The past year has been a volatile one, from trade wars to the government shutdown to a stock market dive. One constant that U.S. businesses have become accustomed to, however, is deregulation across a wide variety of industries — except for technology. As innovation in that sector continues at a rapid pace, regulators will continue to address consumer protection concerns. In addition, technology companies will continue facing more aggressive enforcement as well as increasingly complex regulation at both the federal and state levels.
In this article, we look at digital advertising disclosures, data privacy and internet-driven products — three areas in which regulatory oversight of tech companies has dramatically increased — and discuss what the industry is likely to face in the coming year.
The Influencer Economy
One area in which regulators and enforcement agencies have targeted the entire digital advertising ecosystem — including advertising agencies, publishers, game companies, technology networks, traditional brands and even individual talent — is influencer advertising disclosures.
Advertisers have expanded their partnerships with influencers in recent years, and analysts estimate that spending on influencer marketing could reach $10 billion by 2022. Social media and content platforms have also invested heavily in this sector. (Facebook, for example, launched a search engine in June 2018 called Brand Collabs Manager to enable brands and content creators to search for partners with similar audiences.)
The Federal Trade Commission is the primary federal agency that regulates endorsements and testimonials. The FTC has authority under Section 5 of the Federal Trade Commission Act to prevent “unfair” or “deceptive” business practices, which includes online advertising and sponsorships. As early as 2009, the FTC issued updated guidelines for endorsements and testimonials specifically to ensure that disclosures are properly made in social and digital channels. The FTC stressed the importance of ensuring that consumers understand they are being advertised to in new online channels, as opposed to watching a celebrity on television, where a consumer readily understands they are being pitched a product.
In 2015, the FTC weighed in further on native advertising disclosures to push for disclosures that would delineate the blurred lines between editorial and advertising in digital and social channels. In the Native Advertising Guidelines, it distinguished between traditional product integration you may see in games or television and similar placements online, stressing that “deceptive door openers” such as headlines and content that appear editorial in nature are inherently deceptive and lead to consumers interacting with advertising that they otherwise may not have chosen to consume. During the same period, the FTC has also brought numerous enforcement cases against agencies such as Deutsch LA and major advertisers such as Lord & Taylor, as well as influencer networks and content and game studios, for failing to ensure sponsored posts on social media and in editorial were adequately disclosed.
In the past two years, the FTC has significantly expanded its enforcement efforts. It has continued to pursue cases against advertisers and brands, and issued further concrete guidance in its Endorsement Guides as well. For example, it reached a settlement agreement with Creaxion in fall 2018 for paying athletes to promote a client’s mosquito repellent. Creaxion reviewed and monitored promotional posts in advance, but did not require that the athletes disclose they were paid for their endorsements.
Since 2017, the FTC has also been enforcing sponsorship guidelines directly against influencers and content creators. In April 2017, the FTC sent over 90 warning letters to influencers and marketers related to disclosures of sponsored content or promotions on social media. That September, the FTC brought its first complaint directly against two influencers for falsely claiming that their reviews on social media were independent, and for failing to disclose their positions as owners and officers of the company they promoted, CSGO Lotto. The FTC has made it clear that all participants in the digital ecosystem are responsible for ensuring that advertising is clearly and conspicuously labeled.
We now see other agencies weighing in as well, most notably the U.S. Securities and Exchange Commission. In 2018, the SEC reached a settlement with professional boxer Floyd Mayweather Jr. and music producer Khaled Khaled (known as DJ Khaled). The SEC alleged that each individual promoted initial coin offerings on social media without disclosing that they received payments for their endorsements. Mayweather and Khaled paid over $300,000 and $100,000 respectively in connection with the settlement agreement.
Beyond expanded enforcement efforts by the FTC and SEC, influencers, media companies and brands also face — and will continue to face — increased pressure for self-regulation as well as scrutiny from the National Advertising Division, a division of the Better Business Bureau, on what constitutes sponsored content that requires disclosure. In one 2016 example, NAD investigated a partnership between People Magazine and the online shopping platform Joyus, and found that listing sponsored products and linking to sponsored content in People’s “Stuff We Love” section was advertising rather than editorial content. NAD recommended that the magazine implement changes to include adequate disclosures on this sponsored content. In another example, NAD recently investigated a shopping guide on skincare products that included monetized affiliate links. NAD ultimately found that the shopping guide was not advertising and was therefore outside its jurisdiction, because the editors created content independently without any input from their marketing team or the listed retailers and brands. However, NAD left open the possibility that editorial content with affiliate links could be considered advertising under other circumstances.
Overall, as the influencer economy continues to evolve, regulators will have to grapple with new issues to ensure consumers are protected adequately in the online marketplace. One such example is how regulators will treat CGI influencers such as Shudu Gram and Miquela Sousa . Also, whether such influencer marketing is deceptive on its face or whether the reasonable consumer now simply expects to be advertised to in this manner, similar to a television commercial.
Data Privacy
The next area in which technology companies have experienced greater regulation at both the federal and state levels since 2016 — and will continue to need to make a top priority — is data privacy. Monetization and leverage of large consumer data repositories has become integral to corporate growth strategies across technology and other industries. Some analysts have called big data the “new oil.”
