NLRB General Counsel Takes Issue with “Stay-or-Pay” Employment Provisions

On October 7, 2024, the General Counsel (GC) for the National Labor Relations Board (NLRB) issued a 17-page memorandum urging the NLRB to find so-called “stay-or-pay” provisions unlawful and to impose harsh monetary penalties on employers that use such provisions.

On October 15, 2024, the U.S. Department of Labor (DOL) similarly announced that it will combat stay-or-pay clauses, among other provisions in employment agreements that the DOL describes as “coercive.”

What is a “stay-or-pay” provision?

A stay-or-pay provision is a requirement that an employee pay their employer for certain expenditures made for the employee’s benefit if the employee separates from employment within a specified period of time. Examples include training repayment agreement provisions (sometimes referred to as “TRAPs”), and provisions requiring employees to repay signing bonuses, moving expenses, or tuition reimbursement.

Why does the NLRB GC take issue with such provisions?

The GC’s latest memorandum is essentially an addendum to her prior memorandum criticizing non-compete covenants. In her view, stay-or-pay provisions violate the National Labor Relations Act (NLRA) because, as she interprets them, they are akin to non-compete covenants that unlawfully restrict employees from changing jobs.

We don’t have union employees. Does the NLRA even apply to our business?

Yes. Under Section 7 of the NLRA, employees in both unionized and nonunionized workforces have the right to join together in an effort to improve the terms and conditions of their employment. Specifically, Section 7 grants employees “the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, or to refrain from any and all such activities.” Although certain types of workers, such as managers, supervisors, and independent contractors, are not entitled to such rights, Section 7 of the NLRA otherwise applies to all workers – whether unionized or not.

Do I really need to be concerned about the NLRB GC’s memorandum, and is it legally binding on my business?

The memorandum does not carry the force of a statute or regulation or case law. And it’s not even the stance of the NLRB. It’s essentially the NLRB GC’s guidance for the stance she is encouraging the NLRB to take with respect to these types of provisions.

That said, the memorandum is getting a lot of publicity in the press and online, which means employees who have heard about it may become skeptical about the enforceability and/or legality of their stay-or-pay provisions. This, in turn, may embolden employees to make a move, as they may be less fearful of their repayment obligations.

Will the NLRB GC’s memorandum apply prospectively, or will it also apply retroactively?

If the NLRB adopts the GC’s view, then yes, the memorandum would apply both to agreements entered into in the future, as well as to agreements already signed by employees and former employees. However, it affords employers a 60-day period from the date of the memorandum to “cure” any pre-existing stay-or-pay provisions before facing potential prosecution.

What are the potential consequences for my business if the NLRB adopts the GC’s view?

The GC expects employers to make employees whole, which may mean rescinding or rewriting the agreement or reimbursing former employees for sums repaid pursuant to their agreements. She goes further and suggests that an employer must compensate an employee if the employee can demonstrate that “(1) there was a vacancy available for a job with a better compensation package; (2) they were qualified for the job; and (3) they were discouraged from applying for or accepting the job because of the stay-or-pay provision.”

Is there any way the stay-or-pay provisions used by my business aren’t objectionable?

According to the GC, a stay-or-pay provision is reasonable if (a) it is entered into voluntarily in exchange for a benefit to the employee (as opposed to, for example, being a condition of employment), (b) the repayment amount is reasonable and specific, (c) the “stay” period is reasonable, and (d) it does not require repayment if the employee is terminated without cause.

We do use stay-or-pay provisions in our business. What should we do now?

Your course of action depends on your appetite for risk. At a minimum, we encourage you to consult with your company’s legal counsel to discuss the full import of the memorandum, risks, and options for your business, as there are a lot more details and nuances in those 17 pages than we can summarize here.

Going forward, some employers might consider alternatives to stay-or-pay provisions, such as stay bonuses (e.g., instead of paying a signing bonus and requiring recoupment if an employee leaves within two years following their date of hire, condition payment of the bonus on the employee staying for a period of two years). Of course, the hitch with this approach is that it may impact the enforceability of non-compete or non-solicitation covenants in states that require up-front consideration to impose such covenants for at-will employees.

Notably, the GC’s 60-day moratorium takes us to December 6, which is a full month following Election Day. By now, employers are familiar with the makeup of the NLRB changing depending on the party occupying the White House, and if there is a shift in political power come November, that may result in a newly constituted NLRB with new policy preferences. With that in mind, some employers may opt to use a wait-and-see approach before making any changes – whether to existing agreements or retention strategies going forward.


FTC Social Media Staff Report Suggests Enforcement Direction and Expectations

The FTC’s staff report summarizes how it views the operations of social media and video streaming companies. Of particular interest is the insight it gives into potential enforcement focus in the coming months, and into 2025. Of particular concern for the FTC in the report, issued last month, were the following:

  1. The high volume of information collected from users, including in ways they may not expect;
  2. Companies relying on advertising revenue that was based on use of that information;
  3. Use of AI over which the FTC felt users did not have control; and
  4. A gap in protection of teens (who are not subject to COPPA).

As part of its report, the FTC recommended changes in how social media companies collect and use personal information. Those recommendations stretched over five pages of the report and fell into four categories. Namely:

  1. Minimizing what information is collected to that which is needed to provide the company’s services. This recommendation also folded in concepts of data deletion and limits on information sharing.
  2. Putting guardrails around targeted digital advertising. Especially, the FTC indicated, if the targeting is based on use of sensitive personal information.
  3. Providing users with information about how automated decisions are being made. This would include not just transparency, the FTC indicated, but also having “more stringent testing and monitoring standards.”
  4. Using COPPA as a baseline in interactions with not only children under 13, but also as a model for interacting with teens.

The FTC also signaled in the report its support of federal privacy legislation that would (a) limit “surveillance” of users and (b) give consumers the type of rights that we are seeing passed at a state level.

Putting it into Practice: While this report was directed at social media companies, the FTC recommendations can be helpful for all entities. They signal the types of safeguards and restrictions that the agency is beginning to expect when companies are using large amounts of personal data, especially that of children and/or within automated decision-making tools like AI.


Are We There Yet? DoD Issues Final Rule Establishing CMMC Program

The US Department of Defense (DoD) published a final rule codifying the Cybersecurity Maturity Model Certification (CMMC) Program. The final CMMC rule will apply to all DoD contractors and subcontractors that will process, store, or transmit Federal Contract Information (FCI)[1] or Controlled Unclassified Information (CUI)[2] on contractor information systems. The final CMMC rule builds on the proposed CMMC rule that DoD published in December 2023, which we discussed in depth here.

The final CMMC rule incorporates DoD’s responses to 361 public comments submitted during the comment period and spans more than 140 pages in the Federal Register. Many responses address issues raised in our prior reporting, and DoD generally appears to have been responsive to several concerns raised by the industry. In the coming weeks, we expect to update our separate summaries of CMMC Level 1, Level 2, and Level 3 to reflect the final rule. This OTS summarizes the key changes to the CMMC Program in the final rule.

