Advertising Law - May 2015 #2

Manatt, Phelps & Phillips, LLP
Contact

In This Issue:

  • Data Breach Notification, Cyber Sharing Bills Move Forward
  • FTC Tracks Down Tech Company With Settlement Over Retail Tracking
  • First Comes the FDA Letter, Then Comes the Federal Class Action Complaint
  • Web Site a Place of Public Accommodation for ADA Purposes, Court Rules
  • Most Read Stories

Data Breach Notification, Cyber Sharing Bills Move Forward

As multiple privacy and data security bills wend their way through the legislative process, three proposals have made significant steps forward.

In a 307 to 116 vote, the House of Representatives passed the Protecting Cyber Networks Act, a bipartisan bill that provides liability protections to companies that share cyber threat information. The next day, House lawmakers passed a similar measure, the National Cybersecurity Protection Advancement Act, and moved both to the Senate. And the controversial Data Security and Breach Notification Act was approved by a House committee, pushing the legislation to the House floor for consideration.

The House Energy and Commerce Committee voted 29 to 20 to approve the data breach notification law, H.R. 1770, which has received mixed reviews. The Act would require businesses to notify consumers affected by a data breach within 30 days if the company determines that “a reasonable risk” of “identity theft, economic loss or economic harm” exists.

Although the bill would create a uniform national standard for data breach notification—a long sought-after request from the business community—it has been criticized by consumer advocates for preempting more stringent state data notification laws. Jessica Rich, director of the Federal Trade Commission’s Bureau of Consumer Protection, testified that the legislation does “not provide the strong protections that are needed to combat data breaches, identity theft, and other substantial consumer harms.”

Multiple changes adding consumer privacy protections were proposed during the Committee’s markup session prior to its vote, including an amendment allowing state attorneys general and consumers to bring suit against businesses and a suggestion to broaden the definition of personally identifiable information to cover geolocation information and health information. Both were rejected, as was a third proposal that would have expanded the notification requirements by removing the economic harm trigger.

The Committee did make one change by lowering the cap on financial penalties per consumer for failed notification from $11,000 to $1,000. The bill will now move to the House floor for consideration.

Also moving through the House are two separate pieces of legislation promoting the sharing of cyber threat information.

House lawmakers overwhelmingly approved H.R. 1560, the Protecting Cyber Networks Act. Companies that voluntarily share cyber threat information would be protected from private and regulatory actions under the proposal, as long as any personal data is removed before data is passed along to the government. The National Cyber Threat Intelligence Integration Center would be tasked with collecting and disseminating the cyber threat information.

Some lawmakers expressed reservations as to whether the measure contains strong enough privacy protections. Rep. Jared Polis (D-Colo.) said the bill “does more harm than good” by “raising enormous concerns about the inappropriate sharing of personal information and surveillance on Americans’ private lives.” Despite such comments, the House voted 307 to 116 to pass the bill to the Senate.

The next day, legislators approved H.R. 1731, the National Cybersecurity Protection Advancement Act, a similar proposal that would encourage cyber threat information sharing while providing a safe harbor to companies. The major difference between the two bills: H.R. 1731 vests authority with the National Cybersecurity and Communications Integration Center of the U.S. Department of Homeland Security.

Passed by a vote of 355 to 63, the NCPAA features a prohibition on federal use of shared information to engage in surveillance and would mandate that DHS establish privacy and civil liberty policies and procedures with regard to the “receipt, retention, use, and disclosure” of information shared.

Both cyber threat sharing proposals received amendments to sunset after seven years.

To read H.R. 1770, click here.

To read H.R. 1560, click here.

To read H.R. 1731, click here.

Why it matters: The question remains whether any of the data security or privacy measures will actually become law. The Senate must now reconcile the two House cyber threat sharing bills with each other as well as a Senate version, while the data breach notification proposal faces growing criticism over a lack of consumer protection.

FTC Tracks Down Tech Company With Settlement Over Retail Tracking

A company making use of tracking technology reached a settlement agreement with the Federal Trade Commission after the agency charged that Nomi Technologies falsely informed consumers that they could opt out of being tracked.

According to the complaint—which the agency said was its first filed against a retail tracking company—Nomi placed sensors in the stores of its clients. Using WiFi connections, Nomi then collected the 12-digit MAC addresses of consumers’ mobile devices in order to track their activities.

