and Kelly Smith

Recent SEC regulations require a broad range of consumer products companies in industries from electronics and manufacturing to retailers to trace through their calendar-year 2013 supply chains and determine whether certain minerals in their products originated in the Democratic Republic of Congo or surrounding countries. Come learn about how to comply with these regulations, the current state of litigation, and what your company can do to stay ahead of the curve, including considerations around the independent private sector audit (IPSA) requirement. The seminar will answer the following questions:

• How does my company determine whether it is subject to the conflict minerals regulations?
• If it is, what should my company do to comply with those regulations?
• Has my company put adequate procedures in place to ensure it has enough information to complete an SEC filing on the issue if necessary?
• What are the latest developments in industry relating to compliance with the regulations?

The event features John Gabriel, Manager, Supply Chain Social Responsibility at IBM & Immediate Past Chair of the Electronics Industry Citizenship Coalition, Inc., and, Kristen Sullivan, Partner, Deloitte & Touche LLP. Also on the panel will be Mara V.J. Senn, Partner at Arnold & Porter. The event will be moderated by Sam Witten, Counsel at Arnold & Porter.

The event will take place on April 9, 2013 at 8:30am EDT. If you interested in viewing the event via webinar or attending in-person at Arnold & Porter's New York Office, click here. New York CLE Credit is pending.

Similar to the original guidance, the updated version emphasizes that consumer protection laws apply across all marketing platforms and devices, including print, TV, Smartphones, Facebook, and Twitter.  Just because our ads are coming to us on shinier, smaller, or faster devices, some things will remain old school--like Section 5 of the FTC Act.  Advertisers should not lose sight of the most basic principles, like clear and conspicuous disclosures, simply because the mediums on which they advertise have changed and continue to change.  

Sticking with the basics, the new guidance reminds advertisers that disclosures that must be made in order to keep claims from being deceptive must be clear and conspicuous and made prior to a consumer’s decision to buy (i.e., before they click “Add to Cart”).  Although there is no one-size-fits-all approach to disclosures, the following factors come into play:  proximity; placement; prominence; presence of distracting elements; the need for repetition; and using language understandable to the intended audience.

In a new take on the old, the guidelines state that if a disclosure won’t work because of the device or platform on which the claim is being advertised, the claim should be modified or shouldn’t be made on that device or platform.  Advertisers should also evaluate how their ads look across a range of devices, and create mobile versions or use responsive design when necessary.  In short, if the disclosure won’t fit, you must quit (considering that ad).  Simple as that--technological limitations will not be an excuse for running afoul of basic truth-in-advertising principles. 

Additionally, the new guidance says that disclosures should be “as close as possible” to the triggering claim they qualify.  Ideally, qualifying information should be incorporated into the claim itself.  If that isn’t practical, .com Disclosures provides guidance on making effective disclosures.  For example, building on past guidance regarding the use of hyperlinks to lead consumers to relevant disclosures, the new guidance recommends that advertisers label hyperlinks as specifically as they can to make their importance and relevance clear and make them effective across various media and devices.  Moreover, using links may not be sufficient, particularly if the advertised product is available in brick-and-mortar stores or from online retailers other than the advertiser--consumers should be presented with relevant disclosures in the ad text itself before going shopping in a store or at another online retailer.  In addition, the FTC cautions against putting disclosures in pop-ups, which may be blocked or just ignored.  In keeping with the original guidance, advertisers are also advised to avoid using hyperlinks for disclosures integral to the claim, such as those about product costs or health and safety issues.  The guidelines also caution advertisers about consumers needing to scroll to find disclosures.  According to the guidance, consumers shouldn’t have to scroll down the page to find disclosures.  But, if scrolling is necessary, the ad should contain visual cues to prompt consumers to scroll down or make the disclosures unavoidable--i.e., require the consumer to scroll through them before moving on.  Finally, although the guidelines say that advertisers are not required to utilize tools that can help monitor the effectiveness of disclosures, such as hyperlink click-through rates, the FTC advises advertisers not to ignore the data they do have.

The new guidelines include examples specific to the world of “tweeting.”  Using a fictional celebrity endorser, the .com Disclosures note that a tweet endorsing a product with merely a link to the product’s website is insufficient.  Celebrity tweeters still have to follow the requirements laid out in the Endorsement and Testimonial Guides, which we blogged about here and here.  Those Guides state that celebrities have a duty to disclose their relationships with advertisers outside the context of traditional ads (like Twitter).  It should be clear to followers if a celebrity is being compensated for a product or service they’re talking about on social media.  According to the FTC, these types of endorsements should clearly denote that it they are advertisements.  The new guidelines go further, noting that using “Ad” or “Sponsored” at the beginning of a tweet would likely be sufficient, but that the use of hashtags to indicate that a tweet or post is sponsored (i.e., #spon, #paid or #samp) may not be.  Depending on the content of the sponsored tweet, the tweet may also need to disclose typical results for the product in accordance with the Endorsement Guides.  Using links to make disclosures in tweets may not be sufficient for the reasons discussed above.

In recent years, the FTC has made an effort to update various guidance documents to account for changes in the mobile marketplace and advancements in advertising that have arisen in the new digital age. The new .com Disclosures specifically address some of the issues advertisers face in this age of new technology and social media.  While acknowledging that these guidelines will prove challenging to advertisers, the agency has stuck to its consistent message--necessary disclosures are required, regardless of how you’re conveying your message and deceptive advertising will not be tolerated.            

- Matthew Shultz & Danielle Garten

In the decision, Justice Milton Tingling of the State Supreme Court was persuaded by arguments made by the petitioners seeking to enjoin the implementation and enforcement of § 81.53 of the New York City Health Code. Justice Tingling first found that the regulation violates the constitutional separation of powers in New York State, as governed by the Boreali v. Axelrod. The court noted that “[t]he Rule would not only violate separation of powers doctrine, it would eviscerate it.”  Id. at 35.

Justice Tingling went on to hold that the administrative regulation was “arbitrary and capricious because it applies to some but not all food establishments in the City, it excludes other beverages that have significantly higher concentrations of sugar sweeteners and/or calories on suspect grounds, and the loopholes inherent in the Rule, including but not limited to no limitations on re-fills, defeat and/or serve to gut the purpose of the Rule.”

While the Bloomberg administration decides whether to appeal the decision, legislators in Mississippi are doing their best to ensure that a regulation like the Portion Cap Rule never sees the light of day in their hometowns. Last Tuesday, the Mississippi legislature passed a bill, known as the “Anti-Bloomberg Bill,” barring counties and towns from enacting rules that require the posting of calorie counts, cap portion sizes, or prohibition of “consumer incentive items” such as toys in kids’ meals.  The bill is expected to be signed by the Mississippi governor Phil Bryant.

We have previously reported on the struggles of implementing government regulation on food, including the FDA’s recent national menu labeling and calorie content rules. It remains to be seen whether the apparent failure of Mayor Bloomberg’s initiative is a mere hiccup in an increasing trend of government intervention in public health, or whether the decision (and measures such as those potentially implemented in Mississippi) signals a stronger backlash against such government regulation.

The question of a zip code’s status was among three questions certified to the Court in Tyler v Michaels Stores, a class action filed in federal district court by a plaintiff who claimed the defendant retailer illegally collected and used her zip code information to send her unsolicited marketing materials.  According to the complaint, a Michaels Stores employee asked the plaintiff for her zip code while she was using her credit card to pay for a retail purchase. Allegedly under the mistaken impression that the zip code was required to complete the credit card transaction, the plaintiff provided her zip code.  Michaels allegedly used the plaintiff’s zip code, together with the plaintiff’s name, to find her address in publicly available databases, and then mailed her unwanted and unsolicited marketing materials. 

