04.26.2018
|
Updates
The American Bar Association’s 66th Antitrust Law Spring Meeting held earlier this month included many sessions on consumer protection. In this third of a three-part series detailing the meeting’s discussions, we offer some key takeaways from those sessions, including the year in review, the GDPR’s effects on U.S. businesses, debates over net neutrality, and COPPA’s impact on voice-enabled devices.
Last Year Today: Consumer Protection 2017
Claim substantiation and advertising impacting public health dominated the 2017 consumer protection landscape according to Lesley Fair (Federal Trade Commission, Bureau of Consumer Protection), Paul L. Singer (Office of the Texas Attorney General, Consumer Protection Division), Anahid M. Ugurlayan (Better Business Bureau, National Advertising Division), and Robert M. Langer (Wiggin and Dana LLP).
The panel emphasized that the scope of the FTC Act is broad, that claims about products treating serious diseases must be supported by clinical testing, and that companies promoting their products as Made in the USA must meet the “all or virtually all” standard, meaning that all significant parts and processing that go into the product must be of U.S. origin. Fair highlighted a variety of FTC matters, including its settlements with companies that allegedly misrepresented the benefits of supplements to cancer patients and that used phony testimonials to support weight loss claims. The FTC also secured a settlement with Bollman Hat Company—and its subsidiary SaveAnAmericanJob, LLC—for marketing hats with claims such as “American Made Matters” and “Made in USA since 1868” even though more than 70 percent of their hat styles were imported as finished products.
Ugurlayan noted that, although rare, reconsideration of decisions from the National Advertising Division (NAD) may occur, marketers should not bury material information in a hyperlink, and companies must avoid claims about an entire product line when the comparison is limited to a particular product. Urgurlayan highlighted NAD’s decision to reconsider and amend a 1994 decision in favor of GlaxoSmithKline plc because a shift in underlying science related to the company’s laxative products contradicted the earlier decision. NAD likewise recommended that Reynolds Consumer Products LLC modify or discontinue claims that the company’s Hefty storage bags cost less than Ziploc bags because the claim did not expressly identify the compared Ziploc product.
Singer highlighted the strong relationship between state attorneys general and the FTC and emphasized that state agencies are actively enforcing consumer protection standards. He likewise commented that county and city governments may have authority and desire to pursue actions on behalf of consumers. For example, the city of Santa Monica settled with BeachBody, LLC, the company behind the P90X exercise routine, for $3.6 million after accusations that the company improperly charged consumers automatically for subscription renewals after a free trial.
Finally, Langer addressed state divergence in enforcement of the “unfairness” prong via “Little FTC Acts.” Following the FTC’s lead, some states adopted the FTC’s current approach to assessing unfairness—requiring substantial injury to consumers that is not reasonably avoidable and is balanced against the countervailing benefits to both consumers and competition. Yet many states, if not a majority, continue to use some version of the “Cigarette Rule,” which assesses unfairness using amorphous concepts such as “immorality” and the “penumbras” of rules and regulations, even though the FTC rejected the standard more than 30 years ago.
EU GDPR: Ripples Across the Atlantic?
The General Data Protection Regulation (GDPR) “will change not only the European data protection laws but nothing less than the whole world as we know it,” said Jan Philipp Albrecht, one of the GDPR’s authors. This quotation framed the discussion by Janis C. Kestenbaum (Perkins Coie LLP), Geff Brown (Microsoft Corporation), Hugh G. Stevenson (Federal Trade Commission, Office of International Affairs), and Kurt Wimmer (Covington & Burling LLP) during a panel examining the GDPR’s impact in the United States and around the world.
When the GDPR goes into effect on May 25, 2018, U.S. companies that target their goods and services to EU residents or track the behavior of EU residents will be subject to its new requirements, regardless of whether they have a physical presence in the European Union. Most companies with a global presence have already started creating data governance systems to comply with the GDPR. The panel indicated that companies need not abide by the GDPR’s requirements if they offer an app or website in the United States that only incidentally provides service to EU users. However, many U.S. companies will be subject to GDPR requirements through the Article 28 flow down requirements for processors. Thus, if a small U.S. company serves U.S. customers with a global presence, even that small company will likely need to comply with the GDPR.
The panel emphasized that because large companies like to provide a consistent experience for their customers, U.S. residents may soon see new privacy notices, new tools to access and control data, and—where consent is required for processing—new opt-in consent requests as part of a global rollout of GDPR compliance tools. For smaller companies, U.S. users probably will not see a difference. But with the public’s increased focus on privacy protection, some companies operating exclusively in the United States may build GDPR-compliant privacy and data security programs simply to secure a competitive advantage.
Despite the potentially global effects of the GDPR, the panel mused that this was likely not a watershed moment, even with the recent increased media attention on privacy. The panel noted, however, that U.S. courts have been increasingly using language similar to that used in the GDPR. In response to EU privacy law, the world will have to strike a balance between the right to be forgotten and the rights to access information and of expression in other systems.
Whose Internet Is It Anyway?
In a vibrant exchange of ideas, panelists traded barbed ideas jousting about the pros and cons of net neutrality. Framing the issue for panelists Gregory P. Luib (Dechert LLP), Gigi B. Sohn (Georgetown Law’s Institute for Technology Law & Policy), and Robert M. McDowell (Cooley LLP), moderator David Turetsky (University at Albany, SUNY) set the stage by tracing the history of the FCC’s classification of broadband services from 2002 to present.
