AD-ttorneys@law – September 26, 2017

FTC Commissioners Disagree on Deceptive Omission Charges

Lenovo settlement occasions interesting debate

Gift Horse

Personal computing titan Lenovo ran afoul of the Federal Trade Commission (FTC) when it was hit with a complaint regarding ad-injecting software developed by Superfish Inc. that Lenovo pre-installed on a number of laptop models between 2014 and 2015.

The FTC alleged that when a laptop user hovered the mouse cursor over a product image while shopping online, the software, called VisualDiscovery, displayed pop-up ads regarding similar products sold by Superfish’s marketing partners. The FTC also alleged that the software served as a local proxy that stood between the consumer’s browser and all internet websites that the consumer visited, including encrypted websites. According to the FTC, this allowed VisualDiscovery to see consumers’ sensitive personal information, including login credentials, Social Security numbers, financial accounts and medical information. While only a subset of this information was transmitted to Superfish, the company had the ability to collect more information.

In addition to the above issues, the FTC complaint alleged that VisualDiscovery software employed a number of other practices that exposed consumers to security vulnerabilities, including replacing websites’ digital certificates with VisualDiscovery-signed certificates without verifying that the websites’ own digital certificates were valid, and using easy-to-crack passwords on all affected laptops.

The FTC alleged that Lenovo failed to disclose the true nature of VisualDiscovery, which ran invisibly as a background process, without adequately requiring the user to affirmatively activate the software.

You Shall Not Pass!

The Commission hit Lenovo with three counts under the Federal Trade Commission Act: first, a deceptive failure to disclose that VisualDiscovery was enabled on the laptop and that it would present ads and serve as a proxy “middle man”; second, unfair pre-installation based on the pre-installation of VisualDiscovery that, without adequate notice or informed consent, acted as a man-in-the-middle; and third, unfair security practices based on Lenovo’s failure to take reasonable measures to address security risks from this software.

Lenovo settled the case with the FTC in early September 2017. The settlement prohibits the company from misrepresenting the features of preloaded pop-up ad software on new laptops. Lenovo is also required to clearly and conspicuously disclose the software’s frequency of advertisements and data collection practices, and affirmatively secure express consent prior to initial operation. The settlement also required a software security program to address software security risks related to new and existing application software.

The Takeaway

There was a notable ending to the case which involved a public disagreement between FTC Acting Chairman Maureen Ohlhausen and FTC Commissioner Terrell McSweeny.

Both commissioners supported the complaint and the settlement, but they issued conflicting statements regarding Lenovo’s deceptive omission practices. Commissioner McSweeny asserted that Lenovo’s unlawful conduct went beyond what was alleged in the complaint. She stated that the failure to disclose that pre-installed software would serve pop-up ads while consumers shopped online and that such software would reduce download and upload speeds, in and of itself, was deceptive.

Acting Chairman Ohlhausen countered, stating that the lack of disclosure that Lenovo’s computers contained pre-installed software that would serve pop-up ads during web browsing and would slow web browsing did not in and of itself constitute a deceptive omission. The acting chairman also noted that ad software like VisualDiscovery is understood by consumers to serve up or insert advertising. While she agreed with Commissioner McSweeny on the existing first count – that the “middle man” proxy function was a deceptive practice – she did not think that the ads themselves made “VisualDiscovery unfit for its intended use.” “Therefore,” she continued, “I do not find Lenovo’s silence about those features to be a deceptive omission.”

Based on the commissioners’ disagreement over what practices could be considered deceptive, businesses should exercise caution when implementing data collection and advertising practices without consumers’ consent.

FTC Issues FAQ on Endorsement Rules

Commission guidance document tackles nuances of company/endorser relationships

Inquiring Minds

As we’ve reported previously, the Federal Trade Commission (FTC) is taking an increasingly active interest in the activity of endorsers and influencers. A recent spate of “educational” letters to a number of endorsers was followed by specific warning messages in September of this year. This, in turn, was followed by the FTC’s first-ever action against individual influencers.