The federal district court, taking the allegations of the complaint as true for threshold legal interpretive purposes, held that Michaels Stores’ alleged conduct violated a Massachusetts statute prohibiting a business from recording on a credit card transaction form any “personal identification information” not required to complete the credit card transaction. However, the district court determined that the state law interpretations required to reach that holding were sufficiently complex and important to merit consideration by the state’s highest court. The district court thus certified the zip code status question, as well as two other questions (“may a plaintiff bring an action for this privacy right violation absent identity fraud?” and “may the words ‘credit card transaction form’ refer equally to an electronic or paper transaction form?”) for review by the state court.

In its recent decision, the Massachusetts Supreme Judicial Court found that a consumer’s zip code constitutes “personal identification information” for several reasons, largely informed by current-day realities of information availability and the public policy goals underlying the Massachusetts statute.  The statute lists addresses and telephone numbers as non-exhaustive examples of “personal identification information.”  The court reasoned that the purpose of the statute -- to protect consumer privacy -- would be undermined by interpreting “personal identification information” to exclude a consumer’s zip code, as that would effectively mean a merchant could simply collect a consumer’s zip code and use it, together with the consumer’s name, to identify through publicly available databases, and then record and use, the consumer’s address or telephone number. (On the other two certified questions, the court held that a consumer may bring a claim under the statute even if she is not the victim of identity fraud (but cannot prevail without showing actual injury from the unlawful collection of the zip code) and that the statute applies equally to both written and electronic credit card transactions.)

The reasoning of the Massachusetts Supreme Judicial Court in Michaels Stores is similar to that of the California Supreme Court in its 2011 decision in Pineda v. Williams-Sonoma Stores, Inc. In Pineda, the California Court similarly opined that permitting a retailer to obtain a consumer credit card holder’s zip code, when obtaining the consumer’s address or phone number is an express violation of state privacy law, would allow an “end-run” around that law, because zip code information could then “easily be used to locate the cardholder’s complete address or phone number.” As we wrote at the time, the Pineda decision has “broad exposure implications” for business, as it means that virtually any information pertaining to a consumer may be “protected” under state credit card privacy laws.  The Massachusetts decision underscores this point, and indicates that courts may be increasingly willing to interpret consumer privacy laws broadly to take account of the possibilities for accessing extensive personal information using bits and pieces of data that, in and of themselves, may be innocuous from a privacy perspective.

- Nancy Perkins and Daniel Stuart

Image courtesy of Brianga via Wikipedia Commons / CC-BY-SA-3.0

Under the agency’s proposed regulation, a food may be labeled “gluten-free” if it contains less than 20 parts per million (ppm) gluten.  The < 20 ppm standard is based in part on the lowest level at which currently available test methods can reliably detect gluten (although FDA has indicated in a Q&A document that it would be open to reconsidering the threshold if more sensitive methods become available). It is also consistent with the 20 ppm standard adopted by the European Union.

FDA first proposed its definition in January 2007. After years passed without any further rulemaking, and in the face of mounting criticism including by two US senators,FDA re-opened the proposed rule to public comment in August 2011. Simultaneously, the agency invited comment on its study of the adverse health effects of gluten exposure to individuals with CD, which found that a 0.01 ppm threshold would be protective of even the most highly sensitive individuals. As explained in the proposed regulation, FDA concluded that the study should not be used to define “gluten-free” because “the estimation of risk to individuals with celiac disease associated with very low levels of gluten exposure may be conservative and highly uncertain.”  FDA expressed concern that a threshold lower than < 20 ppm could cause food manufacturers either to label fewer foods as gluten-free or raise the price of foods so labeled, thereby making it harder for people with CD to adhere to a gluten-free diet.

The proposed rule is now with OIRA for final approval before it can be enacted.  The rule has been deemed “economically significant,” meaning that it is expected to have annual impact on the economy of $100 million or more.  While this designation may prioritize review of the rule, it may also invite greater scrutiny. 

- Anita Kalra and Matthew Shultz 

To avoid false or misleading claims about your app, the FTC recommends:

• Telling the truth about what your app does.
• Having a reasonable basis for the claims you make about the app.  The level of proof this requires varies.  For example, health-related claims generally require competent and reliable scientific evidence, which could mean clinical studies.
• Clearly and conspicuously disclosing important information about your app (i.e., not buried in fine print or hidden behind vague links).  This may include important terms and conditions for your app, risk information or limitations on use, or clarifying information necessary to avoid making a misleading claim.
• Looking at your app from the perspective of a reasonable consumer, when evaluating your app against these recommendations.

• Practice privacy by design by incorporating privacy concepts throughout the app’s lifecycle.  When setting defaults, ask whether a reasonable consumer would expect such information to be collected by your app as the default.
• Be clear and transparent about what data the app collects and uses, and what you do with the data -- and live up to the promises you make.
• Offer consumers choices about their privacy, and get affirmative consent to collect sensitive information, such as medical, financial, and geolocation information, or before making material changes to your privacy practices.
• Protect consumer’s privacy by taking reasonable precautions to known security threats, limiting access to data to a need-to-know basis, limiting the data collected, and safely disposing of data when it is no longer needed.

While there is nothing earth-shattering in the video, it is a short and informative summary of consumer protection principles applicable to mobile apps that is well worth app developers’ time.  If anything, the video illustrates FTC’s continued interest in mobile app marketing, which may signal greater enforcement in the coming months.

- Vernessa Pollard & Matthew Shultz

Beyond the costs of paying for the text messages, the FTC is also upset over the mechanisms used by the marketers to extract sensitive information from these consumers through deceptive messages about “free gifts.”  The schemes allegedly worked like this: consumers get a text message telling them they are the lucky winners of a free prize like a gift card to a big name retailer like Best Buy or Target.  After clicking on the link in the text to claim the gift, consumers are plunged into a confusing morass of offers and sign-ups.  After being sent to a third party site (which still promised the amazing prize), consumers were forced to participate in various other offers, many of them requiring sensitive personal information, or even a credit application.  According to the Agency, consumers were often required to sign up for over 10 other offers in order to qualify for the ultimate prize.  In some situations, in order to get their gift card, consumers had to find three other people to sign up for the same offers.  In most instances, it wasn’t possible for people to access the promised gift without paying money for some other, unaffiliated offer. 

The Agency is alleging that these marketers violated the FTC Act by not telling consumers about the various conditions required to access their “free” gift, including the fact that they might actually have to spend their own money.  The sensitive information gathered by the third party site was, according to the FTC, sold to other entities for marketing purposes, meaning consumers were allegedly further deceived as to the actual use of the information collected.  None of this information was disclosed in the original text message.

One of the defendants, Philip Flora, was previously barred for life from sending spam text messages like these.  The FTC is pursuing a separate contempt action against him for allegedly being part of this current scheme as well. 

According to the FTC, the defendants who sent the texts were paid by those that run the “free gift” websites based on how many people actually entered their personal information.  These operators were paid by the businesses who gained subscriptions or customers through the various offers consumers signed up for in order to try to claim their prize.  As noted in this blog previously on multiple occasions, those who offer “free” merchandise or services need to take care to follow FTC guidelines on making such offers, on pain of possible unfair practice charges.  These complaints also point out the importance of living up to promises made about how consumers’ information is used. 

- Danielle Garten and Gabriel White

The FTC has defined mobile payments broadly to “include[ ] technologies and products in which a payment is made using a mobile device, such as payments made through Near Field Communication (NFC) technologies, mobile apps, online checkout wallets, and mobile carrier billing.”  At the April 26 workshop, participants identified multiple ways in which these technologies benefit consumers.  In addition to the convenience of payment, mobile payment makes it easier for consumers to use coupons or loyalty programs. In the new report, FTC staff also acknowledged that “[m]obile payments . . . may provide under-served communities with greater access to alternative payment systems.”  An alternative payment system also benefits businesses, who may see lower transaction costs thanks to consumers choosing to pay with their mobile devices, not their credit or debit cards.  More broadly, “[m]obile payments may also spur competition among payment methods, benefitting consumers and merchants alike.”

