Facebook Implements Additional Measures to Prevent Discriminatory Practices in Targeted Advertisements

Responding to news reports that journalists were able to purchase advertising on Facebook targeted to ethnic groups, Facebook announced several new changes to the company’s advertising products. The move highlights heightened scrutiny of advertising practices surrounding the increasing use of big data in many aspects of marketing and advertising.

Facebook’s response grew out of a ProPublica report published on October 28, 2015 detailing how journalists were able to purchase ads targeted to house hunters on Facebook, all while excluding specific “Ethnic Affinities,” such as African-American, Asian-American or Hispanic people.  The report raised significant ethical and legal questions on how the features that enable advertisers to target their ads can be misused for discriminatory purposes.  The potential for interactive computer service providers to violate anti-discrimination laws has drawn attention for several years, especially following the decision of the Ninth Circuit Court of Appeals in the Roommates decision, which held that the that immunity provided by the Communications Decency Act (CDA) for online operators did not apply to an online service that offered questionnaires and selections to online participants that could facilitate discrimination against protected classes. See Fair Hous. Council v. Roommates.com, LLC, 521 F.3d 1157, 1166 (9th Cir.2008) (en banc).

Risks for Interactive Computer Service Providers

Like the Roommates case, the news report triggered reactions from news outlets, policymakers and civil rights leaders.  Facebook responded by soliciting input from members of Congress and civil liberties organizations while it reviewed its anti-discrimination policies.  On November 11, 2016, Facebook’s Chief Privacy Officer and VP of US Public Policy published a blog post on the company website to introduce changes to the company’s advertising products.  The changes will include tools to detect and disable the use of ethnic affinity marketing for certain types of ads, such as those concerning housing, employment or credit.  The company is also updating its advertising policies to reflect a more proactive stance on prohibiting discriminatory advertising practices.  That said, the company will continue to allow advertisers to use such targeting features in other non-specified contexts.

FTC and White House Interests

The potential for data misuse in online advertising has been a growing concern of state and federal authorities. In January 2016, the Federal Trade Commission (“FTC”) issued a report entitled Big Data, A Tool for Inclusion or Exclusion?  The report identified a number of legal and ethical risks that companies should consider when handling consumers’ personal information, specifically warning against practices that could violate the Fair Credit Reporting Act (“FCRA”) or any of the equal opportunity laws that prohibit discrimination based on protected characteristics such as race, color, sex or gender, religion, age, disability status, national origin, marital status, and genetic information. The FTC also broadly noted that, any unfair or deceptive practices could be pursued under its authority in Section 5 of the FTC Act. The FTC Report also highlighted a 2014 White House report that sought to create a set of best practices around information collection and usage and placed a spotlight on potential dangers of misuse of consumer information. The White House published a follow up report in May 2016.

Inclusion v. Exclusion—Legitimate Advertising Purposes?

At the same time, there are a number of legitimate purposes for which companies or advertisers may want to target specific audiences based on demographic information, such as marketing specific products and services to individuals most likely to purchase them, or directing political ads to those most likely to be receptive to particular campaign agendas. From a privacy perspective, these uses often highlight how and whether these users have self-identified and whether they know, or could know, that this type of information might be used in these contexts. For nearly a decade, leading privacy professionals have highlighted that acting in ways consistent with consumer expectations is an important way to create and maintain trust (see, e.g., C-SPAN AMP Summit).

Practical Considerations

Therefore, while companies continue to use Big Data analytics and personal information to facilitate more tailored interactions with individuals, it increasingly makes sense to evaluate how such data can be utilized and take measures to prevent misuse of data, thinking in particular about the potential for allegations of discrimination or similar claims that may arise from use of information that may reflect on character, reputation or fitness of consumers for a particular good or service.  State and municipal laws frequently provide traps for unwary technology enterprises seeking to operate nationally, if not globally.  Some of the steps that companies increasingly consider as part of privacy-by-design may include:

  • Consumer Context. Understand the context in which personal information is collected and will be (or can be) used thinking from the perspective of consumers;
  • Notice and Consent. Ensure users are given adequate notice of the company’s data practices, which may evolve over time, and seek affirmative consent where warranted;
  • Training and Education. Insist that internal product teams and data owners understand the company’s privacy policies and collaborate with legal/privacy advisors;
  • Data Supply Chain Reviews. Assess the potential for third parties to misuse company data, and the risks to the company in providing access—even indirectly—to personal information;
  • Focus on “Sensitive” Information Accountability. Take extra precautions when handling sensitive personal information (e.g., race, religion, disability); and
  • Be Prepared. Issues will inevitably arise. Preparing for how to respond to criticism and public discussion of a company’s data practices is one of the easiest ways to anticipate and manage privacy-related data risks.

