2014 Predictions: Healthcare, Data Privacy and Bitcoin
Video 1 of 2
Hot Trends in Federal Enforcement on the Web in 2013 from Ifrah Law Partners
Video 2 of 2
Ifrah Law represents businesses and individuals in legal matters and disputes involving Internet advertising and marketing, direct and indirect online sales, electronic-payment processing and interactive gaming.
Collectively, the lawyers on our team have litigated a wide array of e-commerce cases, from defending affiliate advertisers from unscrupulous marketing agencies to preventing the government seizure of an e-payment processing company’s bank accounts. We have handled a number of high-profile FTC and CFTC investigations and enforcement actions involving Internet marketing campaigns and related issues such as the scientific substantiation of advertising claims. We also represent companies targeted by state attorneys general for matters relating to allegedly false or deceptive advertising.
Additionally, as the igaming industry has grown, our attorneys have developed alongside it, representing both companies and individuals in igaming related litigation and counseling. In late 2013, we were selected to serve as igaming legal advisors to the Delaware State Lottery.
Companies face many challenges regarding privacy matters, and Ifrah Law has extensive experience in this area, including drafting privacy policies, counseling on information rights and storage retrieval and litigating related issues.
Read More – Data Privacy
Ifrah Law has represented igaming companies in both criminal defense and civil litigation, Our experience with companies in the igaming space is unparalleled.
Read More – iGaming
We help clients navigate issues related to Internet advertising and marketing, direct and indirect online sales, electronic-payment processing and interactive gaming.
Read More – Internet Advertising
Ifrah Law’s telemarketing and Internet marketing law practice is aimed at avoiding and defending private lawsuits filed under the TCPA.
Read More – Mobile and Telephone Marketing
We understand the many risks that people and companies face as a result of the Internet and we represent clients in issues related to online piracy, online defamation, and domain name infringement.
Read More – Online Fraud and Abuse
The FTC’s complaint stated that Nomi’s technology (called its “Listen” service) allows retailers to track consumers’ movements through stores. The company places sensors in its clients’ stores, which collect the MAC addresses of consumers’ mobile devices as the devices search for WiFi networks. While Nomi “hashes” the MAC addresses prior to storage in order to hide the specific MAC addresses, the process results in identifiers unique to consumers’ mobile devices which can be tracked over time. Nomi provided its retail clients with aggregated information, such as how long consumers stayed in the store, the types of devices used by consumers, and how many customers had visited a different location in a chain of stores. Between January and September 2013, Nomi collected information on approximately 9 million mobile devices, according to the FTC’s complaint.
Nomi’s settlement does not require any monetary payment but prohibits Nomi from misrepresenting the options through which consumers can exercise control over the collection, use, disclosure or sharing of information collected from or about them or their devices. The settlement also bars Nomi from misrepresenting the extent to which consumers will be provided notice about how data from or about a particular consumer or device is collected, used, disclosed or shared. Nomi is required to maintain certain supporting records for five years. As is typical with FTC consent orders, this agreement remains in force for 20 years.
What can companies learn from Nomi’s settlement, even those not in the retail tracking business?
- While this is the first FTC action against a retail tracking company, the FTC has repeatedly stated that it will enforce the FTC Act and other laws under its jurisdiction against emerging as well as traditional technologies.
- The FTC noted that Nomi had about 45 clients. Most of those clients did not post a disclosure or notify consumers regarding their use of the Listen service, and Nomi did not mandate such disclosures by its clients. The FTC did not address what, if any, obligation, these businesses may have to make such disclosures. Will it become common/mandated to see a sign in a retail location warning that retail tracking via mobile phones is occurring (similar to signs about video surveillance)? One industry group’s self-regulatory policy requires retail analytics firms to take “reasonable steps to require that companies using their technology display, in a conspicuous location, signage that informs consumers about the collection and use of MLA [mobile location analytics] Data at that location.” This issue will become more prevalent as more retailers and other businesses use tracking technology.
- Interestingly, the FTC brought this action even though traditional “personal information” was not collected (such as name, address, social security number, etc.). Organizations should not assume that collecting IP addresses, MAC addresses, or other less personalized information presents no issues. The FTC takes privacy statements seriously, whatever the information collected (though certainly there is more sensitivity toward certain categories such as health, financial, and children’s information).
The bottom line is “do what you say” when it comes to privacy practices. All companies should evaluate their privacy policies at least every six months to ensure that they remain accurate and complete, have working links (if any), and reflect a company’s current practices.