Where the workshop took a balanced approach to benefits and drawbacks, the new report focuses almost entirely on the risks and concerns the workshop panelists identified: dispute resolution; consumer data security; and privacy. One of the greatest benefits mobile payments provide to both consumers and businesses -- flexibility -- is the source of the problem for dispute resolution, specifically the web of statutory requirements that may protect some consumers or businesses, but not others, and certainly not in the same ways. For example, a fraudulent transaction involving a credit card has a statutory liability cap of $50, but if the same transaction involves a gift card, the FTC Act, the FTC’s general consumer protection mandate, is the sole statutory protection (the Consumer Financial Protection Bureau has proposed a rule related to gift card laws and the FTC has commented). The FTC is evaluating whether to implement “consistent protections across mobile payments,” and, as it does, urges businesses to “develop clear policies regarding fraudulent and unauthorized charges and clearly convey these policies to consumers.”

The FTC singles out mobile carrier billing for special attention. Like gift cards, there are no specific statutory protections for consumers who find fraudulent third-party charges on their phone bills, a practice known as “cramming.” The new report notes an FTC comment to the Federal Communications Commission (“FCC”) that “consumers should be able to block all third party wireless charges” and should have “clear[ ] and prominent[ ]” service provider information about third-party charges and how to block any unwanted charges.  The FTC also wants providers to establish a clear dispute resolution system.  The FTC will host a workshop on mobile cramming on May 8 to assess the breadth of potential solutions to cramming, including those that industry stakeholders have provided to the FCC. 

The FTC report also refers to a Federal Reserve study that found data security to be a chief consumer worry related to mobile payments. The FTC encourages “all companies in the mobile payments chain” to adopt safeguards like end-to-end encryption and dynamic data authentication, reminding businesses that harm to consumers due to a data breach can not only harm the reputation of the business, but also can trigger liability under state or federal data security laws. 

A frequent concern of the FTC, the report highlights the privacy anxieties associated with the distinction between data collection capabilities in “traditional” and mobile payments.  In a traditional payment, data is split among the merchant (purchase) and the credit card company or bank (contact information; location of purchase). No one entity has all of the purchaser’s information. Mobile payments add many new players at each step of the payment chain and provide a “mobile payments ecosystem to gather and consolidate personal and purchase data in a way that was not possible under the traditional payments regime.” Such collection and consolidation is not inherently bad, but it does raise the potential for increased risks to consumer data privacy. To help protect consumer privacy and ease privacy concerns, the FTC previously offered three privacy principles in its March 2012 report Protecting Consumer Privacy in an Era of Rapid Change (as this blog described).  The FTC continues to encourage businesses to follow these principles of “privacy by design,” consumer choice, and transparency in a new mobile payments report.  

As it develops a more complete framework for mobile payments, the FTC is looking to the experiences of other countries for both the manner in which the mobile payments systems operate as well as the manner of their regulation.  The new report includes short descriptions of practices or policy proposals in other countries and by multinational organizations, indicating which models the FTC may explore in determining how to address the consumer privacy, security, and trust issues that arise as mobile payment technology develops.

- Nancy Perkins and Seth Wiener

The Oceana study, conducted from 2010 to 2012, is one of the largest reported seafood fraud investigations to date. The group collected 1,247 samples from 674 retail outlets in 21 states. Genetic identity was determined for 1,215 of the samples, and of those, it was found that approximately one-third were mislabeled.  Mislabeling rates varied greatly among the types of seafood involved, with fish sold as “tuna” and “snapper” having the highest mislabeling rates.

In describing the methods used for the study, Oceana stated that it considered a fish sample to be mislabeled if “seafood substitution occurred or if retailers were not following the [FDA] Seafood list.”  The FDA’s Guide to Acceptable Market Names for Seafood Sold in Interstate Commerce provides guidance to the seafood industry on the labeling of different species. The FDA makes it clear that its Seafood List does not establish legally enforceable responsibilities per se in labeling. However, seafood mislabeling can be actionable under the Misbranding Section of the Federal Food, Drug, and Cosmetic Act, and under state statutory and regulatory provisions, as well as the common law.

Some critics of the study have suggested that Oceana overstates the mislabeling issue, noting that different vernacular names are used for the same type of fish in different regions of the country.  In fact, this illustrates the pitfalls that even well-meaning retailers may face in attempting to label their seafood so as not to mislead. Thus, the FDA itself comments that a vernacular name, even if common in a particular region, may not be acceptable as a market name for use in interstate commerce.  When it comes to seafood, it’s not only the quarry, but the name of the quarry that can be elusive. 

The obvious injury from seafood mislabeling is that customers will be duped into paying more than they should for what they are actually getting. But depending on the particular species involved, mislabeling can also defeat customer attempts to choose sustainable seafood options. Fishery sustainability is a growing concern of many conservation-minded consumers. In response, conservation organizations have published pocket guidelines for consumers to use in making their seafood choices; and some grocery stores and restaurant groups have taken to promoting  their seafood sourcing policies to attract environmentally-conscious customers.  In a prior post, we discussed how seafood sustainability certifications themselves may be misleading consumers in this regard.  Inasmuch as any certification process necessarily depends on accurate labeling of the product being sold, seafood mislabeling has the potential to exacerbate the problem.

- Christina Brenha and Dirk Schenkkan

What is online behavioural advertising?

Online behavioural advertising (OBA) is the use by advertisers of information collected about a web user’s online behaviour, for example what websites they browse, links and adverts they click on, search terms entered etc., to generate adverts tailored to that individual’s identified interests and preferences. In practice it means that one user will be served different website advertising to another based on their previous browsing history.

OBA is usually done through the use of “cookies” (small data files which are served on users’ browsers and devices when they visit a website), so these new rules, which will be enforced by the UK Advertising Standards Authority (ASA), work to supplement and complement existing legislation on cookies and other tracking technologies, namely the E-Privacy Directive (2009/136/EC) which is implemented in the UK via the Privacy and Electronic Communications (EC Directive)-Amendment Regulations 2011 (the PEC Regulations). Broadly, the PEC Regulations require that cookies and any similar tracking technology can only be placed on computers/devices where the user has given their informed consent (e.g., via an ‘opt-in’) to the collection of their data in this way (see our previous blog on cookies and the Directive here). In addition, those collecting users’ personal information for OBA must also comply with data protection/privacy laws.

What are the main requirements?

The new OBA rules (contained in Appendix 3 to the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (CAP Code)) implement the EU Framework for Online Behavioural Advertising launched by the Internet Advertising Bureau (IAB) in April 2011. The EU-wide regulation of OBA means that companies using behavioural advertising as a tool across the EU will also need to comply.

Most of the new obligations fall on “third parties”, those organisations that engage in OBA via websites other than their own. This means that retailers whose goods are the subject of the targeted adverts on other websites (i.e. not their own) are not directly on the hook under the new rules, but they may be expected to cooperate with the ASA in cases where the ASA is unable to track down the third party OBA provider. 

Broadly, the main requirements are that consumers/web users should be offered the choice to opt-out of being targeted using OBA. If consumers do opt out, their information will not be collected for OBA purposes and they will not be served targeted ads (although they would still see non-tailored ads). To achieve this, adverts delivered using OBA must have a notice in or around it telling users that they are collecting and using web viewing behaviour data and third parties must give a clear a comprehensive notice about the collection and use of data for the purposes of OBA on its own website. Both of these notices should provide a mechanism enabling the user to opt-out.

Other requirements are that OBA should not be targeted at children aged 12 or under and explicit consent is required if third parties use technology to collect and use all data traffic from users on a particular computer (i.e. website history across all websites captured). This type of OBA is usually carried out at ISP level and is the most controversial form of OBA.

