Consumer Advertising Law Blog

Similar to the original guidance, the updated version emphasizes that consumer protection laws apply across all marketing platforms and devices, including print, TV, Smartphones, Facebook, and Twitter.  Just because our ads are coming to us on shinier, smaller, or faster devices, some things will remain old school--like Section 5 of the FTC Act.  Advertisers should not lose sight of the most basic principles, like clear and conspicuous disclosures, simply because the mediums on which they advertise have changed and continue to change.  

Sticking with the basics, the new guidance reminds advertisers that disclosures that must be made in order to keep claims from being deceptive must be clear and conspicuous and made prior to a consumer’s decision to buy (i.e., before they click “Add to Cart”).  Although there is no one-size-fits-all approach to disclosures, the following factors come into play:  proximity; placement; prominence; presence of distracting elements; the need for repetition; and using language understandable to the intended audience.

In a new take on the old, the guidelines state that if a disclosure won’t work because of the device or platform on which the claim is being advertised, the claim should be modified or shouldn’t be made on that device or platform.  Advertisers should also evaluate how their ads look across a range of devices, and create mobile versions or use responsive design when necessary.  In short, if the disclosure won’t fit, you must quit (considering that ad).  Simple as that--technological limitations will not be an excuse for running afoul of basic truth-in-advertising principles. 

Additionally, the new guidance says that disclosures should be “as close as possible” to the triggering claim they qualify.  Ideally, qualifying information should be incorporated into the claim itself.  If that isn’t practical, .com Disclosures provides guidance on making effective disclosures.  For example, building on past guidance regarding the use of hyperlinks to lead consumers to relevant disclosures, the new guidance recommends that advertisers label hyperlinks as specifically as they can to make their importance and relevance clear and make them effective across various media and devices.  Moreover, using links may not be sufficient, particularly if the advertised product is available in brick-and-mortar stores or from online retailers other than the advertiser--consumers should be presented with relevant disclosures in the ad text itself before going shopping in a store or at another online retailer.  In addition, the FTC cautions against putting disclosures in pop-ups, which may be blocked or just ignored.  In keeping with the original guidance, advertisers are also advised to avoid using hyperlinks for disclosures integral to the claim, such as those about product costs or health and safety issues.  The guidelines also caution advertisers about consumers needing to scroll to find disclosures.  According to the guidance, consumers shouldn’t have to scroll down the page to find disclosures.  But, if scrolling is necessary, the ad should contain visual cues to prompt consumers to scroll down or make the disclosures unavoidable--i.e., require the consumer to scroll through them before moving on.  Finally, although the guidelines say that advertisers are not required to utilize tools that can help monitor the effectiveness of disclosures, such as hyperlink click-through rates, the FTC advises advertisers not to ignore the data they do have.

The new guidelines include examples specific to the world of “tweeting.”  Using a fictional celebrity endorser, the .com Disclosures note that a tweet endorsing a product with merely a link to the product’s website is insufficient.  Celebrity tweeters still have to follow the requirements laid out in the Endorsement and Testimonial Guides, which we blogged about here and here.  Those Guides state that celebrities have a duty to disclose their relationships with advertisers outside the context of traditional ads (like Twitter).  It should be clear to followers if a celebrity is being compensated for a product or service they’re talking about on social media.  According to the FTC, these types of endorsements should clearly denote that it they are advertisements.  The new guidelines go further, noting that using “Ad” or “Sponsored” at the beginning of a tweet would likely be sufficient, but that the use of hashtags to indicate that a tweet or post is sponsored (i.e., #spon, #paid or #samp) may not be.  Depending on the content of the sponsored tweet, the tweet may also need to disclose typical results for the product in accordance with the Endorsement Guides.  Using links to make disclosures in tweets may not be sufficient for the reasons discussed above.

In recent years, the FTC has made an effort to update various guidance documents to account for changes in the mobile marketplace and advancements in advertising that have arisen in the new digital age. The new .com Disclosures specifically address some of the issues advertisers face in this age of new technology and social media.  While acknowledging that these guidelines will prove challenging to advertisers, the agency has stuck to its consistent message--necessary disclosures are required, regardless of how you’re conveying your message and deceptive advertising will not be tolerated.            

- Matthew Shultz & Danielle Garten

The FTC has defined mobile payments broadly to “include[ ] technologies and products in which a payment is made using a mobile device, such as payments made through Near Field Communication (NFC) technologies, mobile apps, online checkout wallets, and mobile carrier billing.”  At the April 26 workshop, participants identified multiple ways in which these technologies benefit consumers.  In addition to the convenience of payment, mobile payment makes it easier for consumers to use coupons or loyalty programs. In the new report, FTC staff also acknowledged that “[m]obile payments . . . may provide under-served communities with greater access to alternative payment systems.”  An alternative payment system also benefits businesses, who may see lower transaction costs thanks to consumers choosing to pay with their mobile devices, not their credit or debit cards.  More broadly, “[m]obile payments may also spur competition among payment methods, benefitting consumers and merchants alike.”

