CPW is your source for the latest developments in consumer data privacy litigation. As many of you already know, the Federal Trade Commission (“FTC”) is an independent U.S. law enforcement agency charged with protecting consumers and enhancing competition across broad sectors of the economy. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act (“FTCA”), which prohibits unfair or deceptive practices in the marketplace. The FTC has used its authority to address a wide array of practices affecting consumers, including those that emerge with the development of new technologies and business models and in the realm of data privacy. For various reasons, the FTC’s regulatory practices matter on the litigation front as well (for instance, some courts have found that a purported violation of Section 5 can form a basis for a negligence per se claim under state law in data privacy litigation).
The FTC and its partners in Cleveland, Ohio, recently held their latest webinar, Green Lights & Red Flags: FTC Rules of the Road for Business, which provided practical information on advertising, data security, and how existing consumer-protection laws apply to today’s global digital marketplace. Topics covered during the October 29, 2020 webinar include truth-in-advertising law, social-media marketing, consumer reviews, email marketing, data-security basics, business-to-business fraud, and practical tips on responding to a cyberattack.
The CPW team attended the webinar. Below is a breakdown of the concepts discussed.
Introduction: Protecting Small Businesses from Scams
The FTC’s event opened with a presentation on the ways in which small businesses can protect themselves from scams, including business-to-business fraud, which has proliferated during the coronavirus pandemic. It was emphasized that education is key, and businesses must learn to identify common scams. Other key points conveyed included that:
- Scammers often use solicitations where they call themselves official-sounding names and cite to credible-sounding entities or regulations to say the business needs an official-sounding document, like a certificate of good standing. These scammers often use urgent language and request low-enough fees (e.g., $65) in the hopes that the targeted businesses will just pay them.
- Similarly, scammers spoof legitimate email addresses to impersonate individuals from the target company or another company with which the target has a relationship. It was mentioned that they may ask for private information, payment, or access to a computer (if impersonating an IT employee), or make any number of seemingly legitimate requests. They may also spoof email addresses from public-health agencies such as the CDC or WHO and send malicious links. It was also emphasized that the risk of falling prey to such scams is increased now that many employees are working from home and do not have the day-to-day contact with each other in the office that they once did.
- Another common scam involves advance fees, loans, or grants. A caller (or even visitor) will offer to help a business by securing a business loan or grant if the business pays a fee upfront. In the midst of the COVID-19 pandemic, these scammers often offer to secure vital resources such as PPP loans, counting on the businesses’ being desperate and having general familiarity with the PPP loan concept.
- It was advised that, to protect themselves from these various fraudulent schemes, businesses should be skeptical, keep an eye out for red flags (e.g., an individual who reaches out with urgency, requesting or demanding an immediate response, or offering to resolve a problem if you quickly provide some payment), and independently verify people’s identities.
Data Security and Responding to a Cyberattack
A panel moderated by the Director of the FTC East Central Region discussed data-security basics and provided practical tips for companies to respond to cyberattacks. The panel noted that cyber threats are increasingly prevalent these days, as cybercriminals have become increasingly organized and sophisticated. Simultaneously, the U.S. workforce has largely transitioned from working in corporate environments with robust IT infrastructure to working on our home networks without such safeguards.
The panel addressed how a business can prevent cyber incidents or mitigate the damage should one occur. These best practices include:
- A company should retain only the information and documents that it actually needs, so that it is not responsible for an unnecessary amount of information should a breach occur.
- Ensure that access to documents and information is limited to those who need it.
- Secure information and documents, whether they are digital or hard copy. This means using physical locks and electronic locks (e.g., credentials, firewalls, encryption), and not having employees work on public Wi-Fi.
- Properly dispose of anything not needed, including shredding sensitive documents.
- Plan ahead by establishing an incident response plan and policy and procedures for handling data and addressing a breach of it.
- Create multiple layers of backups. An effective backup system will have three layers: local (a full backup of servers and workstations), rotating offsite (weekly or monthly rotation of a hard drive containing backups at a secure offsite location), and online (ideally with real-time updates).
- Have a robust, secure IT environment with up-to-date security software, anti-malware software, a secure business-class router, VPN, and a security inventory program to catalog where a business’ sensitive information resides.
The event also included a presentation from an attorney from the FTC Bureau of Consumer Protection to provide an introduction to truth-in-advertising law. Before a business runs an ad campaign, the FTC speaker suggested it should address five questions to ensure legal compliance and boost consumer confidence.
- What consumer-protection laws apply?
- A variety of federal and state consumer-protection laws may apply to any given advertisement, which is defined broadly to encompass communications via TV, radio, print, online, telemarketing, direct mail, social media, and other media.