Interestingly, the new rules do not apply currently to mobile phones or other handheld devices (e.g. e-readers and tablets) although it seems likely that the rules will be extended at some point in the near future.

Enforcement

The CAP Code (including the new OBA rules) is enforced by the ASA, which is a self-regulatory body. The ASA can take steps to remove or have amended any adverts that breach the rules.

Arguably the new rules have a lot less bite than other existing regulations regarding the use of cookies and data protection, particularly as they are aimed predominantly at third party OBA providers and are part of the self-regulatory CAP Code. However advertisers, retailers and website operators who do not deliver their own OBA should bear them in mind and, in particular, keep an eye on any third parties they use for OBA.

Additional useful guidance in this area includes: CAP Guidance and European Advertising Standards Alliance (EASA) Best Practice Recommendation.

- Richard Dickinson, Gemma Davies, and Katie Woodhouse

The FTC alleged that HTC failed to employ reasonable and appropriate security practices in at least five ways:

1. failure to adequately assess the security of its products;
2. failure to adequately train its engineering staff on privacy and security issues;
3. failure to conduct assessments to identify potential security vulnerabilities;
4. failure to follow well-known security practices that would have ensured that applications would only have access to consumer information with their consent; and
5. failure to have a process to address reported privacy and security concerns.

More specifically, the complaint alleges that customized applications pre-installed by HTC to differentiate its products from other devices running Google’s Android operating system and Microsoft’s Windows Mobile and Windows Phone operating systems failed to include adequate “permission check code[] to protect th[e] pre-installed application from exploitation.”  For example, a third-party application could have commanded one of the pre-installed applications to download and install additional apps without the user’s knowledge or permission -- in other words, without the “permission check code” that the complaint alleges is “simple, well-documented software-code.”  Then these new applications could have accessed, among other information, financial account numbers, user names and passwords, text messages, photographs, and physical location information, as well as sensitive device functionality like the microphone.  FTC also noted a particular concern with malware that could have led to “text message toll fraud,” which occurs when text messages are sent to a premium number without the user’s consent in order to charge fees to the user.

As summarized in the complaint, “[i]n effect, this vulnerability undermines all protections provided by Android’s permission-based security model.”  The FTC alleged that HTC could have prevented these security issues, which were present in approximately 18.3 million devices, through implementation of “readily-available, low-cost measures.” 

In addition to charging that HTC’s failure to implement reasonable security practices was an unfair or deceptive act, the Commission also charged HTC with making at least two false or misleading representations in its user manual.  First, the complaint alleged that the manual’s representation that a user would be notified when a third-party application requested access to personal information was undermined by the vulnerabilities discussed above.  Second, the complaint alleged the user manual was false and misleading by representing that a user’s location data would not be sent to HTC along with an error report unless the user specifically checked a box marked “Add location data.” The complaint alleged that because of the security vulnerabilities discussed above, location data was sent to HTC even where the user did not check the box granting permission.

Shortly after announcing the settlement, the FTC hosted a Twitter chat to answer questions about the highly publicized settlement.  In response to a question about whether there was any evidence that consumer data had been lost, the FTC said that it brought the case because of the “risk” of substantial harm to consumers as well as HTC’s allegedly deceptive practices.  It also reiterated that “consumer privacy continues to be a top priority for FTC.”

This case illustrates the close connection between security practices and representations about privacy; promises about privacy rest in part upon a company’s ability to design, deliver, and support functionality with a privacy and security architecture that delivers upon those promises.  Put another way, design supports privacy.

- Ronald Lee and Daniel Stuart

The plaintiffs claim that Anheuser Busch possesses the technology to measure alcohol content with precision but, instead of using it to convey accurate information to consumers, the company used this technology to “shave” the amount of alcohol in its beverages during the brewing process.  According to the plaintiffs, Anheuser-Busch uses a brewing process with a “high gravity” approach that keeps the alcohol content (and other things) at specifications that are higher than what the final product ultimately will have, until the last stage of the brewing process when water and carbon dioxide are normally added.  It is during this final stage that plaintiffs claim the company waters down its products.  The end result of this process, according to the complaints, is that the percentage of alcohol by volume in each can or bottle of beer is less than the can or bottle says it is on the label (although plaintiffs are not clear as to how much less). 

The lawsuits allege that it is the alcohol in Anheuser-Busch products that creates the demand for these products and the lowered alcohol content results in a product that is worth less to consumers.  The plaintiffs claim that the amount of alcohol in their Anheuser-Busch brands of choice was a consideration when they purchased those brands and they would not have purchased these beers if they had known what their true alcohol content was.  The plaintiffs intend to ask the courts to certify classes that include anyone who purchased any one of the brands at issue in a particular state after a certain date (which varies depending on the case).  The individuals bringing these cases want the courts not only to require Anheuser-Busch to pay monetary damages but also to require the company to stop engaging in the alleged misconduct and to provide corrective advertising. 

Before the plaintiffs receive any such relief, however, they will need to overcome a number of obstacles.  As an initial matter, they must convince the courts that the claims of all purchasers are sufficiently similar to be resolved in class actions.  Anheuser-Busch should be able to offer several possible reasons why the case cannot go forward on behalf of all purchasers, including that many consumers do not read the labels on beer cans and bottles and do not care what the exact alcohol content of their beer is.  In addition, even if one or more of these plaintiffs can convince a court that a class action is appropriate, they would still have to prove their claims on the merits, including showing that Anheuser-Busch actually engaged in the alleged misconduct.  Although it’s early, and Anheuser-Busch’s responses to these complaints are not even due yet, one can anticipate that Anheuser-Busch would offer a number of arguments as to why it did not water down its beers in the manner that the lawsuits claim or otherwise act improperly and why the plaintiffs should not receive the relief they seek.  We will continue to monitor these cases for future developments. 

- David Kouba

Identity theft, which is defined in the report as “[w]hen someone appropriates your personal identifying information (like your Social Security number or credit card account number) to commit fraud or theft,” is likely to remain a top concern for the FTC, especially as an increasing amount of sensitive consumer information moves to mobile devices and the “cloud.”  This is evident from the FTC’s recent release of security recommendations for mobile app developers, as well as its settlement with HTC over concerns about the security of consumer information collected by mobile software applications. 

• Consumers reported paying over $1.4 billion in the over one million fraud cases contained in the report, with a median amount paid of $535.
• Though it’s buried in a footnote, Washington, DC had the highest per capita rate of fraud complaints at 752.1 complaints per 100,000 residents.  The nation’s capital was third in per capita identity theft complaints at 169.1 complaints per 100,000 residents.
• Florida was second to DC in per capita fraud complaints (693.5 per 100,000) and was by far the number one state for identity theft complaints at 361.3 per 100,000 residents. In fact, ten of the top eleven metropolitan areas for identity theft are in Florida. 
• South Dakota had the lowest per capita rate of both fraud and identify theft complaints. 
• For fraud complaints, the most popular method of contacting consumers was via email (38%) followed closely by phone (34%). 

The full report is available for download here. 

- Daniel Stuart

According to the MSC’s Certification Requirements, certification and the accompanying label communicates that a particular fishery adheres to the MSC’s standards for sustainability, including the use of fishing practices that will not deplete fish populations. If a fishery wishes to become certified by the MSC, it must bring in an auditor to assess its fishery according to MSC standards. Fisheries with a score of 80 or better out of 100 are granted unconditional certification.  A fishery that scores between 60 and 80 may be granted conditional certification, contingent on the fishery making improvements to its fishing practices in order to reach a score of 80 within five years. The MSC’s Certified Sustainable Seafood label does not differentiate between conditionally and unconditionally certified fisheries.  Therefore, critics contend that consumers may be getting seafood that is less sustainable than they believe and spending more at the seafood counter without actually achieving any environmental benefit. 

