Alerts

AD-ttorneys@law – June 21, 2018

Alerts / June 21, 2018

In This Issue:

FTC Enforcement Action Slain by 11th Circuit

Without a specific practice to banish, Commission’s order is held ‘unenforceable’

Epic

In early June, the Federal Trade Commission (FTC or Commission) suffered a defeat at the hands of the 11th Circuit, when the court vacated an order it had lodged against LabMD, a now-defunct cancer detection center.

This dispute goes way back in FTC years, back to 2013, when the original complaint was filed. If you look at the Commission’s action summary, you’ll get a feel for just how many times this particular ball has been kicked back and forth.

Trojan Remorse

At some point in the mid-2000s, a LabMD employee installed LimeWire, a peer-to-peer (P2P) file-sharing application, on her work computer. LimeWire, one of the many P2P file-sharing services that became popular in the early aughts, connected to a network of millions of users. From 2007 to 2008, the employee’s use of the application exposed to this network a sensitive file saved on her hard drive that contained the personal information of thousands of LabMD customers.

Although it is unclear how many times the file was shared over LimeWire, or if it was ever shared at all, a third-party consultant began contacting LabMD about the exposure. The consultant offered to take care of the security breach, but LabMD rebuffed the company’s advances.

In response, the consultant, in early 2009, downloaded the file from LimeWire and forwarded it to the FTC for review. The Commission’s complaint, which alleged that LabMD engaged in “unfair practices” because it had failed to implement a security plan that reasonably protected the patients, was filed in 2013. The case went back and forth until June 2018, when the latest appeal hit the 11th Circuit.

The Takeaway

Under the circuit court’s consideration was an enforcement action brought by the Commission. The action, which had been approved by the FTC in 2016, mandated that LabMD “install a data-security program that comported with the FTC’s standard of reasonableness” as a response to an unfair lack of security measures taken by the company.

The appellate court held that even if LabMD’s failure to enact a security policy was the cause of harm to the exposed customers, “the Commission’s cease and desist order is nonetheless unenforceable.” While the court assumed that the FTC was correct in concluding that LabMD’s allegedly inadequate security standards constituted an unfair act or practice under Section 5 of the FTC Act, the order maintained that the cease-and-desist order did not “enjoin a specific act or practice,” but rather mandated “a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished” and thus, by lacking sufficient specificity, was unenforceable.

We’re waiting for news on what the FTC’s next step might be – perhaps the case will find its way to the Supreme Court. In any event, the broad measures mandated by the Commission in many of its actions may come under new scrutiny in the wake of this decision. In light of this decision, the FTC may change how it proceeds in cease-and-desist orders in data breach cases. The 11th Circuit specifically criticized the Commission for not setting forth specific prohibitions and instructing LabMD to cease specific acts or practices. The court found that by taking a generalized approach to mandating a requirement that LabMD implement measures “reasonably designed” to protect data security, a challenge to LabMD’s compliance would essentially leave the district court “managing the overhaul,” a result the court held was “a scheme Congress could not have envisioned.” “It is self-evident that this micromanaging is beyond the scope of court oversight contemplated by injunction law[,]” the court held.

The FTC may simply appeal and hope that the Supreme Court will hear the case and take the FTC’s side, or we may start seeing greater technical specification from the Commission as to what constitutes reasonable data security requirements when it settles cases and enters into consent orders, or issues cease-and-desist orders. However, companies should not look to this decision as degrading the FTC’s authority to bring unfairness actions under Section 5 based on allegedly inadequate security in the wake of a data breach, but rather as a purely technical decision regarding the proper scope of injunctive relief, and the courts’ contempt powers to enforce consent and cease-and-desist orders.

Chris Farley IP Holder Settles With Bike Company

Suit alleged ‘fat guy comic’ was a specific brand of humor belonging to comedian

Legend

Whether he was destroying coffee tables with his sheer heft, having a strip-off with Patrick Swayze, or soaring red-faced and angry above the SNL studio audience on a flying cable rig, comedian and actor Chris Farley left a big impression on the culture before his sad passing in 1997.

Recently, the company that manages Farley’s estate and property rights, Make Him Smile Inc. (MHS), filed suit against Trek Bicycle Corp., one of the world’s largest bike companies, for exploiting Farley’s larger-than-life persona. “Farley spent his entire career building, then capitalizing on, his unique brand of ‘fat guy’ humor,” the complaint states. “The name ‘Farley’ is … linked and associated with his persona and his identity as a fat comic actor.”

Sounds Personal

It was precisely that “fat guy” image that MHS claims Trek CEO John Burke had in mind when he created the company’s “Fat Bikes,” oversized cycles with a wider chassis and fat tires designed “to explore more places in more seasons … from dunes to drifts and snow to sand.”

Burke lives in Maple Bluff, Wisconsin, the town where Farley was born and raised, and, according to the complaint, Burke and Farley’s family were socially acquainted. This familiarity, it claims, led Burke and other Trek executives to brand the Fat Bikes with the name “Farley,” “a clever, memorable and loud advertising and branding ‘hook’ to help launch and promote … its various Fat Bike products,” including multiple bicycle models and attendant accessories. The suit also accused Trek of duping third-party sales and marketing companies into believing it had the right to utilize the Farley intellectual property.

