FTC Releases Report on the “Sharing Economy” for Internet-Based Services

Last month, the FTC released a staff report entitled “The ‘Sharing’ Economy: Issues Facing Platforms, Participants, and Regulators,” that assesses evolving business models relying on internet and app-based “sharing economy” platforms, such as peer-to-peer platforms (think, Airbnb), and their effects on more traditional industries. The 100-page report also discusses several “trust mechanisms,” such as reputation rating systems or money-back guarantees, which help develop a level of confidence between buyers and sellers.

The report summarizes an FTC public workshop held in June 2015 that highlighted a number of competitive benefits and potential consumer protection challenges posed by disruptive business models in markets such as for-hire-transportation and short-term lodging. In particular, the report discusses the economics underlying how these marketplaces operate and the platforms’ approaches to addressing consumer protection and other regulatory concerns through trust mechanisms. As the report explains, through sharing economy platforms, smaller sellers (e.g., individuals) can enter markets and access broad groups of potential buyers. These sellers are often able to use their own personal assets for service – such as a room in their house – which may make the cost of entry much lower than it has been for more traditional sellers.

The FTC also examines regulatory approaches to protect consumers and the public while still preserving the benefits of competition offered by these new and innovative sources of supply. The report states that, in the FTC’s view, any necessary regulations on these new platforms “should be flexible enough to allow new forms of competition” and “narrowly tailored to the specific public policy goals that have been identified” in order to avoid stifling competition.

Takeaway: While the FTC’s report does not propose specific solutions or next steps, it opens up a dialogue between regulators, economists, federal and state governments, industry participants and consumers about emerging platforms and the costs and benefits they carry for consumers and traditional industries.



Cell Phone Manufacturer and Firmware Provider Hit with Consumer Class Action Over Extracting and Transmitting User Information Without Consent

A recent class action lawsuit is alleging that cell phone manufacturer Blu Products, Inc. (“Blu”) and firmware providers Shanghai Adups Technology Co., Ltd. and Adups USA LLC (“Adups”) violated several federal privacy laws by selling cell phones containing firmware that collected user’s sensitive personal information and transmitted that information to servers in China. This complaint followed from a November 15, 2016 New York Times story, which reported that mobile security firm Kryptowire discovered several models of mobile devices that  were using Adups firmware to collect sensitive personal data about users and transmit that data to third-parties without user consent.

Kryptowire’s announcement of the discovery noted that the Adups firmware transmitted information such as “the full-body of text messages, contact lists, call history with full telephone numbers, [and] unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).” In the New York Times report, Blu acknowledged that 120,000 phones were affected by this firmware and said that the impacted phones’ software was updated to eliminate the data collection feature. Blu Chief Executive Officer Samuel Ohev-Zion told the Times that the firmware issue “was obviously something that we were not aware of. We moved very quickly to correct it.”

The lawsuit is being brought by an Alabama man who purchased a Blu R1 cell phone on September 30, 2016, and is on behalf of purchasers or owners of certain Blu cell phones containing Adups firmware versions 5.0x to 5.3x. The suit claims that Blu and Adups purposely concealed the existence of the firmware from users and illegally collected and transmitted personal user data without consent. The plaintiff is seeking damages and injunctive relief for alleged violations of the Wiretap Act, the Electronic Communications Privacy Act, the Magnuson-Moss Warranty Act, as well as common law invasion of privacy and trespass to chattels.

Takeaway: Mobile device manufacturers and software providers should remain vigilant of the firmware in their devices and provide proper notice to consumers before collecting customer data.


Facebook Implements Additional Measures to Prevent Discriminatory Practices in Targeted Advertisements

Responding to news reports that journalists were able to purchase advertising on Facebook targeted to ethnic groups, Facebook announced several new changes to the company’s advertising products. The move highlights heightened scrutiny of advertising practices surrounding the increasing use of big data in many aspects of marketing and advertising.

