September 2012

On September 27, 2012, California Governor Jerry Brown signed a bill that restricts employer access to the “personal social media” of employees and applicants for employment.

Assembly Bill 1844 (“AB 1844”) adds to the California Labor Code new section 980.  Under this section, an employer may not “require or request” an employee or applicant to do any of the following:

  • Disclose a username or password for the purpose of accessing personal social media;
  • Access personal social media in the employer’s presence; or
  • Divulge any personal social media, except in connection with the investigation of allegations of an employee’s misconduct or violation of applicable laws.

The exception for employee investigations applies if the employer reasonably believes that the personal social media is relevant to the investigation or to a related proceeding, and does not use the personal social media for any other purpose.

AB 1844 does not preclude an employer from requiring or requesting an employee “to disclose a username, password, or other method for the purpose of accessing an employer-issued electronic device.”

AB 1844 expressly prohibits retaliation against an employee or applicant who declines to comply with a request that violates the terms of AB 1844, but it does not immunize the individual from any adverse action that is otherwise permitted by law.

Notably, the state Labor Commissioner is not required to investigate or determine violations of AB 1844.

AB 1844, which passed in both the California Senate and Assembly by wide margins, is similar to recently enacted laws in Delaware, Maryland, and Illinois.  During this legislative season, at least 13 states have proposed legislation restricting employer access to employee social media accounts, including Massachusetts, Michigan, Minnesota, New Jersey, New York, Ohio, Pennsylvania, South Carolina, and Washington.

On September 5, 2012, the Federal Trade Commission (FTC) published a brief guide to assist developers of mobile applications, both large and small, in complying with truth-in-advertising, privacy, and data security principles. In publishing this advice, the FTC makes clear that its Section 5 enforcement powers against unfair or deceptive acts or practices apply in the mobile app arena, and with equal force to large and small developers.

The FTC’s guidance briefly lays out the practices developers should follow in order to avoid such enforcement, thereby suggesting that more enforcement is on the horizon. Indeed, it has already started: last August the FTC reached a settlement with W3 Innovations, LLC for alleged violations of the COPPA rule in its apps directed at children.

The guide, called “Marketing Your Mobile App: Get it Right from the Start,” explains general consumer protection principles, and applies them to the context of mobile applications. Although the title of the guide suggests that the advice is primarily about marketing the apps, the FTC also gives advice about the design and implementation of apps.

WHAT IS THIS GUIDE?

This is NOT a new FTC trade regulation carrying the force of law. This is guidance issued by the Commission for how it may apply its Section 5 authority to police deceptive and unfair practices in the app environment. The FTC expects that the industry will review this guidance and take it into account in developing and advertising their apps.

This guidance is also specifically directed at mobile app developers; it does not relate to the “In Short” Dot-Com Disclosures workshop held on May 30, 2012, which relates to proper disclosure techniques in all online commerce. Guidance arising from that workshop, which is expected to be far more fulsome, may be released as early as this fall.

WHAT COMPLIANCE STEPS IS THE FTC LOOKING FOR?

Substantiate Your Claims

The FTC advises that app developers advertise their apps truthfully, and explains that “pretty much anything” a company tells a prospective user about what the app can do, expressly or by implication, no matter the context, is an “advertisement” requiring substantiation for claims as they would be interpreted by the average user.

If Disclosures are Necessary, Make them Clearly and Conspicuously

If developers need to make disclosures to users in order to make their advertising claims accurate, the FTC notes, then those disclosures must be clear and conspicuous. Although this does not require specific type or font sizes, the disclosures must be large enough and clear enough that users both see and understand them. This means, according to the FTC, that disclosures cannot be buried behind vague links or in blocks of dense legal prose.

Incorporate Principles of “Privacy by Design” In Developing Apps

The FTC also gives advice to developers on how to avoid enforcement for violations of user privacy. First, it notes that developers should implement “privacy by design,” meaning that they should consider privacy implications from the beginning of the development process. This entails several elements:

  • Incorporate privacy protections into your practices;
  • Limit information collection;
  • Securely store held information;
  • Dispose of information that is no longer needed;
  • Make default privacy settings consistent with user expectations; and
  • Obtain express user agreement for information collection and sharing that is not apparent.