The Takeaway

MHS filed the suit in September 2017, seeking damages and an injunction against the company, alleging misappropriation under California common law, false endorsement under the Lanham Act, violation of the California civil code, and unfair business practices under the California business and professional code.

On June 1, 2018, the case was removed from the Central District of California, landing in the Western District of Wisconsin, the stomping grounds of both parties. But court watchers who were settling in for a hometown wrestling match were disappointed when, only days later, the case was settled under an as-of-yet-undisclosed agreement.

Companies should be mindful when associating themselves or their products or services, even subtly, with celebrities. While paying homage to a respected hometown hero may on its face seem innocent, even admirable, it is likely to imply a false endorsement and constitute a misappropriation of persona for commercial advantage. Indeed, celebrities and their estates carefully foster and exploit, or elect not to exploit, celebrity name, likeness and persona as personal brands. Bask in the light of a celebrity, without consent, and risk being burned.

California Pushes Auto-Renewal Regs in New Directions

Changes that affect subscription termination, notice-details take effect

Don’t Mess With the West

The Golden State has made some news recently as a thorn in the side of the Trump administration. California has launched more than 20 lawsuits against the president and his administration, on topics as diverse as DACA, the travel ban, the transgender military ban, healthcare, environmental regulations and energy efficiency standards.

And California has the weight to throw down: As the most populous state, and the fifth-largest economy on Earth, the decisions of its government and regulatory apparatus have outsize effects on the out-of-state businesses that want to peddle their wares and services there.

An example of the Golden State holding business to a higher standard than federal law, or the laws of sister states, is California Senate Bill 313, revising Business and Professions Code 17602, which as we have previously reported adds to existing state legislation regarding auto-renewal offers. While the law passed and was signed by the governor back in September 2017, it is just now going into effect.

The Takeaway

Effective July 1, 2018, Bill 313 imposes new restrictions on auto-renewal operations that offer a free gift or a trial period, regarding an explanation of the temporal nature of that initial offer and the differing terms of the renewal, and regarding renewal termination requirements for online offers. Businesses that offer such a deal are required “to include in the offer a clear and conspicuous explanation of the price that will be charged after the trial ends or the manner in which the subscription or purchasing agreement pricing will change upon conclusion of the trial.” Consumers must also be notified about how to cancel a free gift or free-trial auto-renewal offer before they are charged for the product or service, and they must affirmatively consent to the terms and conditions before their credit card is charged.

There was already a requirement for an “easy-to-use mechanism for cancellation” (e.g., a toll-free number) that is clearly and conspicuously disclosed as part of the original offer and in the terms. Now, the California law also requires businesses offering auto-renewal services to allow customers who accepted their offer online to cancel it “exclusively online.” This “may include a termination email formatted and provided by the business that a consumer can send to the business without additional information.” This provision seems to be aimed at businesses that make canceling difficult by requiring online adopters to switch to a different medium – phone or post – to cancel their service.

This last provision extends coverage mandated by the federal Restore Online Shoppers' Confidence Act. Companies doing business in California should be aware of these changes, which are likely to have an impact on the country as a whole.

Unchanged is the requirement that the seller must provide the customer an acknowledgment of the renewal terms, cancellation policy and methods of cancellation in a manner that is capable of being retained by the consumer (e.g., an email), and a notice of any change in terms. The revised law, however, clarifies that notice of changes in terms must be given before the changes go into effect.

Companies that offer free trials and auto-renewal programs in California should review disclosures, terms and procedures to ensure compliance with these revised requirements. California often is a trend-setter, and other states may follow suit by implementing similar or even more restrictive regulations. Regardless, national advertisers and retailers will be subject to the California standard. “As goes California, so follows the nation.”

Plaintiff Should Cop to COPPA, Google Claims

Moves to dismiss class action, objecting to ‘end run’ around FTC

Big Dogs

Back in April 2018, Sirdonia Lashay Manigault-Johnson and her child (referred to in the complaint by the mercifully short initials “R.R.”) filed a class action suit against three related internet giants: Alphabet Inc. and its two better-known subsidiaries, YouTube and Google.

Filed in the District of South Carolina, Charleston Division, the action took exception to the companies’ “exfiltration” of her son’s personal information by the companies.

The suit notes that YouTube is a massive source of kids’ advertising income – the suit cites a projected YouTube kids’ ad market of $1.2 billion by 2019 – and that children spend up to 30 percent of their online time on the site. This combination, the suit claims, poses a unique danger to young users that the companies fail to address.

State Case Stated

In Ms. Manigault-Johnson’s account, YouTube failed to secure her consent and neglected to provide notice that it was gathering information on R.R. As proof, she referred to the YouTube terms of service, which she claims expects users to be above 13 years of age when using the site (her son was not). She also notes that the ad services associated with YouTube – AdWords, DoubleClick and Google Preferred – lack a separate child privacy policy.

