FTC Beat
Archive for the ‘Uncategorized’ Category
Jan 31
2014

Overstock Case Could Alter the Landscape of Price Comparison Advertising

A California court ruled earlier this month that Overstock must pay a roughly $6.8 million penalty to settle claims that the retailer “routinely and systematically” made false and misleading claims about the prices of its products on its website. If upheld, this ruling could have significant effects on how companies use price comparisons in advertisements in the future.

A group of California District Attorneys sued Overstock in 2010 for $15 million, alleging that Overstock was deceptive in the way it determined and displayed price comparisons on its website. Overstock used a comparative advertising method based on price, commonly referred to as “advertised reference prices” or “ARPs,” that showed the price of a certain product on Overstock compared to the price of the same product from a different retailer. The lawsuit alleged that the ARPs that Overstock used were false or misleading because Overstock employees chose the highest price that they could find as an ARP or constructed ARPs using arbitrary formulas. The lawsuit alleged that as a result of Overstock’s method of constructing its ARPs, its savings comparisons were inflated.

A California state judge’s tentative ruling earlier this month levied civil penalties against Overstock of just over $6.8 million. The court dismissed some of the claims in the lawsuit, but found that Overstock’s pricing comparison violated the state’s laws on unfair competition and false advertising.

The court also issued an injunction that prohibits Overstock from comparison price advertising unless it is done in conformity with a lengthy set of court mandated practices outlined in the opinion. Among those requirements, the court ordered that Overstock explain its pricing more clearly on its website, including a disclosure of how it computes the price comparisons. The ruling also prohibits Overstock from setting average retail prices based on anything other than the actual retail price offered in the marketplace.

Overstock has said that it plans to appeal the court’s ruling by arguing that the court’s decision misreads California law and holds the company to a higher standard than other e-commerce sites. If this ruling is upheld, it could have a significant ripple effect on retail advertising for both online and brick-and-mortar businesses. Almost every state has a law regarding deceptive pricing in advertisement, and the Federal Trade Commission also has jurisdiction to pursue claims against deceptive advertising in price comparisons. Companies that use comparative price advertising need to be aware that those advertisements, and the formulas for determining the prices in those advertisements, will be scrutinized by government agencies.

Jan 28
2014

Data Privacy Day

By Michelle Cohen, CIPP-US

On January 28th, in an effort to raise awareness of privacy and data privacy, the United States, Canada and 27 countries of the European Union celebrate International Data Privacy Day.  Many organizations use Data Privacy Day as an opportunity to educate their employees and stakeholders about privacy-related topics.  With the recent, high-profile data breaches at Target, Neiman Marcus, and potentially, Michaels, the need for training and instruction on data security is more critical than ever before.  In this vein, we’ve set forth our views on what we see as the year ahead in legal developments relating to data security and what companies can do to prepare.

Legislation Introduced but on the Move?

Data security and data breaches will continue to be the focus of regulators and Congress through 2014.  In fact, Congress summoned Target’s Chief Financial Officer to appear before the Senate Judiciary Committee on February 4th and a House committee is seeking extensive documents from Target about its security program.  Meanwhile, Senator Leahy re-introduced data breach legislation which would set a federal standard for data breach notifications (most states now require notifications, though the requirements differ state-to-state).

Senators Carper and Blunt introduced a separate bipartisan bill intended to establish national data security standards, set a federal breach notification requirement, and also require notification to federal agencies, police, and consumer reporting agencies when breaches affect more than 5,000 persons.  Many companies have suffered data breaches and then faced civil lawsuits under various causes of actions, including allegations that they did not notify customers promptly.  As a result, there may be strong support for federal standards rather than facing a patchwork of state laws. While the Target breach has certainly renewed interest in data security, and we expect Congress will conduct numerous hearings, ultimate passage of data breach legislation this Congress is still probably a longshot.