Nomi’s 2012 privacy policy stated that the company “pledged to … always allow consumers to opt out of Nomi’s service on its website, as well as at any retailer using Nomi’s technology.” Although consumers had the option to opt out at Nomi’s Web site, no such option could be found at stores, the FTC said, and consumers were not informed when the tracking was actually taking place.

These deceptions enabled Nomi to collect information on roughly 9 million mobile devices and provide data reports to retailers such as how long consumers stayed in a store, how many consumers passed by the store instead of entering, and how many repeat customers entered a store in a given period, the agency said. In addition, although Nomi “hashes” the MAC addresses before storing them, the FTC noted that the hashing process resulted in an identifier that is unique to the consumer’s mobile device and can be tracked over time.

Pursuant to the agreement, Nomi is prohibited from misrepresenting the options provided to consumers for controlling “whether information is collected, used, disclosed or shared about them or their computers or other devices,” and misrepresenting the notification provided to consumers about its information practices.

The Commission split 3 to 2 in issuing the complaint and accepting the proposed consent order, with dissents from Commissioners Maureen K. Ohlhausen and Joshua D. Wright. In her dissenting statement, Commissioner Ohlhausen emphasized that Nomi was a start-up operation with limited funds as well as “a third party contractor collecting no personally identifiable information,” with no obligation to offer consumers an opt-out.

She also agreed with Commissioner Wright that Nomi’s privacy policy was “partly accurate,” as the company did allow opt-outs on its Web site, and that no evidence existed of consumer harm. “A representation simply cannot be deceptive under the long-standing FTC Policy Statement on Deception in the absence of materiality,” Commissioner Wright wrote in his dissent.

To read the complaint, the consent order, and the statements of the Commissioners in In the Matter of Nomi Technologies, click here.

Why it matters: “It’s vital that companies keep their privacy promises to consumers when working with emerging technologies, just as it is in any other context,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a press release about the case. “If you tell a consumer that they will have choices about their privacy, you should make sure all of those choices are actually available to them.” The Commission emphasized that the case stands for the proposition that the Federal Trade Commission Act still applies even to the latest mobile technologies.

First Comes the FDA Letter, Then Comes the Federal Class Action Complaint

That was fast. Less than a week after the Food and Drug Administration sent a letter to Kind LLC, cautioning the company that some of the brand’s snack bars featured an illegal “healthy” labeling claim regarding the saturated fat content, a California consumer has already filed suit.

Relying heavily on the FDA’s letter, Brandon Kaufer filed a putative class action composed of all United States purchasers of four flavors of Kind’s snack bars: Fruit & Nut Almond & Apricot, Kind Plus Dark Chocolate Cherry Cashew + Antioxidants, Fruit & Nut Almond & Coconut, and Kind Plus Peanut Butter Dark Chocolate + Protein.

Kind “specifically targets” health conscious consumers, the complaint alleged, with statements like: “There’s healthy. There’s tasty. Then there’s healthy and tasty. At Kind, we believe you deserve both.” The referenced snack bars all ran afoul of Section 403 of the Food, Drug, and Cosmetic Act by labeling the products as “healthy,” “+” or “plus,” “good source of fiber,” and “no trans fats,” despite failing to meet the statutory requirements, Kaufer claimed.

For example, in order to label a product “healthy” in compliance with the FDCA, a food must be low in saturated fat, defined as containing 1 gram or less of saturated fatty acids and not more than 15 percent of calories from saturated fatty acids. Kind’s snacks failed to meet the standard, the FDA and Kaufer said. The Almond & Apricot bar contains 3.5 grams of saturated fat per 40 grams of food while the Almond & Coconut bar has 5 grams of saturated fat per 40 grams of the food.

The FDA found similar problems with other claims like “+” or “plus,” a term that can only be used if foods surpass certain set dietary requirements, and “no trans fats,” a label claim that requires a manufacturer to include the amount of polyunsaturated and monounsaturated fatty acids on the food label. None of Kind’s bars met these requirements, both the FDA letter and the complaint stated.

In addition to violations of the FDCA, Kaufer alleged Kind failed to follow California’s Sherman Food, Drug, and Cosmetic Law, as well as state false advertising and unfair business practices law. The suit requests damages, restitution, and injunctive relief to halt the allegedly false and deceptive labeling claims.

To read the complaint in Kaufer v. Kind LLC, click here.

To read the FDA’s letter to Kind, click here.

Why it matters: The lawsuit provides an important reminder that once a regulator’s action becomes public, companies can expect to see a class action (or multiple complaints) follow. While the letter from the FDA was sent to Kind on March 17, it was not released until the week of April 13. Kaufer’s suit was filed on April 17.