Ms. Manigault-Johnson sued the three companies for intrusion upon seclusion in violation of the Children’s Online Privacy Protection Act (COPPA); a California subclass of plaintiffs sued for violations of California’s constitutional right to privacy.

The Takeaway

The three companies moved to dismiss in early June 2018. Their arguments raise interesting issues.

The company attacked Ms. Manigault-Johnson’s claims as an “attempted end run around [the] exclusive enforcement structure” of the Federal Trade Commission, which is the chief enforcement agent of COPPA under the law. The plaintiff “asserts two purported state law causes of action, both of which rest entirely upon alleged COPPA violations,” Google maintained. “These claims are preempted by COPPA and should be dismissed for that reason alone.”

Moreover, the motion held that even if the preemption did not apply, the rights of California, South Carolina or any other state to stake out privacy guidelines would not be weakened by rejecting her claims, “because both California and South Carolina’s privacy laws are aimed at preventing ‘egregious’ intrusions into personal and intimate affairs” and “courts have repeatedly held that the conduct at issue … does not constitute a breach of social norms or an intrusion into intimate affairs sufficient to state a claim for violation of state privacy laws.”

Alphabet filed a separate motion to remove itself from the case, holding that it could not be sued because it was merely the parent company of Google and YouTube, and that no specific claims had been made against it.

This is not the first time that private plaintiffs have tried to piggyback on state laws to state a claim that conduct violating COPPA, by the nature of such, states a claim under state law, notwithstanding that Congress limited the enforcement of COPPA to the FTC and state attorneys general. We will be watching this case to see whether it is successful in advancing such a theory.

Fitbit Still Has a Ways to Run With Class Action

Suit alleging false heart-rate monitor claims still has a pulse

The Ballad of Robb and Fitbit

Remember Robb Dunn? We’ve covered him before. Dunn is the last man standing (for now) in a class action against fitness technology company Fitbit that’s taken a number of twists and turns. Dunn joined a class action against Fitbit that was originally filed back in 2016. More plaintiffs joined, then all of them exited except Dunn, spared because he was the only plaintiff who opted out of arbitration in Fitbit’s user agreement. When will these star-crossed lovers meet in a courtroom?

Refresher

Let’s take it back.

Dunn claimed Fitbit falsely represented that a number of its fitness products, including the “Charge HR,” “Surge” and “Blaze” fitness watches, were equipped with technology that would consistently and accurately record the wearer’s heart rate. The suit marshaled expert testimony to the effect that the products were, in fact, inaccurate. Additionally, Dunn alleged that Fitbit caught its customers up in an arbitration clause that was unfair and deceptive for certain Fitbit users.

Dunn leveled a wide palette of charges, suing under the California Consumer Legal Remedies Act, the California False Advertising Law and the California Unfair Competition Law, as well as for common-law fraud, fraud in the inducement, unjust enrichment, breach of express warranty, breach of implied warranties under the Magnuson-Moss Warranty Act, and the Arizona Consumer Fraud Act.

The Takeaway

Fitbit countered with a motion to dismiss in March 2018, arguing that Dunn had neglected to state the specific instance of fraud, and that the marketing tags he objected to were mere puffery. Dunn responded by reiterating the expert claims and citing a recent stock-drop case against the company.

The Northern District of California weighed in in June 2018, denying the motion to dismiss with the exception of the unjust enrichment claim. The court brushed aside Fitbit’s argument that Dunn had failed to “state with particularity the circumstances constituting fraud” because he had not mentioned particular statements on the product packaging. The court held that this was easily remedied by an amended complaint from Dunn.

The court looked askance at the rest of Fitbit’s objections, noting that none were “well taken.” Fitbit’s argument that the company’s slogans and packaging tags were inactionable puffery were defused because “the complaint is replete with examples of actionable ‘misdescriptions of specific or absolute characteristics of a product.’” The remainder of Fitbit’s objections met a similar fate.

The court awaits Dunn’s amended complaint. For now, at least, his involvement with Fitbit continues.

The hearts of advertisers may skip a beat when they hear of cases like this going forward. This case should inspire companies to scrutinize the packaging and advertising they produce. Statements about products or services being sold should not only be truthful but also not misleading, and substantiation is required of all claims, explicit and implied. Companies should take steps to ensure that consumers are not being confused by advertising statements. By staying vigilant, companies may be able to avoid the heartbreak of ongoing litigation.

Linda Goldstein Joins Esteemed Faculty of DigitaLatest Summit in New York 

Linda Goldstein, leader of BakerHostetler’s advertising, marketing and digital media practice, has joined the faculty of DigitaLatest, an essential summit for marketing executives taking place on August 6-9 in New York. Senior management from leading digital marketing platforms, tools and technologies, including Google, Twitter and Snapchat, will share their latest developments and best brand use cases. Linda’s session will cover the latest legal developments and highlight best practices for minimizing risk. For registration information, click here.

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.