FTC Revises Endorsement Guide FAQs

This week, the FTC released an update to its FAQs on complying with its Guides Concerning the Use of Endorsements and Testimonials in Advertising  (“Endorsement Guides”). The FAQs offer informal guidance from the FTC and were last updated in May 2015. (For highlights from the last round of changes, please see our previous post.) The newest changes are less expansive than the 2015 update and are, in part, an unremarkable given the FTC’s established guidance on this topic. However, the update does include some helpful clarifications and reminders for endorsers and advertisers, including:

Built-In Disclosures are Not (Necessarily) Enough. One particularly notable addition to the FAQ is on disclosure functionality built into certain platforms. The new FAQ applies to all social-media platforms; it indicates generally that built-in disclosures are not necessarily enough and, like any disclosure, require evaluation of how clear, conspicuous, and complete the disclosure is.

However, in its explanation, the FTC specifically (though anonymously) references disclosure functionality made available by YouTube and Instagram and suggests that those features are likely not alone sufficient to fulfill an endorsor’s disclosure obligations. Per the FTC:

A key consideration [in determining whether a disclosure is effective] is how users view the screen when using a particular platform. For example, on a photo platform, users paging through their streams will likely look at the eye-catching images. Therefore, a disclosure placed above a photo may not attract their attention. Similarly, a disclosure in the lower corner of a video could be too easy for users to overlook. Continue Reading

Join ILG for a “Cocktails and Learn” event in Chicago on September 27


Join InfoLawGroup LLP for an evening discussion

on September 27, 2017 from 5:30-7:30 PM

“Speed of Feed/Speed of People: Business and Legal Issues Surrounding

How Users Consume Content and Ads in Social Media”

Hear from InfoLawGroup attorneys and

Tyler Hattery, Creative Strategist at Facebook

Beverages and light-fare food will be served.

Hyatt Place Chicago/Downtown-The Loop in the Madison/Franklin room

28 N. Franklin Avenue, Chicago, IL, 60606, USA

Please RSVP to rsvp@infolawgroup.com by September 20, 2017



Mindy Abern Joins InfoLawGroup LLP as Counsel

InfoLawGroup is pleased to welcome Mindy Abern as Counsel to our growing team.  Mindy is a digital media lawyer with significant experience working with clients both as outside counsel and in-house at Sears Holdings Corporation, where she served as marketing counsel.  Mindy works with clients on all aspects of marketing and advertising campaigns, including regulatory compliance and the intersection with privacy issues.   Please join us in welcoming Mindy to the team!

Do You Really Need to Store That IoT Data?

Not only are companies collecting a massive amount of data generated by the Internet of Things (IoT), they are storing it too. According to a survey of 1,000 enterprises conducted by 451 Research, 71 percent of enterprises are gathering IoT data and nearly half of the data generated are being stored. What the survey doesn’t reveal is if companies are considering the legal implications of storing IoT data and preparing to deal with demands for that data from outside entities.

Some contend that the IoT is on the brink of changing life as we know it. According to Gartner, 20.8 billion objects will be connected to the internet by 2020. On their own, droves of these data-generating things will churn out an inconceivable amount of intriguing data about our patterns of behaviors. And, when they begin talking to each other, the IoT will be as prevalent as oxygen.

With the IoT’s capability to fade into the background of our lives and quietly play witness to our worlds, the data it generates will pique the interest of a parade of public and private third parties that we can only begin to imagine, but that’s exactly what general counsel need to do. Sit down with business executives who are spearheading IoT projects and talk about the near-future risks associated with storing IoT data, prepare to respond with requests for IoT data and think about the impact to consumers.

When product development and marketing executives are working on an IoT initiative, top of mind are returns on investment, storage options and product development lifecycles. The last thing they are thinking about are criminal investigations, subpoenas and expectations of privacy rights. But, in-house counsel need to engage business executives about the nature of the data—whether it needs to be stored and for how long—before the data is collected, not after when it’s much more difficult to walk back.

Without legal counsel, business executives are more likely to store IoT they might not necessarily need, laboring under the notion that they may decide to use it down the road. Business executives need to understand not just the costs but the risks associated with storing IoT data as well as consider risk mitigation options such as building in automatic data deletion when data is no longer needed.

With its ability to tell stories about who we are, what we are doing and why, IoT data will reveal information that public and private parties are willing to fight for in court and pay big money to gain access to. Most of us have heard about police requesting access to Amazon’s personal digital assistant to help solve a murder case. In a different case, police are attempting to use Fitbit data to prove a husband was involved in his wife’s death.

When data requests arise, will you institute a do-no-evil policy such as Alphabet Inc.’s Google, which vows to only turn over data if a proper search warrant is issued? Will you fight any court requests tooth and nail and make a public show of it to strengthen your privacy-protecting brand? Or, will you cooperate with any police requests? Or will you cooperate only with a court order? And how will you disclose all of this to consumers?

Similar to a breach response plan, in-house counsel should be prepared to react to any third-party request for data—be it law enforcement, government regulator or third-party litigant—in accordance with a corporate position and plan. And the plan should take into account the potential legal and public relations issues, given that these types of unanticipated issues can provoke an emotional response from the public.

