On April 24, 2018, Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA) introduced the Social Media Privacy and Consumer Rights Act of 2018.  The bill aims to protect consumers’ online data by increasing the transparency of data collection and tracking practices, and requiring companies to notify consumers of a privacy violation within 72 hours.

“Our bill gives consumers more control over their private data, requires user agreements to be written in plain English and requires companies to notify users of privacy violations,” Senator Kennedy explained. “These are just simple steps that online platforms should have implemented in the first place.”

Other features of the legislation include providing consumers a right of access to see what information about them has been collected and used, allowing consumers to opt out of data collection and tracking, and requiring online platforms to have a privacy program in place.  Senator Klobuchar explained that “[c]onsumers should have the right to control their personal data and that means allowing them to opt out of having their data collected and tracked and alerting them within 72 hours when a privacy violation occurs and their personal information may be compromised.” 
Continue Reading Senators Klobuchar and Kennedy Introduce Privacy Legislation

Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers.  The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve Resilience (“Cyber AIR”) Act were each introduced but not enacted in a previous session of Congress.  In a joint press release, the Senators noted that the legislation was designed to “implement and improve cybersecurity standards for cars and aircraft.”

The SPY Car Act

The SPY Car Act would require cars manufactured for sale in the U.S. to comply with “reasonable measures to protect against hacking attacks,” including measures to isolate critical software systems from non-critical systems, evaluate security vulnerabilities, and “immediately detect, report, and stop attempts to intercept driving data or control the vehicle.”  It would also require “driving data” collected by cars to be “reasonably secured to prevent unauthorized access,” including while such data is in transit to other locations or subsequently stored elsewhere.  Violations of these cybersecurity requirements are subject to civil penalties of up to $5,000 per violation.
Continue Reading Senators Reintroduce Cybersecurity Legislation for Cars and Planes

On September 16, 2016, the Federal Trade Commission (“FTC”) hosted a workshop on the factors that may contribute to the effect disclosures have on consumer behavior. The workshop, “Putting Disclosures to the Test,” included speakers from a wide range of disciplines and industries, who remarked on aspects of disclosure such as consumer cognition, recognition, and comprehension, methodologies for measuring disclosure effectiveness, the impact of disclosures on consumer decision-making, and disclosure design.

In her introductory remarks, Lorrie Cranor, Chief Technologist at the FTC, espoused the benefits to privacy disclosures of studying research in other areas. Edith Ramirez, Chairwoman of the FTC, then opened the workshop with remarks on issues that are important to the FTC. The FTC’s primary task, she stated, is to ensure consumers have access to truthful and accurate information, to enable them to make decisions in the marketplace. Their focus, with respect to disclosure of information, is on the effect of disclosure on consumer welfare. They consider some disclosures necessary to prevent deception in advertising, or to communicate the risks of products, or choices consumers may have. With respect to privacy, the FTC encourages companies to disclose their data practices, so consumers have greater control over how their data is used. They require disclosures to be clear and conspicuous, so consumers can understand them and make informed decisions.
Continue Reading FTC Hosts “Putting Disclosures to the Test” Workshop

By Ani Gevorkian

On Monday, the Consumer Financial Protection Bureau (CFPB) finalized a rule that promotes more effective privacy disclosures and saves the financial services industry around $17 million dollars.  The new rule permits financial institutions that restrict data-sharing to post their annual privacy notices online rather than delivering them to customers individually.  The rule will be effective as soon as it is published in the Federal Register. 

Under the Gramm-Leach-Bliley Act (GBLA), a financial institution generally must send annual privacy notices to customers that describe whether and how the financial institution shares their nonpublic personal information.  An institution that shares this information with unaffiliated third parties generally must notify customers of their right to opt out of the sharing and provide instructions on how to do so.

Under the new rule, a financial institution may meet GBLA requirements by posting privacy notices online instead of distributing an annual paper copy, as long as the institution adheres to certain requirements.  For instance, the institution may not share data in ways that trigger customers’ opt-out rights.  They must also continue to send notices through existing delivery methods if the policies’ terms change or if a customer with limited internet access requests by phone to receive a notice.
Continue Reading CFPB Finalizes Rule to Allow Online Privacy Disclosures from Financial Institutions

Continuing our coverage of the flurry of bills signed into law by California Governor Jerry Brown last week, we turn now to AB 1710, an amendment to California’s data breach legislation. The data breach amendment makes three notable changes to existing laws regarding personal information privacy:

1.  Requires Companies that Maintain Personal Information to Implement and Maintain Reasonable Security Procedures and Practices.

