Advertising

Just before the Thanksgiving holiday, the Federal Trade Commission (“FTC”) announced the issuance of consent orders involving Creaxion Corporation and Inside Publications, LLC to settle allegations that the companies misrepresented paid endorsements as independent opinions, and misrepresented paid commercial advertising as independent editorial content.  As a result, these companies and their principals are now prohibited from making misrepresentations about the status of their endorsers, required to clearly and conspicuously disclose material connections with such endorsers, and are required to monitor their endorsers.
Continue Reading FTC Settles with PR Firm and Publisher Over Social Media Endorsements

By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses 

Exactly one month after the GDPR started applying, the French Supervisory Authority (“CNIL”) issued a formal warning to two companies in relation to their processing of localization data for targeted advertising (see here).  The CNIL found that the consent on which both companies relied did not comply with the General Data Protection Regulation (“GDPR”).  The CNIL also concluded that one of the companies was keeping geolocation data for longer than necessary.

Fidzup and Teemo offer a tool (“SDK-tool”) that allows their customers, mobile app operators, to collect geolocation data and to use this data to provide customized advertising to their app users.  The two companies create profiles of the app users based on the users’ visits to certain points of interest identified by the customers, such as the physical stores of the customer (or of competitors).  They then provide advertising in the form of pop-ups to the app users.  Once a user has downloaded a customer’s app, geolocation data is collected, irrespective of whether the app is running, and combined with other data collected about the app user, such as an advertising ID and technical information about the device (e.g., MAC address).  Both companies relied on user consent obtained by the app operator to process the personal data they collected.  The agreements with Fidzup and Teemo required their customers to inform app users about the targeted advertising activities enabled by the SDK-tool and to obtain the app users’ consent.

The CNIL concluded that the consent obtained did not meet the requirements of the GDPR.  Under the GDPR consent must be “freely given, specific, informed and unambiguous”.  According to CNIL, the consent obtained did not meet any of these requirements.
Continue Reading French Supervisory Authority Issues 2 GDPR Warnings

Companies that offer or are considering subscription-based plans should take note that new requirements for automatic renewal offers (“auto-renewals”) take effect in California on July 1, 2018.  California Senate Bill No. 313 (“SB 313”) amends existing law to extend additional protections to consumers where an auto-renewal offer includes a free gift or trial or where promotional pricing will change once the promotional period ends.  It also requires that certain consumers have the ability to opt-out exclusively online.
Continue Reading Updates to California Auto-Renewal Law Take Effect on July 1, 2018

The UK Information Commissioner’s Office (ICO), which enforces data protection legislation in the UK, has fined a company £20,000 (approximately 24,000 USD / 23,000 EUR) for not exercising sufficient due diligence when buying and using marketing databases.

The ICO found that over 580,000 individuals’ contact details had been obtained by The Data Supply Company Ltd (“TDSC”) from sources such as financial institutions and competition websites, and then sold on to third parties.  This had led to at least 21,045 unsolicited text messages and 174 complaints.

Because the data was used for direct electronic marketing (by email, SMS, etc.), TDSC was not entitled to rely on its data sources’ generic consent requests, such as “We may share your information with carefully selected third parties where they are offering products or services that we believe will interest you”, nor even fuller notices that disclosed “long lists” of general categories of possible recipients of the data.
Continue Reading UK Company Fined For Buying And Selling Non-Compliant Marketing Databases

The Article 29 Working Party (“WP29”) – the representatives of national data protection regulators in the EU – has issued new guidance on three important aspects of the new General Data Protection Regulation (“GDPR”), which comes into force in May 2018.

This first salvo of GDPR-focused guidance concerns:

  1. the new “Right to Data Portability”, an obligation on companies and public authorities to build tools that allow users to download their data or transfer it directly to a competitor (the guidance is here, and an FAQ is here);
  2. the new obligation for organizations to appoint a “Data Protection Officer”, a quasi-independent role within companies that will be tasked with internal supervision and advice regarding GDPR compliance (guidance / FAQ); and
  3. the new “One Stop Shop” mechanism – helping companies identify which “lead” data protection authority will be their main point of contact for multi-country regulatory procedures (guidance / FAQ).

Despite the guidance having formally been “adopted”, the WP29 is nevertheless inviting stakeholder comments on the new guidance, until the end of January 2017.  Indeed, the guidance takes a number of positions that could attract large volumes of comments ahead of the January 31 deadline.
Continue Reading New EU GDPR Guidance: Data Portability, Data Protection Officers, and the One Stop Shop

As announced last week, the European Data Protection Supervisor (“EDPS”) released on September 23, 2016 an opinion on “coherent enforcement of fundamental rights in the age of big data.”  This opinion follows an earlier Preliminary Opinion on privacy and competitiveness in the age of big data, published in 2004 (see our previous blog post here).

According to the EDPS, data-driven technologies and services are important for economic growth, but the users of those services are generally unaware of the nature and extent of the “covert tracking” that fuels the sector.  The growing imbalance between consumers and service providers would diminish choice and innovation and threaten the privacy of individuals.  In fact, the rights of individuals enshrined in the EU Charter of Fundamental Rights would be threatened by “normative behavior and standards that now prevail in cyberspace.”  At the same time, EU rules on data protection, consumer protection, and antitrust and merger control are applied in silos, despite their common objectives.
Continue Reading EDPS Issues Opinion on Big Data and Enforcement

On September 16, 2016, the Federal Trade Commission (“FTC”) hosted a workshop on the factors that may contribute to the effect disclosures have on consumer behavior. The workshop, “Putting Disclosures to the Test,” included speakers from a wide range of disciplines and industries, who remarked on aspects of disclosure such as consumer cognition, recognition, and comprehension, methodologies for measuring disclosure effectiveness, the impact of disclosures on consumer decision-making, and disclosure design.

In her introductory remarks, Lorrie Cranor, Chief Technologist at the FTC, espoused the benefits that studying research in other areas can bring to privacy disclosures. Edith Ramirez, Chairwoman of the FTC, then opened the workshop with remarks on issues that are important to the FTC. The FTC’s primary task, she stated, is to ensure consumers have access to truthful and accurate information, to enable them to make decisions in the marketplace. Its focus, with respect to disclosure of information, is on the effect of disclosure on consumer welfare. The FTC considers some disclosures necessary to prevent deception in advertising, or to communicate the risks of products, or choices consumers may have. With respect to privacy, the FTC encourages companies to disclose their data practices, so consumers have greater control over how their data is used. It requires disclosures to be clear and conspicuous, so consumers can understand them and make informed decisions.
Continue Reading FTC Hosts “Putting Disclosures to the Test” Workshop

The UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), has imposed a fine of £350,000 on Prodial Ltd (“Prodial”) for making over 46 million unsolicited automated telephone calls to generate leads in relation to payment protection insurance refunds.  This is the highest fine issued by the ICO to date.
Continue Reading Company Receives Record Fine from UK Regulator For Cold Calling

On Tuesday, the FTC announced the agenda for PrivacyCon, which is being billed as a “first-of-its-kind event” that will facilitate discussions between researchers and academics about privacy and security.  The FTC also released abstracts for the research that will be presented at the conference, scheduled for January 14.  PrivacyCon follows a call from the FTC last summer to “white hat” researchers and academics for papers on new vulnerabilities and how they might be exploited to harm consumers, as well as research in the area of big data, the Internet of things and consumer attitudes towards privacy.
Continue Reading FTC Releases Agenda for First-Ever PrivacyCon