Photo of Julie O'Neill


Social media is all about innovation, so it is no surprise that social media marketers are always looking for innovative ways—such as courting social media “influencers” and using native advertising—to promote products and services to customers and potential customers. But, as the retailer Lord & Taylor recently learned, the legal rules that govern traditional marketing also apply to social media marketing.


Earlier this year, the Federal Trade Commission (FTC) reached a settlement with Lord & Taylor in a dispute involving its online advertising practices. According to the FTC’s Complaint, Lord & Taylor allegedly:

  • gifted a dress to 50 “fashion influencers” and paid them to post on their Instagram accounts photos of themselves in the dress during a specified timeframe; and
  • paid for, reviewed and preapproved Instagram posts and an article in an online magazine, Nylon.

In neither case, according to the FTC, was Lord & Taylor’s role in the promotional effort appropriately disclosed.

On these alleged facts, the FTC brought three counts alleging the following violations of Section 5 of the FTC Act’s prohibition on deceptive practices:

  • the failure to disclose that the influencers’ Instagram posts did not reflect their independent and impartial statements, but rather were specifically created as part of an advertising campaign;
  • the failure to disclose or adequately disclose that the influencers were paid endorsers; and
  • the failure to disclose that the Nylon materials were not independent statements and opinions of the magazine, but rather “paid commercial advertising.”

As has been widely remarked, this is not the first time the FTC has brought a case relating to social media advertising. The settlement, however, is noteworthy because it brings together issues relating to both native advertisements and endorsements. The FTC has been focusing on these issues since late 2014; its activities have included:

  • Settling with the advertising firm Deutsch LA, Inc. in late 2014 in connection with its allegedly deceptive activities relating to the promotion, on behalf of its client Sony, of the PlayStation Vita handheld gaming console through Twitter (we wrote about the Deutsch LA case on Socially Aware).
  • Settling in September 2015 with Machinima, Inc., an online entertainment network that allegedly paid video bloggers to promote the Microsoft Xbox One system (we also wrote about the Xbox One settlement on Socially Aware).
  • Issuing a closing letter, at the same time as the Machinima settlement, indicating that the FTC had investigated Microsoft and Microsoft’s advertising agency, Starcom, in relation to the influencer videos at issue in Machinima. The closing letter was significant because it suggested that the FTC was primed to take the position that a company whose products are promoted bears responsibility for the actions of its ad agencies—as well as the actions of those engaged by its ad agencies.
  • Releasing a policy statement and guidance on native advertising in late 2015, which warned companies—again—that it is deceptive, in violation of Section 5, if reasonable consumers are misled as to the true nature or source of an advertisement. (Our Client Alert on these materials can be read here.)

The compliance issue with native advertising is that content that does not appear to be advertising—such as an advertisement or promotional article in an online or print publication formatted to look like the non-advertising materials in the same publication—must be clearly and conspicuously disclosed as advertising. The relevant compliance issue with endorsements is that any payment or other compensation received by the endorser from the promoter must be appropriately disclosed.

The concept underlying native advertisements and endorsements is the same: Consumers must be aware that they are reviewing promotional material, not “native” or “organic” content, whether it is on a social media platform, a website or in a print publication.

The Lord & Taylor settlement is yet another clear signal that paid promotions of any kind, in any medium, must be disclosed. Given the FTC’s focus on these issues and the repeated enforcement actions, especially with respect to social media endorsements, it is likely that the FTC will continue to enforce in this area until it is convinced that the market understands the disclosure rules.

In light of the risk in this area, the Lord & Taylor Consent Order is noteworthy, as it provides valuable insight into how the FTC expects companies to avoid running afoul of the endorsement and native advertising rules.

For example, the Order requires Lord & Taylor to provide any endorser “with a clear statement of his or her responsibility to disclose, clearly and conspicuously,” the material connection between the retailer and the endorser in any advertisement and communication, and to obtain a signed and dated acknowledgment of receipt of this statement from the endorser. In addition, the Order requires Lord & Taylor to maintain a system to monitor and review its endorsers’ representations and disclosures. Taken together, these requirements essentially lay out components of a compliance program that any company using social media for advertising should consider.

Of course, any such program requires time and resources, and no company has those in infinite supply. But, moving beyond the FTC’s Complaint and Order, there are other noteworthy aspects of the social media endorsement issue that appear to have been overlooked.

According to news reports and comments from Lord & Taylor, it appears that the company (and commentators) recognized the potential FTC compliance issue right after the ad campaign launched. The company reportedly stated, after the settlement, that “it came to our attention [a year ago] that there were potential issues with how the influencers posted about a dress in this campaign, [and] we took immediate action with the social media agencies that were supporting us on it to ensure that clear disclosures were made.” And, indeed, articles from the time of the advertising campaign noted, for example, that “the [endorsing] bloggers left out an important piece of information in their Instagram posts: a disclosure that they had been paid to post by Lord & Taylor.” Another website commented at the time that the bloggers “failed to mention they were paid,” and suggested that the company was getting away with violating the FTC Act (though it did note that many bloggers had gone back to add “#sponsored or #ad to their posts).” The immediate aftermath of the Lord & Taylor campaign that ultimately formed the FTC’s case suggests that awareness of the issues is rising among the public, and that even a quick fix can be too late.