California’s existing data breach law requires companies that own or license personal information to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . .” Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.

AB 1710 extends this requirement to companies that merely “maintain” personal information about Californians. The bill defines maintain information in the negative, as information that a business does not own or license.

For purposes of implementing and maintaining reasonable security procedures and practices, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code. Cal. Civ. Code § 1798.81.5(d)(1).
Continue Reading California Amends Data Breach Legislation

Today, the Federal Trade Commission (“FTC”) issued a staff report examining the consumer-protection implications of popular shopping apps.  These services are intended to ease and enhance the shopping experience by allowing consumers to, for example, compare prices in-store across retailers, collect and redeem deals, or pay for purchases while shopping in brick-and-mortar stores.  The FTC

Recent discoveries of data security breaches have raised a perennial question for public companies:  are public companies required by law or practice to provide material updates to their investors when bad things happen?  The answer can be quite surprising. 

Disclosure at the Time of the Event

As a threshold matter, federal securities law does not explicitly impose an affirmative duty on issuers to disclose data security breaches or failed attempts to breach a company’s data security.  There is no specific line item in any SEC disclosure document, rule or regulation that specifically requires such disclosures.  In this regard, federal securities law does not require the disclosure of this, or other information, solely because it might be “material.”  Instead, the determination of whether material information is required to be disclosed depends on whether such information is required to be disclosed in the applicable form, or is necessary to make other statements made not misleading. 

For example, Form 8-K, the form that is generally used to provide markets and investors with current information, is only required to be filed when one of the specific items included in the form are triggered.  These include things such as entry or termination of material contracts, the acquisition or disposition of a material business or a material amount of assets, the appointment or termination of executive officers or directors and similar occurrences.  Any events that do not involve one of the enumerated triggers may be filed under Item 8.01 as an “Other Event” or under Item 7.01 as “Regulation FD Disclosure,” which is intended to allow companies to comply with Regulation FD, which generally requires that companies publicly disclose information that they intend to disclose privately to investors or others.  Form 8-K does not include a specific line item relating to data security breaches or similar events – even if such events are material.


Continue Reading When are Public Companies Required to Disclose that They Have Experienced a Material Data Security Breach?

In a closing letter declining to bring enforcement action against shoemaker Cole Haan, FTC staff stated that it believes “Pins” on Pinterest featuring a company’s products can constitute an endorsement of those products, and that if the pins are incentivized by the opportunity to win a significant prize in a contest, contestants should be instructed to label their pins appropriately. 

The closing letter follows an investigation into whether Cole Haan violated Section 5 of the Federal Trade Commission Act in connection with its “Wandering Sole” Pinterest Contest.  Section 5 of the FTC Act protects consumers from “unfair or deceptive acts or practices.”  Pursuant to its Section 5 authority, the FTC requires disclosure when there exists a connection between a product endorser and the seller of the advertiser product that might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience). 

For a chance to win a $1,000 shopping spree, Wandering Sole contestants were instructed to create Pinterest boards that included five re-pins of shoe images from Cole Haan’s Wandering Sole Pinterest Board.  According to the FTC, these re-pinned images featuring Cole Haan shoes constituted product endorsements that were “incentivized by the opportunity to win” a shopping spree, therefore creating a material connection requiring disclosure.  The contest rules directed contestants to caption each pin with “#WanderingSole,” but the FTC determined that the hashtag was not adequate in communicating the material connection — i.e., financial incentive — between Cole Haan and its contestants.  The FTC concluded that “entry into a contest to receive a significant prize in exchange for endorsing a product through social media constitutes a material connection that would not reasonably be expected by viewers of the endorsement.”


Continue Reading FTC Cole Haan Closing Letter: Encouraging Pinterest “Pins” in a Contest Can Trigger Endorsement Guidelines

Yesterday, the FTC held a public workshop titled “In Short: Advertising & Privacy Disclosures in a Digital World.”  The workshop explored whether and how the FTC should revise its 2000 guidance concerning advertising and privacy disclosures in the new era of online and mobile technology.

 
This post will highlight the morning workshop sessions on usability research, cross-platform advertising disclosures, and social media advertising disclosures.  A second post will recap the afternoon’s discussions on mobile advertising and privacy disclosures.
 
