Attorneys

Michelle Cohen Member

/ P (202) 524-4149

LinkedIn connect on LinkedIn / Twitter @MichelleWCohen

  • Michelle Cohen: Internet Privacy Lawyer on Internet Marketing

    Video 1 of 3

  • Attorney Michelle Cohen: Increased Federal Enforcement of Mobile Commerce in 2013

    Video 2 of 3

  • What to do if you think your company has had a data breach

    Video 3 of 3

Michelle’s unfailing dedication to her clients is evidenced by the fact that her first client, whom she worked with as a first-year associate over 20 years ago, remains an active client. She establishes strong and lasting relationships by committing herself to client service. Michelle understands her clients’ business goals, guides them in their use of new technologies, and communicates with them as their business activities unfold.

Michelle’s practice is focused on helping her clients establish powerful and lasting relationships with their customers and prospects. Regardless of industry – technology, manufacturing or education – companies need to maintain contact with their clients and prospects while ensuring that their communications comply with the laws and regulations regarding marketing and privacy – whether through sweepstakes/contests, telemarketing, email marketing or beyond. Michelle’s communications experience includes licensing, enforcement, contracts, rulemaking and advocacy.

When clients find themselves involved in an enforcement matter with the Federal Trade Commission, Federal Communications Commission or state agencies, Michelle’s deep knowledge in these areas and her strong footing in the privacy community help her to resolve issues in the most expedient manner possible. Michelle also advises clients as to what policies and procedures can be put in place to show a company’s good faith efforts, should the government come knocking. When companies are involved in potential data or security breaches, Michelle knows which questions to ask to ensure they have a sound legal strategy. She works with the company step-by-step to resolve the situation from both the government’s, and her clients’ as well as their customers’ points of view. Michelle has extensive experience defending individual and class actions in the consumer protection context, including dozens of Telephone Consumer Protection Act cases.

In addition to having received the prestigious Martindale-Hubbell AV rating, Michelle has received certification as a Certified Information Privacy Professional (CIPP-US) from the International Association of Privacy Professionals (IAPP). The IAPP’s extensive training and continuing education in the area of privacy ensures that Michelle stays abreast of developments in the U.S. and abroad, so that she can provide the up-to-date information her clients need.

Previously, Michelle was a partner at Thompson Hine where she was a member of their telecommunications, corporate transactions & securities and emerging technologies groups. She began her legal career in the litigation department at Paul Hastings, where she spent seven years honing her litigation skills, prior to moving into their corporate practice. Her litigation experience gives her a solid foundation for helping clients avoid litigation as well as in advising them when they are faced with litigation. This litigation experience, coupled with her regulatory and corporate experience, allow Michelle to offer her clients a full complement of services.

Awards + Recognition

  • ALM 2013 Washington DC's Women Leaders in the Law
  • ALM 2012 Top Rated Lawyer - Technology Law
  • Certified Information Privacy Professional (CIPP) certification, International Association of Privacy Professionals
  • Martindale-Hubbell AV Preeminent Peer Review Rating
  • Editorial Board Member, E-finance & Payments Law & Policy
  • Editorial Board Member, E-Commerce Law & Policy