Facebook’s response grew out of a ProPublica report published on October 28, 2015 detailing how journalists were able to purchase ads targeted to house hunters on Facebook, all while excluding specific “Ethnic Affinities,” such as African-American, Asian-American or Hispanic people.  The report raised significant ethical and legal questions on how the features that enable advertisers to target their ads can be misused for discriminatory purposes.  The potential for interactive computer service providers to violate anti-discrimination laws has drawn attention for several years, especially following the decision of the Ninth Circuit Court of Appeals in the Roommates decision, which held that the that immunity provided by the Communications Decency Act (CDA) for online operators did not apply to an online service that offered questionnaires and selections to online participants that could facilitate discrimination against protected classes. See Fair Hous. Council v. Roommates.com, LLC, 521 F.3d 1157, 1166 (9th Cir.2008) (en banc).

Risks for Interactive Computer Service Providers

Like the Roommates case, the news report triggered reactions from news outlets, policymakers and civil rights leaders.  Facebook responded by soliciting input from members of Congress and civil liberties organizations while it reviewed its anti-discrimination policies.  On November 11, 2016, Facebook’s Chief Privacy Officer and VP of US Public Policy published a blog post on the company website to introduce changes to the company’s advertising products.  The changes will include tools to detect and disable the use of ethnic affinity marketing for certain types of ads, such as those concerning housing, employment or credit.  The company is also updating its advertising policies to reflect a more proactive stance on prohibiting discriminatory advertising practices.  That said, the company will continue to allow advertisers to use such targeting features in other non-specified contexts.

FTC and White House Interests

The potential for data misuse in online advertising has been a growing concern of state and federal authorities. In January 2016, the Federal Trade Commission (“FTC”) issued a report entitled Big Data, A Tool for Inclusion or Exclusion?  The report identified a number of legal and ethical risks that companies should consider when handling consumers’ personal information, specifically warning against practices that could violate the Fair Credit Reporting Act (“FCRA”) or any of the equal opportunity laws that prohibit discrimination based on protected characteristics such as race, color, sex or gender, religion, age, disability status, national origin, marital status, and genetic information. The FTC also broadly noted that, any unfair or deceptive practices could be pursued under its authority in Section 5 of the FTC Act. The FTC Report also highlighted a 2014 White House report that sought to create a set of best practices around information collection and usage and placed a spotlight on potential dangers of misuse of consumer information. The White House published a follow up report in May 2016.

Inclusion v. Exclusion—Legitimate Advertising Purposes?

At the same time, there are a number of legitimate purposes for which companies or advertisers may want to target specific audiences based on demographic information, such as marketing specific products and services to individuals most likely to purchase them, or directing political ads to those most likely to be receptive to particular campaign agendas. From a privacy perspective, these uses often highlight how and whether these users have self-identified and whether they know, or could know, that this type of information might be used in these contexts. For nearly a decade, leading privacy professionals have highlighted that acting in ways consistent with consumer expectations is an important way to create and maintain trust (see, e.g., C-SPAN AMP Summit).

Practical Considerations

Therefore, while companies continue to use Big Data analytics and personal information to facilitate more tailored interactions with individuals, it increasingly makes sense to evaluate how such data can be utilized and take measures to prevent misuse of data, thinking in particular about the potential for allegations of discrimination or similar claims that may arise from use of information that may reflect on character, reputation or fitness of consumers for a particular good or service.  State and municipal laws frequently provide traps for unwary technology enterprises seeking to operate nationally, if not globally.  Some of the steps that companies increasingly consider as part of privacy-by-design may include:

  • Consumer Context. Understand the context in which personal information is collected and will be (or can be) used thinking from the perspective of consumers;
  • Notice and Consent. Ensure users are given adequate notice of the company’s data practices, which may evolve over time, and seek affirmative consent where warranted;
  • Training and Education. Insist that internal product teams and data owners understand the company’s privacy policies and collaborate with legal/privacy advisors;
  • Data Supply Chain Reviews. Assess the potential for third parties to misuse company data, and the risks to the company in providing access—even indirectly—to personal information;
  • Focus on “Sensitive” Information Accountability. Take extra precautions when handling sensitive personal information (e.g., race, religion, disability); and
  • Be Prepared. Issues will inevitably arise. Preparing for how to respond to criticism and public discussion of a company’s data practices is one of the easiest ways to anticipate and manage privacy-related data risks.

