InfoLawGroup

privacy. security. technology. media. advertising. intellectual property.

HIPAA as a Standard of Care for Common Law Negligence Claims

Posted in Cybersecurity, Data Security, HIPAA

Because the Health Insurance Portability and Accountability Act (“HIPAA”) does not provide a private right of action, plaintiffs’ attorneys have sought a means to link HIPAA violations to other state or federal legal frameworks which do provide direct recourse for private individuals. A recent ruling by the Connecticut Supreme Court may open new avenues of this type. In Byrne v. Avery Center for Obstetrics and Gynecology, PC, the Court reached two key conclusions:

  • HIPAA does not preempt state common law causes of action for negligence and
  • the HIPAA regulations may be used to establish a standard of care for common law negligence causes of action.

The case arose when the plaintiff asked her physician not to share her medical records with a former significant other.  Contrary to the plaintiff’s request, the physician provided her medical records to the former significant other in response to a subpoena without notifying the plaintiff or contesting the subpoena, in violation of the HIPAA Privacy Rule.

It remains to be seen whether the Connecticut courts conclude that the alleged unauthorized disclosures of health information resulted in cognizable harm.  However, the ruling takes a significant step toward creating a method for individuals to hold health care providers, insurers, and other organizations that handle health information liable for uses or disclosures that occur in violation of HIPAA. 


Numerous Warning Letters Serve as a Reminder that the FTC is Always Watching

Shannon Harell Posted in Advertising Law, Enforcement, FTC

The Federal Trade Commission (“FTC”) has been very active in its enforcement efforts in the past couple of months. In addition to other actions which we have blogged about, the FTC recently sent dozens of warning letters to advertisers in two separate efforts. In September, the FTC sent letters admonishing companies for their failure to make adequate disclosures in an effort dubbed “Operation Full Disclosure.” Then, in October, the FTC sent letters to companies for their potentially misleading “oxo degradable” claims in violation of the FTC’s Guides for the Use of Environmental Marketing Claims (or “Green Guides”).

 Operation Full Disclosure Warning Letters

First, in Operation Full Disclosure, the FTC sent warning letters to more than sixty undisclosed companies—including twenty of the largest advertisers in the US—for their failure to make clear and conspicuous disclosures in television and print advertisements. In its press release, the FTC noted that Operation Full Disclosure’s attention to providing truthful disclosures in print and television is in line with the FTC’s recent efforts to address online disclosures via the 2013 release of the revised .com Disclosures.

The ads subject to the warning letters came from a wide cross section of advertisers (including ads from the food, drug, household item, consumer electronics, personal care, and weight loss industries) and involved fine print, easy to miss, and hard to read disclosures that contained material information. Specific issues included:

  • Advertising a product price where the conditions for obtaining that price were not adequately disclosed.
  • Advertising a product capability or inclusion of an accessory where it was not adequately disclosed that consumers must first own or buy an additional product or service to obtain that capability or accessory.
  • Advertising that a product was superior in a product category where the basis of comparison or the class of products at issue was not adequately disclosed.
  • Advertising a “risk-free” trial period where the requirement to pay for initial and/or return shipping was not adequately disclosed.
  • Advertising outlier results via a testimonial where it was not adequately disclosed that the results were not typical.
  • Advertising involving false claims where the advertiser attempted to cure the falsity with contradictory disclosures.

In the warning letters the FTC advised that all disclosures must be clear, conspicuous, and in close proximity to the modified claims. In a blog post about Operation Full Disclosure, the FTC elaborated on what it means to be “clear and conspicuous” by reminding advertisers to focus on “The 4Ps”:

  • Prominence: The disclosure must be big enough, have enough contrast and, for TV, on the screen long enough for the consumer to easily read and understand it. There is no “one size fits all” font, color, or time period. Rather, whether the disclosure is readable and understandable will depend on the circumstances.
  • Presentation: Apart from appearance, the disclosure must be set forth in an understandable manner, e.g., it should not be in legalese, should not be buried in a block of text, etc.
  • Placement: The disclosure should be positioned in a manner that the consumer is likely to actually notice and read it, e.g., it should not be buried in a footnote, off to the extreme side of the page, etc.
  • Proximity: The disclosure must be in close proximity to the claim it is modifying. This demonstrates, once again, the problem with footnotes. The FTC specifically stated that an asterisk does not solve the footnote problem.