Photo at vi.wikipedia.org
A recent legal case in the UK between singer Rihanna and fashion retailer Topshop has highlighted differences between publicity rights in the UK and some US jurisdictions. Rihanna sued Topshop for its sale of a t-shirt bearing a large photograph of her. Rihanna had not approved or endorsed the sale of the t-shirt; rather, an independent photographer had taken the picture and licensed it for use on the shirts.
In the United States, many jurisdictions have laws governing the right of publicity; that is, the right to control the use of your image for commercial gain, or to be compensated for the commercial use of your image. The UK, however, does not have corresponding laws on image rights. Instead, Rihanna had to allege that Topshop engaged in “passing off” the shirts as being endorsed by the singer, thereby damaging her goodwill and business. In support, Rihanna argued that the circumstances of the sale of the shirts were likely to mislead customers into thinking that she had endorsed the product because the photograph was similar to those used in official album promotions, the nature of the shirt itself, and the fact that Topshop is a major and reputable retailer.
The lower court considered Rihanna’s prior connections to the store in considering whether passing off occurred. It noted that Topshop had previously run a competition in which the winner was awarded with a shopping trip to Topshop. Also, only weeks before the shirts went on sale, Topshop tweeted that Rihanna was shopping at one of its locations. Against that background, the court noted that the particular photograph on the shirt could have led her fans to believe that it was associated with the marketing campaign for the album, since the particular hairstyle and scarf worn by Rihanna in the photograph were widely used in a music video and associated publicity.
Ultimately Rihanna’s passing off arguments were successful, and the court granted an injunction prohibiting Topshop from selling the shirts without informing customers that they had not been approved or authorized by Rihanna. However, it is interesting to think what the result might have been in an instance where it was more obvious that Rihanna had not endorsed the product; for instance, if the t-shirts were sold, not through a trusted retailer which has been associated with the singer but instead by an independent seller hawking t-shirts on the street corner. In such circumstances the case in favor of passing off may have been weaker and Rihanna might not have been able to control the use of her image.
In contrast, the outcome under such a scenario might be very different in a state like California, which has strong right of publicity laws. California Civil Code §3344(a) forbids the use of another’s likeness “on or in products, merchandise, or goods, or for purposes of advertising or selling, or soliciting purchases of, products, merchandise, goods or services, without such person’s prior consent…” The law establishes liability $750 or actual damages, whichever is greater, as well as “any profits from the unauthorized use that are attributable to the use and are not taken into account in computing the actual damages.” Punitive damages and attorney’s fees and costs are also available under the statute.
While Rihanna’s victory in UK court does not establish a right of publicity in the country, it does provide an interesting case study in the workarounds that celebrities must use in order to protect their image from being improperly used in jurisdictions which do not have a right of publicity.
In August, the Federal Trade Commission (“FTC”) released a staff report concerning mobile shopping applications (“apps”). FTC staff reviewed some of the most popular apps consumers utilize to comparison shop, collect and redeem deals and discounts, and pay in-store with their mobile devices. This new report focused on shopping apps offering price comparison, special deals, and mobile payments. The August report is available here.
Popularity of Mobile Shopping Apps/FTC Interest
Shoppers can empower themselves in the retail environment by comparison shopping via their smartphones in real-time. According to a 2014 Report by the Board of Governors of the Federal Reserve System, 44% of smartphone owners report using their mobile phones to comparison shop while in retail store, and 68% of those consumers changed where they made a purchase as a result. Consumers can also get instant coupons and deals to present at checkout. With a wave of a phone at the checkout counter, consumers can then make purchases.
While the shopping apps have surged in popularity, the FTC staff is concerned about consumer protection, data security and privacy issues associated with the apps. The FTC studied what types of disclosures and practices control in the event of unauthorized transactions, billing errors, or other payment-related disputes. The agency also examined the disclosures that apps provide to consumers concerning data privacy and security.
Apps Lack Important Information
FTC staff concluded that many of the apps they reviewed failed to provide consumers with important pre-download information. In particular, only a few of the in-store purchase apps gave consumers information describing how the app handled payment-related disputes and consumers’ liability for charges (including unauthorized charges).
FTC staff determined that fourteen out of thirty in-store purchase apps did not disclose whether they had any dispute resolution or liability limits policies prior to download. And, out of sixteen apps that provided pre-download information about dispute resolution procedures or liability limits, only nine of those apps provided written protections for users. Some apps disclaimed all liability for losses.
Data Security Information Vague
FTC staff focused particular attention on data privacy and security, because more than other technologies, mobile devices are personal to a user, always on, and frequently with the user. These features enable an app to collect a huge amount of information, such as location, interests, and affiliations, which could be shared broadly with third parties. Staff noted that, “while almost all of the apps stated that they share personal data, 29 percent of price comparison apps, 17 percent of deal apps, and 33 percent of in-store purchase apps reserved the right to share users’ personal data without restriction.”