Where the workshop took a balanced approach to benefits and drawbacks, the new report focuses almost entirely on the risks and concerns the workshop panelists identified: dispute resolution; consumer data security; and privacy. One of the greatest benefits mobile payments provide to both consumers and businesses -- flexibility -- is the source of the problem for dispute resolution, specifically the web of statutory requirements that may protect some consumers or businesses, but not others, and certainly not in the same ways. For example, a fraudulent transaction involving a credit card has a statutory liability cap of $50, but if the same transaction involves a gift card, the FTC Act, the FTC’s general consumer protection mandate, is the sole statutory protection (the Consumer Financial Protection Bureau has proposed a rule related to gift card laws and the FTC has commented). The FTC is evaluating whether to implement “consistent protections across mobile payments,” and, as it does, urges businesses to “develop clear policies regarding fraudulent and unauthorized charges and clearly convey these policies to consumers.”

The FTC singles out mobile carrier billing for special attention. Like gift cards, there are no specific statutory protections for consumers who find fraudulent third-party charges on their phone bills, a practice known as “cramming.” The new report notes an FTC comment to the Federal Communications Commission (“FCC”) that “consumers should be able to block all third party wireless charges” and should have “clear[ ] and prominent[ ]” service provider information about third-party charges and how to block any unwanted charges.  The FTC also wants providers to establish a clear dispute resolution system.  The FTC will host a workshop on mobile cramming on May 8 to assess the breadth of potential solutions to cramming, including those that industry stakeholders have provided to the FCC. 

The FTC report also refers to a Federal Reserve study that found data security to be a chief consumer worry related to mobile payments. The FTC encourages “all companies in the mobile payments chain” to adopt safeguards like end-to-end encryption and dynamic data authentication, reminding businesses that harm to consumers due to a data breach can not only harm the reputation of the business, but also can trigger liability under state or federal data security laws. 

A frequent concern of the FTC, the report highlights the privacy anxieties associated with the distinction between data collection capabilities in “traditional” and mobile payments.  In a traditional payment, data is split among the merchant (purchase) and the credit card company or bank (contact information; location of purchase). No one entity has all of the purchaser’s information. Mobile payments add many new players at each step of the payment chain and provide a “mobile payments ecosystem to gather and consolidate personal and purchase data in a way that was not possible under the traditional payments regime.” Such collection and consolidation is not inherently bad, but it does raise the potential for increased risks to consumer data privacy. To help protect consumer privacy and ease privacy concerns, the FTC previously offered three privacy principles in its March 2012 report Protecting Consumer Privacy in an Era of Rapid Change (as this blog described).  The FTC continues to encourage businesses to follow these principles of “privacy by design,” consumer choice, and transparency in a new mobile payments report.  

As it develops a more complete framework for mobile payments, the FTC is looking to the experiences of other countries for both the manner in which the mobile payments systems operate as well as the manner of their regulation.  The new report includes short descriptions of practices or policy proposals in other countries and by multinational organizations, indicating which models the FTC may explore in determining how to address the consumer privacy, security, and trust issues that arise as mobile payment technology develops.

- Nancy Perkins and Seth Wiener

The FTC announced that it has settled charges against mobile device manufacturer HTC America that the company placed sensitive consumer information at risk by failing to reasonably secure software applications for its mobile phones and tablets. Although the FTC has been concerned with pursuing what it regards as unreasonable data security practices as “unfair or deceptive acts” for years, this is the FTC’s first action against a mobile device manufacturer.  The settlement not only requires HTC to develop security enhancements for the software, but also to implement a comprehensive security program and “undergo independent security assessments every other year for the next 20 years.”

The FTC alleged that HTC failed to employ reasonable and appropriate security practices in at least five ways:

1. failure to adequately assess the security of its products;
2. failure to adequately train its engineering staff on privacy and security issues;
3. failure to conduct assessments to identify potential security vulnerabilities;
4. failure to follow well-known security practices that would have ensured that applications would only have access to consumer information with their consent; and
5. failure to have a process to address reported privacy and security concerns.

More specifically, the complaint alleges that customized applications pre-installed by HTC to differentiate its products from other devices running Google’s Android operating system and Microsoft’s Windows Mobile and Windows Phone operating systems failed to include adequate “permission check code[] to protect th[e] pre-installed application from exploitation.”  For example, a third-party application could have commanded one of the pre-installed applications to download and install additional apps without the user’s knowledge or permission -- in other words, without the “permission check code” that the complaint alleges is “simple, well-documented software-code.”  Then these new applications could have accessed, among other information, financial account numbers, user names and passwords, text messages, photographs, and physical location information, as well as sensitive device functionality like the microphone.  FTC also noted a particular concern with malware that could have led to “text message toll fraud,” which occurs when text messages are sent to a premium number without the user’s consent in order to charge fees to the user.

As summarized in the complaint, “[i]n effect, this vulnerability undermines all protections provided by Android’s permission-based security model.”  The FTC alleged that HTC could have prevented these security issues, which were present in approximately 18.3 million devices, through implementation of “readily-available, low-cost measures.” 