Copyright Office Starts New Process for DMCA Safe Harbor Registration Today

Last month, the Copyright Office issued a final rule governing the designation of agents to receive notifications of claimed infringement under the Digital Millennium Copyright Act (“DMCA”). To help streamline the process, the Copyright office created a new, electronic filing system so that brands and advertisers can efficiently submit and update their designated agent.  The online process is open for filing today.

Any company that has previously filed a designated agent form with the Copyright Office will have until December 31, 2017 to submit a new form electronically through the new online registration system. As part of the transition, the public directory of designated agents will be phased out on December 31, 2017.  Until that time, an accurate designation in the old paper-generated directory will continue to satisfy the company’s obligations under the DMCA.

TAKEAWAY:  Don’t panic!  Advertisers may start updating their policies at the copyright office starting today.  Companies will not lose their status, but they will need to update their records with the Copyright office before December 2017.

Michigan Attorney General Intervenes in Suit Against Consumer Reports to Defend Constitutionality of Michigan Privacy Laws

Michigan Attorney General Bill Schuette filed a brief this week intervening in a federal lawsuit between a subscriber of Consumer Reports magazine and publisher Consumers Union of the United States (“Consumers Union”) to defend the constitutionality of the Michigan Preservation of Personal Privacy Act. The Act prohibits businesses “engaged in the business of selling at retail . . . books or other written materials” from disclosing customer information to third parties. The Act contains numerous exceptions, including allowing disclosure of customer data for the purpose of marketing directly to that customer where the customer has been given written notice and an opportunity to have her or his name removed.

This dispute arose when a subscriber to Consumer Reports magazine alleged in a class action lawsuit that Consumers Union was disclosing subscriber names and addresses to data mining companies and other third parties without providing proper notice and obtaining subscriber consent in violation of the Michigan Preservation of Personal Privacy Act. Consumers Union moved to dismiss the action on numerous grounds, including that the Act violates First Amendment free speech protections. The court adjudicating this suit allowed Attorney General Schuette to intervene on behalf of the plaintiff to defend the constitutionality of the Act.

A federal court must now decide whether the Act’s consumer privacy protections are a valid regulation of commercial speech and if the Act unacceptably prohibits a substantial amount of protected speech in relation to the law’s legitimate sweep.

Takeaway: Though the court has yet to rule, this suit reflects a modern trend of state and federal governments taking a stronger stand in protecting consumer privacy. This court’s decision will be important to help guide advertisers on the line between First Amendment speech and state laws protecting consumer privacy.


Former Member of The Commodores Sued For Using Band’s Name to Promote Solo Career

A Florida federal court enjoined Thomas McClary, an original member of famed Motown band the Commodores, from branding himself as “COMMODORES’ Founder Thomas McClary” in his booking advertisements for solo gigs. McClary left the band in 1984 to pursue a solo career.

In 2014, Commodores Entertainment Corporation (“CEC”), the band’s legal entity, filed suit against McClary for trademark infringement, trademark dilution, passing off, false advertising, unfair competition, and deceptive trade practices when it was discovered that McClary was advertising and booking performances under the names “The Commodores featuring Thomas McClary” and “The 2014 Commodores.” In that case, CEC obtained a permanent injunction preventing McClary from using either name.

In the motion decided this week, CEC sought to enforce its existing injunction to prevent McClary from branding himself with the Commodores’ name.  McClary argued that the revised name was permitted under the doctrines of classic or normative fair use.  But the court held that McClary’s use of “COMMODORES Founder” suggested an endorsement by the band and “continues to cause a likelihood of confusion between the two bands.” Although the court enjoined the revised branding, it found that McClary may use the “Commodores” name so long as it is “preceded by the historically accurate reference” and is “not more prominent than other words contained in the band name.”