Staff concluded that while privacy disclosures are improving, they tend to be overly broad and confusing. In addition, app developers may not be considering whether they even have a business need for all the information they are collecting. As to data security, staff noted it did not test the services to verify the security promises made. However, FTC staff reminded companies that it has taken enforcement actions against mobile apps it believed to have failed to secure personal data (such as Snapchat and Credit Karma). The report states, “Staff encourages vendors of shopping apps, and indeed vendors of all apps that collect consumer data, to secure the data they collect. Further those apps must honor any representations about security that they make to consumers.”
FTC Staff Recommends Better Disclosures and Data Security Practices
The report urges companies to disclose to consumers their rights and liability limits for unauthorized, fraudulent, or erroneous transactions. Organizations offering these shopping apps should also explain to consumers what protections they have based on their methods of payment and what options are available for resolving payment and billing disputes. Companies should provide clear, detailed explanations for how they collect, use and share consumer data. And, apps must put promises into practice by abiding by data security representations.
Consumer Responsibility Plays Role, Too
Importantly, the FTC staff report does not place the entire burden on companies offering the mobile apps. Rather, FTC staff urge consumers to be proactive when using these apps. The staff report recommends that consumers look for and consider the dispute resolution and liability limits of the apps they download. Consumers should also analyze what payment method to use when purchasing via these apps. If consumers cannot find sufficient information, they should consider an alternative app, or make only small purchases.
While a great “deal” could be available with a click on a smartphone, the FTC staff urges consumers to review available information on how their personal and financial data may be collected, used and shared while they get that deal. If consumers are not satisfied with the information provided regarding data privacy and security, then staff recommends that they choose a different app, or limit the financial and personal financial data they provide. (Though that last piece of advice may not be practical considering most shopping apps require a certain level of personal and financial information simply to complete a transaction).
Deal or No Deal? FTC Will be Watching New Shopping Apps
FTC Staff has concerns about mobile payments and will continue to focus on consumer protections. The agency has taken several enforcement actions against companies for failing to secure personal and payment information and it does not appear to be slowing down. While the FTC recognizes the benefits of these new shopping and payment technologies, it is also keenly aware of the enormous amount of data obtained by companies when consumers use these services. Thus, companies should anticipate that the FTC will continue to monitor shopping and deal apps with particular attention on disclosures and data practices.
Congress enacted the Telephone Consumer Protection Act (“TCPA”) to protect consumers from unwanted telemarketing, fax marketing, and prerecorded/auto-dialed phone calls. Recently, there has been an explosion in TCPA litigation, including class action litigation. In response, several parties have asked the Federal Communications Commission (“FCC”) to clarify certain of the agency’s TCPA rules to provide relief from TCPA liability in certain enumerated circumstances. Two recent FCC rulings allow certain business communications under the TCPA.
The Cargo Airline Association (“CAA”), a trade association representing companies that deliver packages, filed a petition seeking clarification of the TCPA’s application to auto-dialed or prerecorded package delivery notification calls made to consumers’ wireless phones. The CAA asserted that the FCC should recognize the public interest in receiving time sensitive package notifications. Revised FCC rules that went into effect in October generally require that the sender of prerecorded or auto-dialed calls and text messages to mobile numbers have prior consent from the recipient to receive such calls and texts. If the calls or texts constitute telemarketing, prior express written consent is required.
The FCC granted the CAA’s request to exempt its notifications to consumers subject to certain conditions. In the order, the FCC observed that these notifications “are the types of normal, expedited communications the TCPA was not designed to hinder . . . we believe that consumers generally desire, expect, and benefit from, package delivery notifications.” The FCC order requires that the text messages must be sent only to the telephone number provided by the package recipient, and identify the name and include the contact information of the delivery company sending the message. Furthermore, the FCC’s order limits companies to sending one text message per package per delivery attempt. The notifications also cannot contain any advertising content and must provide consumers the ability and information on how to easily opt out of receiving future notifications.
In the second ruling, the FCC granted a petition by GroupMe concerning how consent is obtained. GroupMe is an app that allows users to create text message based group chats. A user who wants to create a group chat using GroupMe’s service must register with GroupMe and agree to its terms of service. The terms of service require the group creator to represent that each individual added to the group chat has consented to receive the text messages. In its petition to the FCC, GroupMe asked the FCC to clarify that consent to receive certain calls or text messages could be given through an intermediary, such as a group chat organizer.