Professional + Community

  • Women in Cable and Telecommunications Past Board Member Washington, D.C. - Baltimore Chapter
  • Federal Communications Bar Association
  • District of Columbia Bar
  • New York State Bar Association
  • Women's Bar Association of DC
  • Volunteer, Special Olympics
  • Brandeis University Alumni Admissions Council
  • Volunteer, Arlington County Public Schools, Virginia
  • Pro Bono Volunteer through the District of Columbia Bar
Michelle Cohen, Speaker, "Lotteries and Social Media" National Council of Legislators from Gaming States, 2015 Winter Conference, Las Vegas, NVJanuary 2015
"FTC Staff Recommendations for Mobile Financial Services," E-Finance & Payments Law & PolicyOctober 2014
"The FTC Releases Staff Report on Mobile Shopping Apps," E-Commerce Law & PolicySeptember 2014
"What’s Legal in Text Marketing!," Hybrid Telephony Summit 2014, Chicago, ILSeptember 22, 2014
"Managing Litigation in the Small Law Department Environment," WMACCA Small Law Department Initiative, McLean, VASeptember 11, 2014
"U.S. Banking Regulators to Review Laws," E-Finance & Payments Law & PolicyJune 2014
"The Wild World of Witnesses: When Good Witnesses Go Bad," WMACCA Litigation Forum, McLean, VAJune 26, 2014
"Zealous Counsel or Unethical Social Media Maven – How Far Can a Lawyer Go?," WMACCA E-Newsletter May 9, 2014
"Net Neutrality – Verizon v. Federal Communications Commission," E-Commerce Law ReportsFebruary 18, 2014
"Oral Arguments Heard in the FCC’s ‘Open Internet’ Dispute," E-Commerce Law ReportsDecember 2013
"Data Security: FTC v. Wyndham Corporation," E-Commerce Law ReportsOctober 3, 2013
Michelle Cohen, Speaker, "Don’t Litigate, Mediate: Here’s How," WMACCA Litigation Forum, McLean, VASeptember 11, 2013
"Mobile Advertising and Messaging: Litigation Under the TCPA," E-Commerce Law ReportsJuly 2013
"Smart House, Smart Car, Smartphones. The FTC Examines the ‘Internet of Things," E-Commerce Law ReportsJune 2013
"FTC issues privacy focused mobile payments report," E-Finance & Payments Law & PolicyMarch 2013
"FATCA: the end of hiding US accounts in foreign banks?," E-Finance & Payments Law & PolicyMarch 2013
Michelle Cohen, Speaker, "Trash Talk? Viral Leaks? What to do When Employees and the Public Take to the Internet Town Square," WMACCA Technology and IP Forum, McLean, VAFebruary 19, 2013
"Editor’s Insight – Mobile Marketing and Privacy," E-Commerce Law & Policy February 7, 2013
"The FTC reports to the US Congress on Dodd-Frank," E-Finance & Payments Law & PolicyJanuary 2013
"Visa/MasterCard Antitrust Litigation," E-Commerce Law ReportsSeptember 2012
Michelle Cohen, Presenter, "The Consumer Financial Protection Bureau: The Financial Industry’s New Watchdog," LeadsCon East Conference Presentation, New York City, New YorkJuly 2012
"Best Offense Is a Good Defense," Inside Supply ManagementMarch 2012

Successfully Negotiating the Sale of Assets During a Government Investigation

When a company that is under investigation for money laundering decides to sell its assets, what was once a straightforward sales process becomes a complex negotiation. That is what happened with our client, a provider of diagnostic testing equipment.

Ifrah Law and Michelle Cohen represented the company in its sale of radiology and cardiology diagnostic services equipment, which involved numerous challenges. Understandably, the buyer was concerned about the ongoing criminal investigation, and Michelle worked closely with them to address their concerns about representations and warranties and possible post-sale seizure from the government. Additionally, since there were bank liens on some of the assets, Michelle worked with the bank’s outside counsel to arrange a prompt payoff, obtain a satisfactory pay-off letter and secure a release of the liens in order to close the deal. Michelle also worked with the buyer to create a creditor payment plan that would payoff unsecured creditors and obtain releases from them in order to address the buyer’s concerns about unsecured creditors seeking relief from the buyer. Finally, she created an employee fund (funded by the buyer) to pay for uncompensated leave time.

These complicated issues were resolved in less than two weeks, as a result of Michelle’s skilled negotiations with all parties. The buyer was represented by Delaware’s largest law firm.

 

Successful Resolution of a TCPA Class Action

Michelle Cohen’s client, a publicly-traded enhanced messaging provider, was involved in a large-scale class action alleging violations of the TCPA’s unsolicited facsimile advertising rules. In addition to having provided the client with TCPA advice for over 15 years, Michelle represented them in enforcement matters before the FCC, including obtaining the rescission of an FCC citation, a highly unusual ruling from the FCC, finding that the client had a valid defense to the citation.

This TCPA case involved the alleged sending of 125,000 unsolicited faxes. The class was suing for triple damages of $1500 per violation – up to $180 million. Michelle and her team handled discovery, including depositions and motions. When the other parties decided to enter mediation, Michelle represented her client through the mediation, to the settlement agreement and ultimate dismissal of the case. Given the damages at stake, this case was successfully resolved for Michelle’s client, whose settlement contribution fell below the limits of their insurance policy.

 

Ensuring TCPA Compliance for a Global Provider of Customer Management Services

On behalf of our client, a leading provider of customer management services with call centers around the world, Ifrah Law led a full-scale review of its customer communications to ensure that they comply with federal and state requirements, including those of the TCPA and the FTC’s Telemarketing Sales Rule (TSR). We addressed the many different types of calls that the company undertakes on behalf of its varied customer base – service calls, appointments, live sales calling and pre-recorded calls – to ensure that its call centers are using consistent protocols and controls in the United States, and that these protocols are in compliance with the TCPA and TSR. Our client trusted Ifrah Law with this extensive project due to our long history with managing TCPA matters – we have been involved with the TCPA since its inception in 1991 – and due to our prior work for the client, including successfully representing the client in two FCC inquiries.