In Depth

THE CMMC PROGRAM

The final CMMC rule adopts in large part the new Part 170 to Title 32 of the Code of Federal Regulations proposed in 2023. The final rule formally establishes the CMMC Program and defines the security controls applicable to each of the three CMMC levels; establishes processes and procedures for assessing and certifying compliance with CMMC requirements; and defines roles and responsibilities for the Federal Government, contractors, and various third parties for the assessment and certification process. 32 C.F.R. § 170.14 codifies the three CMMC levels outlined in CMMC 2.0, which are summarized as follows in an updated CMMC Model Overview included in Appendix A to the final CMMC rule:

CMMC Model 2.0

Level | Model | Assessment
Level 3 | 134 requirements based on NIST SP 800-171 and 800-172 | Triennial government-led assessment and annual affirmation
Level 2 | 110 requirements aligned with NIST SP 800-171 | Triennial third-party assessment and annual affirmation; triennial self-assessment and annual affirmation for select programs
Level 1 | 15 requirements | Annual self-assessment and annual affirmation

See Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.11 – DRAFT at 3-4 (Sept. 2024).

CMMC Level 1 is required for contracts and subcontracts that involve the handling of FCI but not CUI. The security requirements for CMMC Level 1 are those set forth in FAR 52.204-21(b)(1)(i)-(xv), which currently governs contracts involving FCI. Contractors must conduct and report a CMMC Level 1 Self-Assessment in DoD’s Supplier Performance Risk System (SPRS) prior to award of a CMMC Level 1 contract or subcontract. Thereafter, contractors must make an annual affirmation of continued compliance. The final CMMC rule requires compliance with all CMMC Level 1 requirements at the time of the assessment and does not allow contractors to include a Plan of Action and Milestones (POA&M) to comply with unmet requirements in the future.

CMMC Level 2 is required for contracts and subcontracts that involve the handling of CUI. The security requirements for CMMC Level 2 are identical to the requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2, and the final CMMC rule adopts the scoring methodology for compliance with those requirements that is currently employed by DFARS 252.204-7020. The final CMMC rule establishes a minimum required score of 88 out of 110 for Conditional Level 2 status with a POA&M. The final CMMC rule allows for certain CMMC Level 2 requirements that are not met at the time of assessment to be addressed through POA&Ms if the contractor meets the minimum required score. A contractor with Conditional status is subject to close out of all POA&Ms, which must be reported in SPRS within 180 days of Conditional status. Conditional status must be achieved prior to the award of any contract subject to CMMC Level 2. If the contractor does not close out all POA&Ms within 180 days of Conditional status, the contractor becomes ineligible for additional awards of CMMC Level 2 contracts.

The final CMMC rule retains the proposed rule’s distinction between CMMC Level 2 Self-Assessments and CMMC Level 2 Certification Assessments. CMMC Level 2 Certification Assessments are issued by CMMC Third-Party Assessment Organizations (C3PAOs) and fulfill one of the primary goals of the CMMC Program: independent verification of contractor compliance with CMMC security requirements. Whether a CMMC Level 2 Self-Assessment or Certification Assessment will apply to a particular contract will be determined by DoD based on the sensitivity of the CUI involved with that contract. When the final CMMC rule is fully implemented, DoD expects that the vast majority of CMMC Level 2 contractors will eventually undergo a Certification Assessment. Under the phased implementation of the CMMC Program discussed below, however, CMMC Level 2 Certification Assessment requirements will not regularly appear in solicitations or contracts until one year after the start of implementation. Contractors that achieved a perfect score with no open POA&Ms on a Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High Assessment under DFARS 252.204-7020 prior to the effective date of the final CMMC rule will be eligible for a CMMC Level 2 Certification for three years from the date of the High Assessment.

CMMC Level 3 applies to contracts that involve the handling of CUI, but for which DoD has determined that additional safeguarding requirements are necessary. The additional CMMC Level 3 requirements consist of 24 requirements from NIST SP 800-172 listed in Table 1 to Section 170.14(c)(4) of the final CMMC rule. These additional CMMC Level 3 requirements include various “Organization-Defined Parameters” that can be used to tailor these requirements to a particular situation. The applicability of CMMC Level 3 requirements will be determined by DoD on a contract-by-contract basis based on the sensitivity of the CUI involved in the performance of that contract.

CMMC Level 3 assessments are performed exclusively by DCMA DIBCAC. The proposed CMMC rule establishes a scoring methodology for assessing compliance with CMMC Level 3 security requirements and allows for Conditional Level 3 status with POA&Ms for unmet requirements, subject to certain limitations and a general requirement that POA&Ms must be closed within 180 days. To achieve CMMC Level 3, contractors will need to have a perfect CMMC Level 2 score (110) and achieve a score of 20 out of 24 for the additional CMMC Level 3 controls, with each control worth one point.

PHASED IMPLEMENTATION

The proposed rule contemplated a four-phase implementation over a three-year period, starting with the incorporation of self-assessment levels in Phase 1 through the full incorporation of CMMC requirements in all contracts in Phase 4. The final CMMC rule keeps the phases substantially the same, except it extends the time between Phase 1 and Phase 2 by six months, providing a full year between self-assessment and certification requirements:

  • Phase 1 – 0-12 Months: Phase 1 will begin when the proposed DFARS rule implementing CMMC is finalized. Our summary of the proposed DFARS rule can be found here. DoD has stated that it expects the final DFARS rule in “early to mid-2025.” During Phase 1, DoD will include Level 1 Self-Assessment or CMMC Level 2 Self-Assessment requirements as a condition of contract award and may include such requirements as a condition to exercising an option on an existing contract. During Phase 1, DoD may also include CMMC Level 2 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 2 – 12-24 Months: Phase 2 begins one year after the start date of Phase 1 and will last for one year. During Phase 2, DoD will include CMMC Level 2 Certification Assessment requirements as a condition of contract award for applicable contracts involving CUI and may include such requirements as a condition to exercising an option on an existing contract. During Phase 2, DoD may also include CMMC Level 3 Certification Assessment requirements as it deems necessary for applicable solicitations and contracts.
  • Phase 3 – 24-36 Months: Phase 3 begins one year after the start date of Phase 2 and will also last for one year. During Phase 3, DoD intends to include CMMC Level 2 Certification Assessment requirements, not only as a condition of contract award but also as a condition to exercising an option on an existing contract. DoD will also include CMMC Level 3 Certification Assessment requirements for all applicable DoD solicitations and contracts as a condition of contract award, but DoD may delay inclusion of these requirements as a condition to exercising an option as it deems appropriate.
  • Phase 4 – 36+ Months: Phase 4 begins one year after the start date of Phase 3 and involves the inclusion of all CMMC Program requirements in all DoD solicitations and contracts, including option periods.

APPLICABILITY TO PERFORMANCE OF DOD CONTRACTS

The DoD has clarified that CMMC only applies to “contract and subcontract awardees that process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems.” 32 C.F.R. § 170.3(a)(1). Given that CMMC will be implemented through a DFARS clause that is included in DoD contracts and subcontracts, the addition of the language “in performance of the DoD contract” does not appear remarkable at first glance. However, it may prove an important qualification for companies that receive FCI and CUI in different circumstances. A company that receives CUI from the Government in the performance of one contract may also receive CUI from another entity independent of any contract or subcontract. For example, several categories of CUI reflect information that is contractor proprietary and, as such, can ordinarily be disclosed by the contractor that owns that information as that contractor deems appropriate. This can occur when teammates for a new opportunity share audit and business systems information for purposes of submitting a proposal, which information may be marked CUI by DoD to protect the proprietary information of the contractor being audited or whose business system was reviewed. The final CMMC rule’s clarification that it only applies to FCI and CUI handled in performance of the DoD contract may help clarify that the CMMC program does not restrict a contractor’s ability to process, store, or transmit its own information.