Watching Wyndham Take on FTC

As covered in this blog, various Wyndham entities have struck back at the FTC, challenging the FTC’s authority to bring an action against Wyndham for alleged data security failures. The Wyndham entities claim that the FTC may not set data security standards absent specific authority from Congress.  Yet, with Congress having not set data security standards thus far, the court in oral arguments seemed concerned about leaving a void in the data security area.  Wyndham’s motion to dismiss remains pending in federal court in New Jersey.  Most observers think the court will be hard pressed to limit the FTC’s authority under Section 5 of the FTC Act, which broadly prohibits “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce” and provides the FTC with administrative and civil litigation enforcement authority.  The agency has used this administrative authority with great success, bringing numerous data privacy actions that usually result in settlements by companies rather than risk further litigation expenses, penalties, and reputational damage.  We think the FTC will remain vigilant in this space, including attention on the security of mobile apps.

Class Actions Jump on Breaches

Whether breaches affect Sony Playstation, Adobe, Target, or some other company, the class action firms have been busy filing lawsuits based upon data breaches.  For example, by year end, at least 40 suits had already been filed against Target, with seven filed the day Target disclosed the breach.  The plaintiffs use various theories – including violations of consumer protection statutes, negligence, fraud, breach of contract, breach of fiduciary duty, invasion of privacy and conversion.  But, if a consumer’s information was potentially breached, yet nothing happened to the consumer as a result, does that consumer have cognizable damages?  That has been a huge sticking point for these lawsuits.  Yet, the class action lawyers will continue to file these suits and some companies will settle to avoid further reputational damages and litigation expenses.

Don’t Count out the States

States have taken the lead in setting data breach notification standards, and in some cases data security requirements.  For instance, in March 2010, Massachusetts enacted strict data security regulations.  Organizations that own or license personal information of Massachusetts residents are required to develop and implement a written comprehensive information security program (“CISP”) to protect that information.  Almost all of the states have standards setting forth what types of information are covered by data breaches, who gets notified, what content goes in the notifications, and the timing of the notifications.  Multiple states are investigating the Target breach; certainly less well known breaches get state regulators’ attention as well.  We predict the states will continue to be active regulators and enforcers of data security and data breaches, and will likely continue to “rule the roost” while federal legislation lags behind.

Preparation and Training Still Key

We’ve said before that, unfortunately, no company is immune from data breaches.  Companies cannot assume that they have the best anti-malware or security features and that these other newsworthy breaches resulted from lapses that would not apply to them.  Whether it is a sophisticated hacker or, more commonly, a well-meaning but negligent employee, data loss and data breaches will occur.  All organizations should have procedures in place NOW to prevent data loss and to prepare for a breach.  This includes IT, human resources, legal, and communications resources.  Companies should designate a “data security/data breach” team with representatives from these key departments (working with outside counsel and other privacy breach specialists when needed).  The team should meet periodically to review procedures, recommend improvements, and engage in periodic training on data security.

We cannot stress employee training enough.  An employee who, for instance, wants to finish a project at home after stopping by the gym might download information that contains sensitive personal information onto a flash drive.  Let’s say the gym bag gets stolen, along with the flash drive.  Well, the employee’s unlucky company may now have a huge data breach situation on its hands requiring notices to customers, state attorneys general, and potential litigation and other expenses (such as paying for credit monitoring, now industry standard).  Employees need training about securing sensitive information – from shredding documents instead of putting them in the dumpster, to encrypting information that is being taken offsite, to avoiding “phishing” scams, to having unique passwords they change periodically.  According to recent reports, “password” and “123456” are still among the most popular passwords.  While data breaches cannot be avoided completely, we can ameliorate some risks with better practices in our organizations.

Jan 22
2014

FTC Clamps Down on EU Safe Harbor Compliance: If Your Company Says It Is Certified, Keep Your Certification Current

Once again using its administrative litigation process, the Federal Trade Commission (“FTC”) announced settlements with twelve large businesses, including the Atlanta Falcons and Denver Broncos football teams, the Baker Tilly accounting firm, BitTorrent, Inc., a peer-to-peer file sharing protocol, Level 3 Communications (one of the largest Internet service providers in the world), and Reynolds Consumer Products, all relating to alleged deceptive claims of U.S.-E.U. Safe Harbor certifications.