In light of this awareness, the failure to disclose obvious ties between the endorser and the promoter can undermine a campaign. And, even though the FTC does not have the authority to impose civil money penalties for these types of violations of the FTC Act, state Attorneys General appear to be getting in on the act. Machinima, Inc., for example, settled allegations with the FTC regarding its use of influencers in promoting the Xbox One (as we noted above). A few months later, however, the company entered into a settlement with the New York Attorney General that included a penalty of $50,000 for its alleged failure to disclose payments to the influencers.

These events strongly suggest that ensuring appropriate disclosures is more than just an FTC compliance issue. While the FTC is actively enforcing in this space, the margin of error is shrinking not only because of the FTC, but also because of the increasing awareness of the public, and the new risk of enforcement (including financial penalties) by state Attorneys General.


*    *    *

For more information on potential legal hurdles for companies engaged in social media marketing, please see these related blog posts:

An FTC Warning on Native Advertising

FTC Continues Enforcing Ad Disclosure Obligations in New Media and Issues a Warning to Advertisers

FTC Enforcement Action Confirms That Ad Disclosure Obligations Extend to Endorsements Made in Social Media

Magnifying2In a new report, the Federal Trade Commission (FTC) declines to call for new laws but makes clear that it will continue to use its existing tools it to aggressively police unfair, deceptive—or otherwise illegal—uses of big data. Businesses that conduct big data analytics, or that use the results of such analysis, should familiarize themselves with the report to help ensure that their practices do not raise issues.

The report, titled “Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues” grew out of a 2014 FTC workshop that brought together stakeholders to discuss big data’s potential to both create opportunities for consumers and discriminate against them. The Report aims to educate businesses on key laws, and also outlines concrete steps that businesses can take to maximize the benefits of big data while avoiding potentially exclusionary or discriminatory outcomes.

What Is “Big Data”?

The Report explains that “big data” arises from a confluence of factors, including the nearly ubiquitous collection of consumer data from a variety of sources, the plummeting cost of data storage, and powerful new capabilities of drawing connections and making inferences and predictions from collected data. The Report describes the life cycle of big data as involving four phases:

  • Collection: Little bits of data are collected about individual consumers from a variety of sources, such as online shopping, cross-device tracking, online cookies or the Internet of Things (i.e., connected products or services).
  • Compilation and Consolidation: The “little” data is compiled and consolidated into “big” data, often by data brokers who build profiles about individual consumers.
  • Data Mining and Analytics: The “big” data is analyzed to uncover patterns of past consumer behavior or predict future consumer behavior.
  • Use: Once analyzed, big data is used by companies to enhance the development of new products, individualize their marketing, and target potential consumers.

The Report focuses on the final phase of the life cycle: the use of big data. It explores how consumers may be both helped and harmed by companies’ use of big data.

Benefits and Risks of Big Data

The Report emphasizes that, from a policy perspective, big data can provide significant opportunities for social improvements: big data can help target educational, credit, health care, and employment opportunities to low-income and underserved communities.  For instance, the Report notes that big data is already being used to benefit underserved communities, such as by providing access to credit using nontraditional methods to establish creditworthiness, tailoring health care to individual patients’ characteristics, and increasing equal access to employment to hire more diverse workforces. Continue Reading Big Data, Big Challenges: FTC Report Warns of Potential Discriminatory Effects of Big Data

brand advertising word cloud

“Native advertising”—ads that may blur the distinction between advertising and editorial, video or other content—has been a hot topic in recent years for both marketers and regulators. It is popular with marketers because it is apparently an effective advertising model. The Federal Trade Commission (FTC), on the other hand, contends that it may be deceptive when the advertising content is not readily identifiable to consumers as such, and it has just issued guidance on how advertisers can stay on the right side of the law. On December 22, 2015, the FTC released an Enforcement Policy Statement on Deceptively Formatted Advertisements that focuses in particular on “native” advertising, along with guidance for businesses on native advertising that further fleshes out the FTC’s expectations.

The Enforcement Policy Statement defines “natively formatted advertising” as communications “that match the design, style, and behavior of the digital media in which it is disseminated.” For example, an advertisement may be integrated into a newspaper website, with a “headline” and then a few lines of text, so that it appears similar to substantive, publisher-generated news articles posted on the website. Native advertisements may also appear on social media platforms and may be delivered as videos or through other media.

Regardless of format, the rule is the same. As the Statement puts it:

Deception occurs when an advertisement misleads reasonable consumers as to its true nature or source, including that a party other than the sponsoring advertiser is the source of an advertising or promotional message, and such misleading representation is material.

In light of this principle, the FTC may deem an advertisement that looks like an ordinary news article to be deceptive if consumers are not provided with sufficient information to differentiate the advertisement from publisher-generated, non-advertising content. This information may be inherent in the nature of the advertisement, or it may require a separate disclosure indicating that the advertisement is a marketing communication. For example, in FTC v. Coulomb Media, Inc., as well as other cases, the FTC alleged that defendants deceptively used fake news websites to market açai berry products. Similarly, and more recently, in FTC v. NourishLife, LLC, the FTC alleged that the defendants misrepresented that a so-called research website was an independent source for information about the speech disorder apraxia, when in fact the website advertised the health benefits of the company’s products.