We worked with the company’s Director of Privacy to develop a thorough understanding of the types of calls that the company makes for its customers, and the contractual protections that are in place and which could be revised to protect the company further. A critical aspect of this project was to educate leaders within the company that there are different TCPA requirements based on the type of call: technology used, person being called, whether the call is pre-recorded or live; mobile or business. We also wrote the call center guidelines and controls to ensure that all employees – from those being trained to the marketing team – had the same information regarding how to handle different types of customer call projects.

This large-scale process took a year to complete. Once the documentation was finalized, our client was ready to begin a company-wide training program on the guidelines, well in advance of TCPA rule changes.

 

Telemarketing Tips: What We Can Learn From Caribbean Cruise Lines’ Excursion With The FTC

iStock_000013768185_Large

The FTC’s “Do Not Call” and “robocall” rules do not apply to political survey calls.  So, if Hillary Clinton sought to “voice blast” a survey about international issues, she could do so without violating the Telemarketing Sales Rule (“TSR”).  (Though under FCC rules she would have an issue calling wireless numbers).  However, companies may not telemarket under the guise of exempt political calls.  Caribbean Cruise Lines (CCL) and several other companies working with CCL recently learned this lesson the hard way. The FTC and a dozen state attorneys general sued CCL and others for offering cruises and vacation “add ons” following purported political calls.  CCL settled, agreeing to pay $500,000 of a $7.2 million dollar penalty, and to comply with multiple compliance mechanisms.

CCL and the other defendants implemented an extensive calling campaign involving 12 to 15 million calls per day for approximately ten months offering a political survey.  However, the survey calls invited consumers to “press one” to receive a “free” two-day cruise to the Bahamas (port taxes would apply).  A live telemarketer working on behalf of CCL then offered consumers pre-cruise hotels, excursions, and other value packages.

While political calls remain exempt under the TSR’s robocall and Do Not Call provisions, if a caller offers a good, product or service during an otherwise exempt call, an “upsell” has occurred and the call is now telemarketing.  FTC rules prohibit robocalls to telemarket except with prior express consent.  Thus, the FTC asserted that CCL violated the TSR’s robocall provision since the called parties had not consented to the recorded sales calls.  While the calls started as political survey calls, they were actually standard telemarketing, subject to all TSR telemarketing rules.  The FTC also alleged violations of the Do Not Call rules, the caller identification rules, and the “company-specific Do Not Call requirements,” among other violations.

In addition to the reminder about “upsells” or “mixed messages,” this action highlights several important TSR enforcement lessons:

bulletThe FTC and State Attorneys General work closely in telemarketing enforcement – in this action, ten state attorneys general joined the FTC’s action.

bulletMany of the State AGs involved tend to be those most active in telemarketing litigation– Florida, Indiana, Mississippi, North Carolina, Ohio, and Washington State.

bulletThe FTC does not require a company to actually make the prohibited calls. An enforcement action will lie where a company paid or directed others to make calls in violation of the TSR.

bulletThe TSR also bars third parties from providing “substantial assistance” to others who violate the rule. Here, the FTC’s complaint charged a group of five companies and their individual owner with assisting and facilitating the illegal cruise calls, by providing robocallers with telephone numbers to use in the caller ID field, to hide the robocallers’ identities.

bulletAs part of its settlements, the FTC may impose a variety of remedies, including requiring the seller (here, CCL) to monitor its lead generators.

bulletThe FTC may also bar the seller from purchasing leads from a lead generator who is determined by the seller to obtain leads through unlawful TSR calling.

bulletThe FTC will carefully review, and proceed against companies who violate other TSR provisions, including caller ID requirements, scrubbing of the federal Do Not Call database, and the company-specific Do Not Call list.

bulletA settlement often requires ongoing recordkeeping. Here, the FTC required CCL to create records for ten years (and retain each one for 5 years), including records of consumer complaints and documentation of all lead generators.

bulletThe FTC and state AGs may proceed against individuals as well as companies.

bulletMany states have their own “do not call” laws, caller ID requirements and TSR-similar rules which can be used to bolster claims and penalties.

*                                  *                                              *

            While it should not come as a surprise that a “mixed message” call must comply with the TSR, the recent joint case against CCL and others serves as a potent reminder that the FTC and state attorneys general continue to monitor robocalling and other mass telemarketing campaigns. Further, the enforcers will use the full panoply of legal requirements and enforcement mechanisms to address telemarketing violations.  The seller, the telemarketer, the lead generator, the caller ID provider, and any other party providing substantial assistance may find themselves at the receiving end of a call from the FTC if they fail to follow each of the TSR’s obligations or engage in activities that the TSR prohibits.