In the interest of creating clarity and definition around endorsement relationships, the Commission has assembled a helpful guidance document featuring the most common questions it receives on the topic and the FTC’s answers.

Blog Slog

Blogs get up-front attention in the document, beginning with a question about the assumed reimbursement of bloggers in product endorsements. “Isn’t it common knowledge that bloggers are paid to tout products or that if you click a link on a blogger’s site to buy a product, the blogger will get a commission?” No, says the FTC – even if the majority of a blog’s readership understands an implied financial relationship, even “a significant minority” of readers who do not understand will render the blog endorsement deceptive.

In addition, the FTC clarified that it is not especially monitoring bloggers or holding them to a higher standard than traditional media outlets. However, the unique nature of blogs, as opposed to a newspaper or television advertisement, may cause the viewer to misconstrue the relationship the blogger has with a company when the blogger discusses the company’s products.

Getting Paid

The FTC addressed the many different flavors of perks, reimbursements and gift giving. For the Commission, the weight of the question is on the credibility of the endorser. Even absent any sort of financial arrangement, endorsers often receive free items and discounts, and even donations to charity in the endorser’s name. What care should the endorser take with these other forms of remuneration?

“The question you need to ask,” says the FTC, “is whether knowing about that gift or incentive would affect the weight or credibility your readers give to your recommendation. If it could, then it should be disclosed.” Throughout the FAQs, the Commission consistently emphasized the importance of transparency as a best practice.

In Real Life

The FTC also tackled a number of in-the-weeds, highly specific questions that deal with the nuances of what constitutes an endorsement. For instance, one question reads: “Do I actually have to say something positive about a product for my posts to be endorsements covered by the FTC Act?” The Commission’s answer should give every endorser pause: “You don’t necessarily have to use words to convey a positive message.”

Here, the FTC has touched on a recurring theme: If you have a relationship with the company marketing a product, and your audience thinks what you communicate about a product reflects your opinion about it, it’s an endorsement under the FTC Act. Therefore, proper disclosure is required.

The Takeaway

Our summary includes only a small sample of the overall guide, which covers subjects such as television product placements, how “liking” a product on social media may constitute endorsement, and other guidelines for online endorsements. The guide also has a lengthy discussion of disclosure rules, advertiser responsibilities for what others say in social media, and more.

It’s a must read for advertisers, ad agencies, bloggers, online personalities and other social influencers – and anyone soliciting or providing an endorsement. Based on the FTC’s growing scrutiny of influencers and endorsements on social media, any individual contemplating an endorsement relationship should exercise caution and be as transparent as possible when potentially endorsing products.

FTC Pursues Violators of Europe-United States Privacy Agreement

Companies falsely claimed adherence to Swiss, EU protocols


Every day, untold terabytes of information transfer between the United States and European countries – a vast aggregate of personal and commercial data that benefits users on both sides of the Atlantic.

However, the United States handles data security in a fundamentally different way than European countries, and these differences require a common framework to encourage an ongoing exchange of goods and information between the jurisdictions. Enter the Privacy Shield Framework. The Shield is a set of principles for companies to adhere to when transferring personal data between services in the United States and services in the European Union (Switzerland has a separate but similar agreement with the United States).

The Privacy Shield Framework establishes a self-certification regime for U.S. companies. Under the Shield, the U.S. companies attest to the Department of Commerce that they are complying with the principles and guidelines of the Shield Framework, including various provisions addressing notifications, accountability, information security and liability. The benefits for all participants are obvious.

Triple Threat

The Federal Trade Commission (FTC) recently settled three cases against U.S. companies that claimed to participate in the E.U.-U.S. Privacy Shield Framework, but allegedly did not meet the regime’s requirements. They were the first cases of their type since the Privacy Shield Framework replaced the earlier U.S.-EU Safe Harbor Framework.