The IoT is booming, devices are proliferating and IoT-generated data is already beginning to attract the attention of police. And, it’s only a matter of time before more parties come knocking on your digital door with data requests. In-house counsel need to be involved with IoT initiatives from the start, regardless of the form they take. Early intervention will minimize the risk of unnecessary collection and storage of IoT data, as well as give GCs the opportunity to promulgate policies for how the company will deal with IoT data demands.


Reprinted with permission from the August 7, 2017, edition of Corporate Counsel. ©2017 ALM Media Properties, LLC.

All rights reserved. Further duplication without permission is prohibited.


A Reasonable Security Blanket

Fear the data breach.  Companies large and small worry that a security lapse compromising personal information may hurt their customers or employees and expose the organization to costly liability and a damaged reputation.  But recent developments suggest that comfort may still be found in keeping privacy promises and keeping up with “reasonable security” best practices.

This week’s $11.2 million settlement of the Ashley Madison class action is a reminder that companies handling potentially sensitive personal information can pay a heavy price for lax security.  Of course, in that case there were allegations of “deceptive” as well as “unfair” practices under FTC Act section 5(a), since the company, for example, charged a fee for deleting data from closed accounts and then failed to do so.  See the Bloomberg Law article (in which I’m quoted).  But this follows last month’s $115 million proposed settlement of consolidated class actions against Anthem, Inc. after the first of a wave of cyberattacks against large health insurance companies in 2015 and 2016.  In such cases, liability generally comes down to a simple question of keeping up with reasonable security measures, not a failure to keep specific privacy promises.  These cases demonstrate that this effort is a real challenge even for large organizations with substantial in-house IT resources.

The Federal Trade Commission has handled more than 60 complaints and consent orders concerning data breaches exposing sensitive personal data.  Its “Start with Security” guide offers ten practical principles for businesses handling personal information.  Today, the FTC announced that it will publish a weekly blog post on Fridays over the next few months called “Stick with Security” to offer insights drawn from the FTC’s experience with data breach investigations.  The first post explains how the FTC chooses to take enforcement action in the case of some publicized breach incidents and not others.

Good summer reading for a few minutes on Fridays.  Beach blanket optional.

Are You Keeping Up with COPPA? The FTC Just Updated Its Compliance Plan for Businesses

On June 21, 2017, the FTC released its updated its 6 step COPPA Compliance Plan for Businesses (“Compliance Plan”).   The changes to the Compliance Plan are intended to help businesses keep up with changes to technology and evolving business models in connection with the Children’s Online Privacy Protection Act (“COPPA”). The FTC states in its blog post  announcing the updated Compliance Plan that the changes fall into 3 categories:

New business models/technologies: COPPA applies to websites and other “online services.” The FTC is making clear, if there was any doubt, that voice activated devices that collect information are “online services” subject to COPPA.

New products: The FTC has specifically highlighted connected toys and other IoT devices as being subject to COPPA.

New Methods for Obtaining Parental Consent: The FTC has added two recently approved methods for obtaining parental consent to its list: (1) having parents answer a series of knowledge-based questions that only a parent should be able to answer; and (2) using facial recognition technology and photographs submitted by the parent.

Key Takeaways: The FTC has not updated its rules but has clarified its position. Companies should be continuously aware of how the use of new technologies and the launch of new products could implicate COPPA — and in an IoT world many products that previously would not have been an “online service” now likely are.

Partner Heather Nolan To Be Interviewed This Wednesday, June 21, 2017 on Privacy Issues In Marketing and Broadcasting

On Wednesday, June 21, 2017, InfoLawGroup partner, Heather Nolan, will be interviewed on the Privacy Piracy radio program out of the University of California by its host Mari Frank.  Heather will be discussing privacy issues in marketing and broadcasting.  The show is scheduled to take place at 3:30pm Central Time, and will be available for listening on the show’s website after the live stream.


InfoLawGroup Thanks Clients, Attorneys and Staff for 2017 Chambers Recognition

Chambers and Partners has again recognized InfoLawGroup in its new 2017 guide.  Along with being ranked for  Media & Entertainment: Transactional in the USA guide, two of our attorneys, Justine Gottshall (privacy) and Jamie Rubin (media & entertainment) were again recognized as leaders in their field.

We are delighted to receive public acknowledgment from Chambers and to be recognized along with other great firms.  We are grateful to our clients for recommending us, and thank all of our attorneys and staff whose hard work continues to make InfoLawGroup a success.

Does #Partner Mean “I Was Paid To Post This Message”?

The FTC says no!  Specifically, the FTC said: “terms like “Thank you,” “#partner,” and “#sp” aren’t likely to explain to people the nature of the relationship between an influencer and the brand.”  Before now, I might have approved the use of #partner in the right context.  But last week, the FTC sent letters to over 90 influencers (athletes, celebrities, etc.) reminding them of their obligation to disclose if they are being paid to post or otherwise have a relationship with a company/brand mentioned in their post. Letters were also sent to marketers to remind them of their obligations in this arena. The letters warn of the wrong way to make these disclosures (e.g., don’t make the disclosure after a “more” button in a post, don’t make the disclosure within a string of unrelated hashtags, don’t make the disclosure vague – no #sp or “thank you”).  Below are links to samples of the letters the FTC sent to influencers and marketers regarding improper/proper material connection disclosures.  And check out our other posts that explain related compliance obligations when engaging influencers: HERE and HERE.

Influencer Sample Letter From FTC

Marketer Sample Letter From FTC