A disclosure may be important because, even if the substance of the natively formatted advertisement is not deceptive, the nature of the advertisement itself can be deceptive. In this regard, the FTC has recently brought enforcement actions and warned about advertising that appears to be user-generated commentary about a product or service but is in fact marketing content created by or on behalf of an advertiser. You can read more about these enforcement actions here and here.

To put it another way, the Enforcement Policy Statement holds that “an ad is deceptive if it promotes the benefits and attributes of goods and services, but is not readily identifiable to consumers as an ad.” But what, exactly, does that mean? The Policy Statement and the guide for businesses offer some considerations of what may make an advertisement “readily identifiable.” The guidance lists 17 mini case studies that provide examples of what does and does not require a disclosure. (The fact that 17 examples are necessary suggests the potential complexity in determining what does or does not constitute an advertisement that requires a disclosure.) The recurring theme of the examples is whether the consumer can reasonably ascertain that the advertisement is paid marketing material and not content organically generated by the publisher (or by a user in the case of social media or video-hosting websites).

For cases in which native advertising requires a disclosure, the new guidance recaps the FTC’s .com Disclosures guidance for businesses, which lays out basic requirements for making “clear and prominent” disclosures. The guidance also adds some new considerations, such as the need to disclose that the native content is advertising near the focal point of the ad, or in front of or above the “headline” of the native advertisement. (This disclosure needs to convey to the consumer that the material is advertising before the consumer clicks through the ad to the main advertising page.) In addition, the guidance suggests that, for multimedia ads (such as videos), the disclosure should be made in the video itself before the consumer receives the advertising message. That is, if the advertisement is only a small part of the overall video, the disclosure must be “delivered as close as possible to the advertising messag[e]” itself. Finally, the guidance affirms that the disclosures should include terms likely to be understood, such as “Ad,” “Advertisement,” or “Paid Advertisement,” and not terms such as “Promoted” or “Sponsored,” which are ambiguous in this context and could imply, for example, that a sponsoring advertiser funded the content but did not create or influence it.

As the FTC continues to scrutinize various mechanisms for delivering advertising online, companies should make sure that consumers are aware when they are being marketed to, even as the participants in the digital advertising ecosystem come up with new and innovative ways to deliver those marketing messages. All participants, including the companies whose products are being marketed, are potentially at risk of an FTC enforcement action if their advertisements are found to be deceptive, and thus every participant should pay heed to the FTC’s recent statements and guidance. In light of the FTC’s aggressive approach in this area, making sure that innovative forms of advertising meet the FTC’s timeless disclosure standards should be on every company’s radar.

Word Cloud with Influence related tags

In an age of explosive growth for social media and declining TV viewership numbers, companies are partnering with so-called “influencers” to help the companies grow their brands. Popular users of Instagram, Vine, YouTube and other social media sites have gained celebrity status, generating millions of views, impressions and “likes” with every upload.

Capitalizing on the shift from traditional media to online platforms, advertisers have begun to engage influencers in marketing campaigns. In a May 2015 study, 84% of marketers said they expect to launch at least one influencer marketing campaign in the next 12 months. Of those who had already done so, 81% said influencer engagement was effective. In a separate study, 22% of marketers rated influencer marketing as the fastest-growing online customer-acquisition method.

So what is an influencer, anyway? By its broadest definition, an influencer is any person who has influence over the ideas and behaviors of others. When it comes to social media, an influencer could be someone with millions of followers or a user with just a few loyal subscribers. One thing that all influencers seem to have in common is that their audiences trust them. As such, influencers can be powerful advocates, lending credibility, increasing engagement and ultimately driving consumer actions.

Influencer marketing can be an effective tool, but it’s important to do right. As recent Federal Trade Commission (FTC) and Food and Drug Administration (FDA) investigations demonstrate, online advertising is an area of relatively active enforcement, and influencer marketing presents a number of potential legal issues. The following tips can help companies lead successful influencer marketing campaigns while lessening the risk of liability.

Disclosure Is Key

In September, the FTC settled a case with Machinima, a company that paid popular video bloggers to promote Microsoft’s Xbox One system through YouTube. Despite the hefty sums paid out to the gamers (one of whom pocketed $30,000), Machinima did not require them to make any disclosures. The FTC alleged that the failure to disclose the relationship between Machinima and the gamers was deceptive, in violation of Section 5 of the FTC Act. In its Endorsement Guides, the FTC has taken the position that a failure to disclose unexpected material connections between companies and the individuals who endorse them is deceptive.

This case raises two important questions: (1) when is a disclosure required and (2) what constitutes adequate disclosure? Continue Reading Influencer Marketing: Tips for a Successful (and Legal) Advertising Campaign

Woman using multiple devices phone laptop and tablet lying in a wood bench in a park

Cross-device tracking is a hot new issue for regulators. Companies engaged in the practice should take note of two recent developments. On November 16, 2015, the Federal Trade Commission (FTC) hosted a workshop on the issue and, perhaps not coincidentally, on the same day the Digital Advertising Alliance (DAA) addressed the applicability of its interest-based advertising (IBA) self-regulatory regime to the practice.

Cross-device tracking enables companies to ascertain—either definitively or with a high degree of probability—that multiple devices are connected to the same person. There are two ways to do this.