Read More

Employers Running Background Checks: Top 10 Tips to Avoid Joining the Fair Credit Reporting Act Litigation “Club”

Human resources and CRM

What do Whole Foods, Chuck E. Cheese, Michael’s Stores, Dollar General, Panera, Publix, and K-Mart have in common?  Each of these companies has faced lawsuits (including class actions) under the Fair Credit Reporting Act (“FCRA”).  Although Congress passed the FCRA way back in 1970 and litigation has focused on credit reporting agencies’ duties under the law, class action plaintiff firms have recently focused on the FCRA’s employer-related provisions.  Several large settlements (such as Publix’s $6.8 million class action settlement, Dollar General’s $4 million, and K-Mart’s $ 3 million) have spurred further litigation.  While some of the alleged FCRA violations may appear minor or technical in nature, these “technical violations” still result in costly lawsuits.  Employers should re-familiarize themselves with the FCRA to avoid becoming class action defendants.

The FCRA’s Employer-Related Provisions

Many employers understandably want to conduct background checks on prospective employees, or current employees who may be obtaining new responsibilities or accessing sensitive information.  In particular, companies in the retail and restaurant sectors, whose employees have access to cash receipts and credit card account numbers, want to guard against employees whose background checks may reveal issues of concern.  Further, organizations whose employees enter homes and businesses (such as service providers – e.g., carpet cleaners, plumbers, contractors) have additional concerns about potential liability.

The FCRA is usually thought of as a federal law that regulates consumer reporting agencies, like credit bureaus.  However, the FCRA also prescribes certain requirements for employers who use consumer reports.  The FCRA broadly defines the term “consumer reports” as information prepared by a consumer reporting agency “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for—credit or insurance to be used primarily for personal, family, or household purposes; employment purposes” or other permitted purposes. This definition draws in more than a traditional credit report. It can include driving records, civil lawsuits, and reference checks, among other information.

Disclosure and Consent

Employers may not obtain a consumer report from a consumer reporting agency unless they first make a “clear and conspicuous” written disclosure to the prospective employee/employee.  The disclosure document must consist “solely” of the disclosure that a consumer report may be obtained.  The job applicant/employee must provide written permission for the employer to obtain a consumer report.  The FTC has indicated the disclosure form may include a signature line for the individual’s consent.  (In 2001, the FTC also issued an opinion letter stating it believes such consent can be obtained electronically, consistent with the federal E-Sign law).  The employer further certifies to the consumer reporting agency that is has a permissible purpose for the report and that it has complied with the FCRA and applicable equal opportunity laws.

These steps sound simple enough, however, litigation has ensued based upon employers’ alleged failures to comply.  For instance, in the Whole Foods case in federal court in California, the plaintiffs claim the online application process included a liability waiver in the disclosure form for the background check, allegedly violating the FCRA requirement that a disclosure form not include other information.  In a separate case in federal court in Florida involving retailer Nine West, the plaintiff alleges he did not receive a separate form, and that the background check authorization was on a web page with various other types of information.

Adverse Action Based on Report

If the employer intends to take “adverse action” against the prospective employee/employee (based even in part on the information in the report), the FCRA requires the employer to follow certain additional steps. The term “adverse action” includes “a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee.”

Before the employer takes the adverse action, it must provide a “pre-adverse action” notice to the affected person. This notice must include a copy of the consumer report and a statutory “Summary of Rights.” (This is an updated form, required since January 2013 by the new Consumer Financial Protection Board, which now has responsibility for FCRA rulemaking).  The purpose of this notice requirement is to permit the individual to discuss the report with the employer before the employer implements the adverse action.

Next, if the employer intends to take the adverse action, the FCRA requires the employer to provide an adverse action notice to the individual.  This notice must contain certain information, including:this is a test one

 bulletthe name, address, and telephone number of the consumer reporting agency that provided the report;

 bulleta statement that the consumer reporting agency did not make the adverse decision and is not able to explain why the decision was made;

bulleta statement setting forth the applicant’s or employee’s right to obtain a free disclosure of his or her report from the consumer reporting agency if the individual      requests the disclosure within 60 days; and

bulleta statement regarding the individual’s right to dispute directly with the consumer reporting agency the accuracy or completeness of any information contained in the       report.

