Sears Seeks to Modify FTC Order on Online Tracking

In 2009, Sears Holding Management settled with the Federal Trade Commission (FTC) over allegations that the company’s online tracking activity exceeded what they told consumers. Now, Sears has submitted a petition requesting that the FTC reopen and modify its settlement order, arguing that changing technology since 2009 has made the order’s definition of “tracking applications” too broad and has put them at a competitive disadvantage.

The 2009 FTC complaint charged that Sears “failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software application, telling consumers that the software would track their “online browsing,” without telling them that it also collected information from third-party websites consumers visited such as their shopping cart information, online bank statements, and drug prescription records. Sears was required to stop collecting data from participating consumers and to destroy what they’d collected.

Sears now argues that the definition of “tracking application” in the FTC’s order now applies to most software on nearly all platforms, making them “out of step with current market practices without a corresponding benefit in combatting threats to consumer privacy.” The definition of tracking applications is so broad, Sears claims, that it “encompasses all of Sears’ current mobile apps, forcing Sears to handle disclosures differently than other companies with mobile apps and disadvantaging Sears in the marketplace.” Sears claims that modification of the order would allow the retailer to align with current tracking practices used by their competitors.

 This post was written by Sheila A. Millar ,Tracy P. Marshall Nathan A. Cardon of Keller and Heckman LLP.,© 2017
For more legal analysis, go to The National Law Review 

FTC’s Settlement in Vizio May Provide Hint at Direction of Internet of Things Regulation

Internet of ThingsThe Federal Trade Commission’s (FTC’s) Settlement in FTC v. Vizio, Inc.may signal the direction that agency is heading on Internet of Things (IoT) enforcement. With veteran FTC enforcer Jessica Rich leaving and new appointee Maureen Ohlhausen taking over, Ohlhausen’s separate concurring statement in that matter is insightful.

The settlement took a broad view on the types of data that require protection. While the “Covered Information” included information like personal identifiers, IP address, and geolocation, it also included “Viewing Data,” which is essentially data about the content viewed on a television. Ohlhausen criticized this expansion and the FTC’s foray into this public policy basis for alleging an unfair practice. She notes, “But here, for the first time, the FTC has alleged in a complaint that individualized television viewing activity falls within the definition of sensitive information.” Hinting that this broad view of personal data may not continue, Ohlhausen writes, “There may be good policy reasons to consider such information sensitive…. But, under our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.” She then promises that “[i]n the coming weeks I will launch an effort to examine this important issue further.”


DOJ, FTC Announce New Antitrust Guidance for Recruiting and Hiring; Criminal Enforcement Possible

handcuffs, criminal enforcementMany companies—and the HR professionals and other executives who worked for them—have found out the hard way that business-to-business agreements on compensation and recruiting can violate the antitrust laws and bring huge corporate and personal penalties.

Last week, the Federal Trade Commission (FTC) and the Department of Justice Antitrust Division (DOJ) jointly issued antitrust guidance for anyone who deals with recruiting and compensation. The guidance is written for HR professionals, not antitrust experts. It avoids jargon and applies antitrust basics in plain English. It expands on those basics by providing short and direct answers to real-life questions.

The guidance comes in the wake of several actions in recent years by the federal antitrust agencies against so-called “no-poaching” or “wage-fixing” agreements entered by companies competing for the same talent. It announces that DOJ will prosecute criminally some antitrust violations in this space. While the new guidance is explicitly aimed at HR professionals, senior executives should understand it as well.

The guidance starts with the basics: The antitrust laws establish the rules for a competitive marketplace, including how competitors interact with each other. From an antitrust perspective, firms that compete to recruit or retain employees are competitors, even if they do not compete when selling products or services. Therefore, agreements among employers not to recruit certain employees (no-poaching) or not to compete on various terms of compensation (wage-fixing) can violate the antitrust laws.

To be illegal, these agreements need not be explicit or formal. Evidence of exchanges of information on compensation, recruiting, or similar topics followed by parallel behavior can lead to an inference of agreement. Intent to lower a company’s labor costs is no defense. Also, there is no “non-profit” defense: while they might not compete to sell services, non-profits are considered competitors for the staff they hire.