This controversy is a reminder that marketers using or who want to use environmental seals or certification should pay close attention to the FTC’s revised Green Guides. The FTC declined to specifically address “sustainability” claims in the Green Guide because it found through consumer research that the term does not have a single meaning understood by a significant number of consumers. However, marketers are still responsible for substantiating any claims that would be reasonably understood by consumers, even those conveyed by the use of third-party certifications. Moreover, the Green Guides warn marketers to avoid making “unqualified general environmental benefit claims” and notes that such claims are “difficult to interpret and likely convey a wide range of meaning.”

Although the Green Guides don’t provide guidance for sustainability claims, they do provide guidance on the use of environmental seals and certifications like the Certified Sustainable Seafood label. According to the Green Guides, the use of a seal or certification likely conveys a general environmental benefit, unless it conveys the basis for the award. MSC requires marketers to print text along with the label that explains that the label means that the fishery meets MSC’s standards and provides MSC’s web address, an approach used in the Green Guides’ examples. The question in that and similar situations would be whether it adequately conveys the basis for the award and the limits of the potential environmental benefits. 

- Matthew Shultz and Amie Medley

The FTC’s report was issued pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003, which requires the FTC to conduct a study of consumer credit rating accuracy and to report to Congress on its findings every two years, which the FTC has done since 2004.  The most recent report (the fifth in the series) focuses on the ability of consumers to locate and correct errors in their credit reports.  Each credit report provides a summary of a consumer’s credit history, including an overall “score” assigned based on that history.  The most widely used score is the “FICO” score created by the Fair Isaac Corporation, which is used by all three of the major CRAs.  The FICO score, which measures the degree of credit risk a consumer poses based on the likelihood that the consumer will meet his or her credit obligations, runs from 300 to 850; the higher the score, the lower the risk.

The FICO score takes into account current and past credit card usage and payment history, loans, and mortgages, public records of bankruptcy, foreclosures and similar proceedings, and unpaid debts.  Each time a consumer requests access to credit, such as applying for a credit card, that is registered in the score.  The length of credit history is incorporated as well.  The approximately 30,000 sources of this information include financial institutions, insurance companies, government agencies, creditors, and collection agencies (collectively known as “data furnishers”).  The FTC engaged data furnishers in producing the February 11 study, along with consumers, the CRAs, and the Fair Isaac Corporation.

To conduct its study, the FTC randomly selected 1,001 participants from consumers with credit histories generated by the three national CRAs.  The participants were asked to review their credit reports for accuracy and, to help them spot errors, a trained study associate was provided.  When errors were found, the participant was urged to challenge any material errors – i.e., errors sufficiently serious to affect the consumer’s credit score – under the dispute resolution mechanism established by the Fair Credit Reporting Act (FCRA).  Participants received a provisional FICO score when initiating the challenge and, when the dispute resolution process was complete, they were provided new credit reports and new credit scores.  The FTC then used the provisional score, the new report, and the new score for each participant to measure the influence of the errors (actual and potential) on the participant’s credit.

The FTC found that 1 in 4 of consumers (262 participants) discovered a material error in at least one of their three credit reports.  (Errors in the “header information” (e.g., addresses, age, employment) are not considered material because this information is not used in determining a consumer’s credit score.)  All of these consumers challenged these errors, but only 1 in 5 of them (206 participants) received some kind of credit report change.  Of these 206 consumers, the CRAs corrected all the material errors in the reports of 97 consumers.  For 109 of them, the CRAs corrected only a portion of the identified errors, and for 56 participants, the CRAs did not correct any errors.  When the CRAs did not correct the identified errors, the CRAs informed the 56 participants that the party that had furnished the data denied the existence of any inaccuracy.

After the CRAs corrected the verified material errors and produced revised credit scores, more than 1 in 10 of the participants received a changed credit score.  Among those receiving a changed score, the majority saw a change of less than 25 points; however, 1 in 20 had a change of more than 25 points.  A small minority – just 1 in 250 – saw their score change by more than 100 points.  When the FTC applied the changed score data to auto loan tiers, they found that 16.4% of reports contained changes sufficiently great to change the consumer’s loan tier, suggesting that some consumers would have obtained more favorable loan terms (including loan approval where a loan had been denied) if their credit reports had been free of the inaccuracies that the report uncovered.

Although not highlighted in the FTC report, it is certainly possibly that there are errors in credit reports favorable to consumers that are also going uncorrected.  Heighted consumer awareness may not necessarily lead to correction of those errors, as individual consumers have an understandable incentive to keep quiet about errors in their favor. 

While this report was focused on the CRA-consumer relationship, the FTC did briefly address data furnishers as well.  Not all errors are attributable to data furnishers, as furnishers may provide correct data that is then improperly processed by the CRA.  The FTC, however, has recognized that some errors are present in the data collected and provided by furnishers, and the FACT Act was designed in part to provide mechanisms to ensure that furnishers investigate any disputed data and correct any errors they identify.  Data sources must perform this duty whether the request to correct an error comes from the CRA or from the consumer directly.

The FTC’s report is the final interim report in the series required by the FACT Act.  The next report, due in 2014, will be the FTC’s final report.

For the full text of the recently released report, please click here.

- Nancy Perkins and Seth Wiener

The draft Consumer Product Safety Regulation (CPSR) applies to consumer products, which it defines as products intended for consumers; likely to be used by consumers even if not intended for them; or to which consumers are exposed in the context of a service provided to them.  Key changes include:

• The GPSD term ‘producer’ has gone - economic operators are now named i.e. manufacturer, distributor etc. and owe specific obligations.  This change brings the regime for general product safety in line with that which is already in place in other product sectors, such as toys.
• New measures are included to enhance product identification and traceability, such as indication of origin labelling.

The general product safety requirement (i.e. the obligation only to place ‘safe’ products on the market) is retained. Like the GPSD, the CPSR will apply save where sector-specific legislation provides equivalent protection. 

To an extent ‘proportionate to the potential risks’ of their products, manufacturers will be obliged to: 

1. Carry out sample testing of products made available on the market;
2. Investigate complaints and keep a register of complaints, non-conforming products and product recalls;
3. Keep distributors informed; and
4. Establish technical documentation regarding their products which must contain the necessary information to prove that their product is safe.

Although enforcement should be more consistent, given the overarching Regulation, penalties for infringement will be set by Member States. They are required to lay down rules establishing penalties that are “effective, proportionate and dissuasive”, which distinguish between sizes of economic operator, and may include criminal sanctions for serious infringements.

The proposed Market Surveillance Regulation seeks to make enforcement more uniform and streamline market surveillance procedures by bringing them together in a single instrument. It is planned that it will apply to all consumer products other than food and medicines. 

The legislative package envisages simplifying the process of updating standards and aligning the new CPSR rules with market surveillance rules for all consumer products.  The measures are expected to come into force circa 2015.

The EU Commission has also announced a “Multiannual action plan for market surveillance covering the period 2013-2015. This contains 20 proposed actions, including expanding the use of cross-national web-based databases (i.e. RAPEX and the ICSMS database) to exchange and record product safety information; a more sizeable central bureaucracy; more multinational cooperation and taskforces; a research focus on internet selling; and more joined up and effective use of customs procedures to control products entering the EU.

- Alison Brown (EU), Tom Fox (EU) and Eric Rubel (US)

As you will recall, the Fred Meyer Guides are an agency guidance document designed to help businesses comply with certain parts of the Robinson-Patman Act.  The Robinson-Patman Act prohibits various types of business discrimination and the Fred Meyer Guides provide direction to manufacturers and wholesalers as to how they can provide advertising allowances and other promotional services to retailers without violating the Act. 

Public comments can be submitted online or in hard copy, using the instructions listed in the Federal Register Notice.  All comments will be posted on the FTC’s website.     