In a case involving Domino’s Pizza employees, the company settled a class action that included allegations that it took adverse employment actions against certain individuals based on information contained in consumer reports without providing those individuals the required notice and a copy of such reports in advance.  K-Mart settled a class action suit based upon allegations that the statement of consumer rights provided to individuals after a background check contained outdated disclosures, among other alleged FCRA failures.

Liability and Enforcement

Plaintiffs can pursue a private right of action against employers for negligently or willfully violating the FCRA.  Claims regarding negligent violations allow actual damages and reasonable attorneys’ fees and costs.  Willful violations can result in actual damages or statutory damages ranging between $100 and $1,000, plus punitive damages and attorneys’ fees and costs.  The Federal Trade Commission (“FTC”) has also brought actions against employers for FCRA violations.

10 Steps to Avoid Becoming a FCRA Defendant When Using Employment Background Checks

1.       Review your current background check practices for prospective and current employees, including any online application materials.

2.      Review disclosure/consent forms for compliance. Ensure you are presenting applicants or current employees with a simple, one page disclosure form. The form should inform individuals that you intend to obtain a consumer report for employment purposes.

3.      You must obtain consent from the prospective employee/employee. You may include a line on the disclosure form for the individual to acknowledge and grant consent.  Do not include other material, such as liability waivers, confirmation of at-will employment, or seek other consents.

4.      If your application process is online, ensure the disclosure/consent is displayed separately, on one screen, without other content.

5.      If you intend to conduct background checks periodically during an individual’s employment, state that in the disclosure and consent form.

6.      Do not seek consent verbally. FCRA requires “written” consent (though FTC has stated it may be electronic).

7.      Maintain backup of the disclosure and consent forms for at least 5 years from the date they were provided. (Lawsuits must be brought by the earlier of two years after the date of the plaintiff’s discovery of the violation, or five years after the date on which the violation occurred).

8.      If you intend to take adverse action based on information in the consumer report, you should be providing the individual with a pre-adverse action notice, a copy of the consumer report, and the “Summary of Rights.” Ensure you are using the most updated “Summary of Rights.”

9.      You should wait a reasonable amount of time (at least 5 days) before issuing an adverse action notice. Your company’s adverse action notice must contain the information required under the FCRA (see bulleted information, above).

10.    Check state law regarding background checks for the states in which you operate/solicit employees. Some states have similar requirements to FCRA; others may further restrict the types of information you can request.

 

*                                  *                                  *

The FTC/EEOC have issued a joint statement on background checks.  While many employers need to conduct background checks to avoid liability and risks to their businesses, employers also need to follow the FCRA’s mandates to avoid the deep end of litigation “pool.”

Read More

International Data Privacy Day: Our Top 10 Data Privacy Tips

iStock_000052810800_Large

It’s International Data Privacy Day!  Every year on January 28, the United States, Canada and 27 countries of the European Union celebrate Data Privacy Day.  This day is designed to raise awareness of and generate discussion about data privacy rights and practices.  Indeed, each day new reports surface about serious data breaches, data practice concerns, and calls for legislation.  How can businesses manage data privacy expectations and risk amid this swirl of activity?

Here, we share some tips from our firm’s practice and some recent FTC guidance.  We don’t have a cake to celebrate International Data Privacy Day but we do have our “Top 10 Data Privacy Tips”:

1. Review Your Organization’s Privacy Policy. Remember that privacy policy you had counsel prepare a few years ago?  It’s a good time to review it and assess whether it still reflects company practices.  What kind of personal information does your company collect? How does it move through your business?  How is it shared?  Has your organization’s policy on sharing personal information changed?  Does the privacy policy reflect legal changes in the states where you operate?  Privacy policies are not meant to be stagnant documents.  You should review them at least twice a year to ensure they are accurate. Even something as simple as the privacy officer’s contact information may need an update.

2. Do What You Say.  When you post a privacy policy, you are committing to the practices in the policy.  If your policy says “we will never share your information with third party marketers” – then you shouldn’t be sharing with third party marketers.  Common sense?  Yes, but companies have faced enforcement actions and litigation for pledging to “never share” when they did share.  Other companies like Snapchat settled with the FTC over statements in their privacy policies concerning how their apps operate and secure information that the FTC claimed were not true. Privacy policies should carve out disclosures for sharing information where sharing is likely to take place, such as in response to legal process, like a court order.  We also recommend a carve out in the event of a sale or reorganization of the business or of its assets. Other carve-outs may be warranted.