The “Safe Harbor” certification, overseen by the U.S. Department of Commerce, is a voluntary privacy certification; however, it requires an annual reaffirmation to maintain “current” certification status.  The FTC filed complaints against these companies alleging that the organizations made statements in their privacy policies or displayed the Safe Harbor certification mark indicating that they held current Safe Harbor certifications, even though these companies had allowed their certifications to lapse.  The European Commission has recently criticized what it views as lax enforcement of the Safe Harbor process in the U.S., and issued a report with recommendations for improvements.  The European Commission will review its participation in the Safe Harbor framework in a decision to be issued by summer 2014.

As background, European Union countries have strict standards regarding the transfer of personal information outside of the EU.  Back in 2000, the U.S. Department of Commerce and the European Commission negotiated the U.S.-EU Safe Harbor Framework.  This “Safe Harbor” permits U.S. companies to transfer personal data lawfully from the EU.  To participate in the Safe Harbor, a company must self-certify to the Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard for ensuring the protection of personal data.  These principles are: notice, choice, onward transfer (i.e., transfer to third parties), access, security, data integrity, and enforcement.  A company’s privacy policy must address these principles. The FTC, among other agencies, may enforce Safe Harbor compliance.

The process is entirely voluntary.  Once a company self-certifies to the Department of Commerce and Commerce reviews and accepts the filing, a company may state that it has certified compliance with the Safe Harbor. Most companies state this certification in their privacy policies. Organizations may use the Safe Harbor “seal” on their websites and elsewhere.  Annually, by the anniversary of its original filing date, a company must “reaffirm” its compliance in order for its certification to remain current.

The FTC’s action this week alleges that the twelve companies stated that they held current certifications under the U.S.-E.U. (and in three cases, the similar U.S.-Swiss) Safe Harbor frameworks, when in fact the certifications were not current.  Companies which have self-certified compliance with the Safe Harbor framework should check their certifications to ensure they are up-to-date with their annual reaffirmations.  The Department of Commerce maintains a public database listing the status of every self-certifying company. While the annual reaffirmation is not an overly taxing task, the FTC’s settlements with these companies demonstrate that the agency is taking its Safe Harbor enforcement role seriously and that it is monitoring compliance.

While the proposed settlements do not contain monetary penalties, the companies are barred from any further misrepresentations about their participation in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The organizations must also maintain relevant advertisements and promotional materials for five years, and the consent order (once approved) would be in place for 20 years. The proposed settlements are subject to public comment for 30 days and then require final approval of the FTC commissioners.

In privacy law and FTC enforcement, in particular, a guiding principle is “if you say it, do it, and if you don’t do it, don’t say it.”  The FTC’s action on Safe Harbor enforcement is a good lesson – companies should review their privacy policies to make sure they are up-to-date, accurate, and reflect current practices, including ensuring any certifications are up-to-date.  While the U.S.-EU Safe Harbor certification is voluntary, companies must complete their annual reaffirmations on time or risk enforcement.

Aug 27
2013

New TCPA Changes Going into Effect Soon – What They Mean

On October 16, 2013, two changes will go into effect in the rules implementing the federal Telephone Consumer Protection Act (TCPA). Importantly, these rules impose stricter requirements on mobile messaging and prerecorded telemarketing calls. The rule changes, announced back in February 2012, may spur further litigation concerning the scope of the TCPA. All businesses should review the new requirements to ensure compliance or risk significant potential litigation expenses and negative publicity.