CMMC STATUS BEGINS ON THE EARLIER OF CONDITIONAL STATUS OR FINAL STATUS

DoD has clarified that although contractors have 180 days to finalize their CMMC certification if they do not originally achieve a passing score, the additional time to finalize does not extend the period for CMMC renewals. Thus, if a contractor’s CMMC certification status was conditionally granted on January 1, 2025, and its final status occurs 180 days later, the contractor’s renewal date will still be three years from the conditional date (January 1, 2028), not the later anniversary of the final status date.

TEMPORARY AND ENDURING EXCEPTIONS

DoD will now allow contractors to obtain permanent and temporary variances that have the status of a “MET” requirement when assessed as part of CMMC. These variances are separate from unmet controls that must be addressed within the contractor’s POA&M and completed within 180 days. The final CMMC rule introduces “enduring exceptions” and “temporary deficiencies,” which are defined as follows: An enduring exception is “a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible.” The final CMMC rule definition includes examples such as “systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT.” Enduring exceptions must be documented within a system security plan.

A temporary deficiency is “a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process.” Temporary deficiencies would arise after the implementation of a particular security requirement, not during its implementation. The example provided is “FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version.” A temporary deficiency must be documented in an “operational plan of action.”

An operational plan of action is a contractor’s formal documentation of temporary vulnerabilities and temporary deficiencies in the contractor’s implementation of the CMMC security requirements. The operational plan of action documents how these temporary vulnerabilities and deficiencies are to be “mitigated, corrected, or eliminated.”

The proposed DFARS rule requires 72-hour notification for “any lapses in information security or changes in the status of CMMC certification or CMMC self-assessment levels during the performance of the contract.” (Proposed DFARS 204.7503(b)(4)). As we pointed out in our summary of the proposed DFARS rule, it does not define “lapses in information security,” but that term appears substantially broader than the term “cyber incident,” which contractors must also report within 72 hours. Because the CMMC rule in Title 32 of the C.F.R. establishes the cybersecurity controls that form the foundation of the CMMC Program, we expected that the final CMMC rule might provide the clarity missing from the proposed DFARS rule; however, the final CMMC rule does not discuss lapses, and it is unclear whether a temporary deficiency is the same as a lapse. The scope of a contractor’s notification obligations under the CMMC Program and the contractor’s DoD contracts and subcontracts therefore remains unclear, particularly whether a contractor must notify the Government every time a measure for complying with a particular CMMC control does not function as planned.

DEFINITION OF SECURITY PROTECTION DATA

In the interim rule, DoD introduced Security Protection Data (SPD) as an undefined term. The final CMMC rule defines SPD as follows:

Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect [a contractor’s] assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (Emphasis added).

In our earlier analysis, we discussed the concern that the ambiguous nature of SPD would make it difficult for contractors to determine which external service providers (ESPs) were in-scope for CMMC. The definition of SPD in the final CMMC rule retains this ambiguity, thus missing an opportunity for further clarity in the use of ESPs.

DIBCAC ASSESSMENTS

For Level 2 and Level 3 CMMC assessments, DoD now reserves the right to conduct a DCMA DIBCAC assessment of any contractor, in addition to other investigative evaluations of an organization seeking assessment (OSA). The results of an investigative DCMA DIBCAC assessment will supersede any preexisting CMMC status, and DoD will update SPRS to show that the OSA is out of compliance. This replaces previous language in the proposed CMMC rule that allowed DoD to merely revoke CMMC status after its investigation. Notably, the final CMMC rule removes the ability to revoke CMMC Level 1 status and does not substitute a DCMA DIBCAC assessment in its place. These changes bring the CMMC program into alignment with the DoD Self-Assessment methodology required in DFARS 252.204-7019/7020.

CSPS AND ESPS

Of significant interest to service providers will be the changes to the requirements for cloud service providers (CSPs) and other ESPs. The final CMMC rule is less prescriptive than the proposed rule with respect to how these service providers fit into the scope of a contractor’s CMMC certification.

First, as before, the final CMMC rule allows the use of CSPs to process, store, or transmit CUI where the CSP is Federal Risk and Authorization Management Program (FedRAMP) Authorized at FedRAMP Moderate baseline or higher, or where the CSP meets FedRAMP Equivalency. The final CMMC rule, however, states that FedRAMP Moderate and FedRAMP Moderate Equivalent determinations will be “in accordance with DoD Policy,” thereby incorporating the DoD Chief Information Officer policy memo on FedRAMP Moderate equivalency issued after the proposed rule. This reference may also allow DoD to change this policy in the future without further notice-and-comment rulemaking.

Second, for ESPs that process, store, or transmit CUI or SPD, CMMC certification is no longer required in advance of the contractor’s certification. Instead, ESPs will be assessed as in-scope for the contractor itself against all of the relevant requirements. This change may relieve pressure not only on ESPs but also on contractors and CMMC C3PAOs if non-contractor ESPs do not need to be at the front of the line for certifications. Although many ESPs with significant Federal contracting customer bases will likely choose to obtain CMMC certification directly, smaller ESPs may choose to support Federal contractor customers in the customer’s own certifications on a case-by-case basis.

Notably, this is a model that many service providers may be familiar with from a different context and standard. In practice, it seems similar to the method for service providers to comply with the Payment Card Industry Data Security Standard (PCI DSS). Under PCI DSS, a service provider may obtain its own Attestation of Compliance (AOC) or may participate in the compliance efforts of each merchant it supports. Also, like the PCI DSS model, there now is a requirement to document the roles and responsibilities between ESPs and the contractors. 32 C.F.R. § 170.19(c)(2)(ii) (“documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM)”).

APPLICABILITY TO SUBCONTRACTORS

The final CMMC rule updates the applicability of the CMMC requirements to subcontractors by incorporating requirements not only for CMMC compliance but also explicitly to flow down CMMC requirements for both CMMC level and assessment type through the supply chain. There is again a helpful clarification that such flow-downs are only required for the performance of a “DoD contract” rather than the prior language that did not specify what types of contracts required flowing down. Id. § 170.23(a).

MISREPRESENTATION AND FALSE CLAIMS ACT RISK

Although the CMMC Level 1 and Level 2 security requirements are the same requirements in FAR 52.204-21 and NIST SP 800-171 that contractors have been required to follow for years, the final CMMC rule will require all contractors that handle FCI and CUI on their systems – even contractors subject to CMMC Level 1 – to make periodic affirmative representations regarding their cybersecurity programs and controls, in addition to the initial assessments and certifications reported in SPRS. Contractors must vet these representations carefully as any potential inaccuracy or ambiguity could generate litigation risk under a variety of criminal and civil laws, including the False Claims Act (FCA).

Since the inception of the CMMC Program, the US Department of Justice (DOJ) has increasingly made cybersecurity an enforcement priority. In 2021, DOJ launched its Civil Cyber-Fraud Initiative, which seeks to leverage DOJ’s expertise in civil fraud enforcement to combat cyber threats to the security of sensitive information and critical systems. Deputy Attorney General Lisa Monaco stated at the time: “We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” As CMMC is implemented, it will provide the “required cybersecurity standards” that DOJ will seek to enforce and a record of statements of compliance that DOJ will use to leverage the FCA in enforcement.

