Photo of Adam Fleisher

In the last few years, as advertising has followed consumers from legacy media such as television to online video and social media platforms, the Federal Trade Commission has been attempting to ensure that participants in this new advertising ecosystem understand the importance of complying with the FTC’s “Guides Concerning the Use of Endorsements and Testimonials in Advertising,” or the endorsement guides. The endorsement guides require advertisers and endorsers (also referred to as influencers) to, among other things, clearly and conspicuously disclose when the advertiser has provided an endorser with any type of compensation in exchange for an endorsement.

A failure to make appropriate disclosures may be a violation of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices. In recent enforcement actions, press releases, guidance, closing letters and letters sent directly to endorsers (including prominent public figures), the FTC has made clear its belief that: (1) appropriate disclosures by influencers are essential to protecting consumers; and (2) in too many instances, such disclosures are absent from celebrity or other influencer endorsements.

With much fanfare, the Federal Trade Commission (FTC) continues to take actions relating to so-called “social media influencers” who allegedly fail to disclose material connections to the products or brands they endorse. Recurring enforcement actions and guidance—and the FTC’s ongoing promotion of its own efforts, such as through Twitter chats—make it clear that the FTC believes that its message has still not been heard by all of the players in this advertising ecosystem, including influencers themselves.

In short, any endorsements in any medium where the endorser has a material connection of any kind to the endorsed advertiser must be disclosed.

The most recent developments include an enforcement action against a company—and two of its officers—in connection with endorsements of the company made by the officers in YouTube videos and in social media. Before turning to this case, however, we provide a brief overview of how the FTC has gotten here.

Recent challenges to the Federal Trade Commission’s (FTC) authority to police data security practices have criticized the agency’s failure to provide adequate guidance to companies.

In other words, the criticism goes, businesses do not know what they need to do to avoid a charge that their data security programs fall short of the law’s requirements.

A series of blog posts that the FTC began on July 21, 2017, titled “Stick with Security,” follows promises from acting Chair Maureen Ohlhausen to provide more transparency about practices that contribute to reasonable data security. Some of the posts provide insight into specific data security practices that businesses should take, while others merely suggest what, in general, the FTC sees as essential to a comprehensive data security program.

With corporate data security breaches on the rise, the New York State Department of Financial Services (NYDFS) has adopted rules requiring financial institutions to take certain measures to safeguard their data and inform state regulators about cybersecurity incidents. Intended to thwart future cyberattacks and protect consumers, those “Cybersecurity Requirements for Financial Services Companies” (the “Cybersecurity Rule” or “Rule”) finally took effect on March 1, 2017. The NYDFS has released guidance on how to follow the Rule, in the form of frequently asked questions (FAQs) and a summary of key compliance dates. Although the guidance is apparently intended to assist covered financial institutions as the clock ticks towards the first of the Rule’s phased compliance deadlines less than six months away, the guidance is unlikely to make the implementation challenges many financial institutions will face any less daunting.

The Cybersecurity Rule requires that covered financial institutions, among other things, adopt detailed programs, policies and procedures to protect Information Systems (which are defined to include essentially any computer or networked electronic system) and certain sensitive business and consumer information (“Nonpublic Information”) from cybersecurity threats.

The Rule is narrower and less prescriptive than the original proposal from September 2016 (and largely the same as the second proposal from December 2016). Nonetheless, covered financial institutions now have less than six months to establish compliance with the first of the Cybersecurity Rule’s requirements. This means covered financial institutions will quickly need to: (1) assess the current state of their information security programs and what modifications may be required based on the specific policies and controls required by the Rule; and (2) consider the new processes that may need to be created to meet the Rule’s reporting, recordkeeping and certification requirements.