The first way is through deterministic identifiers, such as login information. For instance, if a user logs into web-based email on two devices (a laptop and mobile phone, for example), the email service can determine that the two devices belong to the same user.

The second way is probabilistic identification, which uses information collected from separate devices (such as an IP address, location, and activities on those devices) to infer that the devices are used by the same person.

At the FTC workshop, panelists, FTC staff and FTC Chairwoman Edith Ramirez all expressed concern that cross-device tracking is inherently different from tracking users on a single device. In particular, they noted that, while the technology provides benefits to consumers (such as a seamless cross-device experience), it has the potential to be harmful from a privacy perspective because it crosses physical borders that consumers may intentionally establish between their devices. That is, consumers may not want anybody to know that their work devices, their personal laptops, and their tablets all reflect activities by the same person.

The FTC seemed to differentiate two aspects of information collection and use related to cross-device tracking: (1) information collected and used for the purposes of tying two or more devices to the same user and (2) information collected and used for IBA purposes, which may include information collected to tie devices together.

At its workshop, the FTC appeared to signal that it expects companies to provide a robust notice and choice regime not only with respect to the ways in which data is collected and used to facilitate cross-device tracking (i.e., to simply tie devices together), but also with respect to the use of data collected and collated across devices for IBA purposes. That is, first parties (such as website publishers and apps) should disclose that information may be collected from users for purposes of cross-device tracking, and users should be able to opt out of the collection of information from a device for purposes of linking it to other devices—and not just for purposes of IBA.

Furthermore, FTC staff also suggested that a failure to precisely describe the scope of an opt-out (such as by suggesting that opting out of cross-device tracking by a user from one device would propagate to all of the user’s devices) may be considered an unfair or deceptive practice in violation of Section 5 of the FTC Act.

The new DAA cross-device principles do not go as far as the FTC would appear to like, but they do apply the DAA notice and choice regime to cross-device tracking. (For more on this regime, see our June 19, 2015 Privacy Minute on the DAA’s mobile guidance.) As a result, the new guidance require entities that collect data for IBA purposes from one device for use on a different device to provide notice that, among other things, “data collected from a particular browser or device may be used with another computer or device that is linked to the browser or device on which such data was collected.” In other words, users need to be provided with notice if their browsing activity on one device may be used to deliver advertising to them on another device.

In addition, the principles affirm that users must be provided with choice regarding the collection and/or use of their information for IBA from a particular device or from sharing with another party. That is, instead of requiring a global opt-out, which is what the FTC seems be advocating, the DAA requires only a device specific opt-out from: (1) collecting data on the device to deliver IBA on another device and (2) delivering IBA on a device based on information collected on another linked device.

In light of the DAA’s foray into cross-device tracking, and the FTC’s heightened interest in this space, companies should tread cautiously if they track and/or target users across devices.

California State on vector technology pattern BackgroundLast week was a big one for California’s privacy regime.

In a landmark move, Governor Jerry Brown signed into law four bills further protecting Californians’ privacy rights: Three strengthen the state’s data breach notification statute and impose restrictions on operators of automated license plate recognition systems (ALPRs), and one requires law enforcement to obtain a warrant for the collection of digital records and location.

A.B. 964, S.B. 570 and S.B. 34

California passed the nation’s first data breach notification law in 2003, and it has since incrementally increased the scope of personal data subject to the law and heightened obligations in the event of a breach.

Continuing this trend, on October 6, 2015, Governor Brown signed into law three amendments.

The first, A.B. 964, adds to the law a definition for the term “encrypted.” According to Assemblyman Ed Chau, the addition is meant to encourage businesses to adopt encryption standards.

The second amendment, S.B. 570, specifies the form and content of the notices that must be sent to consumers in the event of a breach. Notices must, for example, be titled “Notice of Data Breach” and present information under prescribed headings, such as “What Happened,” “What We Are Doing,” and “What You Can Do.”

The last bill in the trifecta, S.B. 34, includes information collected from ALPRs, when used in combination with an individual’s name, within the scope of personal information that falls under the breach notification law. That bill also requires ALPR operators to have reasonable security procedures and practices, as well as a privacy policy. S.B. 34 provides for a private cause of action for individuals harmed by violations.

S.B. 178

Just two days later, on October 8, 2015, Governor Brown signed CalECPA, which bars a state law enforcement agency or other investigative entity from compelling a business to turn over any metadata or digital communications—including emails, texts, or documents stored in the cloud—without a warrant.

The law also requires a warrant to track the location of electronic devices like mobile phones, or to search them.

Though a handful of states have warrant protection for digital content or for GPS location tracking, California is the first to enact a comprehensive law protecting location data, content, metadata, and device searches.

Federal Trade Commission Doorway Sign

In December 2014, we noted that the Federal Trade Commission’s (FTC) settlement with advertising firm Deutsch LA, Inc. was a clear signal to companies that advertise through social media that they need to comply with the disclosure requirements of Section 5 of the FTC Act. On September 2, 2015, the FTC announced a settlement along the same lines with Machinima, Inc., a company promoting the Xbox One system. This new action indicates that the FTC is serious about enforcing compliance in this space, so companies need to make sure that their advertising and marketing partners understand their obligations under Section 5.