- Danielle Garten and Matthew Shultz

The FDA’s proposed rule would require calorie labels on menus and menu boards in chain restaurants and retail food establishments − including grocery and convenience stores as well as coffee and pastry shops − with 20 or more locations nationwide. The FDA’s existing food labeling regulations already mandate that pre-packaged food include nutrition information labels, but this new rule would require grocery stores “clearly and prominently” to label the calorie content of prepared, unpackaged food such as soups, salad bar items, baked goods and other ready-made snacks.For such food on display, calories would have to be posted either per item or per serving on a sign next to the food. I know what you’re thinking: now I’m going to be forced to confront the waistline implications of that gooey chocolate donut with cream filling before I enjoy it, or feed it to my kids as a weekend treat?  Unfortunately, that’s the point. 

To help consumers understand the significance of this information, a statement concerning daily recommended calorie intake would also be on display.  Additionally, supplemental written nutrition information −  such as calories from fat, total fat, saturated fat, trans fat, cholesterol, sodium, total carbohydrates, sugars, dietary fiber, and protein − would be available upon request for standard menu items. 

The proposed rule stems from a provision of the Patient Protection and Affordable Care Act requiring restaurants and vending machines with 20 or more locations nationwide to post nutrition content for standard menu items. The FDA’s rule extends that mandate to cover establishments that sell restaurant-type food and whose primary business activity is the sale of food to consumers. Under the rule, an establishment’s “primary business activity” is the sale of food to consumers if greater than 50 percent of the establishment’s total floor area is used for the sale of food. This includes grocery and convenience stores, but excludes establishments such as movie theatres, bowling alleys, and airplanes. 

The FDA reasons that this rule is aimed at helping Americans live healthier lives by informing them about how prepared foods they purchase fit in to their overall nutrition needs. Seeing calorie content may incentivize some shoppers to choose the three-bean salad over the higher-calorie mac and cheese.  Critics of the rule claim that it would overburden thousands of grocers and convenience store owners by requiring investment in either expensive software or off-site laboratory testing to determine the nutrition content of food. The FDA estimates an initial cost of $315 million to comply with the proposed regulation, while critics of the rule warn that compliance could weigh in at a hefty $1 billion in the first year alone. That cost, some argue, will inevitably be passed on to consumers in the form of plumper prices at the checkout. 

Let the FDA know where you fall on the scale. The FDA invites public comments to the proposed rule, which it says will be taken into account when drafting the final rule to be issued this spring.  Until then, grocers and other store owners that may be affected by this rule should plan for a possible new expense. 

- Brittany McClure

Companies who want to make an unqualified “Made in U.S.A.” claim -- whether on packaging or in advertising -- must be careful to comply with relevant federal and state standards, particularly California’s.  As we have previously blogged, the FTC’s “Made in U.S.A.” standard, while seemingly straightforward, is very stringent and can be challenging to meet for many manufacturers.  The FTC’s “all or virtually all” made in the United States standard requires that “the final assembly or processing of the product must take place in the United States” as a minimum threshold.  But satisfying this threshold alone is not enough.  The FTC also considers the “portion of the product’s total manufacturing costs that are attributable to U.S. parts and processing.”  While the FTC makes this determination on a case-by-case basis, the percentage of the manufacturing costs that that must be attributable to U.S. parts and processing is very high--often 90% or more.  And, companies cannot just buy a component from a U.S. supplier and “simply assume that the component is 100% U.S. made.”  The standard considers that remoteness of any foreign content in the finished product, and the FTC’s guidance suggests that the company should at least find out how much of the component is U.S. made.  While the FTC last filed a “Made in U.S.A.” complaint in 2009, that does not mean that the FTC has been inactive.  As the USA Today article notes, FTC staff report receiving “several complaints each month.”

However, companies whose marketing or products reach California -- and given the size of California’s market, as a practical matter that means just about any business that sells to American consumers --  must contend with an even more stringent standard.  As we have blogged, the California standard, as interpreted by California courts, goes well beyond the FTC standard and prohibits “Made in U.S.A.” claims if the product “or any article, unit, or part thereof,” is “entirely or substantially made, manufactured, or produced outside of the United States.”  In practice, this has meant that “Made in U.S.A.” labels are prohibited if any part of the product--even a small component such as a light bulb or O-ring in a flashlight that cannot be sourced domestically-- is “substantially” made overseas.  The impact of this standard, which effectively prevents many products that otherwise meet the FTC standard from being marketed in California as “Made in U.S.A.,” has not escaped the attention of the business community and legislators.  Last year, a bill to amend the California law to bring it in line with the FTC standards passed the California Assembly unanimously.  But, faced with what has been described as “heavyweight opposition from consumer groups and personal injury attorneys,” the bill was defeated in the California Senate Judiciary Committee. 

So, while the desire to capitalize on consumers’ love of all things American is unlikely to cool anytime soon, companies who make unqualified “Made in U.S.A.” claims should tread cautiously, particularly in California.

- Lauren Peay and Angel Garganta

The case originated in 2010, when the FTC’s Complaint Counsel brought suit alleging that POM Wonderful violated Sections 5(a) and 12 of the FTC Act by making false or misleading claims in their advertisements for POM products, including POM Wonderful juice and POMx supplements. Specifically, the Complaint alleged that POM Wonderful made unsubstantiated claims that POM products treat, prevent, or reduce the risk of heart disease, prostate cancer, or erectile dysfunction, and that clinical proof established the efficacy of POM products for such purposes.  The FTC challenged a total of 43 advertising and promotional materials, such as the ones seen here, here,and here.

The Commission agreed with the ALJ’s finding that POM Wonderful’s claims were not backed by competent and reliable scientific evidence, and expanded from 19 to 36 the number of ads it found to be false or misleading.  However, the Commission held that in light of POM Wonderful’s “serious disease claims,” RCTs were required for substantiation.  First, the Commission found that some of the ads conveyed claims that POM Wonderful had clinical proof supporting its claims. The Commission concluded that such claims require proof sufficient to satisfy the relevant scientific community (i.e., experts in heart disease, prostate cancer, and erectile dysfunction) of the claims’ truth, in the form of RCTs.  Second, the Commission concluded that to satisfy the requirement that an advertiser have a “reasonable basis” supporting objective performance or efficacy claims, RCTs are also required.

The Commission found that these disease-related claims were conveyed  through the use of the word “disease” and reference to specific diseases or symptoms (e.g., “cancer,” “prostate cancer,” “erectile dysfunction,” “coronary heart disease”); medical imagery  (e.g., the caduceus symbol of the medical profession, the image of a POM bottle connected to electrocardiogram leads); references to physicians and medical research (as opposed to nutritional or other research); and references to quantifiable results (e.g., “eight ounces of POM a day can reduce plaque in the arteries by up to 30%!”). The Commission found that that the juxtaposition of these elements would convey to at least a small minority of reasonable consumers that POM products treat, prevent or reduce the risk of certain diseases and, for many of the ads, that such efficacy was scientifically established.

The Commission found that the ALJ improperly relied on expert testimony regarding the level of substantiation that would support general health benefit claims rather than focusing on the substantiation needed to support POM Wonderful’s specific disease treatment and prevention claims. It further found that the relevant expert testimony established that RCTs -- specifically, randomized, placebo-controlled, double-blind trials yielding statistically significant results -- were necessary to substantiate POM Wonderful’s claims.

While the Commission decided that it did not need to make a finding as to the required number of RCTs necessary to substantiate the claims, the final order contains fencing-in relief that prohibits POM Wonderful from making disease-related claims about any food, drug, or dietary supplement unless the claims are backed by at least two RCTs. The Commission found that this was appropriate for two reasons:  (1) it is consistent with FTC precedent, such as Thompson Medical, and with expert testimony about the need for consistent results, and (2) POM Wonderful’s tendency, in the view of the FTC, to misrepresent research outcomes.  The Commission did not go so far as to require POM Wonderful to obtain FDA approval before making disease-related claims, a remedy sought by Complaint Counsel, because it found that requiring two RCTs accomplished the benefits of FDA pre-clearance, including establishing a clear and easily enforceable standard. 