THE ELEPHANT (STILL) IN THE ROOM

The final CMMC rule, like the proposed rule, does nothing to address the fundamental uncertainty regarding what constitutes CUI and the widespread overmarking of CUI. We continue to see emails from Government officials with CUI markings embedded in signature blocks that automatically attach to every email that official sends out – even when the email is sent to private entities and individuals who do not hold a contract subject to CMMC. Multiple commentators expressed concerns regarding the mismarking and overmarking of CUI, but DoD generally responded by pointing to its existing guidance on CUI marking, without addressing whether that guidance is sufficient or is actually being followed.

CONCLUSION

The final CMMC rule makes several significant changes to the proposed rule, but it largely keeps the structure, content, and format of the proposed rule in place. We will continue to analyze the final CMMC rule, including updating our in-depth analyses of each CMMC certification level, in the weeks to come.

But are we there yet? No, and if you don’t stop asking, DoD will turn this car around! DoD must still finalize the companion DFARS rule before the CMMC can be fully implemented by DoD for new contracts. Once that final DFARS rule is released, we expect a gradual, phased approach that will take three to four years before CMMC is a reality for all Federal prime contractors and subcontractors that store, process, or transmit FCI or CUI in performance of DoD contracts.

FTC Finalizes “Click-to-Cancel” Rule

The Federal Trade Commission (FTC) has finalized amendments to the Negative Option Rule, now retitled the “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (“Rule”), which represents a significant overhaul of the regulatory framework governing how companies handle subscription services and automatic renewals.

Over the years, the FTC has received numerous complaints about deceptive practices related to negative option programs, prompting the need for updated regulations. The original rule, established in 1973, was focused primarily on protecting consumers from deceptive practices in physical goods such as book and record clubs. However, with the rise of e-commerce, the need for more robust protections for online subscriptions has grown significantly. The FTC’s amendments aim to address these issues and bring more transparency and fairness to this business model.

“Negative option marketing” is a broad term that encompasses a variety of subscription and membership practices. The Rule expands coverage to apply broadly to all forms of negative option marketing in any form of media, including, but not limited to, electronic media, telephone, print, and in-person transactions. It defines the negative option feature as “a contract provision under which the consumer’s silence or failure to take affirmative action to reject a good or service or to cancel the agreement is interpreted by the negative option seller as acceptance or continuing acceptance of the offer.” Negative option programs generally fall into four categories: prenotification plans, continuity plans, automatic renewals, and free trial (i.e., free-to-pay or nominal-fee-to-pay) conversion offers.

Most provisions of the Rule will go into effect 60 days after its publication in the Federal Register, except the provisions regarding disclosure of important information (§ 425.4), consent (§ 425.5) and simple cancellation (§ 425.6), which will become effective 180 days after publication in the Federal Register, thus providing businesses with a period to adapt their subscription practices to these new requirements.

Key Updates

  • Clear and Conspicuous Disclosures: The FTC now requires businesses to present subscription terms in a clear and conspicuous manner before any billing occurs. Sellers must provide the following “important information” prior to obtaining the consumer’s billing information: (1) that consumers’ payments will increase or recur, if applicable, unless the consumer takes steps to prevent or stop such charges; (2) the deadline by which consumers must act to stop charges; (3) the amount or ranges of costs consumers may incur, and frequency of the charges; (4) information about the mechanism consumers may use to cancel the recurring payments. Each of the required disclosures must be clear and conspicuous, and failure to provide this information is a deceptive or unfair practice.
  • Consent: The Rule requires negative option sellers to obtain consumers’ express informed consent before charging the consumer. The failure to obtain such consent is a deceptive or unfair practice. Sellers must keep or maintain verification of the consumer’s consent for at least three years.
  • Click-to-Cancel Requirement: One of the most notable changes in the Rule is the introduction of the “click-to-cancel” provision. This new requirement mandates that companies provide a straightforward and user-friendly method for consumers to cancel their subscriptions. At a minimum, the simple mechanism for cancellation must be provided through the same medium the consumer used to consent to the Negative Option Feature. For example, for services that are subscribed to online, the cancellation process must also be available online and must be as easy as signing up for the service in the first place. This is especially significant because many businesses have been criticized for making cancellation intentionally difficult, such as by requiring consumers to call a customer service line or navigate multiple steps just to cancel their service.
  • Removal of Annual Reminder Requirement: During the rulemaking process, the FTC had initially proposed requiring businesses to send consumers an annual reminder of their ongoing subscription services and provide information on how to cancel. However, this provision was ultimately removed from the final Rule. While consumer advocates had supported the inclusion of annual reminders, which would have provided an extra layer of protection for consumers, businesses argued that this requirement would be overly burdensome, especially for companies with large subscriber bases. Nonetheless, the Rule still mandates that sellers provide consumers with clear and timely notifications regarding recurring charges.
  • Removal of Prohibition on Upsell Offers: Another key provision of the proposed version of the Rule was the regulation of upsell offers during the cancellation process, which would have required sellers to immediately effectuate cancellation unless they obtained the consumer’s unambiguously affirmative consent to receive a save offer prior to cancellation. Companies often attempt to retain customers by offering lower-priced alternatives or special deals when a consumer tries to cancel a subscription. While these offers are not inherently problematic, the FTC has expressed concern that some businesses use upsell tactics to confuse consumers or prevent them from successfully canceling their service. However, the finalized version did not adopt this amendment. The FTC has determined that revisions to this proposed provision are necessary, for which it would need to seek additional comment. This means that while businesses are free to present alternatives to consumers, they also must provide a clear and direct path to cancellation without requiring consumers to navigate multiple steps or reject numerous offers.
  • Enforcement and Penalties: To ensure compliance with the new Rule, the FTC has increased the potential penalties for violations. Businesses that fail to adhere to the new requirements can face significant fines. The FTC has the authority to pursue penalties of up to $51,744 per violation, which could quickly add up for companies with large subscriber bases. This enforcement mechanism underscores the seriousness of the FTC’s efforts to crack down on deceptive subscription practices and provides a strong incentive for businesses to comply with the Rule.
  • Relation to Other Laws: The Rule does not preempt state laws that require more protection for consumers. Rather, it reflects the FTC’s intention to align with other laws and regulations, such as the Restore Online Shoppers’ Confidence Act (ROSCA), The Telemarketing Sales Rule, and state-level automatic renewal laws.

Industry Impact

The new regulatory landscape for Negative Option Programs will have several notable impacts on industries that rely heavily on subscription-based revenue models, such as e-commerce, streaming platforms, Software as a Service providers, health and fitness subscriptions, and other online services. Companies will need to reassess their subscription practices, ensure that their cancellation processes are in line with the new requirements, and update their disclosures to meet the transparency standards set by the FTC. Businesses will also need to invest in employee training and possibly make changes to their subscription systems and software. This could lead to increased compliance and operational costs as companies come into compliance with these new requirements, on top of the potential for lost revenue from reduced automatic renewal income.

How to Develop an Effective Cybersecurity Incident Response Plan for Businesses

Data breaches have become more frequent and costly than ever. In 2021, the average data breach cost companies more than $4 million. Threat actors are increasingly likely to be sophisticated. The emergence of ransomware-as-a-service (RaaS) has allowed even unsophisticated, inexperienced parties to execute harmful, disruptive, costly attacks. In this atmosphere, what can businesses do to best prepare for a cybersecurity incident?

One fundamental aspect of preparation is to develop a cyber incident response plan (IRP). The National Institute of Standards and Technology (NIST) identified five basic cybersecurity functions to manage cybersecurity risk:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

In the NIST framework, anticipatory response planning is considered part of the “respond” function, indicating how integral proper planning is to an effective response. Indeed, NIST notes that “investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.”