The potential costs of antitrust violations are huge: fines by the agencies; treble damages for injured actual or potential employees; and intrusive regulation of basic company operations from consent decrees and judgments. In addition, the DOJ used this guidance to announce that it will now prosecute criminally any naked wage-fixing or no-poaching agreements. According to DOJ, these naked agreements—“separate from or not reasonably necessary to a larger legitimate collaboration between the employers”—harm competition in the same irredeemable way as hardcore price-fixing cartels. So now, any executives involved in such agreements—whether HR professionals or not—face personal consequences, including threats of potential jail time.

Even unsuccessful attempts to reach an anticompetitive agreement on these topics can be illegal in the eyes of the regulators. As the guidance makes clear, so-called “invitations to collude” have been and will continue to be pursued by the FTC as actions that might violate the Federal Trade Commission Act.

Some of these information exchanges and agreements do not automatically violate the antitrust laws and there is nothing in this new guidance that suggests otherwise. If the agreements are reasonably necessary to an actual or potential joint venture or merger, legitimate benchmarking activity, or other collaboration that might help consumers, their net effect on competition would need to be judged. In prior actions, the agencies also have recognized as legitimate certain no-poaching clauses in agreements with consultants and recruiting agencies. Even such common uses as employment or severance agreements might not run afoul of the antitrust law’s prohibitions.

The guidance does not—and really cannot—go into all the detail necessary to determine when any particular effort will pass antitrust muster. It does refer readers to the earlier Health Care Guidelines but those helpful tips relate only to information exchanges. The guidance also provides links to the many prior civil actions taken by the agencies on these types of matters. It is accompanied by a two-sided index card entitled Antitrust Red Flags for Employment Practices that could be part of an effective compliance program.

© 2016 Schiff Hardin LLP

Made in the USA (For the Most Part)

made in the USANewspaper headlines report a new economic trend—manufacturing is returning to the United States. The country’s industrial production grew by 0.7 percent in July, its biggest jump since November 2014. This number represents everything made by factories, mines, and utilities. Before companies start slapping “Made in the USA” labels on their wares, they need to make sure they are familiar with the legal requirements to do so.

The Federal Trade Commission (the FTC) monitors the marketplace and aims to keep businesses from misleading consumers. Within the FTC’s jurisdiction is regulating “Made in the USA” claims.

If a product is labeled as “Made in the USA,” without any qualification, it must be “all or virtually all” made in the United States. “[A]ll significant parts and processing that go into the product must be of U.S. origin. That is, the product should contain no – or negligible – foreign content.” The FTC contemplates the site of final assembly or processing, the proportion of manufacturing costs paid to the U.S., and how detached the foreign material is from the finished product. For many businesses, this standard can be hard, if not impossible, to meet.

Since January 2015, the FTC has issued 46 letters to companies asserting misleading U.S. origin claims on a wide range of products, such as cookware, snow blowers, auto parts and pet products.

For example, the FTC recently determined that Shinola—a Detroit-based manufacturer of high-end watches, bicycles, and leather goods—did not meet it. Shinola advertises its products with the slogans “Built in the USA” and “Built in Detroit.” But in June of this year, the FTC called this labeling misleading because “100 percent of the cost of materials used to make certain watches . . . [and] more than 70 percent of the cost of the materials used to make certain belts” goes to imported materials. For example, Shinola’s watches incorporate Swiss-made timekeeping components.

Shinola’s founder had a good reason for why his company incorporated foreign parts:  many of the components are unavailable in the U.S. The components are imported to Detroit where Shinola’s 400 employees assemble watches in the company’s factory. The FTC, however, applied its “net impression” analysis and determined that Shinola’s slogans contradict reality. Shinola’s advertisements will now read “Built in Detroit using Swiss and Imported Parts.”

In light of the FTC’s stance on U.S. origin claims, companies should follow FTC decisions and exercise caution when saying “Made in the USA.” There is no bright line rule for whether a product is “all or virtually all” made in the USA. Companies should consider how their products fit within the FTC’s framework and only then decide whether their merchandise has, according to the FTC, been “Made in the USA.”

© 2016 Schiff Hardin LLP

Federal Trade Commission Continues to Scrutinize Social Media Influencer Programs

Social Media Influencer ProgramsThis week, as part of its ongoing focus on influencer programs, the Federal Trade Commission (FTC) settled charges against Warner Brothers Home Entertainment, Inc. regarding its use of such a campaign to market the video game Middle Earth: Shadow of Mordor. This investigation of Warner Bros. was brought under the FTC Act, which prohibits deceptive marketing, and requires that endorsers “clearly and conspicuously” disclose any “material connection” to the brand they are endorsing.