The FTC went on to ask advertisers to make this simple query before posting an advertisement:

 If you find yourself struggling with how to craft an effective disclosure, why not take a step back and consider what the need for a disclosure might be telling you. Perhaps it’s pointing to a potential for underlying deception in your ad claim.

Nothing about Operation Full Disclosure should come as news to advertisers, but the effort does serve as a reminder that the “clear and conspicuous” maxim is still an important one and that crafting helpful, honest, and readable disclosures is necessary to prevent an ad from becoming deceptive and drawing the ire of the FTC.

Green Guides Warning Letters

Then in late October, the FTC sent warning letters to fifteen marketers of “oxo degradable” plastic waste bags explaining that their oxo degradable, oxo bio degradable and biodegradable claims may be deceptive.

As background, “oxo degradable” plastic is made with an additive intended to cause it to degrade in the presence of oxygen. However, since waste bags generally are not exposed to enough oxygen when in the landfill environment, it is possible that oxo degradable bags will not completely degrade in the time frame expected by consumers. Making an unqualified oxo/bio/oxo bio degradable claim is not permissible under the Green Guides unless the advertiser can prove that the entire product or package will completely break down within one year. The October letters to advertisers questioned whether the advertisers have reliable scientific evidence to support their oxo/oxo bio/bio degradable claims and, if not, recommended that the claims be discontinued.[1]

Since the Green Guides were revised in 2012, the FTC has made significant enforcement efforts and these letters are a clear indication that the FTC remains focused on ensuring that advertisers make reliable and truthful environmental claims. Further, in its press release the FTC noted that companies “should not assume their claims are fine” if no letter was received. This enforcement effort, therefore, serves as a reminder that special attention must be taken when an environmental or “green” claim is made.

Key Takeaways

These recent warning letters demonstrate that advertisers must not forget that the FTC is always watching regardless of the industry you are in, the claims you are making, or the medium in which you are advertising. Therefore, thinking, “no one will notice if we do [x, y, or z] … just this one time” is never a safe approach.


[1] The advertisers had until October 21, 2014 to respond to the letters. We will continue to watch for developments.

AAA Arbitration Now Requires Annual Payments — Is It Time to Reconsider Your Arbitration Clause?

Posted in Lawsuit

Recently, the American Arbitration Association (AAA) updated its Consumer Arbitration Rules to require pre-registration of consumer arbitration clauses and the payment of an annual fee for the ability to use its arbitration service. Now may be a good time to review your company’s arbitration clause if it currently provides for AAA arbitration of consumer disputes.

Why Review The Arbitration Clause Now?

Under the AAA’s recent change, companies using AAA for the arbitration of consumer disputes must pay to have their clause reviewed and included in the AAA’s registry. If a company wishes to continue using AAA arbitration, it may wish to ensure that it has the best clause for its needs before formally registering it with the AAA. This would also avoid the need to pay a change fee in the future. For companies opposed to paying an annual fee for the privilege of using AAA arbitration, a change in the dispute resolution mechanism may be warranted. If a consumer serves a demand for arbitration of a clause that the AAA had not previously reviewed, a company would need to pay an expedited fee for the review of the arbitration clause, and a risk also exists that the AAA may decline to arbitrate a dispute arising under that clause.

How Much Will These Changes Cost?