A Quick Refresher on Online Advertising Disclosure Requirements

As we explained in our previous alert, the FTC’s Endorsement Guides describe how advertisers using endorsements can avoid liability under Section 5 for unfair or deceptive acts or practices. Simply put, a customer endorsement must be from an actual, bona fide user of the product or service and, if there is any material connection between the endorser and the advertiser that consumers would not reasonably expect but that would affect the weight given to the endorsement—such as payment or an employment relationship—then that connection must be clearly and conspicuously disclosed.

According to the complaint in In re Machinima, Machinima paid video bloggers (“influencers”) to promote Microsoft’s Xbox One system by producing and uploading to YouTube videos of themselves playing Xbox One games. Machinima did not require any disclosure of the compensation the influencers received, and many videos lacked any such disclosure. The FTC alleged that the payments would not be reasonably expected by YouTube viewers, such that the failure to disclose them was deceptive in violation of Section 5. In light of the Deutsch LA case, which dealt with endorsements on Twitter that did not include proper disclosures, In re Machinima seems uncontroversial. But what makes the case interesting is how close Microsoft came to being swept up in it.

Microsoft Escapes Liability, Narrowly

The FTC also issued a closing letter reflecting that it had investigated Microsoft, and Microsoft’s advertising agency Starcom, in relation to influencers’ videos. (Starcom managed the relationship with Machinima.) Even though the FTC did not ultimately take action against Microsoft (or Starcom), the closing letter is significant because it makes clear the FTC’s position that a company whose products are promoted bears responsibility for the actions of its ad agencies—as well as the actions of those engaged by its ad agencies.

According to the closing letter, Microsoft avoided an enforcement action because it had a “robust” compliance program in place that included specific guidance relating to the FTC’s Endorsement Guides and because Microsoft made training relating to the Endorsement Guides available to employees, vendors and personnel at Starcom. Furthermore, Microsoft and Starcom adopted additional safeguards regarding sponsored endorsements and took swift action to require Machinima to insert disclosures into the offending videos.

Given the increased reliance of advertisers on social media campaigns, the Machinima case provides both a clear warning and clear guidance to companies on how to minimize the risk of a Section 5 enforcement action. Not only must notice be provided of any paid endorsements, regardless of the medium in which they appear, but advertisers should also seriously consider having in place specific policies and procedures to address the FTC’s Endorsement Guides—as well as to ensure that their ad agencies and other involved parties comply with them.

Cell_iStock_000024872497XLargeOn July 10, 2015, the Federal Communications Commission (FCC) released a 140-page Omnibus Declaratory Ruling and Order in response to more than two dozen petitions from businesses, attorneys general, and consumers seeking clarity on how the FCC interprets the Telephone Consumer Protection Act (TCPA). As noted in vigorous dissents by Commissioners Pai and O’Rielly, several of the rulings seem likely to increase TCPA litigation and raise a host of compliance issues for businesses engaged in telemarketing or other practices that involve calling or sending text messages to consumers.

Since the FCC issued the order, trade associations and companies have filed multiple petitions for review in courts of appeals challenging the order (for example, see here and here). It will thus ultimately be up to the courts of appeals to decide whether the FCC’s new interpretations of the TCPA are reasonable.

What is an “Automatic Telephone Dialing System”?

The TCPA generally prohibits certain calls to cell phones made with an Automatic Telephone Dialing System (ATDS). As defined by statute, an ATDS is “equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” In the absence of statutory or FCC guidance, some courts have construed “capacity” broadly to encompass any equipment that is capable of automatically dialing random or sequential numbers, even if it does not actually do so, or even if it must be altered to make it capable of doing so.

In light of these decisions, a number of entities asked the FCC to clarify that equipment does not qualify as an ATDS unless it has the present capacity to generate and dial random or sequential numbers.

In its ruling, the FCC found that an ATDS includes equipment with both the present and potential capacity to generate and dial random or sequential numbers, even if such potential would require modification or additional software in order to do so. An ATDS also includes equipment with the present or potential capacity to dial numbers from a database of numbers.

The FCC, however, did state that “there must be more than a theoretical potential that the equipment could be modified to satisfy the [ATDS] definition.”  Per this limitation, the FCC explicitly excluded from the definition of an ATDS a “rotary-dial phone.”

Consent of the Current Subscriber or User

The TCPA exempts from liability calls to mobile phones “made with the prior express consent of the called party.” It does not, however, define “called party” for purposes of this provision, and courts have divided over how to construe that term.

Some courts have construed the term to mean the actual subscriber to the called mobile number at the time of the call, while others have construed it to mean the intended recipient of the call. The distinction is critical because consumers often give up their mobile phone numbers and those numbers are reassigned to other people, meaning that the actual subscriber and the intended recipient may not be the same person.

Faced with lawsuits from owners of such reassigned numbers, a number of entities petitioned the FCC, asking it to clarify that calls to reassigned mobile numbers were not subject to TCPA liability where the caller was unaware of the reassignment, and to adopt the interpretation that “called party” means the intended recipient of the call.

In response to petitions seeking clarity on this issue, the FCC ruled that the “called party” for purposes of determining consent under the TCPA’s mobile phone provisions is “the subscriber, i.e., the consumer assigned the telephone number dialed and billed for the call, or the non-subscriber customary user of a telephone number included in a family or business calling plan.”