Takeaway: Artists who wish to advertise new ventures while reminding consumers of their association to a prior group must take care to use the proper advertising language.

A Gentle Reminder from the FCC: Autodialed Text Messages Fall Under TCPA Restrictions

Last week, the FCC’s Enforcement Bureau issued an enforcement advisory reiterating its position that autodialed text messages must comply with requirements set forth in the Telephone Consumer Protection Act (TCPA).  Though it is unclear what prompted this specific advisory (perhaps, the upcoming holiday season), the Enforcement Bureau issued the warning in order to promote understanding of the clear limits on the use of autodialed text messages, also known as “robotexts.”

The FCC has previously articulated in its 2015 Declaratory Ruling and Order that restrictions on making autodialed calls to cell phones encompass both voice calls and texts.  The TCPA bars autodialed calls or texts to mobile devices without prior express written consent, unless they are (i) made for emergency purposes; (ii) free to the end user and have been exempted by the Commission; or (iii) made solely to collect on debts “owed to or guaranteed by the United States” (i.e., federal debt collection calls).  Further, the term “automatic telephone dialing system” (i.e., “ATDS” or “autodialer”) covers any equipment that has the capacity to store or produce numbers to be dialed and dial them without human intervention, but does not need to have the present ability to do so.

Takeaway: Text message campaigns by advertisers have been the subject of FCC actions in the past few months. Prior express written consent may be required for autodialed texts that include or introduce an advertisement. Advertisers which engage in such campaigns should keep a record of consent provided by consumers, as companies bear the burden of proving that they obtained such consent.

FTC’s New Guidelines Provide Agency View on Data Breach Response

On October 25, the Federal Trade Commission released “Data Breach Response: A Guide for Business,” its latest guidance on data privacy and security regulation. The Guide seeks to help businesses comprehend the Agency’s understanding of both legal requirements and best practices, although what is legally required versus what is encouraged continues to be challenging for many companies to identify in these pronouncements.

Although the Guide is not a regulation, the Commission has historically used such guidance to help signal where its enforcement efforts might focus as it evaluates companies’ conduct. The introduction suggests that the FTC considers following its advice to be at least one way to “make smart, sound decisions.”

The Guide outlines tasks for companies affected by a breach:

  • Secure Your Operation
  • Fix Vulnerabilities
  • Notify Appropriate Parties

Secure Your Operations.  Each section provides further guidance on what the FTC considers wise in that circumstance. In the Secure Your Operations section, the Guide recommends assembling a team of experts to conduct a comprehensive breach response, with the size and composition of the team determined by the features of the organization. It includes straightforward recommendations, such as securing physical areas and stopping additional data loss.  Significantly, the Guide cautions that you should not destroy evidence.  While this may seem obvious, it can often occur in unplanned and unforeseen ways.  Whether or not inadvertent destruction of evidence or failure to preserve evidence will likely be an area of prosecution is too early to tell.

Fix Vulnerabilities. The Fix Vulnerabilities section recommends checking the security of service providers and working with forensics experts to analyze the extent of the breach and initiate remedial efforts. It seems likely that issues such as time to detection and speed of response will remain uncertain, and it is difficult for companies to know when “soon enough” is adequate or “reasonable,” which has been the touchstone of the agencies’ approach (and which it characterizes as “flexible”).

Notification.  The Notify Appropriate Parties section reminds companies to determine their legal requirements for notifying law enforcement, businesses, and individuals. It also provides a sample breach notification letter for an incident in which Social Security numbers have been hacked.  Given the many competing breach notification standards, identifying a “breach,” and determinations regarding whether notification is legally required or in hindsight was legally desirable, will likely continue to be an area of careful attention for companies.  The role of forensic investigators working alongside skilled counsel will likely continue to be important for many companies, especially those facing a significant incident or those that have not encountered an incident before.  The Guide suggests that law enforcement be notified “immediately,” but whether that means when an incident is suspected or upon determination of a “breach” is unclear.  Nevertheless, the Agency appears to strongly suggest that it believes law enforcement can and should play an active role in incident response.  In this area, as in some others, the Guide’s effort to educate and issue-spot could lead easily to oversimplification and unnecessary over-notification.  Similarly, the Guide appears to favor “quick” notification, but does not address the competing policy benefits of certainty and avoiding false positives – something many forensics teams often highlight as an unintended consequence of “quick” notification, where the risk to individuals arising from the misuse of their information may be slight.