If your company collects information regarding consumers through Internet-connected devices, you will want to take note of the Federal Trade Commission’s (FTC) recent privacy-related settlement (brought in conjunction with the New Jersey Attorney General) with smart TV manufacturer Vizio, Inc. The settlement is significant for four reasons:

  • The FTC reinforces the position it has taken in other actions that the collection and use of information in a way that would surprise the consumer requires just-in-time notice and choice in order to avoid a charge of deception and/or unfairness under Section 5 of the FTC Act.
  • The FTC takes the position that television viewing activity constitutes sensitive data. This marks a departure from its approach of limiting sensitive data to information that, for example, can facilitate identity theft, precisely locate an individual, is collected online from young children or relates to matters generally considered delicate (such as health information).
  • The settlement includes a payment of $1.5 million to the FTC (as well as payment of civil penalties to New Jersey), but the legal basis for the FTC payment is not stated. This could suggest that the FTC will more aggressively seek to obtain injunctive monetary relief in Section 5 cases.
  • Acting Chairwoman Maureen Ohlhausen explicitly noted in a concurring statement her skepticism regarding both the allegation that TV viewing data is “sensitive” and that the FTC’s complaint adequately established that the practices at issue constitute “substantial injury” under the unfairness prong of Section 5.

Leaving aside what the chairwoman’s concurrence may portend for future enforcement efforts, the FTC again seems to be using allegedly bad facts about privacy practices to push the envelope of its authority. Accordingly, with the Internet of Things boom fueling a dramatic increase in the number of Internet-connected devices, companies that either collect information via such devices or make use of such collected information should consider the implications of this enforcement action.


Well over a year after holding a workshop addressing privacy issues associated with cross-device tracking, Federal Trade Commission (FTC) staff have issued a report. The report sets the stage by describing how cross-device tracking works, noting its “benefits and challenges,” and reviewing (and largely commending) current industry self-regulatory efforts.

The report also makes recommendations, which—while building upon the staff’s traditional themes of transparency and choice—do not introduce any materially new suggestions for compliance.

The staff’s recommendations do not have the force of law, but they do indicate the steps that the staff believes a company should take in order to avoid a charge of unfairness or deception under Section 5 of the FTC Act.

A Quick Review of Cross-Device Tracking

As more consumers utilize multiple devices in their daily lives, more and more companies are using new technologies to attempt to ascertain that multiple devices are connected to the same person. This is generally done through the use of either deterministic information (e.g., by recognizing a user through the log-in credentials he or she uses across different devices) or probabilistic information (i.e., by inferring that multiple devices are used by the same person based on information about the devices, such as IP address, location, and activities on the devices).


As a result of the Second Circuit’s recent opinion in Microsoft v. United States, the U.S. government likely can no longer use warrants issued pursuant to the Stored Communications Act (“SCA”) to compel U.S.-based companies to produce communications, such as emails, that are stored in a physical location outside of the United States—at least for now. Instead, the government will likely need to rely on Mutual Legal Assistance Treaties, which provide a framework for states to, among other things, provide assistance to one another to obtain and execute search warrants in their respective jurisdictions.

Nevertheless, it is likely that the U.S. government will seek an alternative, which could include appealing the case to the Second Circuit en banc or pursuing legislation in Congress to amend and update the SCA in light of new digital realities.

Background on the SCA and the Microsoft Dispute

The SCA, which limits service providers’ disclosure of the user data they store, provides that a service provider may disclose to the government certain information, such as the stored contents of a customer’s emails, only if the government first obtains a warrant requiring the disclosure. Microsoft v. United States arose out of Microsoft’s dispute over the scope of one such warrant, which sought information about an email account that Microsoft determined was hosted in Dublin.

Microsoft moved to quash the warrant with respect to the actual emails in the account on the grounds that the SCA does not authorize a search and seizure outside of the territory of the United States, which is where the emails were stored.


Recent enforcement decisions within the digital advertising industry indicate a shift in—and a clarification of—the required disclosures for companies engaged in interest-based advertising (IBA).

In particular, these decisions, taken together, indicate that an app developer’s link to its privacy policy at the point of app download may be deemed insufficient, unless the link points

In May 2014, in a decision attracting worldwide attention, the European Court of Justice (ECJ) held that a European individual’s privacy rights include the “right to be forgotten,” requiring Internet search engine providers to honor an individual’s request to remove certain search results relating to him or her. Specifically, individuals may request deletion of links

Social media is all about innovation, so it is no surprise that social media marketers are always looking for innovative ways—such as courting social media “influencers” and using native advertising—to promote products and services to customers and potential customers. But, as the retailer Lord & Taylor recently learned, the legal rules that govern traditional