- The FTC Act, in particular, prohibits “deceptive” or “unfair” advertising in any medium. An ad is “deceptive” if (1) it contains a misrepresentation or omission of information (2) that is likely to mislead consumers acting reasonably under the circumstances, and (3) it would be material (important) to their purchasing decision.
- By contrast, an ad is “unfair” if (1) it causes substantial injury (physical, financial, or other) (2) that the consumers cannot reasonably avoid themselves and (3) whose benefits to consumers or competition do not outweigh the injury caused.
- What claims does the ad convey to consumers?
Ads can convey multiple claims to consumers through words, images, and even omissions of information, so it’s important for a business to consider all claims – express and implied – that any given ad conveys to consumers. An ad can be literally truthful and yet still deceptive to consumers.
- Does a business have proof to support those claims?
During this session, it was also emphasized that when an advertiser makes an objective claim about its product, the advertiser implies that it has proof to support the claim. Before running an advertisement, advertisers should have proof (i.e., competent and reliable evidence) to back up their claims about their products. The standard of proof varies depending on the type of product being marketed – if it deals with health and safety, for example, the advertiser must have competent and reliable scientific evidence, which may include methodologically sound tests, studies, or research that meets the standards of experts in the relevant field.
A narrow exception to this is puffery, i.e., representations that no reasonable consumer would actually take as true (e.g., “the world’s best cup of coffee”).
- Has a business clearly disclosed all material information?
If the disclosure of information is necessary to prevent deception, the disclosure must be clear and conspicuous. Businesses should ask: Is the disclosure big enough for consumers to notice and read? Is it worded in a way that’s easy for consumers to understand? Is it where consumers will see it and at a time that gives a meaningful choice? Is it close to the claim that it explains?
To ensure a disclosure is clear and conspicuous, a business should consider using the same tools used to catch a consumer’s eye generally – e.g., color, size, sound, graphics. Fine print, dense blocks of text, footnotes, fleeting superscripts, and obscure hyperlinks will probably not meet the clear-and-conspicuous standard.
- Do a business’ claims raise any compliance concerns?
Finally, a business should consider whether any of its claims in an advertisement raise any compliance concerns. The examples focused on at this session included advertisements claiming that a product has certain environmental benefits – e.g., something is recyclable, degradable, free of a given material, earth-friendly – was made in the USA, or will ship the day after it’s ordered. So, for example, as discussed by the FTC:
- It is problematic to market baby diapers as biodegradable and compostable, because consumers cannot home-compost human waste so most of the diapers will end up in landfills where they will not break down. (The FTC has published Green Guides as an informational resource for companies that would like to make environmental claims about their products.)
- To claim (without qualification) that a product was made in the USA, the product must be all or virtually all made in the USA.
- If a company advertises “pay today, ship tomorrow,” it must notify consumers if it does not actually end up shipping the day after payment and provide the consumers the option to cancel for a refund or wait the additional time it takes for the product to ship. This is the case anytime there is a shipping delay.
Avoiding a Promotion Commotion
The FTC webinar also included a panel moderated by the Assistant Regional Director of the FTC East Central Region, which discussed email marketing, social-media marketing, consumer reviews, and other timely topics. This included:
- Under the CAN-SPAM Rule, which applies to most commercial email (not only “spam”), marketing emails must not misrepresent the sender’s identity, or use misleading headers or subject lines. Such messages must be identified as ads and include a valid physical postal address and an easy unsubscribe feature (which the company must honor within 10 days of receiving an unsubscribe request).
- The panel reiterated that one major risk area is “free” offers and negative options. FTC guidance is clear: free means free. So, for example, if a product is offered for “free” but requires a payment of “$4.95 shipping,” the shipping cost must be clearly and conspicuously disclosed.
- Another area to watch for is customer reviews. These are important because consumers presumably place more weight on their peers’ word about products than what advertisers say about their own products. Thus, if someone with a connection to a seller leaves a positive review of the seller’s product, but the audience has no reasonable way of expecting that the connection between the reviewer and the seller exists, the connection must be clearly and conspicuously disclosed.
- Such a connection may also exist if the seller provided monetary payment or promised to provide free product to the reviewer. Thus, the same rule of disclosure applies to social-media “influencers” who provide product placement in their posts – such posts must disclose that they are paid advertisements or sponsored content. Further, the same truth-in-advertising principles discussed above apply – a company must not convey claims via social-media influencers unless it has evidence to substantiate the claim.
The event was sponsored by the FTC’s East Central Region, the Office of the Ohio Attorney General, Better Business Bureau Serving Greater Cleveland, and the Cuyahoga County Department of Consumer Affairs.