Putting It All Together. The Guide provides a broad summary of the Agency’s view of how companies should react in the case of a breach, and comes squarely from the FTC’s perspective as the nation’s largest consumer protection law enforcement agency. Notably, the Guide focuses on prevention, detection, and response issues related primarily to personal information, and sensitive personal information in particular. Companies that collect and retain personally identifiable information, whether for employment, financial, health care, or other reasons, increasingly engage outside counsel to assist them in planning for and testing their response processes. This advance preparation may include not only assessment of the underlying systems and processes for security and incident response, but also undertaking inventories of the relevant types of information assets that may be at risk, and evaluating how peers in the industry are responding to similar threat profiles. The Guide is silent on the role and value of table-top exercises, a tool that many larger organizations have found to be a useful way to test their preparedness. It also does not address the relationship between security and IT, and the role of the board of directors, both areas of increasing attention among corporate governance experts. Finally, many organizations find that security breaches require them to quickly become acquainted with the realities of their insurance coverage in such a scenario, and that is a key area that organizations should anticipate, but that the Guide does not cover.

The FTC Guide deserves praise as an initial effort to call attention to this important area, and to help make accessible information and strategies on incident response that may be especially useful as a starting point for many companies as they begin to evaluate how to plan for and respond to security incidents. At the same time, the breadth and complexity of incident response and changing threat vectors make it likely that the Agency will need to regularly update its recommendations in the Guide, and otherwise supplement them based on experience.

FTC Settles With Sales Lead Generators For $100,000

Last week, the Federal Trade Commission (“FTC”) settled a claim against the Consumer Education Group for $100,000 regarding alleged violations of the FTC’s Telemarketing Sales Rule (“TSR”) and Section 5(a) of the FTC Act. The FTC alleged that Consumer Education Group made millions of illegal telemarketing calls, including unlawful robocalls, to consumers in an effort to generate sales leads for third parties.  Additionally, the FTC alleged that Consumer Education Group invited consumers to sign up for information regarding solar panels, reverse mortgages, and bathtubs, only to later find that Consumer Education Group collected the information to be sold as leads to third parties.  The settlement bars the organization from continuing its telemarketing campaign, requiring it to comply with the TSR on a going-forward basis, and pay a $100,000 civil penalty.

Takeaway: Online advertisers should clearly and conspicuously disclose how information they collect is stored and maintained via their privacy policy.  Additionally, advertisers engaging in a telemarketing campaign should be aware of the rules set forth in the TSR, as well as the Telephone Consumer Protection Act.



Still On The Line: FCC Refuses to Hang Up $20 Million Fine for False Advertising Levied Against Calling Card Companies

Last week, the FCC decided not to reduce the $20 million in fines it levied against four pre-paid calling card companies in 2015. The fines arise out of the companies’ deceptive marketing practices whereby they marketed calling cards that would provide thousands of minutes for low, prepaid prices.  The FCC found, however, that consumers were required to use all of their minutes in a single call to avoid the hidden fees and surcharges that were not conspicuously displayed on the companies’ marketing materials.

To assert jurisdiction, the FCC categorized the companies as common carriers primarily because the companies set calling card rates and minutes, designed and printed calling cards, and because the cards provided international toll voice service—a common carrier activity requiring authorization under Section 214 of the Communications Act. 

Takeaways: Advertisers that sell prepaid calling cards or similar services should clearly and conspicuously disclose the costs associated with their services on marketing materials.