But what makes an effective IRP? And what else goes into quality response planning?

A proper IRP requires several considerations. The primary elements include:

  • Assigning accountability: identify an incident response team
  • Securing assistance: identify key external vendors including forensic, legal and insurance
  • Introducing predictability: standardize crucial response, remediation and recovery steps
  • Creating readiness: identify legal obligations and information to facilitate the company’s fulfillment of those obligations
  • Mandating experience: develop periodic training, testing and review requirements

After developing an IRP, a business must ensure it remains current and effective through regular reviews at least annually or anytime the business undergoes a material change that could alter either the IRP’s operation or the cohesion of the incident response team leading those operations.

An effective IRP is one of several integrated tools that can strengthen your business’s data security prior to an attack, facilitate an effective response to any attack, speed your company’s recovery from an attack and help shield it from legal exposure in the event of follow-on litigation.

The Murky Waters of Wash Trading Digital Assets – DOJ Charges 18 Individuals and Entities

The United States Attorney’s Office for the District of Massachusetts recently unsealed what it described as the “first-ever criminal charges against financial services firms for market manipulation and ‘wash trading’ in the cryptocurrency industry.” The SEC also filed parallel civil charges alleging securities law violations arising from the same alleged schemes.

The government has charged eighteen individuals and companies, including four cryptocurrency market makers, with engaging in illegal market manipulation through “wash trading” digital assets. According to the DOJ and SEC filings, although these individuals purported to offer “market making services,” they were actually engaged in offering “market-manipulations-as-a-service” by engaging in artificial trading of digital assets to give the false appearance that there was an active (and heavily traded) market for those tokens.

How this case came to the DOJ’s attention is as novel as the legal theory behind the charging documents. According to DOJ spokespeople, the investigation started with a tip from the SEC about one of the companies at issue. Further investigations into that company—along with the help of cooperating witnesses—led authorities to set up a sham crypto firm, NextFundAI, and create a token associated with the firm. Posing as NextFundAI, the government communicated with the defendants—market makers who allegedly offered to trade and manipulate the price of NextFundAI’s token by wash trading, or trading the token back-and-forth between crypto wallets they controlled.

While there may be rules against wash trading in traditional securities markets (see, e.g., 26 U.S. Code § 1091), the rules are not as clear in the digital asset space. Indeed, the regulatory vacuum facing the digital asset industry makes it difficult for those in the industry to avoid eventual regulatory action, and what many have referred to as “regulation by enforcement.” This is particularly true where the technological realities of digital assets do not fit squarely within the existing legal framework. There may be disagreement about the purpose or intent behind a cryptocurrency transaction where one individual is transferring cryptocurrency between wallets that person or entity controls. But there may not be a misrepresentation or fraudulent act inherent in this type of transaction. Indeed, the transaction itself (including the wallet addresses of the sender and recipient) is likely immediately and accurately recorded on the public blockchain. So, according to the government, the “fraud” is the intent behind the trades – to manipulate the market by artificially generating trade volume to signal interest and activity in the token.

The government’s allegations are also interesting because in addition to the wire fraud charges (18 U.S.C. § 1343), which generally do not require proof that the digital asset at issue is a security, the government has charged the defendants with conspiracy to commit market manipulation (18 U.S.C. § 371), which requires the government to prove that the token at issue is a security. This charge is significant because it will require the DOJ to prove at trial that the tokens at issue are securities.

Although several individuals involved have already pleaded guilty, there are several defendants who appear to be testing the government’s novel theory in court. We anticipate that this will be the first of many similar investigations and enforcement actions in the digital asset space.

The Evolution of AI in Healthcare: Current Trends and Legal Considerations

Artificial intelligence (AI) is transforming the healthcare landscape, offering innovative solutions to age-old challenges. From diagnostics to enhanced patient care, AI’s influence is pervasive, and seems destined to reshape how healthcare is delivered and managed. However, the rapid integration of AI technologies brings with it a complex web of legal and regulatory considerations that physicians must navigate.

It appears inevitable AI will ultimately render current modalities, perhaps even today’s “gold standard” clinical strategies, obsolete. Currently accepted treatment methodologies will change, hopefully for the benefit of patients. In lockstep, insurance companies and payors are poised to utilize AI to advance their interests. Indeed, the “cat-and-mouse” battle between physician and overseer will not only remain but will intensify as these technologies intrude further into physician-patient encounters.

  1. Current Trends in AI Applications in Healthcare

As AI continues to evolve, the healthcare sector is witnessing a surge in private equity investments and start-ups entering the AI space. These ventures are driving innovation across a wide range of applications, from tools that listen in on patient encounters to ensure optimal outcomes and suggest clinical plans, to sophisticated systems that gather and analyze massive datasets contained in electronic medical records. By identifying trends and detecting imperceptible signs of disease through the analysis of audio and visual depictions of patients, these AI-driven solutions are poised to revolutionize clinical care. The involvement of private equity and start-ups is accelerating the development and deployment of these technologies, pushing the boundaries of what AI can achieve in healthcare while also raising new questions about the integration of these powerful tools into existing medical practices.

Diagnostics and Predictive Analytics:

AI-powered diagnostic tools are becoming sophisticated, capable of analyzing medical images, genetic data, and electronic health records (EHRs) to identify patterns that may elude human practitioners. Machine learning algorithms, for instance, can detect early signs of cancer, heart disease, and neurological disorders with remarkable accuracy. Predictive analytics, another AI-driven trend, is helping clinicians forecast patient outcomes, enabling more personalized treatment plans.
Telemedicine and Remote Patient Monitoring:

The COVID-19 pandemic accelerated the adoption of telemedicine, and AI is playing a crucial role in enhancing these services. AI-driven chatbots and virtual assistants are set to engage with patients by answering queries and triaging symptoms. Additionally, AI is used in remote and real-time patient monitoring systems to track vital signs and alert healthcare providers to potential health issues before they escalate.
Drug Discovery and Development:

AI is revolutionizing drug discovery by speeding up the identification of potential drug candidates and predicting their success in clinical trials. Pharmaceutical companies are pouring billions of dollars into developing AI-driven tools to model complex biological processes and simulate the effects of drugs on those processes, significantly reducing the time and cost associated with bringing new medications to market.

Administrative Automation:

Beyond direct patient care, AI is streamlining administrative tasks in healthcare settings. From automating billing processes to managing EHRs and scheduling appointments, AI is reducing the burden on healthcare staff, allowing them to focus more on patient care. This trend also helps healthcare organizations reduce operational costs and improve efficiency.

AI in Mental Health:

AI applications in mental health are gaining traction, with tools like sentiment analysis, an application of natural language processing, being used to assess a patient’s mental state. These tools can analyze text or speech to detect signs of depression, anxiety, or other mental health conditions, facilitating earlier interventions.

  2. Legal and Regulatory Considerations

As AI technologies become more deeply embedded in healthcare, they intersect with legal and regulatory frameworks designed to protect patient safety, privacy, and rights.

Data Privacy and Security:

AI systems rely heavily on vast amounts of data, often sourced from patient records. The use of this data must comply with privacy regulations established by the Health Insurance Portability and Accountability Act (HIPAA), which mandates stringent safeguards to protect patient information. Physicians and AI developers must ensure that AI systems are designed with robust security measures to prevent data breaches, unauthorized access, and other cyber threats.