Presentation on “Usability Research.”  After introductory remarks by Commissioner Ohlhausen, Jennifer King, a Ph.D. candidate at the University of California-Berkeley, briefly presented on “usability research,” an emerging body of research that examines the qualitative aspects of what disclosures users read—and what they ignore—in the online space.  One of the overarching findings she discussed is that Internet users are goal-oriented and will largely focus only on those items that are necessary for completing the task at hand.  Building upon this principle, King proposed that relevant disclosures should be part of the user’s task flow (for example, built into the checkout process) for maximum visibility.  King’s presentation can be viewed on her blog.
 
Panel 1:  Universal and Cross-Platform Advertising Disclosures.  After her presentation, King joined the first panel of the day on “Universal and Cross-Platform Advertising Disclosures,” at which moderator Michael Ostheimer asked questions aimed at determining whether — and how —  the 2000 Dot Com Disclosures guidance should be updated.  A large part of the discussion centered on the use of links to make disclosures in online advertisements and on e-commerce sites.  Three of the panelists — Sally Greenberg, Executive Director of the National Consumers League, Paul Singer, Office of the Texas Attorney General, and King — questioned whether generic links (titled “Disclosure,” for example) are sufficient to put consumers on notice that important terms and conditions attach to the use or purchase of a product.  
 
Other panelists more broadly questioned the utility of guidelines that focus on things like the use and formatting of hyperlinks and the design of banner ads.  Comments from Linda Goldstein,  Promotion Marketing Association, and Steve DelBianco, NetChoice, tended to suggest that the Dot Com Disclosures guidance is outdated and a more flexible approach is appropriate.  Singer, however, championed the guidance’s focus on clarity and prominence, saying these are valuable principles for companies hoping to avoid regulatory scrutiny.
 
Panel 2:  Social Media Advertising Disclosures.  The second panel addressed “Social Media Advertising Disclosures.”  The FTC’s blogger endorsement guidelines were discussed first, and the panelists were largely in agreement on Moderator Richard Cleland’s hypotheticals, concluding as a general matter that if a blogger receives an incentive to review or recommend a product, the blogger should disclose that connection at the same time and in the same space as the endorsement.  
 
When the conversation turned to advertising disclosures on social media platforms like Twitter, the panelist views varied.  A debated issue was how an endorser using Twitter should disclose an arrangement with a company within the platform’s space constraints.  Robert Weissman, President of Public Citizen, said the use of the #spon hashtag — a convention in the Twitter sphere — was not enough, because average consumers do not understand its significance.  Stacey Ferguson, a representative of the blogging community, agreed that a plain language approach is the solution, even at the cost of valuable real estate.  But Malcolm Faulds, a member of the Word of Mouth Marketing Association (but speaking on behalf of BzzAgent, Inc.), disagreed, noting that WOMMA recommends the use of Twitter hashtags like #spon to its members.
 
Ferguson then suggested that the platform itself should be responsible for enabling users to make ad disclosures in a meaningful and clear way.  For example, she noted that Twitter could change the color of tweets that featured advertising.  Other panelists, however, disagreed.  Susan Cooper, Advertising and Product Counsel at Facebook, pointed out the near-impossibility of the Facebook platform to distinguish when a user “likes” a product on her own, and when a user “likes” a product because she has an incentive to do so.  Weissman echoed this sentiment, noting that the “duty lies with the advertiser, not with the platform.”
 
Although the discussion was based largely on hypotheticals, larger themes developed.  Weissman took the position that advertising disclosure guidelines should not cater to the constraints of a specific platform.  “Advertising has to adapt to the existing law, not the other way around,” he argued.  Cooper, however, emphasized that social media advertising disclosures cannot be one-size-fits-all.  “Social media is an umbrella term used broadly to identify several different types of platforms.”  Cooper cautioned that despite the use of a single term to describe the platforms, “the way that users are consuming social media is very different.”  
 
Susan Shook, counsel at Procter & Gamble, suggested that a more flexible approach to advertising disclosures be considered, one that would permit endorsements in an individual’s own words and would allow advertisers to transition easily to new media outlets

This post will highlight the morning workshop sessions on usability research, cross-platform advertising disclosures, and social media advertising disclosures.  A second post will recap the afternoon’s discussions on mobile advertising and privacy disclosures.


Continue Reading What Happened at the FTC Advertising and Privacy Workshop? (Part 1 of 2)