If a company wishes to keep AAA as its arbitrator – or to switch to AAA – it should be aware of the following fees:

  • Initial Registration: For arbitration clauses submitted anytime during the 2014 calendar year, a company must pay $650 for review of the clause and maintenance of that clause in the AAA’s registry through the end of 2015. Companies submitting their clause any time during 2015 must pay $500 for review and inclusion of the clause in the registry through the end of 2015.
  • Annual Renewal Fee: The annual renewal fee to maintain the clause in AAA’s registry is $500.
  • Changes to a Registered Arbitration Clause: If a company makes changes to a previously-registered clause, it must be resubmitted for review, and the AAA will assess an additional $500 charge.
  • Expedited Review Fee: If a consumer makes a demand for arbitration under a clause that the AAA had not previously reviewed and included in the clause registry, the company must pay a $250 fee for an expedited review, in addition to any other applicable fees.

What Do These Changes Mean for My Company?

Many companies have chosen to include arbitration clauses in their consumer contracts and online terms after the U.S. Supreme Court ruled strongly in favor of the enforceability of arbitration agreements in 2011 and 2013. Now that an annual fee is required for the ability to use AAA, companies may wish to conduct a cost-benefit analysis of using AAA for arbitration.

Infrequent users of arbitration – such as small companies and those that do not often face disputes with their customers – are those that stand to be hurt the most by the AAA’s changes. These companies must now pay a recurring fee solely for the assurance that the AAA would be willing to arbitrate a dispute under the pre-approved arbitration clause.

Companies opposed to paying an annual fee to AAA may wish to explore other options. JAMS, another large arbitration provider, may be a viable option for some companies, and other smaller arbitration firms also exist. Finally, it may be worthwhile to reconsider whether the company’s objectives can be met through more-traditional dispute resolution terms (e.g., choice of law and forum, and perhaps a class waiver). A full discussion regarding the pros and cons of any dispute resolution mechanism is best had with qualified counsel.

FTC Brings First Actions Under the Restore Online Shoppers’ Confidence Act

Benjamin Stein Posted in E-Commerce, Enforcement, FTC

Last month, the Federal Trade Commission brought a pair of actions under the Restore Online Shoppers’ Confidence Act (“ROSCA”) – the first of their kind.

ROSCA Generally

ROSCA (15 U.S.C. 8401 et seq.) was signed into law just before the end of 2010. In general, the law regulates two types of online transaction: sales using a negative option feature and sales by a third party to a consumer immediately following a transaction between that consumer and an “initial merchant” – defined for these purposes as a “person that has obtained a consumer’s billing information directly from the consumer through an Internet transaction initiated by the consumer.” 15 U.S.C. §8402(d)(1).

Alcohol Ads In the Digisphere – New-ish Guides In Town

Posted in Advertising Law, Apps, E-Commerce, Marketing, Mobile Apps, Privacy, Social Media, Standards
At the end of September, thirteen leading beer, wine and spirits producers published the Digital Guiding Principles (DGPs) as part of their global commitment to reducing harmful drinking. These are self-regulatory guidelines — they are not law, although some of the principles track legal requirements in the U.S. Moreover, these principles do not replace any other guidelines or codes applicable to alcohol advertising (e.g., the Beer Institute Advertising and Marketing Code and the Distilled Spirits Council’s Guidance Note on Responsible Digital Marketing Communications (DISCUS)). Rather, they are meant to establish a worldwide policy on the subject of responsible alcohol advertising online, in social media and in apps. Some of these global principles mirror Beer Institute and DISCUS guidance. The principles are introduced with a statement on scope and expressly apply to both paid and unpaid alcohol beverage marketing communications. The principles address 4 main topics:
  • Minors
  • Responsible Consumption
  • Transparency
  • Privacy

MINORS

In connection with minors, the producers set forth three focus areas:

  • age-screening;
  • placement of marketing communications; and
  • content sharing (e.g., forward-to-a-friend).

The producers want alcohol beverage companies to implement an age-affirmation mechanism to check that a user is over the legal purchasing age whenever alcohol beverage marketing communications actively engage a user to directly interact with a brand.  Specifically, the producers want the age-affirmation mechanism to be based on a combination of DOB and country of residence.  The producers are open to the type of technology used to achieve age-affirmation, but a user who does not meet the set eligibility criteria should not be able to easily back click and re-enter a different DOB.  Presumably, a cookie based technology similar to what many companies employ for COPPA age-screening would suffice.  Many alcohol brands already implement a DOB screen on their web sites and other online features.