Web Site a Place of Public Accommodation for ADA Purposes, Court Rules

Despite lacking any brick and mortar location, a federal court judge in Vermont concluded that Scribd’s Web site constituted a “place[] of public accommodation,” requiring compliance with the Americans with Disabilities Act.

A group of blind consumers charged that Scribd’s membership program—where users pay a monthly fee to read e-books from the site’s library—illegally excludes blind individuals because the Web site and mobile app are not compatible with screen reader software.

Scribd moved to dismiss, arguing that the site is not covered by the ADA because it is not a physical location.

Rejecting this position, U.S. District Court Judge William K. Sessions III emphasized the intent behind the statute. “Now that the Internet plays such a critical role in the personal and professional lives of Americans, excluding disabled persons from access to covered entities that use it as their principal means of reaching the public would defeat the purpose of this important civil rights legislation,” he wrote.

The ADA contains 12 categories of “public accommodation.” Although Scribd argued that the meaning of “place[] of public accommodation” was clear and unambiguous, the court said the fact that reasonable jurists have reached different conclusions about how far the protections of Title III extend “reveals some measure of ambiguity in the text of the statute.”

Some courts—the Third, Sixth, and Ninth Circuit Courts of Appeals—have adopted a narrow interpretation of the ADA, requiring a sufficient connection between the discrimination alleged by plaintiffs and a physical place. The Eleventh Circuit has taken a “somewhat more expansive vein,” while on the broad end of statutory interpretation, the First and Seventh Circuits have read Title III to apply even in the absence of some connection to a physical place, Judge Sessions said.

“While no circuit court has directly addressed whether a website with no physical retail outlet or building open to the public can be a place of public accommodation under Title III, clearly there is more than one reasonable interpretation of the language at issue here,” the court said.

Given these differences of opinion, Judge Sessions found the statute to be ambiguous and considered sources outside of the text, including legislative history, the position of the Department of Justice, and common sense.

“[P]erhaps most importantly, reading the statute as Scribd argues the court should read it would lead to absurd results,” the court wrote. “Requiring a physical structure or some connection to a physical threshold would result in arbitrary treatment. For example, it would make little sense if a customer who bought insurance from someone selling policies door to door was not covered but someone buying the same policy in the parent company’s office was covered. It is highly unlikely Congress intended such inconsistent results.”

Taking a liberal approach while reading the statute, Judge Sessions found that the “plaintiffs have persuasively argued that Scribd’s services fall within at least one of the following categories: ‘place of exhibition or entertainment,’ a ‘sales or rental establishment,’ a ‘service establishment,’ a ‘library,’ a ‘gallery,’ or a ‘place of public display or collection.’”

The court denied Scribd’s motion to dismiss, concluding that the plaintiffs had sufficiently alleged that the site owns, leases, or operates a place of public accommodation.

To read the opinion in National Federation of the Blind v. Scribd Inc., click here.

Why it matters: The decision intensifies the split among courts that have considered the application of the ADA to online entities. While the majority position requires that a Web site have a sufficient connection to a brick and mortar location for ADA liability to attach, other courts, including Judge Sessions and a federal court judge in Massachusetts in a Netflix case, have found the ADA applies to a strictly Internet business. As noted in the Scribd decision, the Department of Justice has taken the position that e-tailers fall under the purview of the ADA, physical location or not, and is currently promulgating regulations to that effect.

Most Read Stories

In case you missed any, here are our top 10 most widely read stories in March:

1. “Paying for Consumer Reviews Gets Company FTC Action

2. “California Court Doesn’t Like The Taste Of “100% Juice” Lawsuit

3. “NAD: A Product Can’t be The “#1 Prescribed Brand” Without Other Prescribed Brands

4. “NAD: Sprint Should Discontinue “All New” And “Brand New” Network Claims

5. “New DAA App Brings Choice to Mobile

6. “Melanoma Detection Apps Settle With FTC

7. “Yelp Sues Over Fake Review Services

8. “LinkedIn to Pay $1.25M in Data Breach Suit

9. “Response To FCC’s New Net Neutrality Regs Anything But Neutral

10. “It’s Back: Congress Considers Data Broker Legislation Again

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Manatt, Phelps & Phillips, LLP

Written by:

Manatt, Phelps & Phillips, LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Manatt, Phelps & Phillips, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide