Resources

Consumer Protection in 2014: A Review of Recent FTC Consumer Protection Measures and Trends to Watch Out for in the New Year

published in For the Defense | June 1, 2014

By Brandon L. Buchanan and Zachary A.P. Oubre

The Federal Trade Commission (FTC or Commission), turns 100 years old this year and has come a long way since trust-busting on behalf of President Woodrow Wilson. In 2012 and 2013, there was a dramatic increase in the amount of monetary relief sought by the FTC and a newfound insistence on full restitution, even in cases involving unsubstantiated claims without consumer fraud. Indeed, according to its 2013 annual report, the FTC ordered a record-breaking $741.5 million in redress and disgorgement and $63.6 million in civil penalties. These figures are even more astonishing compared to 2012 reports of $223.7 million in disgorgement and redress and $9.75 million in civil penalties. 2014 should be no different.

So, as companies become increasingly focused on digital marketing and using targeted marketing, defense counsel should expect continued aggressive enforcement by the FTC of the same. Counsel should specifically take note of their clients’ online and mobile presence because recent appointments and lobbying efforts by the Commission suggest that the agency will narrow its focus on the manner in which corporate America presents itself online and the manner in which companies collect and use consumer data.

Furthermore, and perhaps most importantly, the days of receiving a mere cease and desist are likely over. The first call from the FTC will more likely result in a detailed and stringent consent order with broad injunctive provisions, together with a monetary penalty that will sting long after the end of a client’s fiscal year. Six-figure settlements are now the norm, and seven- figure judgments are far from impossible. With updated polices regarding digital marketing and children’s privacy, expect a continued focus on online advertising and children, with increasing attention toward the use and protection of consumer data.

A Change of Staff, but Likely No Changing of the Guard

In June 2013, FTC Chairwoman Edith Ramirez appointed Jessica Rich as the new Director of the Bureau of Consumer Protection. Rich, a 20-year FTC career attorney, served as deputy director of the Bureau of Consumer Protection under David Vladeck, who led the charge in the multi-million-dollar judgments and settlements against Google and Facebook that are now the FTC’s norm. Rich also has an 11-year track record in the agency’s Division of Privacy and Identity Protection and drafted the first children’s online privacy regulations. Many also consider Rich to be the architect of the FTC’s privacy program.

In a recent interview with Adweek, the new director noted her belief that deceptive health claims are “the worst” type of deceptive advertising and also stated that mobile advertising, mobile security, and mobile payments would be a focus point for the FTC. Accordingly, counsel and their clients should expect continued aggressive enforcement with respect to truth-in-advertising and health claims but should also be mindful of a new focus on mobile marketing and data protection.

Consumer Data Protection—Continued Push for New Power

The past two years saw marquee cases against numerous entities involving the protection of consumer data, including the record-breaking $22.5 million suit brought against Google for allegedly misrepresenting that it would not place cookies or serve targeted ads to users of Apple’s Safari browser. See Press Release, Fed. Trade Comm’n, Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple’s Safari Internet Browser (Aug. 9, 2012), (last visited Apr. 10, 2014).

But multi-billion-dollar entities are not the FTC’s sole target. Last year also saw a social networking company settle a civil lawsuit initiated by the FTC that alleged that the website operator collected personal information from mobile device address books without user consent. See Press Release, Fed. Trade Comm’n, Path Social Networking App Settles FTC Charges it Deceived Consumers and Improperly Collected Personal Information from Users’ Mobile Address Books (Feb. 1, 2013), (last visited Apr. 10, 2014). The settlement agreement required the operator to pay $800,000 in civil penalties and establish a comprehensive privacy program to be approved by the FTC as well as undergo annual independent reviews and assessment of its privacy procedures for the following 20 years. Id.