Incorporate Transparency and Choice into Apps and Honor Users’ Choices

The FTC urges that developers be transparent about their data collection practices, informing users about what information the app collects and with whom that information is shared. Developers should also, according to the FTC, give users choices about what data the app collects, via opt-outs or privacy settings, and give users tools that are easy to locate and use to implement the choices they make.

Importantly, the FTC emphasizes that developers must honor the choices they offer consumers. This includes following through on privacy promises made. This also includes getting affirmative permission from users for material changes to privacy practices—simply editing the privacy policy is not enough, according to the FTC guide.

Apply COPPA Protections Where Appropriate

The FTC notes that there are special rules for dealing with kids’ information. Developers who aim their apps at children under 13, or know that children under 13 are using the app, must clearly explain their information practices and obtain verifiable parental consent before collecting personal information from children. The guide links to further advice for compliance with the Children’s Online Privacy Protection Act (COPPA).

Special Protections for Sensitive Information

Even for adults, the FTC urges developers to get affirmative consent before collecting “sensitive” information, such as medical, financial, or precise location information. For sensitive information, the FTC states that developers must take reasonable steps to ensure that it remains secure. The FTC suggests that developers:

  • Collect only the information needed;
  • Take reasonable precautions against well-known security risks;
  • Limit access to the data to a need-to-know basis; and
  • Dispose of data safely when it is no longer needed.

The FTC notes that these principles apply to all information the app collects, whether actively from the user, or passively in the background. In addition, any contractors that work with the developers should observe the same high security standards.

Plaintiffs’ attorneys seeking to cash in on grande class action lawsuits against companies that launch text message advertising campaigns suffered a setback in June as the U.S. District Court in the Southern District of California granted Taco Bell summary judgment in a lawsuit for Taco Bell’s alleged violation of the Telephone Consumer Protection Act (TCPA). The case, Thomas v. Taco Bell, was brought on behalf of a number of the 17,000 mobile phone owners in the Chicago area who received a text message in October 2005 encouraging them to purchase an order of delicious Nachos Bellgrande from their local Taco Bell franchises.  As unsolicited text message advertisements are often found to violate the TCPA, there may have been a case against the marketing company that actually sent the text messages, but the plaintiffs instead asserted their claim against the local Chicago franchisee association that ordered the advertisement and Taco Bell itself.  The case against the association was dropped for a lack of personal jurisdiction, while the court granted summary judgment to Taco Bell based on a finding that Taco Bell was not vicariously liable for the franchisee association’s texting campaign.

Using precedent from the Ninth Circuit, the court stated that vicarious liability for the text message campaign would have existed only if Taco Bell controlled the “manner and means” of the text message campaign.  Although the franchisee association did need to secure Taco Bell’s approval in order to receive reimbursement from Taco Bell for the campaign, the court held that control of the “purse strings” in this case did not constitute Taco Bell’s control of the manner and means of the advertising, particularly because the franchisee association could have launched the campaign with alternative funding without Taco Bell’s permission or any repercussions from the franchisor.  The court also rejected the plaintiffs’ argument that Taco Bell having one member on the franchisee association’s board (out of four) established control, as this minority interest was not controlling, and further stressed that approval by a company of an advertising campaign is not the same as the control required for liability.

This decision allows a little more breathing room for large franchisor companies, as it suggests that a franchisor-franchisee relationship does not automatically lead to vicarious liability for violations of the TCPA, which can carry penalties of up to $500 for each violation (a vast increase in cost over the usual five or so cents per text).  However, since the Ninth Circuit declared in Scatterfield v. Simon & Schuster, Inc. that text messages are tantamount to phone calls for the purposes of the TCPA, plaintiffs’ attorneys have been relentless in their attacks on companies that employ text message ad campaigns (as we previously pointed out in this blog, hockey fans are now suing their own beloved team for text-related TCPA violations).  In fact, the Thomas summary judgment was Taco Bell’s second favorable TCPA decision in a month, with a California District Court dismissing a claim that Taco Bell’s confirmatory opt-out messages violated the TCPA just one week earlier.  Despite these two victories for Taco Bell, with hundreds of companies launching thousands of advertising campaigns and promotions leading to the sending of millions of text messages, it seems unlikely that plaintiffs will have a shortage of TCPA claims any time soon.