The Commission settled charges against software company Decusoft, printing company Tru Communication, and assistant to real estate wireless operators Md7 in early September 2017. The FTC alleges that the companies claimed to participate in the Framework, but had actually failed to complete their self-certification process with the Department of Commerce. The Commission further alleged that Decusoft had similarly violated the Swiss-U.S. Privacy Framework.

Each of the companies agreed to refrain from misrepresenting their participation in security or privacy programs sponsored by the government, self-regulatory, or standard-setting organizations. Each agreed to also comply with FTC reporting requirements.

The Takeaway

These cases are novel – they’re the first to address the relatively recently enacted E.U.-U.S. Privacy Shield, and also the first to tackle companies that started a self-certification process in similar programs but did not complete all the steps.

Nonetheless, these cases are part of a larger picture. The FTC brought 39 actions against companies under the predecessor U.S.-E.U. Safe Harbor Framework. The Commission has also pursued four similar actions related to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.

It is clear that the FTC is taking a serious approach to false participation claims, and is keeping its eye on companies that drop out of the certification process midway, but still claim to be within the guidelines of the Framework. Based on the FTC’s increasing scrutiny of companies’ proposed data practices and privacy commitments, U.S. companies should exercise caution when purporting to adhere to a regulatory scheme without full compliance.

FTC Handicaps Golf Product Marketers for Negative Option Offers

Companies settle with Commission after alleged negative option mulligans

Front Nine

The Federal Trade Commission (FTC) recently announced a settlement with four individuals and six separate but interlocking companies. The agency alleged that the group participated in a number of negative option and continuity sales schemes.

The defendants operated a number of websites that sold golfing gear and kitchen products, sites with names like “Gourmet Cooking Rewards” and “Golf Online Academy.” They promoted these websites through television infomercials and mass email campaigns. Customers were assured of a 100 percent money back guarantee on all their products, as well as 30- to 60-day trial periods, and that their trial offers were risk-free.

The FTC alleges that the defendants inserted as many as 14 “upsell” pages as customers worked their way through the process of entering their shipping and billing information for a specific product. These pages pushed additional negative option offers and continuity plans.

Penalty Stroke

In its initial complaint, filed in March 2017 in the United States District Court for the Southern District of California, the Commission claimed a laundry list of infractions.

The defendants’ websites failed to mention the terms and conditions that accompanied a free product or a trial period, according to the complaint. Often the disclosures were tucked away, far from the “add to cart” button or other sales confirmation links. The complaint also alleged the disclosures were rendered unintelligible because they were festooned with dense layers of hyperlinks and tiny text surrounded by distracting graphics.

In addition, the defendants were accused of bundling offers by combining free trials with continuity plans for other products. One site offered free instructional golf DVDs, but hooked customers into a continuity plan for online golf lessons. Analogous bundled offers were made by combining coupons and discounts with cooking lessons. However, in many cases the defendants failed to obtain consumer consent for these extras and consumers were unaware they were subject to such bundled offers.

The FTC also noted that customers who viewed the offers on mobile devices were more likely to be deceived, since the devices’ smaller screen size made the disclosures even more difficult to read.

The Takeaway

The Commission charged the defendants with deceptive acts and practices under Section 5(a) of the Federal Trade Commission Act and with violations of the Restore Online Shoppers’ Confidence Act (ROSCA).

The settlement terms prohibit further misrepresentations of the cost of the defendants’ goods and services, and require defendants to disclose details about any negative option, to secure consumer consent, and to cease billing consumers who were charged before March 2016.

Three of the individuals charged were hit with a combined settlement penalty of $2.5 million, backed by security interests given to the FTC in real estate and other assets. This FTC action and the resulting settlement once again demonstrate the FTC’s immense power in enforcing unfair or deceptive practices, and its commitment to enforcing ROSCA.

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.