Liability and Accountability:

The use of AI in clinical decision-making raises questions about liability. If an AI system provides incorrect information or misdiagnoses a condition, determining who is responsible—the physician, the AI developer, or the institution—can be complex. As AI systems become more autonomous, the traditional notions of liability may need to evolve, potentially leading to new legal precedents and liability insurance models.

These notions raise the questions:

  • Will physicians trust the “judgment” of an AI platform making a diagnosis or interpreting a test result?
  • Will the utilization of AI platforms cause physicians to become too heavily reliant on these technologies, forgoing their own professional human judgment?

Surely, plaintiff malpractice attorneys will find a way to fault the physician whatever they decide.

Insurance Companies and Payors:

Another emerging concern is the likelihood that insurance companies and payors, including Medicare/Medicaid, will develop and mandate the use of their proprietary AI systems to oversee patient care, ensuring it aligns with their rules on proper and efficient care. These AI systems, designed primarily to optimize cost-effectiveness from the insurer’s perspective, could potentially undermine the physician’s autonomy and the quality of patient care. By prioritizing compliance with insurer guidelines over individualized patient needs, these AI tools could lead to suboptimal outcomes for patients. Moreover, insurance companies may make the use of their AI systems a prerequisite for physicians to maintain or obtain enrollment on their provider panels, further limiting physicians’ ability to exercise independent clinical judgment and potentially restricting patient access to care that is truly personalized and appropriate.

Licensure and Misconduct Concerns in New York State:

Physicians utilizing AI in their practice must be particularly mindful of licensure and misconduct issues, especially under the jurisdiction of the Office of Professional Medical Conduct (OPMC) in New York. The OPMC is responsible for monitoring and disciplining physicians, ensuring that they adhere to medical standards. As AI becomes more integrated into clinical practice, physicians could face OPMC scrutiny if AI-related errors lead to patient harm, or if there is a perceived over-reliance on AI at the expense of sound clinical judgment. The potential for AI to contribute to diagnostic or treatment decisions underscores the need for physicians to maintain ultimate responsibility and ensure that AI is used to support, rather than replace, their professional expertise.

Conclusion

AI has the potential to revolutionize healthcare, but its integration must be approached with careful consideration of legal and ethical implications. By navigating these challenges thoughtfully, the healthcare industry can ensure that AI contributes to better patient outcomes, improved efficiency, and equitable access to care. The future of AI in healthcare looks promising, with ongoing advancements in technology and regulatory frameworks adapting to these changes. Healthcare professionals, policymakers, and AI developers must continue to engage in dialogue to shape this future responsibly.

APPARENTLY NOT AN INDEPENDENT CONTRACTOR: Summary Judgment Denied Because Third Party Vendor May Have Had Apparent Authority To Make Calls Without Consent

Hi TCPAWorld! The Baroness here and I have a good case today.

Dickson v. Direct Energy, LP, et al., No. 5:18-CV-00182-JRA, 2024 WL 4416856 (N.D. Ohio Oct. 4, 2024).

Let’s dive in.

Background

In this case, the plaintiff Dickson alleges the defendant Direct Energy sent him ringless voicemails (RVMs) in 2017 without consent.

Direct Energy filed a motion for summary judgment arguing that it cannot be held liable under the TCPA because it did not directly make the calls to Dickson (a third-party vendor did) and it cannot be held vicariously liable for the calls under agency principles.

More specifically, Direct Energy argues that Total Marketing Concepts (TMC) was an independent agent and was not acting with actual or apparent authority when it violated the TCPA and Direct Energy did not ratify the illegal acts of TMC.

Law

For those of you not familiar, a motion for summary judgment is granted when there is no genuine dispute as to any material facts and the movant is entitled to judgment as a matter of law.

Under the TCPA, a seller can be held either directly or vicariously liable for violations of the TCPA.

As noted above, Direct Energy did not directly deliver any RVMs to Dickson. So it cannot be directly liable for the calls. Dickson instead seeks to hold Direct Energy vicariously liable for the acts of TMC and TMC’s subvendors.

Let’s first look at the principal/agent relationship.

Direct Energy primarily argued that TMC was NOT its agent because of the terms of their agreement. Specifically, Direct Energy identified TMC as an “independent contractor.” Moreover, TMC was “expressly instructed to send RVMs only with TCPA-compliant opt-in consent.”

Importantly, however, whether an agency relationship exists is based on an assessment of the facts of the relationship and not on how the parties define their relationship.

Listen up folks—contractual terms disclaiming agency will not cut it!

While Direct Energy and TMC did have a provision in their contract which expressly disclaimed any agency relationship, the Court highlighted that the parties entered into an amended agreement which expressly authorized TMC to (among other things) close sales on Direct Energy’s behalf and thereby bind Direct Energy in contracts with customers. In other words, Direct Energy authorized TMC to enter into agreements on its behalf.

The Court also found Direct Energy exerted a high level of control over TMC:

  • Direct Energy had the ability to audit TMC’s records to ensure compliance with its contractual obligations
  • Direct Energy could audit TMC’s subcontractors in the same manner
  • Direct Energy had access to TMC facilities to ensure compliance
  • Direct Energy had the ability to terminate the contract with or without cause
  • Direct Energy authorized TMC to telemarket on its behalf using the Direct Energy trade name as if Direct Energy was making the telemarketing call

Therefore, the Court found Dickson produced evidence from which a reasonable jury could find that Direct Energy exerted such a level of control over TMC that there was a principal/agent relationship, despite their contract expressly providing otherwise.

ACTUAL AUTHORITY

Actual authority exists when a principal explicitly grants permission to an agent to act on their behalf, whether through express or implied means.

Express authority

Pursuant to the Teleservices Agreement, TMC was responsible for complying with the TCPA. Thus, there was no evidence that TMC had express actual authority to contact individuals who had not given consent.

Implied authority

Dickson argued that Direct Energy nonetheless led TMC to reasonably believe it should make telemarketing calls that violate the TCPA. However, the Court found that TMC’s authority was expressly limited to opt-in leads. So, Dickson failed to demonstrate a genuine issue of material fact showing that TMC acted with actual authority—either express or implied—when it contacted potential customers who had not opted in to receiving such calls.

APPARENT AUTHORITY

Apparent authority arises when a principal’s conduct leads a third party to reasonably believe that an agent has the authority to act on the principal’s behalf, even if such authority has not been explicitly granted.

Here’s where it gets interesting.

Dickson presented evidence that Direct Energy received several thousand complaints regarding the RVMs but did not stop the conduct.

That’s a lot of complaints.

Moreover, Direct Energy authorized TMC to use its trade name and approved the scripts. Thus, Dickson argued Direct Energy allowed third-party recipients of the RVMs to reasonably believe the RVMs were from Direct Energy.

And even though TMC used other third-party telephony services, this was expressly authorized by the agreement between Direct Energy and TMC.

Therefore, the Court found that Dickson demonstrated that Direct Energy authorized and instructed TMC to use its trade name in its RVMs, approved the scripts used by TMC, and knew or should have known of TMC’s improper conduct and did not take action to prevent that conduct from continuing.

As such, the Court found a genuine issue of material fact existed as to whether TMC acted with apparent authority when it contacted potential customers who had not opted in to receiving such calls.

RATIFICATION

Ratification occurs when an agent acts for the principal’s benefit and the principal does not repudiate the agent’s actions.