Copyright Office Starts New Process for DMCA Safe Harbor Registration Today

Last month, the Copyright Office issued a final rule governing the designation of agents to receive notifications of claimed infringement under the Digital Millennium Copyright Act (“DMCA”). To help streamline the process, the Copyright office created a new, electronic filing system so that brands and advertisers can efficiently submit and update their designated agent.  The online process is open for filing today.

Any company that has previously filed a designated agent form with the Copyright Office will have until December 31, 2017 to submit a new form electronically through the new online registration system. As part of the transition, the public directory of designated agents will be phased out on December 31, 2017.  Until that time, an accurate designation in the old paper-generated directory will continue to satisfy the company’s obligations under the DMCA.

TAKEAWAY:  Don’t panic!  Advertisers may start updating their policies at the copyright office starting today.  Companies will not lose their status, but they will need to update their records with the Copyright office before December 2017.

Michigan Attorney General Intervenes in Suit Against Consumer Reports to Defend Constitutionality of Michigan Privacy Laws

Michigan Attorney General Bill Schuette filed a brief this week intervening in a federal lawsuit between a subscriber of Consumer Reports magazine and publisher Consumers Union of the United States (“Consumers Union”) to defend the constitutionality of the Michigan Preservation of Personal Privacy Act. The Act prohibits businesses “engaged in the business of selling at retail . . . books or other written materials” from disclosing customer information to third parties. The Act contains numerous exceptions, including allowing disclosure of customer data for the purpose of marketing directly to that customer where the customer has been given written notice and an opportunity to have her or his name removed.

This dispute arose when a subscriber to Consumer Reports magazine alleged in a class action lawsuit that Consumers Union was disclosing subscriber names and addresses to data mining companies and other third parties without providing proper notice and obtaining subscriber consent in violation of the Michigan Preservation of Personal Privacy Act. Consumers Union moved to dismiss the action on numerous grounds, including that the Act violates First Amendment free speech protections. The court adjudicating this suit allowed Attorney General Schuette to intervene on behalf of the plaintiff to defend the constitutionality of the Act.

A federal court must now decide whether the Act’s consumer privacy protections are a valid regulation of commercial speech and if the Act unacceptably prohibits a substantial amount of protected speech in relation to the law’s legitimate sweep.

Takeaway: Though the court has yet to rule, this suit reflects a modern trend of state and federal governments taking a stronger stand in protecting consumer privacy. This court’s decision will be important to help guide advertisers on the line between First Amendment speech and state laws protecting consumer privacy.

 

Former Member of The Commodores Sued For Using Band’s Name to Promote Solo Career

A Florida federal court enjoined Thomas McClary, an original member of famed Motown band the Commodores, from branding himself as “COMMODORES’ Founder Thomas McClary” in his booking advertisements for solo gigs. McClary left the band in 1984 to pursue a solo career.

In 2014, Commodores Entertainment Corporation (“CEC”), the band’s legal entity, filed suit against McClary for trademark infringement, trademark dilution, passing off, false advertising, unfair competition, and deceptive trade practices when it was discovered that McClary was advertising and booking performances under the names “The Commodores featuring Thomas McClary” and “The 2014 Commodores.” In that case, CEC obtained a permanent injunction preventing McClary from using either name.

In the motion decided this week, CEC sought to enforce its existing injunction to prevent McClary from branding himself with the Commodores’ name.  McClary argued that the revised name was permitted under the doctrines of classic or normative fair use.  But the court held that McClary’s use of “COMMODORES Founder” suggested an endorsement by the band and “continues to cause a likelihood of confusion between the two bands.” Although the court enjoined the revised branding, it found that McClary may use the “Commodores” name so long as it is “preceded by the historically accurate reference” and is “not more prominent than other words contained in the band name.”

Takeaway: Artists who wish to advertise new ventures while reminding consumers of their association to a prior group must take care to use the proper advertising language.

A Gentle Reminder from the FCC: Autodialed Text Messages Fall Under TCPA Restrictions

Last week, the FCC’s Enforcement Bureau issued an enforcement advisory reiterating its position that autodialed text messages must comply with requirements set forth in the Telephone Consumer Protection Act (TCPA).  Though it is unclear what prompted this specific advisory (perhaps, the upcoming holiday season), the Enforcement Bureau issued the warning in order to promote understanding of the clear limits on the use of autodialed text messages, also known as “robotexts.”

The FCC has previously articulated in its 2015 Declaratory Ruling and Order that restrictions on making autodialed calls to cell phones encompass both voice calls and texts.  The TCPA bars autodialed calls or texts to mobile devices without prior express written consent, unless they are (i) made for emergency purposes; (ii) free to the end user and have been exempted by the Commission; or (iii) made solely to collect on debts “owed to or guaranteed by the United States” (i.e., federal debt collection calls).  Further, the term “automatic telephone dialing system” (i.e., “ATDS” or “autodialer”) covers any equipment that has the capacity to store or produce numbers to be dialed and dial them without human intervention, but does not need to have the present ability to do so.