If the platform does not have an age-affirmation solution, the company should not engage in interactive marketing if 70% of the platform’s audience composition is not the legal purchasing age in the applicable country.  If the platform’s audience composition does meet the 70% requirement, the marketing communication should include an age disclaimer/statement explaining that the content is intended for users who are of the legal purchasing age and the platform should provide a mechanism to remove or moderate inappropriate user-generated content.  Note, the producers have made a commitment to work with platform providers on technology to achieve compliance with the principles.  For marketing communications that do not seek to have users directly interact with the brand, the communication should only be placed in media that can reasonably be expected to meet an audience composition where at least 70% of the audience is of the legal purchasing age.

For shareable content made available on a platform controlled by an alcohol beverage company, the producers want the company to display a “Forward Advice Notice” explaining that the content should not be forwarded to anyone under the legal purchase age in the country of viewing. The producers indicate that the Forward Advice Notice can be displayed via a prominent link. I note that this last focus area in connection with minors is limited to platforms controlled by the alcohol beverage company. Query if a company page within a larger social media platform is considered to be controlled by the alcohol beverage company.

RESPONSIBLE CONSUMPTION

The Responsible Consumption topic focusses on clearly posting a responsible drinking message within all digital communications and on all platforms. The topic also focusses on moderating user generated content. The producers want individual companies’ marketing codes to include a statement indicating how often they monitor user generated content. The producers also want companies to post a user generated content policy wherever they allow user generated content.

TRANSPARENCY

The producers are also concerned about transparency and do not want companies implying they are a consumer in connection with marketing communications. Presumably, this comes up where brands and consumers are conversing in social media feeds and the like.

PRIVACY

Finally, the principles address user privacy in a fairly broad stroke manner, but they do get specific on three issues: (1) the producers want all direct marketing communications (e.g., email) to be consent/opt-in based; (2) they want brands to provide an easy opt-out mechanism so recipients can opt out of future marketing communications; and (3) companies should feature data privacy statements on the web sites they control and encourage users to read the statements.

Justine Gottshall To Speak at BAA/PMA Annual Marketing Law Conference

Posted in Marketing, Privacy, Privacy Law

Attending the BAA Conference? Please join our partner, Justine Gottshall, as she leads a panel on Privacy by Design – A Cast of Characters: The Lawyer, the Marketer & the Organization. She will be joined by Susan Cooper from Facebook, Susan Goodhue from LinkedIn, and Michael McCullough from Macy’s. The session is on November 6, 2014 in Chicago. We hope you can join us!

California Amends Data Breach Notification Law, Does Not Require Mandatory Offering of Credit Monitoring

Posted in Breach Notification, California, Identity Theft

California Governor Jerry Brown signed into law an amendment to California’s data breach notification law on Monday. Although at least one news outlet has reported that the law requires a company to offer credit monitoring services, this interpretation is misguided. Rather, the law only places restrictions on certain companies if they choose to offer identity theft prevention and mitigation services. In addition, the law also prohibits persons from selling (or advertising or offering to sell) any individual’s social security number, subject to certain exceptions.


Recent International Study Reports Delinquencies in App Privacy Disclosures

Posted in App developers, App Store, Apps, COPPA, Data Security, FTC, Information Security, Mobile Apps, Privacy

In a recently reported study released by the Global Privacy Enforcement Network (“GPEN”), the GPEN found that a testing sample of 1,211 mobile apps accessed during May of this year failed to provide users with adequate privacy protections under current regulatory provisions in the United States and in other countries. The GPEN is a coalition of privacy officials from 19 countries, including the United States Federal Trade Commission (“FTC”).

