On November 26, 2021, the Court of Justice of the EU (“CJEU”) held in Case C-102/20 that the display of advertising messages in an electronic inbox in a form similar to that of an actual email constitutes direct marketing, and therefore is subject to EU Member States’ rules on direct marketing (see press release here
On September 16, 2020, the Spanish Supervisory Authority (“AEPD”) approved a “Code of Conduct for Data Processing in Advertising” (“Code”) (see the decision approving the code here). This is the first GDPR-approved Code of Conduct with an accredited monitoring body in the European Union. The Code enters into effect on November 17, 2020, two months after its approval.
Below we provide a brief FAQ about the Code.
Cardi B might like it, but the Federal Trade Commission (“FTC”) did not. On March 5, 2020, the agency sent Cardi B and other high-profile influencers warning letters alleging that the influencers made inadequate disclosures in their endorsements of Teami tea. The letters followed on the heels of the FTC’s proposed order against Teami, LLC for allegedly making deceptive claims about weight loss and other health benefits in their advertisements and failing to adequately instruct influencers about how to comply with the law when endorsing Teami products.…
You may have heard the phrase “dark patterns” as shorthand for various user interfaces designed to influence users’ decisions. They can range from the perfectly innocent to the unethical, and even illegal. Whatever the form, dark patterns have recently drawn attention from the mainstream press.
Dark patterns are coming out from the shadows. And when that happens, class action lawyers can’t be far behind.
On February 12, the Federal Trade Commission (“FTC”) announced that, after a review of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”) Rule as part of its periodic review of its regulations, it has determined that the Rule does not need to be modified at this time.
Just before the Thanksgiving holiday, the Federal Trade Commission (“FTC”) announced the issuance of consent orders involving Creaxion Corporation and Inside Publications, LLC to settle allegations that the companies misrepresented paid endorsements as independent opinions, and misrepresented paid commercial advertising as independent editorial content. As a result, these companies and their principals are now prohibited from making misrepresentations about the status of their endorsers, required to clearly and conspicuously disclose material connections with such endorsers, and required to monitor their endorsers.
By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses
Exactly one month after the GDPR started applying, the French Supervisory Authority (“CNIL”) issued a formal warning to two companies in relation to their processing of localization data for targeted advertising (see here). The CNIL found that the consent on which both companies relied did not comply with the General Data Protection Regulation (“GDPR”). The CNIL also concluded that one of the companies was keeping geolocation data for longer than necessary.
Fidzup and Teemo offer a tool (“SDK-tool”) that allows their customers, mobile app operators, to collect geolocation data and to use this data to provide customized advertising to their app users. The two companies create profiles on the app users based on the users’ visits to certain points of interest identified by the customers, such as the physical stores of the customer (or of competitors). They then provide advertising in the form of pop-ups to the app users. Once a user has downloaded a customer’s app, geolocation data is collected, irrespective of whether the app is running, and combined with other data collected about the app user, such as an advertising ID and technical information about the device (e.g., MAC address). Both companies relied on user consent obtained by the app operator to process the personal data they collected. The agreements with Fidzup and Teemo required their customers to inform app users about the targeted advertising activities enabled by the SDK-tool and to obtain the app users’ consent.
The CNIL concluded that the consent obtained did not meet the requirements of the GDPR. Under the GDPR, consent must be “freely given, specific, informed and unambiguous”. According to the CNIL, the consent obtained did not meet any of these requirements.…
Companies that offer or are considering subscription-based plans should take note that new requirements for automatic renewal offers (“auto-renewals”) take effect in California on July 1, 2018. California Senate Bill No. 313 (“SB 313”) amends existing law to extend additional protections to consumers where an auto-renewal offer includes a free gift or trial or where promotional pricing will change once the promotional period ends. It also requires that certain consumers have the ability to opt-out exclusively online.…
The UK Information Commissioner’s Office (ICO), which enforces data protection legislation in the UK, has fined a company £20,000 (approximately 24,000 USD / 23,000 EUR) for not exercising sufficient due diligence when buying and using marketing databases.
The ICO found that over 580,000 individuals’ contact details had been obtained by The Data Supply Company Ltd (“TDSC”) from sources such as financial institutions and competition websites, and then sold on to third parties. This had led to at least 21,045 unsolicited text messages and 174 complaints.
Because the data was used for direct electronic marketing (by email, SMS, etc.), TDSC was not entitled to rely on its data sources’ generic consent requests, such as “We may share your information with carefully selected third parties where they are offering products or services that we believe will interest you”, nor even fuller notices that disclosed “long lists” of general categories of possible recipients of the data.…
The Article 29 Working Party (“WP29”) – the representatives of national data protection regulators in the EU – has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which comes into force in May 2018.
This first salvo of GDPR-focused guidance concerns:
- the new “Right to Data Portability”, an obligation on companies and public authorities to build tools that allow users to download their data or transfer it directly to a competitor (the guidance is here, and an FAQ is here);
- the new obligation for organizations to appoint a “Data Protection Officer”, a quasi-independent role within companies that will be tasked with internal supervision and advice regarding GDPR compliance (guidance / FAQ); and
- the new “One Stop Shop” mechanism – helping companies identify which “lead” data protection authority will be their main point of contact for multi-country regulatory procedures (guidance / FAQ).
Despite the guidance having formally been “adopted”, the WP29 is nevertheless inviting stakeholder comments on the new guidance, until the end of January 2017. Indeed, the guidance takes a number of positions that could attract large volumes of comments ahead of the January 31 deadline.…