Takeaway: Text message campaigns by advertisers have been the subject of FCC actions in the past few months. Prior express written consent may be required for autodialed texts that include or introduce an advertisement. Advertisers which engage in such campaigns should keep a record of consent provided by consumers, as companies bear the burden of proving that they obtained such consent.

FTC’s New Guidelines Provide Agency View on Data Breach Response

On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for many companies to identify in these pronouncements.

Although the Guide is not a regulation, the Commission has historically used such guidance to help signal where its enforcement efforts might focus as it evaluates companies’ conduct. The introduction suggests that the FTC considers following its advice to be at least one way to “make smart, sound decisions.”

The Guide outlines tasks for companies affected by a breach:

  • Secure Your Operation
  • Fix Vulnerabilities
  • Notify Appropriate Parties

Secure Your Operations.  Each section provides further guidance on what the FTC considers wise in that circumstance. In the Secure Your Operations section, the Guide recommends assembling a team of experts to conduct a comprehensive breach response, with the size and composition of the team determined by the features of the organization. It includes straightforward recommendations, such as securing physical areas and stopping additional data loss.  Significantly, the Guide cautions that you should not destroy evidence.  While this may seem obvious, it can often occur in unplanned and unforeseen ways.  Whether or not inadvertent destruction of evidence or failure to preserve evidence will likely be an area of prosecution is too early to tell.

Fix Vulnerabilities. The Fix Vulnerabilities section recommends checking the security of service providers and working with forensics experts to analyze the extent of the breach and initiate remedial efforts. It seems likely that issues such as time to detection and speed of response will remain uncertain, and it is difficult for companies to know when “soon enough” is adequate or “reasonable,” which has been the touchstone of the agencies’ approach (and which it characterizes as “flexible”).

Notification.  The Notify Appropriate Parties section reminds companies to determine their legal requirements for notifying law enforcement, businesses, and individuals. It also provides a sample breach notification letter for an incident in which Social Security numbers have been hacked.  Given the many competing breach notification standards, identifying a “breach,” and determinations regarding whether notification is legally required or in hindsight was legally desirable, will likely continue to be an area of careful attention for companies.  The role of forensic investigators working alongside skilled counsel will likely continue to be important for many companies, especially those facing a significant incident or those that have not encountered an incident before.  The Guide suggests that law enforcement be notified “immediately,” but whether that means when an incident is suspected or upon determination of a “breach” is unclear.  Nevertheless, the Agency appears to strongly suggest that it believes law enforcement can and should play an active role in incident response.  In this area, as in some others, the Guide’s effort to educate and issue-spot could lead easily to oversimplification and unnecessary over-notification.  Similarly, the Guide appears to favor “quick” notification, but does not address the competing policy benefits of certainty and avoiding false positives – something many forensics teams often highlight as an unintended consequence of “quick” notification, where the risk to individuals arising from the misuse of their information may be slight.

Putting It All Together. The Guide provides a broad summary of the Agency’s view of how companies should react in the case of a breach, and comes squarely from the FTC’s perspective as the nation’s largest consumer protection law enforcement agency. Notably, the Guide focuses on prevention, detection, and response issues related primarily to personal information, and sensitive personal information in particular. Companies that collect and retain personally identifiable information, whether for employment, financial, health care, or other reasons, increasingly engage outside counsel to assist them in planning for and testing their response processes. This advance preparation may include not only assessment of the underlying systems and processes for security and incident response, but also undertaking inventories of the relevant types of information assets that may be at risk, and evaluating how peers in the industry are responding to similar threat profiles. The Guide is silent on the role and value of table-top exercises, a tool that many larger organizations have found to be a useful way to test their preparedness. It also does not address the relationship between security and IT, and the role of the board of directors, both areas of increasing attention among corporate governance experts. Finally, many organizations find that security breaches require them to quickly become acquainted with the realities of their insurance coverage in such a scenario, and that is a key area that organizations should anticipate, but that the Guide does not cover.

The FTC Guide deserves praise as an initial effort to call attention to this important area, and to help make accessible information and strategies on incident response that may be especially useful as a starting point for many companies as they begin to evaluate how to plan for and respond to security incidents. At the same time, the breadth and complexity of incident response and changing threat vectors make it likely that the Agency will need to regularly update its recommendations in the Guide, and otherwise supplement them based on experience.