In late 2014, Warner Bros. and its advertising agency, Plaid Social Labs, LLC, hired “influencers” (i.e., individuals with large social media followings) to create videos and post them on YouTube, and promote the videos on Twitter and Facebook.  One of the influencers hired for the program, PewDiePie, is the most-subscribed individual creator on YouTube, with more than 46 million followers. Warner Bros. paid each of the influencers from a few hundred to tens of thousands of dollars for the videos, in addition to providing free copies of the game. Under these contracts, Warner Bros. had the ability to review and approve the videos.

The FTC alleges that Warner Bros. failed to require sponsorship disclosures clearly and conspicuously in the video itself, where viewers were likely to notice them. Instead, Warner Bros. instructed influencers to place the disclosures in the description box below the video. Warner Bros. also required the influencers to include other information about the game in the description box, so most of the disclosures appeared “below the fold,” visible only if consumers clicked on the “Show More” button. Additionally, when influencers embedded the YouTube videos on Facebook or Twitter, the description field (and thus, the disclosure) was completely invisible.  Some of the disclosures also only mentioned that the game was provided free, and did not disclose the payment.

This continues the FTC’s focus on influencer programs with insufficient disclosures. In March, the FTC settled charges against national retailer Lord & Taylor related to its use of an Instagram influencer program with insufficient disclosures, where the influencers were paid and provided with a free dress. The influencers were required to make a post with the hashtag #DesignLab, and tagging @LordandTaylor, but were not instructed to disclose the payment or the free goods. At the same time, Lord & Taylor placed a paid article in Nylon, an online magazine, and purchased a paid placement on the Nylon Instagram account. Neither the post nor the article indicated they were paid advertising.

Likewise, in September 2015, the FTC settled charges against Machinima, an online entertainment network. Microsoft, through its advertising agency, hired Machinima to promote its Xbox One gaming console and video games. The  FTC alleged Machinima gave pre-release versions of the console and games to influencers, as well as payments of tens of thousands of dollars in some cases, in exchange for their uploading and posting endorsement videos.  Machinima did not require that the influencers disclose the sponsorship.

In each of these cases, the FTC entered consent agreements that require the brands to closely monitor and review its influencer content for appropriate disclosures, and terminate influencers who fail to accurately and conspicuously disclose their paid endorsements. The brands must keep records of their compliance and the FTC may review them at any time—with penalties of $16,000 per violation.

As marketing teams continue to try to reach consumers in new and creative ways, the FTC continues to signal its intention to closely scrutinize each development. As these methods evolve, brands should be conscious of their obligations to ensure appropriate disclosures in every format and to monitor for compliance.

© 2016 Neal, Gerber & Eisenberg LLP.

Serious Games Require Serious Attention to Marketing Statements

BrainLumos Labs recently paid $2 million to the Federal Trade Commission to settle claims that it deceived consumers about its brain training application’s ability to increase cognitive function. According to the FTC,  the company alleged that its app, called Lumosity, provided many beneficial effects including the ability to improve users’ school and work performance, delay the onset of age-related cognitive disorders and help restore brain function lost as a result of brain trauma and other health conditions.

According to the FTC, the company did not have sufficient scientific data to back up the claims made in its ads. The FTC also claimed that the company did not disclose that it solicited consumer testimonials about the effectiveness of the product via a contest that offered users the chance to win iPads and other prizes.

In a prepared statement, the company stood by the scientific basis for its brain-training methods and asserted that the settlement was a result of its marketing language that has since been discontinued.

The use of games for “good” causes, such as education, health and training is known as “serious games.” The potential for these types of games to help people in a variety of ways is immense. The number of these games is growing rapidly.

Makers of these games must be mindful not to overreach in the claims of what these games can do. The FTC has been active in policing unsupported claims by app makers.

Additionally, the FTC has been enforcing its endorsement guidelines which require disclosure when a company provides some compensation or financial incentive for endorsements or testimonials. Here, the fact that users had a chance to win valuable prizes in exchange for providing testimonials apparently was not disclosed.

Serious games and other apps have tremendous opportunity to provide beneficial results. However, it is important for makers of these games and apps to understand and comply with the various legal issues that are relevant to these offerings. It is advisable to seek legal review of all serious games and apps and their marketing plan before they are released to identify potential legal issues.