TCPA litigation has been increasing significantly in recent years. The number of TCPA-related cases filed in 2012 increased by 34 percent compared to 2011 and was more than three times the number of cases brought in 2010. Part of what is fueling the uptick in TCPA litigation is the increasing use of mobile messaging, combined with the enormous potential damages possible under the statute. Every individual text, call or fax that is found to be in violation of the TCPA can result in damages from $500 to $1,500 and there is no limit on the number of violations that can be included in an individual suit. The Federal Communications Commission (FCC) and state attorneys general, as well as private litigants, may also enforce the TCPA.

Some major companies have been hit with significant penalties under the TCPA. In May, Papa John’s International agreed to pay $16.5 million as part of a settlement of a TCPA class action stemming from claims that the company sent unsolicited text messages to more than 200,000 people through a third-party marketer. Steve Madden and Domino’s Pizza have also both reached settlements this year agreeing to fines of nearly $10 million to settle TCPA claims.

The two changes going into effect in October are as follows. One exception from liability under the TCPA for phone calls or text messages using an autodialer or a prerecorded message is for those that are made with “prior express consent.” Under the new interpretation from the FCC of the prior consent exception, with limited exceptions, a business can only invoke the prior express consent exception for autodialed or prerecorded calls to a mobile phone or for prerecorded telemarketing calls to a residential line if the called party has physically or electronically signed an agreement that clearly authorizes calls or texts to be made to their phone number by that particular sender. Additionally, a recipient’s signing the agreement must be optional and cannot be tied to the purchase of any goods or services.

The other significant change to the TCPA rules is the elimination of the “established business relationship” exception for prerecorded telemarketing calls to residences. Previously, businesses could avoid TCPA liability for prerecorded telemarketing calls that otherwise were prohibited by claiming that they had an established business relationship with the consumer by virtue of a previous purchase or other business interactions. The new regulations have eliminated this exemption, meaning businesses are now required to obtain written consent for all prerecorded telemarketing to residential phone numbers, even those that are for previous customers. With this change, the FCC followed the Federal Trade Commission (FTC), which made a similar express consent requirement under the Telemarketing Sales Rule for prerecorded telemarketing calls a few years ago.

As some of the recent cases have shown, businesses can face enormous potential liability under the TCPA, including liability for actions of third-party marketers acting on their behalf. The statistics demonstrate that plaintiffs’ lawyers are aggressively pursuing TCPA actions, and the changes in the rules may lead to yet more TCPA cases. Given the changes that will go into effect in October, businesses should review their TCPA policies to ensure that they are in compliance, so that they can avoid the possibility of paying onerous penalties.

Aug 16
2013

FTC ‘Checks’ In With $3.5 Million Consent Order Under Fair Credit Reporting Act

This week the Federal Trade Commission entered into a consent decree with Certegy Check Services, one of the nation’s check authorization service companies, pursuant to which Certegy has agreed to pay $3.5 million to settle charges that it violated the Fair Credit Reporting Act (FCRA).  This massive penalty – the second largest ever – reinforces the perception that the FTC will continue vigorous enforcement against what it perceives as violations of that venerable statute, first passed in 1970.

The FCRA establishes obligations not only for the three big consumer reporting agencies (CRAs) – Experian, TransUnion, and Equifax – but also for “nationwide specialty consumer reporting agencies”.  These are CRAs that compile and maintain files on consumers on a nationwide basis relating to medical records or payments, residential or tenant history, check writing history, employment history, or insurance claims.  Certegy, which falls within this latter category of entities subject to the FCRA, was obligated to “follow reasonable procedures to assure maximum possible accuracy” in the reports it provided concerning consumers’ financial information, and was also obligated to investigate any consumer dispute regarding such information within a reasonable period of time, to report back to the consumer, and to delete any information that is inaccurate, incomplete, or unverifiable.

While Certegy is not as well known to consumers as the big three credit reporting agencies, it plays an important role in consumer transactions.  When people want to pay by check, many businesses rely on Certegy for a check authorization recommendation that is based in part on information in its files about consumers’ check writing history.  Certegy also furnishes information to other credit reporting agencies, which may multiply the effect of any inaccuracies.