FTC Settles With Sales Lead Generators For $100,000

Last week, the Federal Trade Commission (“FTC”) settled a claim against the Consumer Education Group for $100,000 regarding alleged violations of the FTC’s Telemarketing Sales Rule (“TSR”) and Section 5(a) of the FTC Act. The FTC alleged that Consumer Education Group made millions of illegal telemarketing calls, including unlawful robocalls, to consumers in an effort to generate sales leads for third parties.  Additionally, the FTC alleged that Consumer Education Group invited consumers to sign up for information regarding solar panels, reverse mortgages, and bathtubs, only to later find that Consumer Education Group collected the information to be sold as leads to third parties.  The settlement bars the organization from continuing its telemarketing campaign, requiring it to comply with the TSR on a going-forward basis, and pay a $100,000 civil penalty.

Takeaway: Online advertisers should clearly and conspicuously disclose how information they collect is stored and maintained via their privacy policy.  Additionally, advertisers engaging in a telemarketing campaign should be aware of the rules set forth in the TSR, as well as the Telephone Consumer Protection Act.

 

 

Still On The Line: FCC Refuses to Hang Up $20 Million Fine for False Advertising Levied Against Calling Card Companies

Last week, the FCC decided not to reduce the $20 million in fines it levied against four pre-paid calling card companies in 2015. The fines arise out of the companies’ deceptive marketing practices whereby they marketed calling cards that would provide thousands of minutes for low, prepaid prices.  The FCC found, however, that consumers were required to use all of their minutes in a single call to avoid the hidden fees and surcharges that were not conspicuously displayed on the companies’ marketing materials.

To assert jurisdiction, the FCC categorized the companies as common carriers primarily because the companies set calling card rates and minutes, designed and printed calling cards, and because the cards provided international toll voice service—a common carrier activity requiring authorization under Section 214 of the Communications Act. 

Takeaways: Advertisers that sell prepaid calling cards or similar services should clearly and conspicuously disclose the costs associated with their services on marketing materials.

 

Today’s Hot Topic: Public Symbols

From time to time I like to remind clients of specific network guidelines to keep in mind when developing advertising. One such guideline involves the use of public symbols in advertising.

According to network standards, heads-of-state, other public officials, religious leaders, and public buildings and/or monuments must be treated with appropriate respect and dignity when mentioned or depicted in advertising.

The following guidelines apply to advertising that features public symbols:

  1. Unless authorized in writing by the Office of the White House Counsel, the use of the name or likeness of the President or Vice President of the United States and their families, as well as the Presidential Seal, is generally not acceptable for advertising purposes.
  2. Unless expressly permitted by its duly authorized representatives, the use of the White House in advertising is generally not acceptable.
  3. Other national buildings and monuments may be used in advertising provided the use is incidental to the advertiser’s promotion of a product or service and is in good taste.
  4. The networks recognize the “Flag Code,” which serves as a guide to the use of the American Flag and state statutes governing the American Flag’s use in advertising. As a general rule, the appearance of the flag may be acceptable in advertising provided that it is treated in a dignified manner and displayed with proper respect, is incidental to the main thrust of the commercial and in a natural setting, and is not employed in an attempt to enhance the advertised product or service. Rules governing the use of flags of foreign countries in advertising vary from country to country. Advertisers are required to provide evidence from a country’s consular service to support the use of that country’s flag.
  5. Use of the United Nations flag in connection with advertising is not permitted.
  6. Religious leaders may not be mentioned or depicted in any advertising without their consent.
  7. Absent special public policy considerations, the National Anthem of the United States and “Hail to the Chief” are not permitted in advertising.  However, music of a traditional or patriotic nature is permitted in advertising, provided it is used with dignity.
  8. Use of official military uniforms or vehicles is permitted subject to prior approval of the Department of Defense.

The networks have strict policies regarding the use of public symbols in advertising. So, if you have plans to create advertising which features public symbols, make sure the advertising complies with the network guidelines.  And remember, when it doubt, ask questions.

Marilyn Colaninno is Director of Rights and Clearances for Reed Smith and is responsible for clearing commercials for the firm’s many clients in the advertising industry. If you have specific questions, please contact Marilyn directly at 212-549-0347 or at mcolaninno@reedsmith.com.

 

 

 

Three Reed Smith Attorneys Will Speak At The 2016 ANA/BAA Marketing Law Conference

Reed Smith attorneys John Feldman, Jason Gordon and Stacy Marcus will be speaking at the 2016 ANA/BAA Marketing Law Conference in Chicago on November 9-11, 2016. John will be speaking on Promotional Tactics – Coupons, Rebates, and Experiential Marketing/Pokémon GO.  Stacy will be presenting updates to the 2016 SAG-AFTRA Commercials Contract.  Jason will be speaking about the latest updates in Loyalty Programs.

Additionally, Reed Smith will be hosting a cocktail party for clients and friends on Thursday, November 10, 2016 from 7:00-9:00 PM at The Watershed (601 N. State St.) – just two blocks from the BAA Conference. Click Here for details and to RSVP for the party.

LexBlog