The FTC’s message is this: Make sure that your client’s privacy policy accurately portrays its actual use and collection of consumer data. Anything else that a client does that the policy does not include will be considered unconsented and may subject the client to strict injunctive relief and a stiff penalty. As a result, clients should thoroughly review their respective practices and update their privacy policies accordingly, making them as detailed as possible in explaining how consumer information will be accumulated, used, and shared. Companies should also specifically note which cookies, if any, their sites use, and whether a site collects any geolocation data.

As the year continues, the FTC also seems likely to look to other measures to improve upon consumer data privacy. One such method is de-identification, which is the process of stripping personal information from consumer data. At the 2013 Global Privacy Summit, FTC Chairwoman Edith Ramirez stated that de-identification is “a very fruitful avenue that ought to be pursued” and that the FTC was examining the process for incorporating de-identification into new law or current policy. If done, website operators may be required to take extra measures to remove personal identifiers from the data that they collect from customers.

The FTC may also begin more closely scrutinizing data brokerage firms. The agency openly supports a recent data broker bill introduced in February 2014 by Senator Jay Rockefeller (D-W.Va.). If passed, S. 2025 would give consumers access to data held by data brokers serving the marketing industry and allow consumers to correct misinformation and even opt-out to prevent use of their information. Under the bill, data brokers would also be required to implement procedures to “ensure the maximum possible accuracy of the personal information it collects.” Senate bill 2025 specifically charges the FTC with creating and maintaining a website listing all brokers subject to the new law, and the agency would likely also be responsible for ensuring data broker compliance with the law.

As a result, expect the FTC to lobby for this and similar measures to provide it with rulemaking authority and data security enforcement capabilities. These new measures would be more ways that the agency could try to expand its authority to continue efforts to protect consumer data. And, even if these laws are not passed, the FTC’s focus on data privacy and data brokers will likely not cease. In the interim, counsel should ensure their clients’ data collection practices match their privacy guidelines, and may also suggest that clients begin and/or continue to implement measures to protect the collected data.

A Continued Focus on Children

The FTC’s consumer privacy efforts have not been limited to lobbying and enforcement. In the past year, the FTC also updated the rule regarding the Children’s Online Privacy Protection Act of 1998 (COPPA). Most companies now realize that COPPA regulates the collection of personal information from children under 13 years of age. However, on July 1, 2013, the revised FTC COPPA Rule went into effect, adding four new categories of “personal information” and a broadened definition of “operators” subject to the rule.

The four new categories of “personal information” are (1) geolocation data; (2) images, videos, and audio of children; (3) screen and user information; and (4) persistent identifiers. See Fed. Trade Comm’n, Complying with COPA: Frequently Asked Questions (Revised 2013) (last visited Apr. 10, 2014). The first category, geolocation information, is defined by the FTC as “information precise enough to identify the name of a street and city or town” where the child is located. Id. The Commission has made clear that this new stand-alone category merely clarifies what the original rule encompassed and has advised website operators to obtain parental consent before collecting any geolocation information. Id. However, counsel should make their clients aware of the clarification because many sites, and particularly apps, collect such data.

The other three categories are completely new, although the accumulation falling into them that occurred before July 1, 2013, will not require parental consent. But all new collection of this information will require consent. The first new category is images and videos of a child or audio of a child’s voice. Although past collection of this information is “grandfathered” by the revised rule, the FTC, nevertheless, “recommends that entities either discontinue the use or disclosure of such information after the effective date of the amended Rule or, if possible, obtain parental consent.” Id. Screen or user name information is also a new category. This information was only previously considered personal information if it revealed an individual’s e-mail address. Under the amended rule, however, a screen or user name is personal information if it includes an identifier “substantially similar” to an e-mail address “that permits direct contact with a person online.” Id. Similarly, persistent identifiers were previously considered personal information only if they were included with other individually identifiable information. Id. Now, under the revised rule, persistent identifiers are considered personal information if they can be used to recognize a user over time and across different sites or online services. Id. Importantly, COPA also protects user names and persistent identifiers that were collected before July 1, 2013, if a company associates new information with the user name or persistent identifier, requiring the company to obtain parental consent unless an exception applies. Id.

