FTC Reinforces Endorsement Guides--With Video!

Today the Federal Trade Commission issued updated guidance regarding endorsements.  As you may recall, the FTC last issued endorsement guidance in June 2010. That guidance focused on three major principles:

  1. Endorsements must be truthful and not misleading;
  2. Endorsements cannot contain claims requiring proof you don't have; and
  3. Endorsements must clearly disclose any material connection between the endorser and the advertiser.

That last point has been the subject of some discussion and concern for consumers using social media. The FTC's Testimonial Guides, in fact, specifically address social media concerns. Nevertheless, it seems that, in practice, compliance with the FTC's guidance has not been too great a burden, as common sense has prevailed.

Nonetheless, because the social media activities of endorsers cannot be pre-screened at all times, or even directly monitored in many instances, it is a good idea to remind those associated with your franchise system, especially current franchisees, of the FTC endorsement guides.  While current franchisees are probably some of your most ardent fans, neither you nor they want to run afoul of the guidance.

Which brings us full circle to today's updated guidance. For the most part, today's message from the FTC reinforces the current endorsement guidance. What is new, and I believe quite helpful, is a short video that describes the guidance and answers some frequently asked questions. It will likely become a useful education tool for anyone subject to the guidance.

The FTC Is Monitoring Data Breaches . . . And Appears to Be Eager to Bring Enforcement Actions When Policy Isn't Matched by Practice

 

A few months ago we wrote about the FTC's decision to launch a Consumer Privacy Bill of Rights. One of the more interesting things about the Bill of Rights was that the FTC seemed to be setting up a regime where a company's voluntary decision to "opt-in" to the regime could become the basis for FTC enforcement, if the voluntary policy was breached. In fact, Commissioner J. Thomas Rosch dissented from that portion of the FTC's privacy report and recommendations.

So it was interesting to me to note that Commissioner Rosch voted with a unanimous majority of FTC Commissioners to authorize a complaint against a large, international hotel group where the violation is based upon the group's own privacy policy. Specifically, the FTC complaint alleges that the hotel group's "privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information." The agency charges that the security practices were unfair and deceptive and violated the FTC Act.

What particularly seems to have upset the FTC in this case is the fact that one breach allegedly facilitated other breaches. The hotel group learned in 2008 of a data breach to its system through one property. The FTC claims the security flaws exploited in that breach were not corrected, allowing two other breaches to occur. In those two subsequent breaches, the FTC says that approximately 120,000 consumer payment card records were stolen. Those records were supposedly used by crime syndicates--including some in Russia--to make fraudulent purchases.

This enforcement action by the FTC again highlights the importance of developing best practices for the protection of private consumer data and maintenance of privacy policies. Perhaps more importantly, it also demonstrates that, despite some public misgivings from at least one Commissioner, the FTC seems intent upon using its enforcement powers to require companies to fully comply with their stated privacy policies. This development will bear watching, and, at the same time, it suggests a careful review of privacy policy and practice is in order so as to ensure both are in alignment.

The "Do Not Track" Button: If only a large office supply chain could start making those as well.

By now, you have almost certainly seen the reports that the White House and the Federal Trade Commission want a Consumer Privacy Bill of Rights with seven principles:

  • Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  • Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
  • Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security: Consumers have a right to secure handling of personal data.
  • Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequence to consumers if the data is inaccurate.
  • Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Today, the FTC took a significant step toward establishing a framework that would implement that last principle, Accountability. In outlining the new framework, the FTC report (PDF) suggested several significant changes for businesses who interact with consumers online:

 

First, the FTC expects consumers will have an “easy to use and effective ‘Do Not Track’ option by the end of the year.” According to the Washington Post, the FTC, the Commerce Department and the Digital Media Alliance are working together to create a one-click icon that will permit consumers an easy way to “opt-out” of online tracking. The Digital Advertising Alliance represents 90 percent of all web sites with advertising.

 

Second, the FTC urged companies offering mobile services to voluntarily improve privacy protections, including in particular, the retrieval and storage of location information. As the Wall Street Journal (subscription required) noted under the headline "Your Apps are Watching You", over one-half of tested mobile apps sent unique ID or location information without informing the app user first.

 

Third, the FTC called on big data brokers to develop a centralized website that would allow people to view all the entities that hold their data and how that data is used. The FTC also called for the passage of legislation that will allow people to view their data and correct inaccuracies, similar to what is currently permitted for credit reports. As previously announced, the FTC will continue to bring enforcement actions against companies that engage in deceptive or unfair practices.

 

Finally, and of particular interest to the franchise community, while the framework applies to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer, or other device, the FTC report explicitly recognizes “the potential burden on small businesses” and accordingly “concludes that the framework should not apply to companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year.” The details of this “small business” option will need to be fleshed out and seem narrow upon initial review.  For example, the Commission defines “non-sensitive data” as data that is not a Social Security number or financial, health, children’s, or geolocation information.

 

There was a dissent from the report by Commissioner Thomas Rosch. The dissent seems principally concerned that the framework is too focused on what consumers may believe is unfair, as opposed to what is actually deceptive. It also noted that the recommendations probably aren’t voluntary in practice, because most firms will feel obliged to comply with the proposed best practices or face the wrath of the FTC.

 

As expected for several years now, the FTC has staked out a strong position in favor of “opt-in” online privacy controls for consumers combined with substantial transparency regarding how personal information gathered online will be used. The good news is that the framework is voluntary and permits significant industry involvement in crafting best practices. The bad news, as Commissioner Rosch correctly notes, is that the FTC report and rhetoric strongly imply that adoption of the best practices will be nearly mandatory and that it will enforce those practices against those who opt-in.

What Does Our Online Privacy Policy Say About Apps?

Compliance with online privacy rules just got a little more complicated. The Wall Street Journal is reporting late this afternoon that California Attorney General Kamala Harris has reached an agreement with six leading mobile device companies regarding privacy policies for apps. The companies who agreed to the settlement are the largest in the sphere: Apple, Google, Amazon, Microsoft, HP, and RIM.

While details appear to be sketchy at this point, the key change is that all apps offered through platforms for the companies' devices will now be required to have a privacy policy. There is no timetable yet for implementation of the policy, but the Attorney General said that she will enforce the settlement and prosecute companies without policies or who use personal information in violation of their policies. While the settlement applies in California only, it is expected that the policies will be uniform across all devices and for all states.

This settlement appears to represent only the latest government effort to monitor and regulate personal information online.  Of course, the Facebook settlement last fall was substantial. Some members of Congress have demanded hearings respecting announced changes in Google's privacy policies.  And just in the last week it was disclosed that the FTC is investigating background check companies for violations of their privacy policies and the Fair Credit Reporting Act.  Given the current regulatory environment, ensuring that privacy policies for information franchisors and franchisees collect online are complete, and followed completely, is essential.