3. Ensure Your U.S.-E.U. Safe Harbor Is Up-to-Date. Last year, the FTC took action against several companies, including the Atlanta Falcons and Level 3 Communications, for stating in their privacy policies that they were U.S.-E.U. Safe Harbor Certified by the U.S. Department of Commerce when, in fact, the companies had failed to keep their certification current by reaffirming their compliance annually. While your organization is not required to participate in Safe Harbor, don’t say you are Safe Harbor Certified if you haven’t filed with the U.S. Department of Commerce. And, remember that your company needs to reaffirm compliance annually, including payment of a fee.  You can check your company’s status here.

4. Understand Your Internal Risks. We’ve said this before – while malicious breaches are certainly out there, a significant percentage of breaches (around 30 percent, according to one recent study) occurs due to accidents or malicious acts by employees.  These acts include lack of firewalls, lack of encryption on devices (such as laptops and flash drives), and failing to change authentications when employees leave or are terminated.  Many data breaches are While you are at it, review who has access to confidential information and whether proper restrictions are in place.

5. Educate Your Workforce. While today is International Data Privacy Day, your organization should educate your workforce on privacy issues throughout the year. Depending on the size of the company and the type of information handled (for instance, highly sensitive health information versus standard personal contact details), education efforts may vary. You should review practices like the confidentiality of passwords, creating a secure password and changing it frequently, and avoiding downloading personal or company sensitive information in unsecured forms.  Just last week, a security firm reported that the most popular passwords for 2014 were “123456” and “password.”  At a minimum, these easily guessed passwords should not be allowed in your system.

6. Understand Specific Requirements of Your Industry/Customers/ Jurisdiction. Do you have information on Massachusetts residents?  Massachusetts requires that your company have a Written Information Security Program.  Does your company collect personal information from kids under 13?  The organization must comply with the federal Children’s Online Privacy Protection Act and the FTC’s rules.  The FTC has taken many actions against companies deemed to be collecting children’s information without properly seeking prior express parental consent.

7. Maintain a Data Breach Response Plan. If there were a potential data breach, who would get called?  Legal?  IT?  Human Resources?  Public relations?  Yes, likely all of these. The best defense is a good offense – plan ahead.  Representatives from in-house and outside counsel, IT/IS, human resources, and your communications department should be part of this plan. State data breach notification laws require prompt reporting. Some companies have faced lawsuits for alleged “slow” response times.  If there is potential breach, your company needs to gather resources, investigate, and if required, disclose the breach to governmental authorities, affected individuals, credit reporting agencies, etc.

8. Consider Contractual Obligations. Before your company commits to data security obligations in contracts, ensure that a knowledgeable party, such as in-house or outside counsel, reviews these commitments.  If there is a breach of a contracting party’s information, assess the contractual requirements in addition to those under data breach notification laws. The laws generally require notice to be given promptly when a company’s data is compromised while under the “care” of another company. On the flip side, consider the service providers your company uses and what type of access the providers have to sensitive data. You should require service providers to adhere to reasonable security standards, with more stringent requirements if they handle sensitive data.

9. Review Insurance Coverage. While smaller businesses may think “we’re not Target” and don’t need cyber insurance, that’s a false assumption. In fact, smaller businesses usually have less sophisticated protections and can be more vulnerable to hackers and employee negligence.  Data breaches – requiring investigations, hiring of outside experts such as forensics, paying for credit monitoring, and potential loss of goodwill – can be expensive. Carriers are offering policies that do not break the bank. Cyber insurance is definitely worth exploring.  If you believe you have coverage for a data incident, your company should promptly notify the carrier. Notice should be part of the data breach response plan.

10. Remember the Basics! Many organizations have faced the wrath of the FTC, state attorneys general or private litigants because the companies or its employees failed to follow basic data security procedures. The FTC has settled 53 data security law enforcement actions. Many involve the failure to take common sense steps with data, such as transmitting sensitive data without encryption, or leaving documents with personal information in a dumpster. Every company must have plans to secure physical and electronic information. The FTC looks at whether a company’s practices are “reasonable and appropriate in light of the sensitivity and amount of consumer information you have, the size and complexity of your business, and the availability and cost of tools to improve security and reduce vulnerabilities.” If the FTC calls, you want to have a solid explanation of what you did right, not be searching for answers, or offering excuses.  Additional information on the FTC’s guidance can be found here.

*                            *                            *

 Remember, while it may be International Data Privacy Day, data privacy isn’t a one day event. Privacy practices must be reviewed and updated regularly to protect data as well as enable your company to act swiftly and responsively in the event of a data breach incident.