The GPEN report concluded that 60% of mobile apps accessed raised significant privacy concerns based on the following criteria:

  • The apps failed to disclose how the apps used personally identifying information (“PII”);
  • The apps required users to provide more PII than necessary as a condition to downloading the apps; and
  • The privacy policies associated with the apps were provided in too small of a font to be read on the screens of mobile devices.

Of the apps examined, the GPEN found that 30% failed to provide sufficient information on how PII would be used by the app providers.  In fact, the GPEN report found that many of the apps tested provided no privacy information at all.

Additionally, another 31% of the apps the GPEN examined requested access to PII, including contacts, device ID location, calendar and call logs, in the absence of any indicated reason for why such information would be necessary to use the apps for their advertised purposes.  The GPEN report also showed that 43% of the apps failed to make the apps’ privacy policies readable on mobile devices’ smaller screens as compared to on computers.

The most common type of PII requested by the apps examined by the GPEN was users’ geographical locations. Specifically, the report indicated that 32% of the reviewed apps requested geolocation information as a prerequisite to downloading the mobile apps.

The names or providers of the apps the GPEN examined were not identified in its report.  Also, the GPEN report did not indicate how it selected the apps that it studied.

The GPEN’s report is significant because it demonstrates the common and growing disparity between legal requirements for privacy disclosures in the United States and elsewhere and how privacy policies for mobile apps should be disclosed. Moreover, the findings in the GPEN’s report likely foreshadow further regulatory enforcement here in the United States by the FTC, as well as action by regulatory bodies outside of the United States.

 

ALERT: Google’s Plan to Open Its Services to Children Could Spur Changes to COPPA Enforcement

Posted in Behavioral Advertising, Children's Privacy, Data Privacy Law or Regulation, InfoLawGroup, Marketing, PII, Privacy Law

Recent reports indicate that Google is developing a program that would allow children under the age of 13 to obtain accounts on Google services such as Gmail and YouTube.  The Wall Street Journal  recently reported that “Google is trying to establish a new system that lets parents set up accounts for their kids, control how they use Google services and what information is collected about their offspring… Google wants to make the process easier and compliant with the rules.”  These accounts would allow children under the age of 13 to create their own Gmail accounts and access child-friendly YouTube channels.

Google currently employs an age-neutral verification mechanism, where account creators are simply asked to identify the day, month, and year of their birth (as opposed to, for example, directly asking “are you 13 or older?”). The idea here is to not “tip off” account creators that age may be a limitation to one’s ability to open a Google account. Google also uses cookies during the account creation process to guard against people simply reverting their browsers to enter a different birthday to gain access and, ultimately, create an account.

Ninth Circuit Finds Browsewrap Arbitration Clause Unenforceable Despite Conspicuous Link

Posted in E-Commerce, Lawsuit

A recent Ninth Circuit decision highlights the importance of obtaining affirmative user assent to online Terms of Use. In Nguyen v. Barnes & Noble Inc., 2014 WL 4056549 (Aug. 18, 2014), the Ninth Circuit concluded that a conspicuous link to the site’s Terms of Use posted throughout the site and in close proximity to a checkout button was insufficient to find an arbitration agreement enforceable in the absence of a user’s express agreement to the online Terms.

In Nguyen, an online retailer advertised a liquidation sale for certain discontinued products. The plaintiff purchased two products and received an email confirmation. The following day, the retailer canceled the order via email due to unexpectedly high demand. The plaintiff filed a putative class action, alleging that the retailer engaged in deceptive business practices and false advertising. The retailer moved to compel arbitration, pursuant to its website’s Terms of Use.  The plaintiff opposed, arguing that he never clicked on the “Terms of Use” hyperlink nor actually read the Terms of Use, and that he therefore could not be bound by the Terms. The trial court agreed with the Plaintiff and denied the retailer’s motion to compel arbitration.

The Ninth Circuit affirmed the district court’s decision and concluded that the plaintiff was not bound by the arbitration clause in the online Terms. Although the circuit court reached its decision under New York law, it noted that “both California and New York law dictate the same outcome.”