Another large change is that the revised rule broadens the definition of “operators” subject to COPPA. Now, not only are website operators required to follow COPPA, services that integrate with sites, such as plug-ins or advertising networks, are also required to comply with COPPA regulations. Id.

In light of the rule revisions, and given the new director’s focus on mobile privacy and data, counsel should expect enforcement measures directed toward mobile applications and websites targeting children. This seems especially likely given that the FTC staff report, Mobile Apps for Kids: Disclosures Still Not Making the Grade (Dec. 2012), found that the mobile app industry and third parties providing services within apps had generally failed to make the grade with respect to protecting child privacy. The report strongly encouraged these industries to incorporate better privacy protection for children, provide greater transparency regarding the collection, use, and sharing of personal information through child apps, and provide parents an easier way to review these policies and to provide informed consent.

Truth-in-Advertising

The FTC focus on truth-in-advertising should not change in 2014, and digital marketing will continue to be a focus for the agency. The FTC truth-in-advertising rules have always required ads to be “clear and conspicuous.” In 2013, the agency shed additional light on what that means in the context of digital marketing.

On March 12, 2013, the Commission updated its 2000 Dot Com Disclosures to specifically focus on various forms of online advertising such as Facebook and Twitter. See .com Disclosures: How to Make Effective Disclosures in Digital Advertising (Mar. 2013). In the updated disclosures, the FTC provides broad guideposts concerning how digital marketers can ensure compliance with the FTC Act and refrain from placing themselves on the FTC’s radar. Defense counsel should read this document since corporations are now more than ever utilizing the Internet and social media to market their respective products.

Some of the most important disclosure guidelines discussed in the guidance include taking into account how an ad and corresponding disclosure will be viewed on various platforms and devices such as cell phones. Id. Another guideline regarding Twitter requires that tweet advertisements specifically state they are ads within a specific message, as opposed to a separate tweet in the Twitter feed, and must prominently place within a Twitter message any and all qualifying information with respect to the ad.

These revisions continue a previous focus by the FTC on “native advertisements.” “Native advertising” refers to the idea of blending marketing messages to resemble the content within which it is incorporated. This controversial advertising method has long been used by companies, but with the advent of the Internet and decreasing consumer attention spans, the FTC began closely scrutinizing the “conspicuousness” of such marketing. Prevalently used examples include promotional tweets within a Twitter stream and sponsored blog posts. These marketing methods are now specifically addressed by the revised Dot Com Disclosures, and counsel should ensure that their clients are aware of the changes. For example, the guidelines specifically address blogging product reviews in one example showing a blog post about house paint in which the writer states at the end that she received a free can of paint. According to the agency, this disclosure must be clear and conspicuous and not tucked away after a series of links or other distractions.

Here is the heart of the message: Do not hide the fact that an online message is an ad or somehow sponsored by the product or service that it references. Furthermore, given the updated disclosures’ specific reference to mobile platforms, marketers and counsel should expect a specific focus on mobile apps and mobile marketing, and an attorney should ensure that whatever disclosures a client uses, consumers can easily access and view disclosures on the cell phone screens that consumers have become so accustomed to using.

Double Blind Tests for Lose Weight, Grow Hair Claims?

Perhaps the FTC’s most controversial 2014 focus is health-related claims. Health and medical claims are always near and dear to the agency’s heart, and 2013 saw no difference. In 2013, the Commission brought numerous high-profile enforcement actions against companies for allegedly false and misleading claims about the health and medical benefits and product performance. For example, on January 7, 2014, the FTC initiated administrative actions against four private diet-product companies regarding allegedly misleading advertising. See Michelle Celarier, FTC Gives the Skinny on Weight-loss Promises, Jan. 7, 2014. Among the defendants was Sensa Products LLC, which agreed to cease making false claims about its weight loss product and to pay a $26.5 million fine to settle the FTC investigation. See Press Release, Fed. Trade Comm’n, Sensa and Three Other Marketers of Fad Weight-loss Products Settle FTC Charges in Crackdown on Deceptive Advertising, Jan. 7, 2014, (last visited Apr. 10, 2014). This trend likely will continue since the new director of the Bureau for Consumer Protection considers deceptive health claims to be the “worst” of all.