Consistent with its interpretation of “called party,” the FCC further ruled that where a wireless phone number has been reassigned, the caller must have the prior express consent of the current subscriber (or current non-subscriber customary user of the phone), not the previous subscriber. Businesses, however, may have properly obtained prior express consent from the previous wireless subscriber and will not know that the number has been reassigned. The FCC thus allows a business to make one additional call to a reassigned wireless number without incurring liability, provided the business did not know the number had been reassigned and had a reasonable basis to believe the business had the intended recipient’s consent.

Is Consent Revocable?

The TCPA is silent as to whether, or how, a called party can revoke his or her prior express consent to be called. Given that silence, one entity petitioned the FCC to request that the Commission clarify that prior consent to receive non-telemarketing calls and text messages was irrevocable or, in the alternative, set forth explicit methods of revocation. In response, the FCC ruled that consent is revocable (with regard to both telemarketing and non-telemarketing calls), and that such revocation may be made “in any manner that clearly expresses a desire not to receive further messages.” Consumers may use “any reasonable method, including orally or in writing,” to communicate that revocation and callers may not designate an exclusive means of revocation.

The “Urgent Circumstances” Exemption to Consent Requirement Notwithstanding the FCC’s rulings regarding prior express consent, the FCC took this opportunity to create several new exemptions to that requirement with regard to certain non-marketing calls made to cellular phones. The FCC exempted the following types of calls:

  • Calls concerning “transactions and events that suggest a risk of fraud or identity theft”;
  • Calls concerning “possible breaches of the security of customers’ personal information”;
  • Calls concerning “steps consumers can take to prevent or remedy harm caused by data security breaches”;
  • Calls concerning “actions needed to arrange for receipt of pending money transfers”; and
  • Calls “for which there is exigency and that have a healthcare treatment purpose, specifically: appointment and exam confirmations and reminders, wellness checkups, hospital pre-registration instructions, pre-operative instructions, lab results, post-discharge follow-up intended to prevent readmission, prescription notifications, and home healthcare instructions.”First and foremost, the consumer must not be charged for the calls.
  • Further, such calls must be limited to no more than three calls over a three-day period, must be concise (generally 1 minute or 160 characters, if sent via text message), cannot include marketing or advertising content (or financial content, in the case of healthcare calls), and must have some mechanism for customer opt-out be provided.
  • The FCC reasoned that all of the aforementioned types of calls involved urgent circumstances where quick, timely communication with a consumer was critical to prevent financial harm or provide health care treatment. Although prior express consent is not required, such calls are still subject to a number of limitations.

Other Consent Issues

In addition to the points above concerning consent, the FCC also ruled on a number of specific consent issues, described here in brief:

  • Provision of Phone Number to a Health Care Provider. Clarifying an earlier ruling, the FCC ruled that the “provision of a phone number to a healthcare provider constitutes prior express consent for healthcare calls subject to HIPAA by a HIPAA-covered entity and business associates acting on its behalf, as defined by HIPAA, if the covered entities and business associates are making calls within the scope of the consent given, and absent instructions to the contrary.”
  • Third-Party Consent on Behalf of Incapacitated Patients. The FCC ruled that consent to contact an incapacitated patient may be obtained from a third-party intermediary, although such consent terminates once the patient is capable of consenting on his or her behalf.
  • Ported Phone Numbers. In response to a request for clarification, the FCC ruled that porting a telephone number from wireline service (i.e., a land line) to wireless service does not revoke prior express consent.
  • Consent Obtained Prior to the Current Rules. In response to petitions requesting relief from or clarification of the prior-express-written-consent rule that went into effect on October 16, 2013, the FCC ruled that “telemarketers should not rely on a consumer’s written consent obtained before the current rule took effect if that consent does satisfy the current rule.”
  • Consent via Contact List. In response to a petition concerning the use of smartphone apps to initiate calls or text messages, the FCC ruled that the mere fact that a contact may appear in a user’s contact list or address book does not establish consent to receive a message from the app platform.
  • On Demand Text Offers. In response to a petition concerning so-called “on demand text offers,” the FCC ruled that such messages do not violate the TCPA as long as they (1) are requested by the consumer; (2) are a one-time message sent immediately in response to that request; and (3) contain only the requested information with no other marketing information. Under such conditions, the messages are presumed to be within the scope of the consumer’s consent.

Calls Placed by Users of Apps and Calling Platforms

The FCC also addressed a number of petitions seeking guidance as to who “makes” or “initiates” a call under the TCPA (and is thus liable for TCPA violations) in a variety of scenarios involving calls or text messages made by smartphone apps and calling platforms.

The FCC offered no clear rule, and instead held that to answer this question “we look to the totality of the facts and circumstances surrounding the placing of a particular call to determine: 1) who took the steps necessary to physically place the call; and 2) whether another person or entity was so involved in placing the call as to be deemed to have initiated it, considering the goals and purposes of the TCPA.”

The FCC noted that relevant factors could include “the extent to which a person willfully enables fraudulent spoofing of telephone numbers or assists telemarketers in blocking Caller ID” as well as “whether a person who offers a calling platform service for the use of others has knowingly allowed its client(s) to use that platform for unlawful purposes.”