The FCC granted GroupMe’s petition allowing for consent to be obtained through an intermediary. Interestingly, the FCC acknowledged in its order that “the TCPA is ambiguous as to how a consumer’s consent to receive an auto-dialed or prerecorded non-emergency call should be obtained.” However, the FCC stressed that this ruling does not mitigate the duty to obtain prior express consent of the called party. Further, a company can still be held liable even when relying on the assertion of an intermediary that a consumer has consented. The order states that, “[w]e further clarify that where the consumer has agreed to participate in a GroupMe group, agreed to receive associated calls and texts, and provided his or her wireless telephone number to the group organizer for that purpose, the TCPA’s prior express consent requirement is satisfied with respect to both GroupMe and the group members regarding that particular group, but only regarding that particular group.” Companies seeking to obtain consent through an intermediary should consider this potential liability when deciding if, or how to, rely on consent given by an intermediary. Companies may want to consider contractual representations and warranties and indemnifications where a third party obtains consent.
These two orders by the FCC represent positive news for businesses that utilize texts and prerecorded/auto-dialed communications. The orders eliminate some of the uncertainty surrounding compliance with the TCPA in the circumstances addressed by the FCC. While the agency has taken numerous enforcement actions against TCPA violators and promulgated strict rules, these recent rulings indicate that the FCC recognizes that there are circumstances in which strict interpretations of the TCPA and/or FCC rules do not comport with the realities of business communications. Companies should note, however, that these rulings are limited to the particular situations presented by the petitioners. Due to the enormous potential liability for violating the TCPA, companies should continue to review their policies and practices and make sure they are in compliance with all regulations before initiating any covered TCPA communications, including prerecorded and auto-dialed calls and texts to mobile phones, prerecorded telemarketing to residential lines, facsimile advertising, and live telemarketing.
A federal court in California recently ruled that a plaintiff who was required to enter her phone number to purchase a plane ticket online had consented to receive a text message, and dismissed her claim under the Telephone Consumer Protection Act (TCPA). A plaintiff’s prior express consent is a major issue in TCPA litigation and this decision represents a victory for companies that obtain phone numbers from consumers who are purchasing goods or services from them.
The plaintiff, Shaya Baird, booked flights online for herself and her family on the Hawaiian Airlines website. During the purchase, Baird was required to enter her contact information. The website required at least one phone number, which Baird provided by entering her mobile phone number. A few weeks later Baird received a text message inviting her to reply “yes” if she wanted to receive flight notification services. Baird did not respond and she did not receive any more text messages.
Baird then filed suit alleging that Sabre, which contracted with Hawaiian Airlines to provide traveler notification services to passengers, violated the TCPA by sending her the unsolicited text message. The TCPA bars the sending of autodialed or prerecorded “calls” (which the Federal Communications Commission (“FCC”) has interpreted to include text messages) to mobile numbers without “prior express consent.” An individual’s granting of consent to receive texts constitutes an affirmative defense in a TCPA lawsuit.
Sabre moved for summary judgment on the ground that Baird consented to receive its text message when she made her flight reservation on the Hawaiian Airlines website. Baird responded that she did not voluntarily provide her cell phone number, but was instead told that she was required to enter a phone number. She further argued that she was not informed that by providing her cell phone number she was consenting to receiving text messages.
The court rejected Baird’s argument and found that although she was required to provide her phone number to book a flight on the Hawaiian Airlines website, the act of providing her phone number was a voluntary act. Baird was not forced to book a flight on the Hawaiian Airlines website. The court found that under the FCC’s interpretation of the TCPA, Baird had consented to be contacted on her cell phone about flight related matters. The court looked to the FCC’s 1992 Order implementing the TCPA to determine if the act of providing a cell phone number in connection with a transaction constitutes the required consent under the TCPA to receive autodialed calls. The court found that since it was undisputed that Baird “knowingly released” her cell phone number when she booked her tickets, under the FCC’s 1992 TCPA Order she had consented to receiving text messages.
This decision represents a victory for TCPA defendants. TCPA litigation has been increasing significantly in the past few years and recent changes have gone into effect that placed stricter requirements on businesses that engage in marketing via mobile messaging and prerecorded telephone calls. While we recommend businesses obtain “prior express written” consent for TCPA-covered calls and texts, now at least one court has recognized the knowing provision of a mobile number as consent. However, companies engaging in text messaging should proceed cautiously as the new rules do impose strict requirements when it comes to telemarketing messages in particular, different from the informational text messages Ms. Baird received here. Under the new TCPA rules purely informational calls/texts and calls/texts to mobile phones for non-commercial purposes require prior express consent – oral or written. “Telemarketing” calls/texts to mobile phones require prior express written consent. Covered telemarketing calls include those made by advertisers that offer or market products or services to consumers and calls that are generally not purely informational (such as “mixed messages” containing both informational content and offering a product, good, or service for sale).