Citing regulatory and legal milestones, Turetsky laid out how broadband has faced heightened levels of regulation since the dawn of the millennium. That changed in 2018 with the Restoring Internet Freedom Order, also known as the Net Neutrality Repealer (Order), which reversed the 2015 Order Promoting and Protecting the Open Internet and reclassified broadband services from Title 2 (common carrier standards) to Title 1, subjecting them to less FCC oversight. Internet service providers (ISPs) are no longer prohibited from blocking, degrading speeds, or having paid prioritization of internet content. To ensure a “level playing field,” the Order preempts most state regulation—placing out of reach enforcement tools that might be used by state attorneys general or private litigants.
Luib, a former FTC advisor, defended the repeal and attempted to allay fears that the competitive sky would fall as a result of the Order, suggesting that opponents will continue to wage the battle, but change is unlikely during the current presidential administration.
Luib was met with a fiery response from Sohn, who advised former FCC Chair Tom Wheeler. In 2015, Wheeler adopted regulatory changes in response to court interventions that narrowed regulatory oversight. Citing polling that 70–75 percent of Americans agree that net neutrality should remain, Sohn posited that net neutrality is a salient political issue. Beyond politics, Sohn expressed disappointment, contending that the FCC abdicated its regulatory responsibility in adopting the Order. She also decried the notion that the FTC could fill the oversight void because it lacks the expertise and authority to adequately protect consumers.
McDowell, a former FCC commissioner, rounded out the panel and parodied progressive positions on net neutrality, suggesting a false depiction of a “dystopian” world where innovation did not exist before the FCC adopted net neutrality during the Obama administration. McDowell, a self-proclaimed optimist, argued in favor of market forces and existing competition laws as the best tools to modulate the conduct of ISPs.
When the floor was opened to questions, former FTC Chair Jonathan Leibowitz “corrected the record” on the scope of the FTC’s powers as well as its track record for enforcement. When asked whether there was a legislative option, the panelists unanimously responded affirmatively. There was general consensus favoring the codification of principles adopted during Michael Powell’s tenure as FCC chair as well as standards for net neutrality first adopted in 2010 that ensured transparency while preventing blocking and unreasonable discrimination in the flow of lawful internet traffic.
The panelists questioned wistfully whether the decade-long debate will ever end. Because the final question seems to depend on congressional action, the panelists were prepared for this debate to continue for years to come.
Kids Connected: IoT and Children’s Privacy
The intersection of voice recognition services, the Children’s Online Privacy Protection Act (COPPA), and the GDPR was debated during a panel addressing the Internet of Things (IoT) and children’s privacy. Phyllis H. Marcus (Hunton Andrews Kurth LLP) moderated panelists Maneesha Mithal (Federal Trade Commission, Division of Privacy and Identity Protection), Dona J. Fraser (Better Business Bureau, Children’s Advertising Review Unit), and Brian Huseman (Amazon, Public Policy).
The panel addressed some of the findings from a 2017 research study conducted by Hart Research Associates, and supported by Amazon, that explored how IoT—specifically, connected toys and other devices—impact families and their children. The study concluded that, among other things, most parents who have connected devices in their homes believe either that the benefits outweigh the harms (43 percent) or that they are about equal (46 percent), that nearly all such parents (94 percent) are comfortable with their child using the device, and that most parents (66 percent) feel highly confident in their ability to manage their child’s technology use.
Although the FTC recognizes the value of using voice as a replacement for written words in performing search and other functions online, a website or online service directed toward children that collects personal information (or an online service with knowledge of the data collection) must comply with COPPA. Compliance includes providing notice of the privacy policy and obtaining verifiable consent from the child’s parent. To help in that endeavor, COPPA enables industry groups to submit to the FTC self-regulatory guidelines and apply for “safe harbor” treatment, and the FTC has approved seven such organizations.
Fraser observed that it is less expensive for companies to build compliance on the front end than to retrofit a service. She emphasized that the safe harbor should strike a balance—mitigating risk of noncompliance while allowing a robust user experience. She also noted, without objection from Mithal, that if the FTC has questions about COPPA compliance, it will generally first attempt to work with the safe harbor service, informally, to cure any perceived deficiencies in the service’s policy or procedure.
Referring to products directed at adults but involving children (e.g., baby monitors), the panel discussed whether, as a practical matter, manufacturers may mitigate the risk of noncompliance by designing the device to delete any personal information after its use or by maintaining all personal information locally on the device.
Finally, the panel addressed some of the ways in which the GDPR differs from COPPA. Generally, the GDPR defines children as individuals under the age of 16, whereas COPPA uses the age of 13. EU member states can lower the age to 13, but this may lead to logistical challenges for compliance, including whether to design the installation questionnaire to include a question to determine the location of the user first and then a question to determine the user’s age before enabling differing levels of engagement for the service if necessary. There will also be questions about what rules apply to U.S. services provided to children in Europe, and vice versa. Generally, with respect to GDPR and the protection of children’s privacy, the panel advised: Stay tuned.
Read the entire ABA Antitrust Law Spring Meeting recap series:
A version of this article was originally published as “Expert Analysis, Highlights Of ABA Antitrust Spring Meeting: Part 3” by Law360 on April 18, 2018.
© 2018 Perkins Coie LLP