Authorization of “Do Not Disturb” Technology

Finally, at the request of petitioning state attorneys general, the FCC affirmed that nothing in the Communications Act or FCC rules or orders prohibits telephone carriers or VoIP providers from implementing call-blocking technology to stop unwanted “robocalls.” The FCC explained that such carriers “may legally block calls or categories of calls at a consumer’s request if available technology identifies incoming calls as originating from a source that the technology, which the consumer has selected to provide this service, has identified.”  The FCC “strongly encourage[d]” carriers to develop such technology to assist consumers.

As more users spend more time on their mobile devices, advertising dollars are following. And the compliance regime that governs interest-based advertising (IBA) (formerly referred to as online behavioral advertising or OBA) is expanding as well. (IBA is the collection of information about users’ online activities across different websites or mobile applications, over time, for the purpose of delivering online advertising to those users based on those activities.) The regime arose from a February 2009 Federal Trade Commission (FTC) report entitled Self-Regulatory Principles for Online Behavioral Advertising, which the Digital Advertising Alliance (DAA), a consortium of media and marketing associations, translated into a self-regulatory program (DAA Principles) in an effort to avoid legislation.

The DAA Principles focus on providing consumers with notice of and control over how information collected from their use of online services is used for IBA purposes. To facilitate such notice and choice, the DAA provides an advertising option icon to be placed in or near an interest-based ad. The icon, when clicked, delivers consumers to a landing page that describes the data collection practices associated with the ad and provides an opt-out mechanism. The Council of Better Business Bureaus, which, along with the Direct Marketing Association, enforces the DAA Principles, has construed the principles to also require notice on any site where information is collected for IBA purposes. Such notice typically takes the form of an “Our Ads” or similarly named link in the site footer, separate from the privacy policy link, that clicks through to the same landing page as the advertising option icon, or to similar notice and choice. A dedicated industry website,, also provides consumers with the ability to exercise choice with regard to IBA.

The DAA has always held that the DAA Principles apply universally; in July 2013, it issued guidance regarding their application to the mobile environment (Mobile Guidance). The DAA has also acknowledged the challenge that screen-size, among other things, may pose to complying with the principles’ notice and choice requirements in the same fashion as in the desktop experience. In February 2015, however, the DAA announced two new measures to facilitate compliance with the requirements on mobile devices: (1) a new consumer choice page optimized for mobile (which is otherwise the same as, and (2) a downloadable app, “AppChoices,” that enables consumers to manage ad preferences for certain third party in-app ad delivery services. The Mobile Guidance explains how a company engaged in IBA should provide notice and choice—via the consumer web page and/or AppChoices app, as applicable—to its users. The DAA recently announced that the DAA Principles will be enforced in the mobile space, effective September 1, 2015. This enforcement will include not only the notice-and-choice regime but also other mobile-specific issues addressed by the DAA’s Mobile Guidance, such as the use of precise geolocation. As a result, companies should work diligently to figure out their compliance strategies for their mobile websites and applications.

PrintIn law school, everybody learns the adage that hard cases make bad law. When it comes to the Federal Trade Commission, a better aphorism might be, “easy cases make new law.” The FTC’s recent settlement with Nomi Technologies Inc. is, as the FTC’s press release notes, the “FTC’s first against a retail tracking company.” On its face, the case is like many FTC privacy cases: It challenges a statement in the company’s privacy policy for allegedly being inconsistent with the company’s actual practices and thus deceptive. Under the surface, however, the case may open the door for the FTC to create a notice-and-choice regime for the physical tracking of consumers, analogous to its well-established notice-and-choice regime for online tracking.

“Retail Tracking” and Nomi’s Allegedly Deceptive Practices

Retail tracking occurs when retailers, or their third-party service providers, capture and track the movements of consumers in and around stores through their mobile devices, such as through the use of Wi-Fi or beacons, in order, for example, to better understand store traffic or serve targeted offers. The FTC’s chief technologist recently published detailed comments on the “privacy trade-offs” of retail tracking and the various technologies that companies are using to engage in it. Given the potential lack of transparency around the practice and the corresponding privacy implications, it is not surprising that the FTC decided to address the practice through its Section 5 authority, even if the FTC did so in an indirect fashion.

It is also not surprising that the FTC has moved cautiously into this space. The facts of In re Nomi, as alleged in the complaint, are simple. Nomi provided mobile device tracking technology that enabled its clients, brick-and-mortar retailers, to receive analytics reports about aggregate customer traffic patterns — that is, how long consumers stay in the store and in which sections, how long they wait in line, what percentage of consumers pass by the store altogether, and so on. Nomi represented in the privacy policies posted on its website that it would “[a]lways allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.” While Nomi offered an opt-out on its website, it allegedly did not provide an opt-out mechanism at its clients’ retail locations, thus rendering its privacy policy promise deceptive, in violation of Section 5 of the FTC Act.

The FTC further alleged that Nomi represented, expressly or by implication, that consumers would be given notice when they were being tracked at a retail location. The statement of Chairwoman Edith Ramirez and Commissioners Julie Brill and Terrell McSweeny in support of the complaint and proposed order explains that “the express promise of an in-store opt out necessarily makes a second, implied promise: that retailers using Nomi’s service would notify consumers that the service was in use. This promise was also false. Nomi did not require its clients to provide such a notice. To our knowledge, no retailer provided such a notice on its own.” By allegedly failing to provide notice when a retail location was utilizing Nomi’s service to track customers, Nomi’s implied promise to provide notice was also deceptive.