Government Forces Awaken: Rise of Cyber Regulators in 2016

As the sun sets on 2015, but before it rises again in the New Year, we predict that, in the realm of cyber and data security, 2016 will become known as the “Rise of the Regulators.” Regulators across numerous industries and virtually all levels of government will be brandishing their cyber enforcement and regulatory badges and announcing: “We’re from the Government and we’re here to help.”

The Federal Trade Commission will continue to lead the charge in 2016 as it has for the last several years. Pursuing its mission to protect consumers from unfair trade practices, including from unauthorized disclosures of personal information, and with more than 55 administrative consent decrees and other actions booked so far, the FTC (for now) remains the most experienced cop on the beat.   As we described earlier this year, the FTC arrives with bolstered judicial-enforcement authority following the Third Circuit’s decision in the Wyndham Hotel case.  Notwithstanding the relatively long list of administrative actions and its published guidance – businesses that are hacked and that lose consumer data, are at risk of attracting the attention of FTC cops and of proving that their cyber-related systems, acts and practices were “reasonable.”

But the FTC is not alone. In electronic communications, the Federal Communications Commission (FCC) in 2015 meted out $30 million in fines to telecom and cable providers, including to AT&T ($25 million) and Cox Communications ($595K). And this agency, increasingly known for its enforcement activism, may have just begun.  Reading its regulatory authority broadly, the FCC has asserted a mandate to take “such actions as are necessary to prevent unauthorized access” to customers’ personally identifiable information. This proclamation, combined with the enlistment of the FCC’s new cyber lawyer/computer scientist wunderkind to lead that agency’s cyber efforts, places another burly cop on the cyber beat.

The Securities and Exchange Commission (SEC) will be patrolling the securities and financial services industries. Through its Office of Compliance Inspections and Examinations (OCIE), the SEC is assessing cyber preparedness in the securities industry, including investment firms’ ability to protect broker-dealer and investment adviser customer information. It has commenced at least one enforcement action based on the agency’s “Safeguards Rule” (Rule 30(a) of Regulation S‑P), which applies the privacy provisions in Title V of the Gramm-Leach-Bliley Act (GLBA) to all registered broker-dealers, investment advisers, and investment companies. With criminals hacking into networks and stealing customer and other information from financial services and other companies, expect more SEC investigations and enforcement actions in 2016.

Moving to the Department of Defense (DoD), new rules, DFARS clauses, and regulations (e.g., DFARS subpart 204.73, 252.204–7012, and  32 CFR § 236) are likely to prompt the DoD Inspector General and, perhaps, the Defense Contracting Auditing Agency (DCAA) to examine whether certain defense contractors have the required security controls in place.  Neither the DoD nor its auditors have taken action to date.  But don’t mistake a lack of overt action for a lack interest (or planning).  It would come as no surprise if, by this time next year, the DoD has launched its first cyber-regulation mission, be it by the False Claims Act, suspension and debarment proceedings, or through terminations for default.

In addition to these cyber guardians, other federal agencies suiting up for cyber enforcement include:

  • The Consumer Financial Protection Board’s (CFPB) growing Cybersecurity Program Management Office;

  • The Department of Energy’s (DOE) Office of Electricity Delivery and Energy Reliability, examining the security surrounding critical infrastructure systems;

  • The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services, addressing healthcare providers and health insurers’ compliance with health information privacy and security safeguard requirements; and

  • The Food and Drug Administration, examining the cybersecurity for networked medical devices containing off-the-shelf (OTS) software.

But these are just some of the federal agencies poised for action.   State regulators are imposing their own sector-specific cyber security regimes as well.   For example, the State of California’s Cybersecurity Task Force, New York’s Department of Financial Services, and Connecticut’s Public Utility Regulatory Agency are turning their attention toward cyber regulation. We believe that other states will join the fray in 2016.

At this relatively early stage of standards and practices development, the National Institute of Standards and Technology (NIST) 2014 Cyber Security Framework lays much of the foundation for current and future systems, conduct, and practices. The NIST framework is a “must read.” NIST, moreover, has provided additional guidance earlier this year in its June 2015 NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.  While addressing security standards for nonfederal information systems (i.e., government contractors’ information systems), it also provides important guidance for companies who do not operate within the government contracts sphere.  Ultimately, this 2015 NIST publication may serve as an additional general standard against which regulators (and others) may assess institutional cybersecurity environments in 2016 – and beyond.

But for now, the bottom line is that in 2016 companies now must add to its list of actual or potential cyber risks and liability, the hydra-headed specter of multi-sector, multi-tiered government regulation – and regulators.