Historically, the United States has regulated privacy by sector, with unique frameworks for different categories of sensitive data, such as health or financial information. Various state and federal agencies also have authority to pursue actions based on unfair or deceptive practices, like failing to disclose how a user’s data is shared with third parties or sharing data in violation of a stated privacy policy. In the past two years, enforcement actions under existing laws have resulted in record-breaking penalties. This is the case not only in the United States but elsewhere as well, as enforcement of the EU’s new regulations under the General Data Protection Regulation come into effect. Any company that collects or uses data from EU residents is subject to the GDPR, and U.S. companies with an EU presence now have additional risk exposure. This can even affect deals between U.S.-based companies, for example, as part of due diligence for potential acquisitions. In addition, large technology companies have come under heightened scrutiny by legislators, particularly in light of major security breaches and potential misuse of data.
Last fall, enforcement agencies reached record-breaking settlements related to data breaches. For example, Anthem agreed to pay $16 million for claims under the Health Insurance Portability and Accountability Act. The data breach underlying those claims resulted in over 78 million records compromised. In addition, a multi-state settlement agreement related to a failure to disclose a data breach required a $148 million payment. And the New York attorney general reached a $5 million settlement agreement for claims under the Children’s Online Privacy Protection Act, the largest fine to date under that statute.
Technology companies also faced several highly publicized investigations into their data privacy practices by Congress and enforcement agencies in the past year. These actions have even taken place at the municipal level. The city attorney of Los Angeles, for instance, recently sued the Weather Channel for failing to disclose that location data collected through the company’s mobile app may be used for commercial purposes like targeted marketing.
This past year, California passed a sweeping privacy law that adds significant disclosure and other compliance obligations for any company that collects consumer data. This law will come into effect in 2020 and will further increase regulatory exposure. Similar to the GDPR in Europe, California’s new law broadly defines personal data to cover almost any information related to an identifiable individual, expands notice obligations for companies that collect user data and creates new rights for users to request access or deletion of their data. In addition, companies may face greater liability in private suits based on statutory damages under the new law.
In response to the increasing complexity of the regulatory landscape, major technology companies have begun to lobby for a federal privacy law. 2019 and 2020 will be key years for the development of further U.S. privacy regulations, and in determining how much control consumers will have over the ownership and right to manage their own personal data.
To handle both consumer expectations over the management of their data and increased regulatory scrutiny, technology companies will need to continue to adapt to this new environment. In addition, ‘privacy by design’ may become less of a catch phrase and more of a term requiring deeper integration by U.S. tech-enabled businesses. And with the rise of smart cities, states and cities themselves will have to understand how they are collecting or enabling the collection of data on their residents.
Connected Devices
As data privacy issues have drawn greater attention, regulators have increased scrutiny of connected devices. The market for internet of things devices has grown rapidly in the past two years, and analysts predict that it could grow to $520 billion by 2021. IoT devices pose unique security risks. They can collect sensitive data (e.g., security cameras) or be used for purposes that could pose a safety risk in the event of a breach (e.g., an automated vehicle or a traffic light). The FTC has pursued actions against device markers as early as its 2013 settlement agreement with TRENDnet, and published guidance on best practices for IoT device makers in a 2015 report, including security-by-design and transparency about data collected.
Until recently, the FTC advocated a “wait and see” approach to the IoT ecosystem. That said, since 2017, it has reached significant settlement agreements with IoT device makers, and new legislation at the state and federal level is targeting IoT devices. Furthermore, IoT device makers have faced enforcement actions related to data collection practices, and additional inquiries from lawmakers. A major TV manufacturer paid $2.2 million as part of settlement with the FTC and the State of New Jersey in 2017 based on claims that software pre-installed on “smart” televisions collected viewing data about 11 million users without their knowledge. In 2018, electronic toymaker VTech settled FTC claims under COPPA that a mobile app connected to its toys collected personal information from children without their parents’ consent. And this past summer, several U.S. senators sent letters to device manufacturers and the FTC requesting that regulators investigate the business practices of makers of IoT devices with passive listening features.
IoT device makers must also comply with new guidance and legislation governing connected devices. For example, in September 2018, California passed the first law governing IoT devices. It requires that IoT device makers implement “reasonable security features” that are appropriate to the type of device and the nature of the data it processes. There are also sector-specific regulations and laws on the horizon for IoT device makers. For example, the Senate is considering a bill governing autonomous vehicles, the AV START Act, which will increase federal oversight of the testing and deployment of autonomous vehicles.
What to Expect this Year
U.S. businesses will continue to use data and technology as a means of creating efficiency and innovation in the marketplace. In fact, many of the largest technology companies are accelerating this process, expanding into new cities and hiring at a rapid pace. In certain areas of the tech sector — including digital advertising, connected devices and digital health — innovation is still in its early stages, but we will continue to see growing adoption of their products and services by both companies and consumers.
Although regulators are in catch-up mode, they are looking with an eye to the future, for example, by considering the imposition of trade restrictions on certain technologies, including artificial intelligence. The federal government will certainly continue to focus on the tech industry — both from a consumer protection perspective as well a fair trade perspective in regard to competition from China and others — but tech companies should also expect much more by way of state and local regulations in 2019, with California at the forefront.