In addition to charging that HTC’s failure to implement reasonable security practices was an unfair or deceptive act, the Commission also charged HTC with making at least two false or misleading representations in its user manual.  First, the complaint alleged that the manual’s representation that a user would be notified when a third-party application requested access to personal information was undermined by the vulnerabilities discussed above.  Second, the complaint alleged the user manual was false and misleading by representing that a user’s location data would not be sent to HTC along with an error report unless the user specifically checked a box marked “Add location data.” The complaint alleged that because of the security vulnerabilities discussed above, location data was sent to HTC even where the user did not check the box granting permission.

Shortly after announcing the settlement, the FTC hosted a Twitter chat to answer questions about the highly publicized settlement.  In response to a question about whether there was any evidence that consumer data had been lost, the FTC said that it brought the case because of the “risk” of substantial harm to consumers as well as HTC’s allegedly deceptive practices.  It also reiterated that “consumer privacy continues to be a top priority for FTC.”

This case illustrates the close connection between security practices and representations about privacy; promises about privacy rest in part upon a company’s ability to design, deliver, and support functionality with a privacy and security architecture that delivers upon those promises.  Put another way, design supports privacy.

- Ronald Lee and Daniel Stuart

Identity theft, which is defined in the report as “[w]hen someone appropriates your personal identifying information (like your Social Security number or credit card account number) to commit fraud or theft,” is likely to remain a top concern for the FTC, especially as an increasing amount of sensitive consumer information moves to mobile devices and the “cloud.”  This is evident from the FTC’s recent release of security recommendations for mobile app developers, as well as its settlement with HTC over concerns about the security of consumer information collected by mobile software applications. 

• Consumers reported paying over $1.4 billion in the over one million fraud cases contained in the report, with a median amount paid of $535.
• Though it’s buried in a footnote, Washington, DC had the highest per capita rate of fraud complaints at 752.1 complaints per 100,000 residents.  The nation’s capital was third in per capita identity theft complaints at 169.1 complaints per 100,000 residents.
• Florida was second to DC in per capita fraud complaints (693.5 per 100,000) and was by far the number one state for identity theft complaints at 361.3 per 100,000 residents. In fact, ten of the top eleven metropolitan areas for identity theft are in Florida. 
• South Dakota had the lowest per capita rate of both fraud and identify theft complaints. 
• For fraud complaints, the most popular method of contacting consumers was via email (38%) followed closely by phone (34%). 

The full report is available for download here. 

- Daniel Stuart

The report builds on the FTC’s previous work on privacy issues, including the FTC’s March 2012 privacy report; the FTC’s February 2012 report and December 2012 follow-up report regarding mobile apps for children; and the FTC’s May 2012 workshop regarding mobile privacy. It also takes into account and favorably endorses the California Attorney General’s January 2013 recommendations regarding “Privacy on the Go” for app developers, platform providers, ad networks, mobile carriers, and operating system developers.  (For previous posts regarding privacy issues in this blog, see here). 

The new report provides guidance to various participants in the mobile device ecosystem, including platform providers (e.g., Apple, Google, Amazon, Blackberry, and Microsoft), app developers, trade associations representing the developers, and third parties such as ad networks and analytics companies.

For platform providers, the FTC staff recommends the following actions:

• developing a “do-not-track” mechanism for mobile devices, similar in function to do-not-track controls already implemented in the leading internet browsers;
• providing “just-in-time” disclosures when apps attempt to collect sensitive data, to allow consumers to decide whether to allow the collection;
• developing a “privacy dashboard,” such as that already used by some platforms, to assist consumers in determining and reviewing which apps have access to which data;
• using icons, as some platforms already do, to signal to consumers when apps are accessing geolocation information;
• increasing platform supervision and regulation of app providers, including through contractual provisions requiring privacy measures;
• increasing transparency of the app review process, to allow consumers to better understand the extent platforms review apps prior to making them available in app stores, as well as any later compliance checks or reviews undertaken by platforms.

For app developers, the new report recommends:

• developing a privacy policy, and making it easily available to consumers through the platform’s app store;
• providing just-in-time disclosures and obtaining affirmative express consent when collecting sensitive information, to the extent the platform does not already do so;
• improving coordination with ad networks and other third-parties, to ensure that the app developers understand what information the third party is collecting and how that information is being used, so that the app developer can provide truthful disclosures to consumers.

With respect to developers’ trade associations, the report suggests they could help design standardized icons and “badges” or other similar short, standardized disclosures to depict app privacy practices.  Finally, for advertising networks and other third parties, the report urges efforts to improve coordination and communication with app developers regarding privacy protection and assistance to platforms in developing and implementing an effective do-not-track system for mobile apps.

The recommendations in the FTC staff report, while not legally binding, merit very close attention by all four groups of players mentioned in the report. The report itself emphasizes the FTC’s past enforcement activities in the data privacy and security arena, and the FTC’s suit against Path is confirmation that those activities will be aggressive in the area of mobile apps. Platforms and developers, in particular, that fail to attend to the report’s recommendations will invite unnecessary liability exposure, which can be avoided by taking the report seriously and being proactive in all areas reasonably applicable to their role in the mobile app ecosystem. 

UPDATE (2/12/2013): If you want a more in-depth article on this topic, click here.

- Nancy Perkins and Gabriel White