The FTC alleged in its complaint that Certegy failed to comply with many of its obligations as a nationwide specialty consumer reporting agency.  Among other things, the FTC asserted that Certegy would not undertake the required reinvestigation of allegedly inaccurate information, and would place unfair burdens on consumers in connection with requests for such reinvestigations.  The FTC states that this is its first case alleging a violation of the so-called “Furnisher Rule” relating to regulations governing such entities that furnish credit report information on consumers.

The stipulated order will certainly change the way that Certegy does business but, perhaps even more important, the $3.5 million penalty should attract the attention of other entities whose businesses are subject to the FCRA.  Such businesses would be wise to revisit their policies and procedures to ensure that they comply with the obligations under the statute and related regulations to ensure that they will not be the next target of FTC enforcement in this area.

 

Dec 06
2011

Ifrah Law Blog Wrap-Up for November 2011

In November 2011, we at Ifrah Law expressed our views on a number of current issues in our blogs, Crime in the Suites and FTC Beat. This post summarizes and wraps up our thoughts from the month.

ACLU Wins FOIA Appeal on Prosecutors’ Use of Cell Phone Location Data

The Justice Department must turn over the names and docket numbers of numerous cases in which the government accessed cell phone location data without probable cause or a warrant.

Read the full post here on the Crime in the Suites blog.

Options for Suing the Federal Government Under Bivens Unlikely to Expand

U.S. Supreme Court argument indicates that the Justices are unlikely to extend Bivens to cover cases against private employees.

Read the full post here on the Crime in the Suites blog.

Judge Imposes 15-Year Sentence in FCPA Case; Appeal to Follow

This case will test the Justice Department’s expansive definition of “foreign official” under the statute.

Read the full post here on the Crime in the Suites blog.

High Court Hears Argument in GPS Fourth Amendment Case

The Justices grapple with issues of search and seizure in an online, wired world.

Read the full post here on the Crime in the Suites blog.

In Appeal of Construction Fraud Case, DOJ Seeks Tougher Sentences

This case, arising from Boston’s “Big Dig” project, will test the limits of a trial judge’s sentencing discretion.

Read the full post here on the Crime in the Suites blog.

Self-Regulation Reigns, for Now, on Consumer Data Privacy Issues

The online advertising industry is inching its way to more comprehensive policies regarding the collection of consumer data.

Read the full post here on the FTC Beat blog.

Google, Microsoft Assume Roles of Judge, Jury and Executioner on the Web

The Internet giants cancel the Web connections of companies that are accused by the government of mortgage fraud but have not been convicted.

Read the full post here on the FTC Beat blog.

New House Hearing Shows Strength of Hill Support for Legal Online Gaming

Many members of Congress remain serious that legal and technical obstacles can be overcome and that legislation can be passed in this area.

Read the full post here on the Crime in the Suites blog.

Convicted of Fraud but Changed Their Lives; Appeals Court Takes Note

A couple committed mortgage fraud back in the late ‘90s. The 7th Circuit gives them sentencing credit for self-rehabilitation.

Read the full post here on the Crime in the Suites blog.

More Big Pharma Companies Cough Up Big Dollars in DOJ Settlements

How high will these settlements go? The government has the power to strong-arm drug companies into settlements. How much will it demand?

Read the full post here on the Crime in the Suites blog.

Mar 27
2011

Ifrah Law’s Blog Wrap-Up, March 9-23

This is the fourth of a regular series of posts that summarize and wrap up our latest thoughts that have appeared recently on Ifrah Law’s blogs.

1. Proposed Gaming Bill Could Make Nevada First to Legalize Online Poker

Nevada, long an innovator in the gambling arena, may soon take another major step by becoming the first state to legalize online poker. We discuss the state’s importance in the gaming world, the chances of passage of the bill, and the groups that stand to benefit.

Read the full post here on the Crime in the Suites blog.

2. Brady Violation Leads to Reversal of Conviction in D.C.

When it comes to Brady violations, sometimes late is no better than never, it seems, as the D.C. Court of Appeals reverses a conviction for assault with intent to commit murder. We explain what information the prosecutors withheld and why it was important.

