The American Bar Association’s 65th Antitrust Law Spring Meeting held at the end of March included a number of sessions focused on consumer protection. In this final installment in our three-part series, in which we previously covered meeting takeaways on enforcement and mergers and acquisitions, we offer some key takeaways on the year in review, consumer protection implications of the new world of “big data,” food law and global convergence (or not) of privacy and data security standards.
Consumer Protection Year in Review 2016
New technology and emerging markets dominated the 2016 consumer protection landscape, according to Lesley Fair, senior attorney at the Federal Trade Commission’s Bureau of Consumer Protection; Kathleen McGee, chief of the New York Attorney General’s Bureau of Internet and Technology; Laura Brett, assistant director in the National Advertising Division of the Advertising Self-Regulatory Council; Kevin O’Connor of Godfrey & Kahn SC; and Terri J. Seligman of Frankfurt Kurnit Klein & Selz PC.
The FTC highlighted its success in advertising substantiation, privacy and data security, and financial deception, settling with companies for allegedly misrepresenting the accuracy of smartphone accessories that measure blood alcohol content, deceiving consumers into believing that an app could measure blood pressure as accurately as a cuff test and falsely claiming that indoor tanning systems could reduce consumers’ risk of cancer.
The FTC also secured settlements over allegations of deceptively tracking the locations of consumers—including children—without their knowledge and even after consumers expressly denied permission to access location information. And the U.S. District Court for the District of Nevada imposed a record $1.3 billion judgment against racecar driver Scott A. Tucker and AMG Services for a false and misleading payday-lending scheme.
The New York AG tackled violations of internet privacy and data security, fraudulent advertising for online fantasy sports and algorithm “bots” that bypass online security measures to purchase thousands of concert tickets, thereby preventing typical consumers from purchasing tickets at face value. Company disclosures of potential data breaches increased nearly threefold from 2015, with approximately 1,200 notifications to the state. Although unauthorized hacking was the primary cause for notifications, company negligence was a close second. McGee emphasized the need for businesses to adopt reasonable security measures, to understand which third-party organizations have access to their users’ information and to avoid requesting from customers more information than is necessary for a particular transaction.
The Advertising Self-Regulatory Council addressed both new-technology advertising and advertising about new technology. Brett emphasized the need for full disclosure in “native advertising,” that is, material in a publication (often online) that resembles the publication’s editorial content but is financed by an advertiser and promotes the advertiser’s product. While a majority of digital publishers now label native content (an increase of 119% since 2015), nearly one-third of all publishers use disclosures that are inconsistent with FTC guidance. Although consumers may post online statements about the value or effects of a product or service, if a company provides hyperlinks to those consumer statements, the company may face liability for adopting those statements and assumes the burden of substantiating the claims.
Finally, O’Connor discussed efforts to address consumer protection issues in “disruptive technologies”—those that displace or transform a business model or industry. Highlighting litigation against Uber, Lyft, Airbnb and similar “sharing economy” platforms, O’Connor indicated that private litigation will likely help shape consumer protection practices because existing government regulation and enforcement are not well equipped to address the issues presented by these new platforms and their practices. The challenge, according to O’Connor, is finding the proper balance between protecting consumers from potential or actual harm and avoiding regulatory disruption of new technologies that promote and create consumer welfare.
Competition and Consumer Law Issues With Customer Profiling
David L. Meyer of Morrison & Foerster LLP, Thomas B. Pahl of the FTC Consumer Protection Bureau, Lydia Parnes of Wilson Sonsini Goodrich & Rosati PC, Maurice E. Stucke of the University of Tennessee, and Hill B. Wellford of Morgan Lewis & Bockius LLP discussed the competition and consumer protection law implications of “big data”—that is, using extremely large data sets of consumer patterns, interactions and behaviors for commercial purposes.
The panelists emphasized the importance of counseling clients on several key federal laws potentially triggered by use of big data, including the Equal Credit Opportunity Act (ECOA), which outlaws “redlining” in lending situations under a disparate treatment or impact theory; FTC Act Section 5(a), which prohibits unfair or deceptive acts or practices; and the Dodd-Frank Act’s prohibition on unfair, deceptive or abusive acts or practices, which is enforced by the Consumer Financial Protection Bureau. These laws affect how firms acquire, store, transfer and use consumers’ data, and require them to take reasonable steps to protect such data. The panelists discussed a number of different scenarios that could trigger liability. Denying a loan based on big data analysis indicating that members of a protected class are less likely to repay loans would violate the ECOA. In developing algorithms, businesses need to ensure they do not take such data into account (“privacy by design”), or risk liability. Certain uses of big data might even result in the inadvertent qualification of a business as a “consumer reporting agency” under the Fair Credit Reporting Act, which triggers several obligations.
The panelists also discussed the implications of big data enabling “first degree” behavioral discrimination, e.g., perfect price discrimination based on the consumer’s online history. In this world—where each consumer may be offered and pay a different price—there is no such thing as the market-clearing or competitive price. While most economists agree that traditional price discrimination is neutral from a welfare standpoint, the effects of behavioral discrimination are “murkier” and potentially harmful in this new world order. The panelists were mixed on whether behavioral discrimination enabled by big data is a new phenomenon or just a supercharged version of, for example, the car dealer sizing up the customer on the lot.