Read More

Report from an Energized Brand Activation Association Marketing Law Conference

Group Of Multi-Ethnic People Social Networking

Ifrah Law is a proud member the Brand Activation Association (“BAA”). This week, we attended the BAA’s 36th annual BAA Marketing Law Conference in Chicago.  Just as “Mad Men” reflects the 1960’s era advertising business, this year’s BAA conference demonstrated this generation’s marketing dynamic – where mobile is key, privacy concerns abound, and the Federal Trade Commission (“FTC”) and other agencies are watching and enforcing. Other key “take aways” from the conference are that sweepstakes, contests, and other promotions remain hugely popular via mobile devices and social networks.

Digital Rules

Advertisers representing top brand names made clear that companies must reach consumers through various digital devices.  Smartphones, tablets, and wearable technologies each represent ways to advertise a product or service.  Today’s consumers, especially younger consumers, rely extensively mobile devices. Many actually welcome behavioral and other advertising.  Consumers in the U.S. and abroad have shown receptiveness to “flash sales,” instant coupons and other deals, including those geared to their geo-location.

Emerging Privacy and Consumer Protection Trends

While advertisers interact with consumers and many consumers welcome offers and information, regulators’ and individuals’ concerns with the privacy of personal information dominate the landscape.  Almost a year after the notorious Target data breach, and with the holiday shopping season approaching, all stakeholders are understandably cautious about how to utilize various methods of marketing while securing consumer information.  Even assuming a network is secure, the FTC, state attorney generals, foreign regulators, consumer advocacy groups and consumers want to know how personal data is being collected, utilized and shared.  In the consumer protection context, the FTC actively enforces the Federal Trade Commission Act’s prohibition on “deceptive acts and practices,” requiring that advertisers have substantiation for product claims.

Two Significant Forces – the FTC and California’s Attorney General

Top representatives from the FTC and the California Attorney General presented at the conference.  Both representatives asserted their agencies remain active in enforcing their consumer protection and privacy laws, especially as to certain areas.  Jessica Rich, Director, Bureau of Consumer Protection at the FTC, discussed the agency’s focus on advertising substantiation, particularly as to claims involving disease prevention and cure, weight loss, and learning enrichment (such as the “Your Baby Can Read “ case).

On the privacy side, Ms. Rich also noted the FTC’s specialized role in enforcing the Children’s Online Privacy Protection Act (“COPPA”).  The FTC’s recent action against Yelp demonstrates that the FTC will not hesitate to enforce COPPA even where a website is not a child-focused website, per se. If a website or online service (such as a mobile app) collects personal information from children under 13, it must comply with COPPA’s notice and consent requirements. The agency is also exploring the privacy and consumer protection concerns associated with interconnected devices, known as “the Internet of Things.”

The representative from the California Attorney General’s office noted that California has a keen interest in mobile apps, as demonstrated by its action against Delta for allegedly failing to have a privacy policy available through its mobile app.  California is also gearing up for its “Eraser Law,” set to go in effect on January 1, 2015. This law provides an opportunity for young people under 18 to “erase” embarrassing or damaging content they posted online, including on social media.

Promotions – Sweepstakes, Contests, Games

While some may think sweepstakes and contests are outdated, the opposite is true. Companies are utilizing mobile and social networks to engage with consumers through promotions.  Facebook and Pinterest-based sweepstakes and contests continue to grow in popularity. Advertisers also increasingly look to “text-based” offerings.

These promotions can generate great marketing visibility and grow consumer relationships. However, advertisers need to be aware of many legal minefields.  First and foremost is the federal Telephone Consumer Protection Act (“TCPA”), which requires prior express “written” consent for advertisements sent to mobile phones via text or calls utilizing an autodialer or prerecorded message.  Plaintiffs’ lawyers continue to file hundreds of TCPA class actions based on texts without consent.  Second, the social networks have their own policies. For instance, Facebook now bars advertisers from requiring consumers to “like” a company Facebook page in order to participate in a promotion.

Take Aways

BAA conference sessions were packed – many standing room only.  The popularity of programs about comparative advertising, native advertising, sweepstakes and contests, and enforcement trends demonstrates that advertisers are finding innovative ways to reach consumers across devices. These marketing initiatives face a host of federal, state, and international laws and regulations, as well as restrictions imposed by social networks and providers.  It’s an exciting and complex juncture in global marketing.

Read More

Federal Trade Commission Checks Out Mobile Shopping Apps

Happy young Asian woman shopping.

In August, the Federal Trade Commission (“FTC”) released a staff report concerning mobile shopping applications (“apps”).  FTC staff reviewed some of the most popular apps consumers utilize to comparison shop, collect and redeem deals and discounts, and pay in-store with their mobile devices.  This new report focused on shopping apps offering price comparison, special deals, and mobile payments. The August report is available here.