Read the full post here on the Crime in the Suites blog.

3. ‘Taking the Fifth’ Before Congress: A New Ethics Twist

It’s unethical for a prosecutor to put a witness on the stand with knowledge that the witness will exercise the privilege against self-incrimination. We look into a new D.C. Bar ethics opinion that gives a novel answer to the question of doing the same thing before a congressional committee.

Read the full post here on the Crime in the Suites blog.

4. Is FTC Action Needed Against Pricey Apps?

It’s true that children shouldn’t be buying expensive Smurfberries and other online goodies for their apps with real money (on Mom or Dad’s credit card). The FTC has been asked to take action. We discuss whether the agency is the right place to turn, or perhaps Mom and Dad are.

Read the full post here on the FTC Beat blog.

5. Does Google Need to Police Its Ads for Fraud?

There are unscrupulous merchants out there on the Internet. Does Google need to look into every advertiser before accepting its money? A consumer group’s letter to the FTC has awakened interest in this issue.

Read the full post here on the FTC Beat blog.

6. Online Sellers Need to Beware of State Attorneys General

A Philadelphia online electronics store is the target of Pennsylvania’s attorney general for alleged bait-and-switch practices. But it’s not just the state of origin that can target an online seller.

Read the full post here on the FTC Beat blog.

Feb 16
2011

Wu Appointment May Mean More Regulation to Come

On February 8, the Federal Trade Commission announced that Columbia Law Professor Tim Wu would be joining the Commission’s Office of Policy Planning. The law professor known for coining the phrase “net neutrality” reportedly will advise the Commission on long-range competition and consumer protection policy initiatives.

Professor Wu’s appointment is considered by many in the business community as a harbinger of more market-stifling regulation to come. In a recent Forbes article, D.C. business consultant Scott Cleland was quoted as saying, “It’s nothing but trouble for business … He’s about as interventionist and hyper-regulatory a thinker as you will find.”

There is sound basis for the concern that Professor Wu will help the federal agency identify new – and possibly costly and unnecessary – regulatory interventions. He has been a long-standing advocate of government regulation of Internet access, professing fears of “private power as much as public power.” He has been instrumental in aiding the Federal Communications Commission to devise net neutrality rules and policies.

Just as the FCC, armed at least in part by Wu policy proposals, vies for more regulatory control over the Internet, the FTC has invited the same pro-regulation thinker to help it build its justifications for a power grab.

But the FTC already has its place in Internet commerce, is very active on this front, and should not seek regulatory control beyond this role. For instance, the agency recently settled a sizeable “scareware” case against several individuals and companies for their deceptive Internet advertising schemes. The case looks pretty egregious: the defendants apparently incorporated automatic downloads in their Internet ads, involuntarily redirected consumers to their websites, falsely claimed to scan and detect malware on the consumers’ computers, and prompted consumers to purchase software to remove the nonexistent files.

The scareware case seems to fit squarely within the FTC’s jurisdiction: Rogue companies bilked consumers of significant sums (roughly $40 per software download) under false pretenses through deceptive advertising. Investigating and bringing charges against such companies is within the parameters of the FTC’s purpose to protect consumers and within the agency’s statutory powers to prevent “unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.”

The FTC seems to have acted appropriately in the scareware case. But pursuing a systematic course of looking for new regulatory mechanisms, which is what is anticipated from the Wu appointment, is another thing. Just as free marketers, entrepreneurs, and businesses have been chiming, “if it isn’t broken, don’t fix it” vis-à-vis the FCC’s endeavors to assume more regulatory control over the Internet, the same should be said vis-à-vis the FTC.


About Ifrah Law

Crime in the Suites is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, healthcare, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen, David Deitch, and associates Rachel Hirsch, Jeff Hamlin, Steven Eichorn, Sarah Coffey, Nicole Kardell, Casselle Smith, and Griffin Finan. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!