The Commission explicitly limited its ruling to POM Wonderful’s disease treatment, prevention and risk reduction claims. As the Commission explained “[t]he need for RCTs is driven by the claims Respondents have chosen to make (i.e., establishment claims about a causal link between the Challenged POM Products and the treatment or prevention of serious diseases).” It refrained from deciding the level of substantiation required to support other health claims involving food products, other than to reiterate the “competent and reliable scientific evidence” standard, which it described as “tests, analysis, research, studies or other evidence based on the expertise of professionals in the relevant area, that have been conducted and evaluated in an objective manner by persons qualified to do so, using procedures generally accepted in the profession to yield accurate and reliable results.”  However, as the Commission noted, this decision indicates how  it is likely to analyze other health claims in the future.

POM Wonderful has indicated that it will appeal the Commission’s decision in federal court.  For now, food product advertisers should carefully evaluate whether their advertising conveys disease treatment or prevention claims to avoid the time and expense of meeting the Commission’s substantiation requirements for such claims or responding to an FTC inquiry.

- Anita Kalra and Matthew Shultz

On December 21, 2012, after an 11-day trial, the jury convicted Executive Recycling, Inc. and two of its executives on multiple criminal counts, including illegal hazardous waste export. Executive Recycling is an e-waste recycling company headquartered in Englewood, Colorado, which collects e-waste from businesses, government entities, and private households.  Although the company had stated that the waste would be safely and legally disposed within the United States, the government alleged that Executive Recycling sent more than 300 shipments of e-waste overseas, including more than 100,000 lead-containing CRTs. 

The Resource Conservation and Recovery Act (RCRA), prohibits the export of hazardous waste from the United States without express permission from Environmental Protection Agency (EPA) and the receiving nation’s competent authority.  Although twenty-five e-waste recycling laws have been enacted at the state and local level since 2003, there has been no comparable e-waste-specific legislation at the federal level.  Two Congressional bills prohibiting the export of a large category of e-waste were introduced in the House and Senate in 2011, but remain in Committee.  Proponents of broader e-waste regulations are hopeful that the Executive Recycling case will spur federal legislative activity in 2013.

In the meantime, manufacturers and retailers of electronic devices would be wise to exercise careful due diligence when contracting with e-waste recyclers.  Some strategic options to consider include the following:

• Investigate whether EPA or any federal, state, or local agency has sanctioned an e-waste recycler for illegal exportation prior to engaging that recycler;
• Add provisions to service contracts with e-waste recyclers prohibiting the exportation of e-waste and indemnifying the customer from liability in the event that e-waste is nevertheless exported;
• Include an assessment of e-waste recycling procedures as part of environmental, health, and safety audits, with an emphasis on verifying that documentation from recycling companies reflects domestic recycling; and/or
• Provide customers and retailers that purchase electronic devices manufactured, assembled, or sold by your company with a list of recycling companies that are willing to certify that they will not export e-waste.

For a more extensive description of this case, go here.

UPDATE (4/10/2013): Criminal enforcement authorities have brought additional cases against companies for violating environmental laws governing e-waste. For more information, read here.

 - Peggy Otum and Jeremy Peterson

The complaint, filed by the Skin Cancer Foundation, urges the FTC to investigate the conduct of MTV in encouraging and promoting “cancer causing behavior without a warning of the risk.”  Specifically, the Foundation alleges that MTV’s youth-oriented show portrays “excessive tanning . . . as a socially enhancing, safe and beneficial activity while omitting its dangerous, cancer causing effects . . . .”  In its marketing of the “Jersey Shore,” and the related tanning or GTL merchandise and promotions, MTV allegedly failed to warn viewers properly of the risks and harms associated with tanning, including cancer.  Instead, the Foundation claims MTV refused to provide such warnings following a formal request by the Foundation.  Although MTV does not operate tanning salons, the Foundation asserts that MTV’s failure to provide such warnings increases the risk of cancer to the public, particularly the younger viewers of the “Jersey Shore,” because MTV “portray[s] tanning as beneficial and safe, in violation of Section 5 of the Federal Trade Commission Act.”  The Foundation’s complaint alleges this practice is deceptive.

In asserting its Section 5 claim, the Foundation relied on the FTC’s Policy Statement on Deception, which provides, in short, that advertisers should not convey through admission or omission an inaccurate impression of the safety, benefits or risks of a product, service or procedure.  The Foundation also drew parallels between the MTV’s portrayal of tanning and the portrayal of alcohol and tobacco in movies and on television prior to the FTC’s recommendation of advertising limitations for alcohol and the prohibition of tobacco advertising on television. 

The complaint also cites an earlier FTC enforcement actions related to tanning.  A little over three years ago, as this blog reported, the FTC settled claims against the Indoor Tanning Association, which conducted a national advertising campaign touting the lack of increased cancer risk, the health benefits, and relative safety of indoor tanning compared to outdoor tanning. That consent decree required the Association to cease making these claims and to warn consumers that “exposure to ultraviolet radiation may increase the likelihood of developing skin cancer and can cause serious eye injury.” 

The Foundation urges the FTC to require MTV to provide a clear and conspicuous warning of the risks associated with tanning on all “Jersey Shore” broadcasts, websites, advertisements, tanning-related games, and GTL merchandise.  MTV has responded that it “regularly engages its audience on a whole host of youth related issues, including sexual health, mental health, dating abuse, skin cancer and others. . . . Ultimately, we’ve seen time and time again that our audiences can be trusted to understand the difference between entertainment and responsible and safe behavior to act accordingly.”

It is not clear at this point whether the FTC will act. MTV’s business may have expanded far beyond broadcasting music videos, but the lack of MTV Tanning Salons may be enough to stave off FTC action.  We will be sure to let readers know about any FTC action taken on this complaint. For more information about the Jersey Shore, please consult your local celebrity gossip site.

- Seth Wiener and Matthew Shultz

The report builds on the FTC’s previous work on privacy issues, including the FTC’s March 2012 privacy report; the FTC’s February 2012 report and December 2012 follow-up report regarding mobile apps for children; and the FTC’s May 2012 workshop regarding mobile privacy. It also takes into account and favorably endorses the California Attorney General’s January 2013 recommendations regarding “Privacy on the Go” for app developers, platform providers, ad networks, mobile carriers, and operating system developers.  (For previous posts regarding privacy issues in this blog, see here). 

The new report provides guidance to various participants in the mobile device ecosystem, including platform providers (e.g., Apple, Google, Amazon, Blackberry, and Microsoft), app developers, trade associations representing the developers, and third parties such as ad networks and analytics companies.

For platform providers, the FTC staff recommends the following actions:

• developing a “do-not-track” mechanism for mobile devices, similar in function to do-not-track controls already implemented in the leading internet browsers;
• providing “just-in-time” disclosures when apps attempt to collect sensitive data, to allow consumers to decide whether to allow the collection;
• developing a “privacy dashboard,” such as that already used by some platforms, to assist consumers in determining and reviewing which apps have access to which data;
• using icons, as some platforms already do, to signal to consumers when apps are accessing geolocation information;
• increasing platform supervision and regulation of app providers, including through contractual provisions requiring privacy measures;
• increasing transparency of the app review process, to allow consumers to better understand the extent platforms review apps prior to making them available in app stores, as well as any later compliance checks or reviews undertaken by platforms.

For app developers, the new report recommends:

• developing a privacy policy, and making it easily available to consumers through the platform’s app store;
• providing just-in-time disclosures and obtaining affirmative express consent when collecting sensitive information, to the extent the platform does not already do so;
• improving coordination with ad networks and other third-parties, to ensure that the app developers understand what information the third party is collecting and how that information is being used, so that the app developer can provide truthful disclosures to consumers.