The essential element of health-related advertising claims continues to be “substantiation.” But even that standard is now in dispute. On January 10, 2013, the Commission upheld in part and reversed in part an administrative law judge’s initial decision regarding advertising claims for POM Wonderful products. In the Matter of POM Wonderful LLC, FTC Docket No. 9344 (Jan. 2013). In the initial decision, the administrative law judge found that the makers of POM Wonderful 100% Pomegranate Juice and POMx supplements made false and unsubstantiated claims in advertisements that their products would prevent or treat conditions such as heart disease, prostate cancer, and erectile dysfunction.

In the decision, the Commission found that the “substantiation” test applied and required that two well-designed, well-conducted, double-blind, randomized controlled clinical trials were required to substantiate claims that a food can treat, prevent, or reduce the risk of “serious diseases.” Because POM failed to meet this standard, the Commission upheld the administrative law judge’s finding of deceptive advertising. The Commission’s final judgment did not, however, impose the FTC staff’s sought-for requirement that POM obtain preapproval from the FDA for disease-related claims. Instead, the Commission found that two randomized, well-controlled human clinical trials would offer the same benefits as FDA preapproval, and would be a “clear, bright line standard that would be easy to enforce and at the same time, provide certainty for Respondents.”

The Commission’s determinations regarding remedies were equally important. The Commission first decided that it was proper to “fence in” POM and order the company to meet more stringent substantiation standards on POM than the company’s competitors had over the course of 20 years. The Commission also imposed individual liability on company officers who participated in the marketing campaigns.

POM appealed the decision to the District of Columbia Court of Appeals. Final briefs were due March 24, 2014, and a hearing had not yet been scheduled as of the drafting of this article. See POM Wonderful LLC v. Federal Trade Commission, Case No. 13-160 (D.C. Cir.).

This seemingly new standard for substantiation may shock many companies currently only using one, double-blind test. Although the opinion notes that the substantiation requirements imposed on POM were case-specific, the decision is a strong signal that the FTC will likely soon require a heightened standard of substantiation for health and disease-related claims. Also notable is that the Commission imposed individual liability on company officers. Given the agency’s increasing willingness to seek and to enforce multi-million-dollar recoveries in false advertising and substantiation cases, a willingness to impose corporate officer liability could create substantial risk for officers of health and food product companies.

An Active Centenarian

In sum, in its hundredth year, the FTC appears more like a teenager than a centenarian. In 2012 and 2013 the agency actively modified its policies and enforcement measures to comport with technological advances, and the future should be no different. The agency will likely continue to enforce truth-in-advertising on the Internet aggressively, and counsel should learn and disseminate the agency’s revised policies, including the revised COPPA Rule and Dot Com Disclosures. Counsel also will want to encourage marketers of health-related claims to use the POM standard of substantiation and closely watch that case for a decision.

This year may also realize new laws and regulations regarding data privacy as well as restrictions on a new industry, the data broker. Furthermore, mobile marketing seems likely to be the agency’s largest focus, and counsel should expect savvy from agency with respect to the nuances of digital advertising and marketing sciences and that its rules and regulations comport with this understanding. Importantly, how the old FTC standards apply to new technology will not only be the subject of reports and messages to companies, but also multi-million-dollar enforcement measures.

In sum, the best tactics for defense counsel are to have your clients review their online marketing policies in light of these new changes and to make your clients aware of the FTC’s willingness to seek million-dollar remedies. Counsel should also encourage clients to review their privacy policies and the measures that they employ to gather, use, and protect their customers’ personal information. It’s a brave new world, and each year the FTC seems to become braver and braver.

For the Defense is a monthly publication of the Defense Research Institute.