Popularity of Mobile Shopping Apps/FTC Interest

Shoppers can empower themselves in the retail environment by comparison shopping via their smartphones in real-time.  According to a 2014 Report by the Board of Governors of the Federal Reserve System, 44% of smartphone owners report using their mobile phones to comparison shop while in retail store, and 68% of those consumers changed where they made a purchase as a result.  Consumers can also get instant coupons and deals to present at checkout.  With a wave of a phone at the checkout counter, consumers can then make purchases.

While the shopping apps have surged in popularity, the FTC staff is concerned about consumer protection, data security and privacy issues associated with the apps. The FTC studied what types of disclosures and practices control in the event of unauthorized transactions, billing errors, or other payment-related disputes.  The agency also examined the disclosures that apps provide to consumers concerning data privacy and security.

 Apps Lack Important Information

FTC staff concluded that many of the apps they reviewed failed to provide consumers with important pre-download information.  In particular, only a few of the in-store purchase apps gave consumers information describing how the app handled payment-related disputes and consumers’ liability for charges (including unauthorized charges).

FTC staff determined that fourteen out of thirty in-store purchase apps did not disclose whether they had any dispute resolution or liability limits policies prior to download.  And, out of sixteen apps that provided pre-download information about dispute resolution procedures or liability limits, only nine of those apps provided written protections for users.  Some apps disclaimed all liability for losses.

Data Security Information Vague

FTC staff focused particular attention on data privacy and security, because more than other technologies, mobile devices are personal to a user, always on, and frequently with the user. These features enable an app to collect a huge amount of information, such as location, interests, and affiliations, which could be shared broadly with third parties.  Staff noted that, “while almost all of the apps stated that they share personal data, 29 percent of price comparison apps, 17 percent of deal apps, and 33 percent of in-store purchase apps reserved the right to share users’ personal data without restriction.”

Staff concluded that while privacy disclosures are improving, they tend to be overly broad and confusing. In addition, app developers may not be considering whether they even have a business need for all the information they are collecting.  As to data security, staff noted it did not test the services to verify the security promises made.  However, FTC staff reminded companies that it has taken enforcement actions against mobile apps it believed to have failed to secure personal data (such as Snapchat and Credit Karma).  The report states, “Staff encourages vendors of shopping apps, and indeed vendors of all apps that collect consumer data, to secure the data they collect.  Further those apps must honor any representations about security that they make to consumers.”

FTC Staff Recommends Better Disclosures and Data Security Practices

The report urges companies to disclose to consumers their rights and liability limits for unauthorized, fraudulent, or erroneous transactions.  Organizations offering these shopping apps should also explain to consumers what protections they have based on their methods of payment and what options are available for resolving payment and billing disputes.  Companies should provide clear, detailed explanations for how they collect, use and share consumer data.  And, apps must put promises into practice by abiding by data security representations.

Consumer Responsibility Plays Role, Too

Importantly, the FTC staff report does not place the entire burden on companies offering the mobile apps. Rather, FTC staff urge consumers to be proactive when using these apps.  The staff report recommends that consumers look for and consider the dispute resolution and liability limits of the apps they download.  Consumers should also analyze what payment method to use when purchasing via these apps. If consumers cannot find sufficient information, they should consider an alternative app, or make only small purchases.

While a great “deal” could be available with a click on a smartphone, the FTC staff urges consumers to review available information on how their personal and financial data may be collected, used and shared while they get that deal.  If consumers are not satisfied with the information provided regarding data privacy and security, then staff recommends that they choose a different app, or limit the financial and personal financial data they provide.  (Though that last piece of advice may not be practical considering most shopping apps require a certain level of personal and financial information simply to complete a transaction).

Deal or No Deal?  FTC Will be Watching New Shopping Apps

               FTC Staff has concerns about mobile payments and will continue to focus on consumer protections.  The agency has taken several enforcement actions against companies for failing to secure personal and payment information and it does not appear to be slowing down.  While the FTC recognizes the benefits of these new shopping and payment technologies, it is also keenly aware of the enormous amount of data obtained by companies when consumers use these services. Thus, companies should anticipate that the FTC will continue to monitor shopping and deal apps with particular attention on disclosures and data practices.

Read More

Information on www.ifrahlaw.com is for general use and is not intended as legal advice. Sending an e-mail through this Web site, and receipt of same, does not constitute an attorney-client relationship. Information sent via e-mail is not considered confidential or privileged unless we have agreed to represent you. By sending this e-mail, you confirm that you have read, understand and agree to this notice.

Accept Cancel

iGaming Report