With respect to developers’ trade associations, the report suggests they could help design standardized icons and “badges” or other similar short, standardized disclosures to depict app privacy practices.  Finally, for advertising networks and other third parties, the report urges efforts to improve coordination and communication with app developers regarding privacy protection and assistance to platforms in developing and implementing an effective do-not-track system for mobile apps.

The recommendations in the FTC staff report, while not legally binding, merit very close attention by all four groups of players mentioned in the report. The report itself emphasizes the FTC’s past enforcement activities in the data privacy and security arena, and the FTC’s suit against Path is confirmation that those activities will be aggressive in the area of mobile apps. Platforms and developers, in particular, that fail to attend to the report’s recommendations will invite unnecessary liability exposure, which can be avoided by taking the report seriously and being proactive in all areas reasonably applicable to their role in the mobile app ecosystem. 

UPDATE (2/12/2013): If you want a more in-depth article on this topic, click here.

- Nancy Perkins and Gabriel White

The VPPA requires the express consent of a consumer before sharing information about his or her video-viewing habits. The VPPA was originally designed to protect customers of brick-and-mortar video rental shops, and did not contemplate today’s environment of abundant consumer-driven information sharing.  Prior to the amendment, “video tape service providers” (which includes providers of on-line video services) could not share a consumer’s viewing history without obtaining that consumers consent each time the information was shared. This made it difficult to share consumer video-viewing information with social media platforms, even if the consumer wanted such sharing to occur. 

With the enactment of the VPPA amendment, consumers more readily may provide their consent for the disclosure of their video-viewing information. The amendment does the following:

• It clarifies that consumers may give their consent on-line.

• It allows consumers to give consent in advance, for up to two years or until they revoke their consent, whichever is sooner.  It also provides, however, that consumers must have the alternative of consenting on a case-by-case basis.

• It requires that the consent be distinct and separate from any other agreements or policies.

• It requires that the consumer be given a clear and conspicuous opportunity to withdraw his or her consent, either with respect to any and all sharing of their video-viewing information, or on a case-by-case basis (for example, not sharing that they viewed a particular video).

In order to share its consumers’ video-viewing information, a video tape service provider will need to take care in complying with the new consent requirements.  Among other things, a video tape service provider will need to: (a) draft an appropriate consent, separate from the other agreements and policies governing the video service or site; (b) present consumers with all appropriate information when their consent is requested (such as with whom their information will be shared); (c) give consumers the option to withhold consent, or only provide consent in a given instance; (d) provide consumers a clear method for withdrawing consent; (e) track the expiration and withdrawal of consents; and (f) immediately cease sharing once consents have expired or been withdrawn.  Noncompliance could be costly, since the VPPA, in addition to imposing criminal liability, provides for a private cause of action and damages of at least $2,500 per person (plus attorneys fees and costs). Nonetheless, providers of video services have welcomed the VPPA amendment as providing them new opportunities for integrating video-viewing information with social media platforms where few existed previously.

- Megan Brodkey and Tom Magnani

Background

It is nearly 20 years since the original Data Protection Directive (Directive 95/46/EC) was implemented in the EU and the Regulation aims to make data protection laws more relevant to today’s world where individuals voluntarily share a vast amount of personal information online, for example, through social networking sites.

The Commission wants to encourage ‘e-business’ by building trust in the online environment and one way of accomplishing this, they hope, is by protecting individuals against threats to their personal privacy associated with this ‘online world’.

Social networking sites and your personal data

Many websites, including social networking sites, rely on information gleaned from user data (for example users’ preferences) which is sold to generate ad revenue. Generally, users consent to the use of their personal information for such purposes when they access the site and sign up (consents often being contained in the site’s relevant T&Cs) and sites can change their T&Cs to modify how they use personal data after users have signed up.

How might the Regulation (as currently drafted) affect social networking sites?

Sites will be restricted as to the type of data that can be collected. This must be limited to the minimum necessary and collected only for specific, explicit, limited, legitimate purposes. So collecting data on users’ preferences to generate ad revenue may not be considered ‘legitimate’.

Users will be entitled to ‘privacy by default’ (which, in the context of social networking, would mean that the default settings must protect the privacy of users and users would be required to take an active role in what they choose to share in the online environment of the networking site) and sites will not simply be able to claim the right to use personal data merely because a user has ‘consented’ through accepting a site’s T&Cs. Additionally, sites will not be able to change these T&Cs after users have signed up in order to give themselves greater rights over personal data.

Users will also be able to withdraw their consent to the processing of their personal data and request that it be deleted/removed permanently. Undoubtedly this would create additional costs and burdens for website owners, who will not be allowed to charge a fee to carry out the request, particularly as there would also be an obligation to track down and inform third parties of the user’s request where the website owner has made the personal data public.

The upshot of these proposed changes is that if sites cannot use personal information in a way that is profitable or useful for advertising purposes, users may have to pay to use such sites. Charging may also be necessary to cover the hefty fines (up to 2% of annual worldwide revenues) companies may face for breaking the rules.

Next steps

The European Parliament will shortly vote on the adoption of the General Data Protection Regulation (2012/0011) which will replace the existing Personal Data Protection Directive. Once adopted, the Regulation is expected to come into force later this year and member states will then have 2 years to enforce the legislation.

- Gemma Davies, Katie Woodhouse, and Richard Dickinson

The retailers’ complaints were filed in Michigan, Illinois, Pennsylvania, Missouri, Florida and New Jersey pursuant to those states’ various false advertising or anti-deceptive advertising statutes.  Although laws can vary significantly by state, most state false advertising laws have a few main elements in common: all statements in an advertisement, whether express or implied must be truthful, and must not reflect an effort to deceive the consumer.  The complaints are apparently in various stages of review and investigation and it remains unclear how the attorneys general will proceed. 

Best Buy claims that Wal-Mart’s advertisement offering a Dell laptop computer for $251 less than Best Buy was misleading because it did not compare the two retailers’ prices for the same product.  According to Best Buy, the Dell laptop Best Buy offered for the price cited in Wal-Mart’s advertisement had different specifications and longer battery life than the one offered at Wal-Mart.  Best Buy also alleged that Wal-Mart advertised the iPhone 5 for $150 even though it had an insufficient stock of the iPhones.  Best Buy states that it lost several thousands of dollars because it was forced to sell the iPhone 5 for $150 due to its price matching policy.

Toys ‘R’ Us similarly claims that Wal-Mart heavily advertised one of the season’s hottest toys, the Fijit, even though the toy was not available through Wal-Mart’s website and was out of stock at several of its stores.  Other retailers dropped their prices in response to the advertisements.  Toys ‘R’ Us also claims that Wal-Mart’s advertisements for the Fisher-Price Surprise Kitchen and Table Set and the Holiday Barbie incorrectly stated the price of the toys at Toys ‘R’ Us.

In 1994, Wal-Mart settled a dispute involving similar claims with Michigan’s attorney general.  Following complaints by Target Corp., Meijer Inc., and Kmart Corp., Wal-Mart agreed to make changes to its price comparison advertisements, including no longer comparing dissimilar products.

The FTC has guidance in this area. The Guides Against Deceptive Pricing permit retail price comparisons where the comparison is “based upon fact” and is not “fictitious or misleading.” This means, among other things, that the products being compared must be comparable or competing -- i.e., of like grade and quality.  The Guides Against Bait Advertising prohibit a retailer from advertising merchandise unless it has sufficient inventory to satisfy reasonably anticipated demand, or clearly disclose that supplies are limited or that the merchandise is available only at certain locations.

Wal-Mart stands by its price comparison advertising campaign, and the company has responded to attorneys general in four states, addressing complaints by Toys “R” Us and regional supermarkets. The flurry of complaints by Wal-Mart’s competitors serve as a reminder that businesses should exercise caution in verifying not only express price comparisons but also those that are implied. 

- Christina Brenha and Amie Medley