We like to give you information that helps you stay off the radar of the Federal Trade Commission with posts like this, this, this, this, this and this.  But, what do you do if the FTC does investigate?  I asked newly-minted Gray Reed & McGraw shareholder Justice Jim Moseley to help us answer some questions.  Before serving on the Texas Court of Appeals in Dallas, Justice Moseley was the Regional Director of the FTC’s Dallas Regional Office during the Reagan Administration.

Q: When and in what capacity does the FTC investigate?

A: The FTC has enforcement authority under 70 different statutes and federal rules.  Many of its investigations are brought under the broad powers of Section 5 of the FTC Act which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1).  Its trade regulation rules attempt to set forth what it considers to be “unfair or deceptive” in the context of a particular industry or particular type of consumer transaction.  In addition, the FTC is the primary enforcement arm responsible for privacy and false advertising.

FTC investigations are usually triggered by complaints from a consumer or from a competitor.  The FTC may start an informal investigation by sending an “access letter” which is a non-enforceable voluntary request for information.  However, it may also conduct a more formal investigation through the issuance of a “Civil Investigative Demand” or CID.


Q: What should a company do if the FTC investigates?

A: Although a response to an access letter is voluntary, if you refuse to cooperate, the FTC is likely to follow up with a CID.  The CID is a judicially enforceable request for information, much like a subpoena, that you cannot ignore.

The first thing you should do is carefully read the demand and make sure you preserve your records on the topic of inquiry.  You are likely to get in more trouble if you attempt to hide or conceal evidence related to the investigation.   Special rules also apply to preserving electronically stored information (ESI).  Make sure your information technology personnel properly maintain the necessary ESI and revise any regular document or data retention procedures as necessary.

Next, you need to note the deadlines of compliance and consider contacting qualified experienced counsel immediately.   Now is not the time to attempt to save a few dollars.


Q: What are my options?

A: Most of the investigations will require you to produce documents and will often request a meeting with FTC personnel.  Normally, the most prudent course is to cooperate.  You do, however, have the option to try and limit the scope of the inquiry or quash the CID in its entirety.  Your ability to seek court intervention is often on a deadline, so you should not delay.

You are usually better off opening up a dialogue with the FTC to try and limit the scope of the CID if it is burdensome.  You can often learn more about their concerns and better address the FTC’s concerns by keeping open the lines of communication.  The FTC will often work with you to limit the parameters of the production or give you more time when the circumstances call for it. Likewise, if something comes up that causes a delay on your part, it is better to tell them in advance than leave them surprised and suspicious.

Although you are providing documents to a governmental entity, they will be treated as confidential and not subject to a FOIA request.  They can and will be used against you, however.  Someone from your company will usually also be asked to sign off on a certification of some kind that should be read carefully to avoid creating any personal liability that may not otherwise be there.  Finally, read the requests carefully and only produce what is being requested.  There is no need to give them additional fodder that may only open new lines of inquiry.  Then, you usually have to sit and wait for the FTC to review the materials and get back with you.


Q: What are my risks?

A: You can usually identify the FTC’s concerns in the CID or in follow-up communications to determine the law or regulation the FTC is pressing.  When evaluating whether a representation is deceptive under Section 5(a) of the FTC Act, for example, the FTC generally looks at three issues: (1) whether the respondent disseminated the representations alleged; (2) whether those representations were false or misleading; and (3) whether those representations are material to prospective consumers.

The FTC has broad authority to act against what it perceives to be deceptive practices under Section 5(a) of the FTC Act.  The FTC also has broad discretion in determining whether a proceeding brought by it is in the public interest.  The FTC has equally wide discretion in its choice of a remedy in addressing unlawful practices which can include injunctions, compliance orders and monetary damages.

Q: What is the procedure?

A: If the FTC staff concludes there has been a violation, it will usually push first for a “consent order” in which the company agrees to stop the harmful conduct and to pay consumer redress in the form of fines or civil penalties.  If no agreement can be reached, the FTC staff will ask the Commission itself to start a formal proceeding before an administrative law judge; this procedure is similar to a trial before a judge.

If the administrative law judge rules in favor of the FTC, a “cease-and-desist order” is usually issued.  The company can appeal an adverse decision by the judge to the full Commission. If either party is not satisfied with the outcome at that level, it can appeal the Commission’s decision in the federal courts.   In cases where the FTC believes the respondent knew or should have known the conduct was “dishonest or fraudulent,” the FTC may follow up the administrative proceeding by asking a federal court to order consumer redress, such as an order to pay monetary restitution to victims of the violation.

The FTC also has the ability to go straight to a federal court to seek an immediate order to stop ongoing consumer fraud and to seek to freeze the assets of the defendant.  The FTC will often seek to hold individuals financially responsible for any egregious acts.


I’ve hesitated to write this post because the law is always changing and you can’t cover it all in one blog post (thank goodness for linking).  I did a presentation to the Houston Interactive Marketing Association this week which forced me to boil it down to digestible bites.  If I had to give you three simple rules they would be:

1. Disclose what you do in plain English;

2. Avoid storing or transmitting Personal Health Information if you can; and

3. Avoid marketing to minors if you can.

At the presentation, we identified the numerous laws and regulations marketers had to know about including at least COPPA, HIPAA, the FTC’s guidelines, Self Regulatory Organization Guidelines, Cal-OPPA and the EU Safe Harbor status.

COPPA

Regarding the Children’s Online Privacy Protection Act and marketing to minors, you should check out my five-part series here.  COPPA only applies if you collect personal information from children under 13, but the determination of whether you market to minors is not as clear as you might think.  Last year, the FTC allowed private companies to send in suggestions on how to satisfy the parental notification requirement.  The FTC recently rejected the idea of using the social graph.

HIPAA

In September, there were changes to HIPAA – the law governing the privacy of health information.  If you are marketing for a medical practice or anyone that may retain Personal Health Information, unless you want to make medical a core business segment, you may want to avoid becoming what the law calls a “Business Associate.”  If you are a Business Associate, you have to comply with HIPAA and compliance can be a pain.

A Business Associate is defined as someone or a company that provides “consulting, data aggregation, management, [or] administrative . . . services” to or for a Covered Entity, where the provision of the service involves the disclosure of protected health information from the Covered Entity, or from another business associate of such Covered Entity, to the person.

So the issue becomes whether you store or otherwise have access to Personal Health Information.  Again, the analysis is not that simple.  See here.  You need to know both email and IP addresses are covered which is pretty basic information for online marketers.

The specifics of your marketing strategy will determine whether you need to be concerned.  The point of this blog post is to make you think about it.  Here is one marketer’s take on the issue.   If you do a lot of marketing work for medical practices, doctors or hospitals, you should confer with a good HIPAA lawyer.  If you have one medical practice as a client in an otherwise hearty stable of clients, you may want to consider whether that one client is worth the headaches and the risk.

The FTC

The Federal Trade Commission is the agency insisting you disclose, disclose and disclose. The FTC’s more recent focus has been on mobile including this report from February 2013.

The more recent interesting drama has come from the W3C group’s unsuccessful attempts to come up with some “Do Not Track” proposals.  The powerful Digital Advertising Alliance recently backed out leaving the ability of the W3C to promulgate suggestions in jeopardy.

Several years ago, the FTC urged private organizations to make some proposals.  I previously warned that the industry needed to police itself or the government would make its own regulations; you can read my 5-part series on Do Not Track here.  For now, there is no Do Not Track law.  You can still track – as long as you disclose what you are doing and don’t mislead people.  That was Google’s $17 million mistake.

You can read the DMA’s guidelines for online behavioral advertising, which is a pretty good place to start.  For mobile, check out the NAI Code of Conduct.

In the meantime, Wyndham Hotels is challenging the FTC’s authority to enforce alleged misrepresentations regarding privacy in a case we are watching.  The court recently heard oral arguments on Wyndham’s motion to dismiss but no ruling has been made yet.

Cal-OPPA

That’s where California comes in and strikes a middle ground.  California did not ban tracking.  But, effective January 1, 2014, if you retain personally identifiable information of a Californian, you will have to disclose how you respond to Do Not Track requests.  I earlier posited that many companies will have to amend their privacy policies because of Cal-OPPA.

EU-Safe Harbor

Finally, there are the EU requirements on privacy.  Generally speaking, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995. The U.S. is not on that list.

Generally, to comply with existing E.U. guidelines you need to:

1. Give a notice of what you collect and what you do with it and how individuals can ask about it.

2. Give individuals the chance to opt-out of disclosure to third parties for reasons outside of the main purpose.

3. Ensure that the company to whom you transfer data also has adequate protections.

4. Provide users access to the data you have about them.

5. Initiate adequate security, data integrity and enforcement procedures.

If you deal with customers in Europe, you should consider looking into the Commerce Department’s Safe Harbor provisions, which work like a Good Housekeeping Seal of Approval for dealing with the information of European consumers.

This post does not and cannot answer every question.  Hopefully, now, however, you realize you may need to think a little more about the law when you start storing information about visitors to websites.

Usually, the first the outside world hears about a Federal Trade Commission privacy investigation is when the FTC announces a settlement.  The FTC normally notifies a company that it is under investigation, everyone cooperates and there is a settlement.

The FTC’s Authority

This time, the FTC has filed suit.  The target is Wyndham Hotels.  You can read the claim here and the press release here.  Wyndham claims it is going to fight the case which means it should all be aired in public. 

The FTC’s authority to file suit about online privacy comes through Section 5 of the FTC Act (15 U.S.C. § 45) which prohibits ‘‘unfair or deceptive acts or practices in or affecting commerce.’’  This gives the FTC broad powers.

What did Wyndham do?

Like most companies, Wyndham has a privacy policy on its website.  It states: 

We safeguard our Customers’ personally identifiable information by using standard industry practices.  Although “guaranteed security” does not exist on or off the Internet, we take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards to ensure that to the extent we control the Information, the Information is used only as authorized by us and consistent with this Policy, and that Information is not properly altered or destroyed.

Despite the assurances in the privacy policy, Wyndham suffered three separate privacy breaches that allowed hackers to access customer credit card data.  Hackers used a “brute force attack,” which means they guessed multiple user IDs and passwords on a local hotel network that connected to the national database.  The second and third breaches occurred when a service provider’s administrative access was hacked.

The FTC claims Wyndham was deceptive and injured consumers because Wyndham:

- failed to use firewalls between various networks
- stored credit card info in clear readable text
- failed to implement adequate security policies
- failed to remedy known vulnerabilities
- used well-known default IDs/passwords with access to the entire network
- allowed easy IDs/passwords with access to the entire network
- failed to inventory connections to manage devices
- failed to employ reasonable measures to detect and prevent
- failed to follow proper incident responses
- failed to restrict third-party access

The FTC is seeking an injunction and “such relief as the Court finds necessary to redress injury to consumers” which could mean millions.

What does this mean to you?

The primary lesson is to use reasonable security measures if you collect credit card info.  This means things like firewalls, reasonable password protections (don’t allow anyone to have a password of “password”), encrypting stored information, monitoring and inventorying your network so you can detect intrusions, and fixing the problem if an intrusion does happen.  Had Wyndham been victimized just once, the FTC would probably not be interested.  Because it happened three times, the FTC stepped in.

Second, and applicable to everyone, don’t cut and paste your privacy policy.  The FTC’s authority to sue relates to deceptive acts.  If you promise not to share information or that you have certain safeguards in place, make sure you do.  Your privacy policy should be a combined effort from both legal and IT to make sure it is correct and legally sufficient.
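Two of the lessons above are concrete enough to check in code: stored card numbers should never sit in clear readable text, and nobody should be allowed a password of “password.”  The following is an added illustration, not code from the original post or from Wyndham or the FTC; the sample records are constructed, and the weak-password list and 12-character minimum are this example’s own assumptions, not a standard the page states.  It finds Luhn-valid card numbers sitting in cleartext records, shows how to keep only the last four digits, and rejects the weak and default passwords the complaint describes.

```python
import re
from typing import List, Tuple

# Constructed sample records (not real data): the kind of reservation
# export an audit of "clear readable text" storage would scan.
SAMPLE_RECORDS = [
    "guest=alice reservation=1001 card=4111111111111111 exp=1225",    # cleartext PAN
    "guest=bob reservation=1002 card=tok_9f8e7d6c exp=0326",          # tokenized, fine
    "guest=carol reservation=1003 card=4111-1111-1111-1112 exp=0126",  # fails Luhn, not a PAN
    "guest=dan reservation=1004 card=5555555555554444",                # cleartext PAN
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer number.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Hypothetical blocklist for this example; a real deployment would use a much larger one.
WEAK_OR_DEFAULT = {"password", "admin", "123456", "welcome", "letmein", "changeme"}
MIN_PASSWORD_LEN = 12  # assumed policy value


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(records: List[str]) -> List[Tuple[int, str]]:
    """Return (record_index, normalized_pan) for every Luhn-valid card number in cleartext."""
    hits = []
    for idx, record in enumerate(records):
        for m in PAN_CANDIDATE.finditer(record):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((idx, digits))
    return hits


def redact_record(record: str) -> str:
    """Replace each cleartext PAN with its masked form, keeping only the last four digits."""
    def mask(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # not a card number; leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, record)


def password_is_acceptable(password: str, username: str = "") -> Tuple[bool, str]:
    """Reject the weak/default credentials the complaint describes; return (ok, reason)."""
    pw = password.strip()
    if pw.lower() in WEAK_OR_DEFAULT:
        return False, "on weak/default list"
    if len(pw) < MIN_PASSWORD_LEN:
        return False, "too short"
    if username and username.lower() in pw.lower():
        return False, "contains username"
    return True, "ok"


if __name__ == "__main__":
    for idx, pan in find_cleartext_pans(SAMPLE_RECORDS):
        print(f"record {idx}: cleartext card number ending {pan[-4:]}")
        print("  redacted:", redact_record(SAMPLE_RECORDS[idx]))
    for candidate in ("password", "alice2024!", "correct horse battery staple"):
        print(candidate, "->", password_is_acceptable(candidate, username="alice"))
```

The Luhn check matters because a bare regex for 16 digits would also flag reservation or invoice numbers; requiring the checksum keeps the scan useful on a large export.  The redaction keeps only the last four digits, which is the form a receipt or support screen actually needs.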

Webinar on Cyber Insurance

You can learn more about this case and other cyber-security risks and insurance issues at the Monday, August 27 live Webcast from 11:00-1:00 CDT entitled: Cyber Insurance: What You Need to Know in 2012 LIVE Webcast.  You can use this link for free registration if there are limited free Looper Reed passes still left.

While I am in the shameless self-promotion mood, you can also vote for my SXSWinteractive panel on Crowdfunding with my Looper Reed colleague Mark Wigder.


I did a Lawlines CLE entitled Online Marketing to Minors: Legal Pitfalls & Ramifications.  Over the next couple of weeks, I will be posting some clips from the presentation here that should give you a good idea of the proposals the FTC is making to update the Children’s Online Privacy Protection Act. For a basic introduction to COPPA, go here.

I opened the presentation with a Contracts 101 lesson about why courts refuse to honor contracts with minors and invalidate them.  This first clip takes a look at how this accepted rule comes into play in a more modern online world.

We’ve discussed on here before that it is almost better to have no privacy policy than an incorrect privacy policy.  I learned today, however, Google may be dinging some sites for not having policies.  This is one area where cut and paste simply does not cut it. 

Your privacy policy has to be accurate and match what you actually do.  This means your legal counsel has to work with the people who know what happens on your website. 

ScanScout

The FTC’s recent settlement with ScanScout should give you enough pause to make sure your privacy policy is correct and you know what you are talking about.  According to the FTC Complaint, ScanScout said users could opt out of tracking cookies by using the off-the-shelf tools in most web browsers, a pretty standard term in many policies.

It’s fairly standard because it is probably true for most web (HTML) cookies.  ScanScout, however, used Flash cookies.  These allow the site to track user behavior and could not be blocked by the opt-out options in the standard web browsers.

The settlement requires ScanScout to stop making misrepresentations in its privacy policies and to keep documentation regarding complaints and compliance for at least five years. 

Thanks to Stephen Spagnolo of the Chronicle of Data Protection Blog for his post on this, which also includes a description of how a site that describes itself as the Facebook for kids ran into COPPA problems.  Go figure that the FTC would keep a close eye on that site.

If you thought this was going to be a post about my favorite chocolate chip cookie recipe or how Looper Reed lawyer Stephen Cooney’s wife makes delicious cookies (reminder that Christmas is coming, Stephen), the FTC’s helpful www.OnguardOnline.gov provides some background on cookies and privacy.

Family Radio’s Harold Camping predicted the apocalypse was going to happen on May 21, 2011, last Saturday.  Despite the description by many that the blogosphere is Hell on Earth, you are reading this.  Therefore, the prediction was obviously wrong.  Good thing too, because all the work on the redesign of this blog would have been for naught.  (Too busy to read the rest? Listen to my Rapture Radio Interview on the topic with Scott Braddock of KRLD Radio.)

AdWeek’s Tim Nudd asked whether people could sue for false advertising.  The FTC, after all, has general authority under Section 5 to pursue claims for false and misleading advertising.  As explained by attorney Michael McSanus @AdLawGuy, however, it does not appear the folks behind the advertisement were telling people to send them money because of the claim, or that they did not genuinely believe their own prediction.  Most “predictions” are not actionable.  Otherwise, people who lost money gambling on football could sue Lee Corso every Saturday for his failed college football predictions.

In addition to false advertising, Texas recognizes a claim for detrimental reliance, which requires the defendant to make a promise foreseeing that the plaintiff will rely on it, and the plaintiff to detrimentally rely on the promise.  The textbook example is when someone offers you a job, so you quit your existing one, move your entire family and then find out there is no job when you arrive in the new city.  It is foreseeable that some people did some crazy things relying on the prediction.  The problem with such a claim in this case is that your reliance on the promise has to be reasonable.

People have done a lot of crazy things relying on a lot of religions, but no court wants to get mixed up in these issues.  The Supreme Court of Texas has written: “To avoid conducting ‘heresy trials,’ a court may not adjudicate the truth or falsity of religious doctrines or beliefs.”

In the Adweek post, McSanus joked, “To be safe they should have put some disclaimers on the billboards, like ‘Date subject to change without notice,’ ‘Additional terms and conditions apply. See Bible for complete details.’”  Being an online attorney, I checked the referenced website (sorry, no links for them) to see what the terms of service might include by way of disclaimers.  I didn’t spend much time on the site in case the rapture came to my laptop, but the site was interestingly devoid of any terms of service or any other disclaimers.

Apparently, they are now predicting the end of the world is coming in October.  They have time to lawyer up and add some disclaimers.

For a humorous look at the probate ramifications, check out David Shulman’s South Florida Estate Planning Law Blog’s take on it.