The FTC Keeps Nomi Narrow, for Now. What Lessons Can Others Learn?

The proposed order provides for very narrow injunctive relief: It simply enjoins Nomi from misrepresenting how consumers can control the collection, use, disclosure or sharing of information collected from them or their devices, and from misrepresenting the extent to which consumers will receive notice about such tracking. The majority commissioners, in their statement, were at pains to disclaim any significance of the case with regard to the practice of retail tracking specifically:

While the consent order does not require that Nomi provide in-store notice when a store uses its services or offer an in-store opt out, that was not the Commission’s goal in bringing this case. This case is simply about ensuring that when companies promise consumers the ability to make choices, they follow through on those promises.

In other words, Nomi is the FTC’s first case involving brick-and-mortar tracking, but the FTC is not yet creating new law: The proposed order does not impose any affirmative notice and choice obligations on industry participants in the retail tracking space. It is not surprising that the commission declined to take such a drastic step with a practice that is still, relatively speaking, in its infancy, and that does not, on its face, involve sensitive personal information (though, while the information collected may be anonymous and analyzed only in aggregate, some retailers may, or at least could, pair tracking information through their apps with other information about identifying a specific consumer).When the FTC does impose specific obligations relating to a particular practice, it typically moves in an incremental fashion. For example, the FTC noted in its 2009 Report on Self-Regulatory Principles for Online Behavioral Advertising and again in its 2012 Privacy Report that the collection of precise geolocation requires affirmative express consent because such information is sensitive. The FTC continued to indicate, in guidance and follow-on staff reports, that a failure to provide notice and obtain affirmative opt-in consent for the collection of precise geolocation information could give rise to a cause of action for deception under Section 5 of the FTC Act.Then, when the FTC settled a case (

When the FTC does impose specific obligations relating to a particular practice, it typically moves in an incremental fashion. For example, the FTC noted in its 2009 Report on Self-Regulatory Principles for Online Behavioral Advertising and again in its 2012 Privacy Report that the collection of precise geolocation requires affirmative express consent because such information is sensitive. The FTC continued to indicate, in guidance and follow-on staff reports, that a failure to provide notice and obtain affirmative opt-in consent for the collection of precise geolocation information could give rise to a cause of action for deception under Section 5 of the FTC Act.Then, when the FTC settled a case (Goldenshores), alleging violations of Section 5 relating to an Android app’s collection, use and disclosure of precise geolocation from users’ devices, the order imposed specific parameters on the out-of-policy notice and choice that the app had to provide — effectively creating a new notice and choice regime for the collection, use and disclosure of such information that companies ignore at their peril.By contrast, the

Then, when the FTC settled a case (Goldenshores), alleging violations of Section 5 relating to an Android app’s collection, use and disclosure of precise geolocation from users’ devices, the order imposed specific parameters on the out-of-policy notice and choice that the app had to provide — effectively creating a new notice and choice regime for the collection, use and disclosure of such information that companies ignore at their peril.By contrast, the

By contrast, the narrow approach the FTC has taken with Nomi raises the question of whether the FTC would ever impose a notice and choice obligation for offline, retail tracking. We have no certainty around the FTC’s view, but it is reasonable to anticipate that the FTC will move in a direction that mirrors its position with respect to online tracking — that is, that at least when information is collected for targeted advertising purposes, a company should provide meaningful disclosures to consumers about the tracking and choice with respect to whether to allow it.[2] The FTC could ultimately deem a failure to provide such notice and/or choice an unfair and/or deceptive practice under Section 5 of the FTC Act.

What does this mean for retailers and other places of business? In light of Nomi and our expectations with respect to the direction the FTC is likely to take, companies that engage in in-store tracking should consider how best to provide their customers with notice and choice. Whatever the FTC does, it will probably move conservatively. That means that the FTC is likely to continue to identify practices as violations of Section 5 if they can be remedied without stifling retail tracking technology as it matures.

The Nomi complaint presents two interrelated themes that provide a guide to future enforcement. First, choice must be linked to notice, meaning that, as far as the FTC is concerned, consumers do not have meaningful choice unless they also have notice at the point of collection, even if notice is provided only in a privacy policy only. Nomi can thus be read to suggest that, at least in some circumstances, choice with regard to virtual tracking needs to be accompanied by notice in the brick-and-mortar world. Second, the complaint suggests, obliquely, that tracking consumers’ physical activities is “material” — i.e., that it is likely to affect the consumer’s conduct. If that is right, then this type of tracking must be disclosed to consumers because the failure to make such a disclosure would be, axiomatically, a material omission.

How should retailers proceed? One option is to track only those customers who have downloaded the retailer’s app and affirmatively agreed to be tracked for identified purposes, such as the delivery of targeted offers. Another option is to use a vendor that subscribes to the Future of Privacy Forum Mobile Location Analytics Code of Conduct, which requires participating mobile location analytics companies to, among other things, provide consumers with appropriate notice and choice. These types of compliance strategies could help protect companies from the next possible phase of FTC enforcement in this space, since they address what appear to be, for now, the most direct ways to avoid conducting retail tracking without providing notice and choice.