A plaintiff must present some evidence that a principal benefitted from the alleged unlawful conduct of its purported agent to hold the principal liable for the acts of the agent under the theory of ratification.

Here, Dickson failed to produce evidence that Direct Energy received any benefit from TMC’s unlawful telemarketing acts. For example, Dickson produced no evidence of any contracts that Direct Energy secured as a result of TMC contacting potential consumers who had not given opt-in consent. Importantly, the Court stated “[p]ure conjecture that Direct Energy must have benefitted in some way because of the volume of calls made by TMC on its behalf is simply not enough to survive summary judgment.”

Therefore, the Court found Dickson failed to demonstrate the existence of a material fact as to whether Direct Energy ratified TMC’s violations of the TCPA.

In light of the above, the Court recommended denying Direct Energy’s motion for summary judgment. Although there was no genuine issue of material fact related to actual authority and ratification, the Court determined that a genuine issue of material fact does exist concerning whether TMC acted with apparent authority.

This case highlights the complexities of agency relationships in TCPA cases and serves as a reminder for companies: mere contractual disclaimers of agency will not suffice. Courts can still hold you vicariously liable for the actions of third parties acting on your behalf! Choose the companies you are working with wisely.

Are You Eligible for Passport Renewal Online?

In good news, the State Department has announced the roll-out of its new online passport renewal system. Eligible individuals can renew their 10-year passports online without having to mail in any documentation.

Be sure to plan ahead if you are using the online service because only routine service is available – no expedited processing.

Although applicants will not be required to turn in their “old” passport, that passport will be cancelled after the renewal application is submitted and will no longer be valid for international travel.

Eligibility requirements for online processing:

  • The old passport is a 10-year passport, and the applicant is at least 25 years of age;
  • The old passport was issued between 2009 and 2015, or more than 9 years but less than 15 years from the date the new application is submitted;
  • There is no request for change of name, gender, or place or date of birth;
  • The applicant is not travelling for at least 8 weeks from the application submission date;
  • The applicant is seeking a regular (tourist) passport, not a special issuance passport (such as diplomatic, official, or service [gray cover] passports);
  • The applicant lives in the United States, either in a state or territory (passports cannot be renewed online from a foreign country or using Army Post Office [APO] or Fleet Post Office [FPO]); and
  • The applicant is in possession of their current passport and it is not damaged or mutilated and it has not been reported as lost or stolen.

To renew online, the applicant must sign in or create an account on MyTravelGov (state.gov) and follow the step-by-step directions. The applicant will have to:

  • Provide information about the passport they want to renew;
  • Choose whether to apply for a passport book or passport card or both;
  • Enter proposed travel dates;
  • Upload a digital photo;
  • “Sign” the application; and
  • Make the required payment by credit or debit card.

Applicants can enroll to receive email updates regarding their applications.

Those not eligible to apply online may renew by mail if they meet the eligibility criteria. Those not eligible to renew by mail (such as children) must renew in person.

The State Department estimates that 5 million people will be eligible to use this new online service annually. Last year, a record 24 million passports were issued. The State Department hopes to continue to expand the online service to further optimize the passport renewal process.

What Digital Advertisers and Influencers Need to Know About the FTC Final Rule Banning Fake Consumer Reviews and Testimonials

As previously blogged about here, following notices of proposed rulemaking in 2022 and 2023, on August 22, 2024 the Federal Trade Commission finalized a rule that will impose monetary civil penalties for false and misleading consumer reviews and testimonials. Those covered by the Final Rule, including, but not limited to, advertisers, marketers, manufacturers, brands and various intermediaries, and businesses that promote and assist such entities, should consult with an experienced FTC compliance lawyer and begin to prepare for its enforcement immediately.

What Does the FTC Final Rule Banning Fake Consumer Reviews and Testimonials Cover?

The FTC Final Rule Banning Fake Consumer Reviews and Testimonials formalizes the prohibition of various practices relating to the use of consumer reviews and testimonials and sets forth which practices may be considered unfair or deceptive pursuant to the FTC Act.

In short, the Final Rule is intended to foster fair competition and protect consumers’ purchasing decisions.  In general, the Final Rule covers: (i) the purchase, sale or procuring of fake reviews or testimonials (for example and without limitation, a reviewer that does not exist, a reviewer that did not actually use or possess experience with the product or service, or a review that misrepresents actual experience); (ii) providing compensation or other incentives in exchange for reviews that express a particular sentiment; (iii) facilitating “insider” consumer reviews and testimonials that do not contain a clear and conspicuous disclosure of the relationship; (iv) utilizing websites that appear to be independent review websites when, in fact, they are controlled by the business whose products or services are reviewed; (v) suppressing reviews, either by intimidation or by merely publishing certain reviews or ratings (for example and without limitation, only positive reviews or ratings); and (vi) misusing fake indicators of social media influence.

The Final Rule also includes some important definitions. For example, the Final Rule defines “consumer reviews” as reviews published to a website or platform dedicated (in whole or in part) to receiving and displaying consumer evaluations, including, for example, via reviews or ratings.

The Final Rule defines “consumer review hosting” as “providing the technological means by which a website or platform enables consumers to see or hear the consumer reviews that consumers have submitted to the website or platform.”  In simple terms, this means that if an employee posts an unsolicited review on a corporate website concerning a product/service that they have experience using, it may not necessarily be considered deceptive as long as the material connection is disclosed.

“Clear and conspicuous” disclosures (such as, for example and without limitation, those pertaining to material relationships between a manager or officer and a brand) must be unavoidable, and easy to notice and understand for ordinary, reasonable consumers.  Note, for audiovisual content, disclosures must be presented in “at least the same means as the representations requiring the disclosure.”

The Final Rule follows the FTC’s Updated Endorsement Guidelines (2023).  The FTC Endorsement Guides address a much broader range of conduct than the Final Rule, and provide best practice recommendations regarding the use of product endorsements and reviews in advertising.

What are the Requirements of the FTC Final Rule on Reviews and Testimonials?

The Final Rule largely codifies existing FTC policy related to reviews and testimonials and sets forth limitations for a handful of categories of conduct that the FTC will consider deceptive.  In part, the Final Rule prevents covered entities and their agents from using fake reviews and deceptive testimonials, suppressing honest negative reviews and paying for positive reviews.

In pertinent part and without limitation:

  1. 16 CFR § 465.2: Fake or false consumer reviews, consumer testimonials, or celebrity testimonials

Businesses and brands are prohibited from creating, buying, selling or disseminating fake or false reviews or testimonials, including, but not limited to, those that expressly or impliedly misrepresent that they are by someone that does not exist (for example and without limitation, AI-generated reviews) or by someone that does not have experience with the product/service, those that misrepresent experience with a product or service, and negative reviews intended to damage competitors.

Businesses and brands are prohibited from creating, purchasing, procuring or disseminating such reviews (and/or facilitating dissemination) when the business knew or should have known that the reviews or testimonials were not bona fide.

  2. 16 CFR § 465.4: Buying positive or negative consumer reviews

Businesses and brands are prohibited from incentivizing a consumer to write a review when the incentive is conditioned – expressly or implicitly – on the review expressing a particular sentiment (whether positive or negative) about a business or brand, or related products or services.  It is not unlawful for a company to offer incentives for consumers to write reviews; however, it is unlawful to condition the incentive upon, for example, a 5-star review.  While the FTC Endorsement Guides separately mandate a clear and conspicuous disclosure when a review is incentivized by monetary payment or another incentive/relationship, a disclosure of the incentive is not a defense when the incentive is conditioned on the review expressing a particular sentiment.