Finally, the panelists discussed the implications of big data for our understanding of collusion, markets and non-price competition. If multiple competitors use the same algorithm to determine price, the result could be “tacit collusion on steroids.” The big data world makes two-sided market analysis more relevant and raises questions about how to apply a SSNIP test to the non-paying side of a two-sided market. The FTC is already looking into a SSNIQ (for quality) test for these situations, where the quality change is measured in terms of the quantum of privacy given up. The panelists did not entirely agree on whether this is a new world order or more of the same. But they made clear that big data is here to stay and has important implications for consumer protection compliance.
Playing to Beliefs: Taking Advantage of Popular Wisdom
With consumers increasingly tapping into trends and fads to improve their health and fitness, food marketers may be tempted to push the envelope in capitalizing on those interests. Michael Jacobson, executive director of the Center for Science in the Public Interest; Maria Salgado of Cornerstone Research; Jacob Gersen, director of the Harvard Food Law Lab; John Graubert of Covington & Burling LLP; and August Hovarth of Kelley Drye & Warren LLP provided insight into the intersection of publicly available information, consumer perceptions based on that information and food law.
Consumers today expect a high level of return on the food they buy—from nutritional benefits and taste to treatment of medical conditions and epidemic obesity. Although there has been a proliferation of information online and in traditional media about nutritional benefits and risks, that information is not always accurate or reliable. Referencing popular books and websites like Eat This, Not That and foodbabe.com, Hovarth cautioned against a growing trend of “folk wisdom” and “folk nutrition” promoted by authors and commentators with either no or limited education, background or experience in food science.
Jacobson likewise lamented a growing trend of food marketers misleading consumers about the benefits of particular products. He expressed frustration over the missed opportunity to provide labeling information that could be helpful to consumers but is instead directed at features that are unhelpful or have limited value. Salgado supplemented that discussion by addressing how consumer beliefs about science affect the impact of that marketing. Her research indicates that consumer reaction to marketing messages is weaker when the food science is already established and known by consumers. On the other hand, when the consumer is unsure about the science of a particular ingredient or product feature, marketing messages about information promoted as science have a stronger impact on consumer behavior.
Gersen discussed his work evaluating the direct and indirect inferences drawn by consumers from food labeling. For example, do consumers generally infer that a product labeled “natural” is also “GMO free”? His research indicates that consumers do not draw as many inferences from food price as they draw from health ratings.
Bringing the law back into the discussion, Graubert emphasized the importance of identifying whether a food seller has in fact made a claim about its product and then determining whether there is sufficient substantiation to support that claim. He cautioned that enforcers may be seeking to hold companies liable for claims they are not making but that consumers simply believe. In other words, companies are facing potential action for implications based on information provided by third-party sources, not the companies themselves. In areas where the science is not yet established, he urged enforcers to consider balancing the benefits of the claim if true against the harm of the claim if false. This benefit analysis assures consumers of accurate information without exposing companies to undue risk of overreaching enforcement activity.
Data Protection: Global Convergence or Roads Diverged?
Julie Brill of Hogan Lovells LLP; Elizabeth Denham, the U.K. information commissioner; Peter Swire of the Georgia Institute of Technology; and Phyllis M. Marcus of Hunton & Williams LLP discussed the convergence of international privacy and data security standards, and whether convergence matters.
Commissioner Denham sees convergence as a process that, over time, has resulted in significant harmonization across countries in terms of what it means for a public body or private entity to process data responsibly and what rights an individual should have over his or her data. In Commissioner Denham’s view, there is far too much unhelpful rhetoric about European fundamental rights to data protection versus United States values surrounding the free flow of information and open access.
On the other hand, Swire emphasized how differences in political dynamics in the United States and Europe are giving way to increasingly divergent data protection policies. Started as a common market of independent states, Europe has always needed to ensure the free flow of information across states and thus has strong incentives for unified rules. In the United States, by contrast, regulation is seen as an imposition on commerce, and there is significant resistance to command-and-control privacy rules—as exemplified by the Senate’s vote in March 2017 to repeal recently promulgated FCC privacy rules for internet service providers.
With the EU Parliament’s approval last year of the General Data Protection Regulation (GDPR), top of mind is whether and when the United States might pass a comprehensive data protection law. The panelists agreed on the answer: not likely any time soon. Perhaps that is inconsequential. As Brill pointed out, data protection laws in the United States are robust, notwithstanding the existing part-federal, part-state jigsaw of specialized laws focused on specific industry sectors and consumer categories. Over 100 countries have data protection laws on the books. Increasingly, global businesses will likely adapt their own data protection policies and practices to comply with the most stringent requirements abroad, whether or not the United States joins the party by adopting comprehensive baseline legislation.
Given the low likelihood of comprehensive data protection reform in the United States any time soon, the panel seemed in agreement that the best approach going forward is to continue to fill the gaps with the fingers of consolidated enforcement. Former Commissioner Brill expressed her fear that some businesses and policy makers might be content with the existing fissures, and in her opinion, “relying on the states is not the right answer.”
A version of this article was originally published by Law360 on April 5, 2017.
© 2017 Perkins Coie LLP