  3. 16 CFR § 465.5: Insider consumer reviews and consumer testimonials

Section 465.5 of the Final Rule prohibits businesses and brands from creating, soliciting or posting reviews or testimonials by officers, managers, employees or agents thereof without clearly and conspicuously disclosing their relationship, or “material connection.”  There are limited exceptions.  First, the prohibition does not apply to unsolicited social media posts by employees or social media posts that result from generalized solicitations (e.g., non-employee specific).  Second, the prohibition does not apply to unsolicited employee reviews that merely appear on a business’s website because of its “consumer review hosting” function.

Additionally, reviews solicited from immediate relatives (e.g., spouse, parent, child or sibling), employees or agents of officers, managers, employees or agents of a business or brand require that the latter ensure that the immediate relative clearly, conspicuously and transparently discloses the material connection to the business.  The foregoing also applies, for example and without limitation, to requests that employees or agents solicit reviews from relatives.  Covered “insiders” are required to instruct such reviewers to clearly and conspicuously disclose their relationships to the business or brand and, if they knew or should have known that a related review appears without a disclosure, take remedial steps to address the disclosure.

The Final Rule states that if the business or brand knew or should have known of a material relationship between a testimonialist and the business, it is a violation for the business or brand to disseminate or cause the dissemination of a consumer testimonial from its officer, manager, employee, or agent without a clear and conspicuous disclosure of such relationship.

  4. 16 CFR § 465.6: Company-controlled review websites or entities

Companies and brands are prohibited from creating or controlling review websites or platforms that appear independent when they are, in fact, operated by the company itself.  For example, companies may not expressly or by implication falsely represent that a website they control provides independent reviews or opinions.  Section 465.6 is intended to prevent the creation of illegitimate independent review websites, organizations or entities to review products and services.  It does not apply to general consumer reviews on a brand’s website, for example, so long as those reviews comply with applicable legal regulations.

  5. 16 CFR § 465.7: Review suppression

Pursuant to Section 465.7 of the Final Rule, businesses and brands may not suppress, manipulate or attempt to suppress or manipulate negative reviews (or otherwise manipulate or attempt to manipulate overall perception) by solely displaying positive feedback, with limited exceptions such as when a review contains confidential or personal information, is false or fake, and/or is wholly unrelated to the products/services offered.  The criteria for doing so must be “applied equally to all reviews submitted without regard to sentiment.”

Businesses and brands are also prohibited from suppressing negative reviews or ratings, and misrepresenting (expressly or implicitly) that the selected consumer reviews or ratings represent most or all reviews or ratings.  The Final Rule does not prohibit sorting or organizing reviews – per se – however doing so in a manner that makes it more difficult for consumers to view/learn of negative reviews may be considered an unfair or deceptive act or practice.

All reviews must be treated fairly so that consumers are provided with a true and accurate representation of consumer experiences.

Additionally, the Final Rule prohibits the use of “unfounded or groundless legal threat” or other physical threat, intimidation or false accusation to prevent a review from being written or created or to cause the review to be removed.

Section 465.7, in pertinent part, is consistent with various portions of the January 2022 agency guidance entitled Featuring Online Customer Reviews: A Guide for Platforms.  The foregoing guidance recommends that businesses and brands: (i) that operate a website or platform that features reviews, have processes in place to ensure those reviews truly reflect the feedback received from legitimate customers about their real experiences; (ii) be transparent about their review-related practices; (iii) do not ask for reviews only from people they think will leave positive ones; (iv) that offer an incentive to consumers for leaving a review, not condition it, explicitly or implicitly, on the review being positive (even without that condition, offering an incentive to write a review may introduce bias or change the weight and credibility that readers give that review); (v) do not prevent or discourage people from submitting negative reviews; (vi) have reasonable processes in place to verify that reviews are genuine and not fake, deceptive, or otherwise manipulated (be proactive in modifying and upgrading those processes); (vii) do not edit reviews to alter the message (e.g., do not change words to make a negative review sound more positive); (viii) treat positive and negative reviews equally (do not subject negative reviews to greater scrutiny); (ix) publish all genuine reviews and do not exclude negative ones; (x) do not display reviews in a misleading way (e.g., it could be deceptive to feature the positive ones more prominently or require a click through to view negative reviews); (xi) that display reviews when the reviewer has a material connection to the company or brand offering the product or service (e.g., when the reviewer has received compensation or a free product in exchange for their review), clearly and conspicuously disclose such relationships; (xii) clearly and conspicuously disclose how they collect, process and display reviews, and how they determine overall ratings, to the extent necessary to avoid misleading consumers; and (xiii) have a reasonable procedure to identify fake or suspicious reviews after publication (if a consumer or business tells a business or brand that a review may be fake, investigation and appropriate action are necessary – that may include taking down suspicious or phony reviews or leaving them up with appropriate labels).

  6. 16 CFR § 465.8: Misuse of fake indicators of social media influence

Section 465.8 prohibits selling, distributing, purchasing or procuring “fake indicators of social media influence” (for example and without limitation, likes, saves, shares, subscribers, followers or views generated by a bot or fake account) that are actually known to be or should be known to be fake, and that could potentially be used or are actually used to misrepresent or artificially inflate individual or business importance for a commercial purpose.  Thus, liability will not attach to a business or brand that engages an influencer using fake indicators of social media influence if the business or brand neither knew nor should have known thereof.

How is the FTC Final Rule Different from the Proposed Rule?

Notably, the Final Rule does not include a provision from the proposed rule that would have precluded advertisers from using consumer reviews that were created for a different product.  This practice is known as “review hijacking”; the FTC was unable to resolve various concerns about the meaning of “substantially different product.”  The FTC reserved the right to revisit this issue, going forward, via further rulemaking.

What are the Consequences for Violating the FTC Final Rule on Reviews and Testimonials?

The concepts, prohibitions and obligations included in the Final Rule are not entirely new.  However, the Final Rule does significantly enhance the FTC’s ability to pursue civil monetary damages in the form of penalties in the amount of up to $51,744, per violation or per day for ongoing violations.  The Final Rule also will permit the FTC to seek judicial orders that require violators to compensate consumers for the consequences of their unlawful conduct.

Takeaway:

The Final Rule banning fake consumer reviews and testimonials generally prohibits specific practices that the FTC has determined are deceptive or misleading, including: (i) fake or false consumer reviews, consumer testimonials or celebrity testimonials; (ii) purchasing positive or negative consumer reviews; (iii) insider consumer reviews and consumer testimonials; (iv) company-controlled review websites or entities; (v) review suppression; and (vi) misuse of fake indicators of social media influence.  The Final Rule will be effective October 21, 2024.  Violations of the Final Rule can result in significant financial and reputational consequences.  Companies that utilize consumer reviews, consumer testimonials or celebrity endorsements should consult with an experienced eCommerce attorney to discuss proactively implementing responsible written policies and contracts that ensure compliance with the Final Rule and other applicable legal regulations (for example and without limitation, ensuring the clear and conspicuous disclosure of material connections), educating employees and agents, reviewing marketing strategies, auditing first- and third-party (for example and without limitation, lead generators) promotional materials and activities for non-compliance (for example and without limitation, ensuring that reviews provide an accurate representation of consumer experiences), and developing and implementing appropriate compliance plans and written policies that include required remedial actions.