: Compliance : Legal Bytes

Home > Compliance >

Posted on February 22, 2010 by Joseph I. Rosenbaum

Social Media Risks and Rewards

On February 18, 2010, the International Law Office (ILO) published an article authored by Gregor Pryor and Sachin Premnath in the London office of Reed Smith, and Joe Rosenbaum in New York. It discusses the benefits and pitfalls of social media, and raises issues and concerns applicable to global companies—not just those on either side of the pond!

The article was derived from one published in Legal Week, and you can download your own PDF copy of “Commercial risks and rewards of the social media phenomenon” right here.

Tags: Advertising, Compliance, E-Commerce, Marketing, Online, Regulation, Social Media

Posted on January 26, 2010 by Joseph I. Rosenbaum

FINRA Issues Guidance in New Social Media Websites Notice

In November, Legal Bytes reported (Regulators Poised to Give Financial Institutions a Slap in the Facebook) that Richard Ketchum, Chief Executive of the Financial Industry Regulatory Authority (FINRA), acknowledged Wall Street is eager to use social media to interact with customers. In the course of his remarks at a recent meeting of the Securities Industry and Financial Markets Association (SIFMA), he noted, "We continue to witness the advent of technologies that will challenge your ability to ensure compliance with regulatory requirements,” and “Social networking is one such innovation."

Now, supplementing existing FINRA Rules, FINRA has released a notice concerning online media rules (you can download and read a copy of the notice below) whose key components include requirements that securities firms:

Must develop policies and require its employees to comply with the new regulatory requirements
Must retain records of communications (a compliance requirement of the Securities Exchange Act of 1934) when social media is used to communicate
Must ensure that recommendations made through social media are suitable to all investors to whom the recommendation is made (e.g., by limiting or filtering access based on investor/consumer qualifications)

FINRA’s notice takes the position that securities firms must adapt existing rules to social media and essentially mirror the 2003 FINRA definition of “public appearance.” This definition noted that chat room postings were no different than if a firm representative was in a room making statements to a room filled with investors. FINRA’s current notice indicates that information posted or content placed online (static information) is subject to these same rules and must be approved by a firm principal – presumably, even information about individuals in the firm that may be part of an individual’s profile on the firm’s website or in social media platforms. But online interactions that are occurring on the fly (e.g., in real time), while subject to supervisory requirements (e.g., they must be supervised, perhaps even monitored), do not require such approvals.

You can read or download the FINRA Regulatory Notice 10-06 (Social Media Web Sites) [PDF] here.

As mentioned in the Legal Bytes November post, SEC disclosure rules apply to Tweets, blog postings, wall postings and other communication platforms provided by social media sites, and other regulatory agencies are seeking to address the use of social media sites by the entities they regulate (e.g., the FCC, the New York State Insurance Department). So if any of this is of interest and if you need to know more or need help, please contact me, Joseph I. Rosenbaum, or the Reed Smith attorney with whom you regularly work. We are happy to help.

Update: Reed Smith lawyers Christopher P. Bennet, Amy J. Greer, Jacob Thride and Kevin Xu have prepared a Client Alert on the subject which you can read by going to: FINRA Issues Notice for Financial Firms Using Social Media.

Tags: Advertising, Compliance, Financial Services, Marketing, Online, Regulation, Social Media

Posted on August 19, 2008 by Joseph I. Rosenbaum

Investigating Online & Interactive Advertising

The U.S. Congress appears determined to investigate online advertising. Early this month, the House Energy and Commerce Committee issued a letter to more than 30 companies, and what began as an inquiry into how Internet service providers use network data to target advertising, has morphed into a fishing expedition into all kinds of interactive advertising. Most notably, and despite urging by the FTC to allow self-regulation to take hold, the Committee does not differentiate between personally identifiable information and non-identifying, anonymous data used for traffic metrics, ad insertion and other common advertising purposes. Lumping different kinds of information together could needlessly undermine marketing as it has been practiced for decades. The “tailoring” of advertising, in the Committee’s words, based on consumers’ behavior and media consumption patterns, has been at the heart of marketing for as long as marketing has been around.

More disturbing are presumptions that “privacy” rights are being violated by any and all forms of behavioral or targeted marketing. Advocacy groups opposed to commercial communication seek to promote an implicit, yet fundamental redefinition of personal privacy—i.e., anything that derives from peoples’ activities, no matter how distanced or anonymous. Taken to logical conclusion, any academic, commercial or journalistic observation of consumer activity could fall under regulatory restrictions under such a framework. Not surprisingly, the FTC—with its long history of regulation of advertising practices—has argued before Congress that self-regulation is likely to be an effective means of protecting consumers’ real privacy interests. According to testimony by FTC Consumer Protection Bureau Director Lydia Parnes before the Senate Committee on Commerce, Science, and Transportation this July, the FTC is “cautiously optimistic that the privacy concerns raised by behavioral advertising can be addressed by industry self-regulation.” Nevertheless, in the letter released this month and in three previous inquiries over the past few months, both the House and the Senate seem to be searching for a rationale to regulate. Stay tuned.

Tags: Advertising, Communication & Interaction, Compliance, Marketing, Online, Privacy & Publicity, Regulation

Posted on April 19, 2008 by Joseph I. Rosenbaum

To Collect or Not To Collect, That's the Dilemma?

This article was contributed by Adam Snukal, Esq.

Surfed the web lately? Seen a banner promoting a product, service or trip to Ireland you priced yesterday? Serendipity? Luck? Cookies? Yes, it’s those tiny files placed on your computer when you visit a website. Advertisers can now parse through cookies on your computer when you visit certain websites and instantaneously serve up advertisements based on your historical online behavior—“behavioral marketing.” For some, this is a great convenience. For others, like New York State Assemblyman Richard Brodsky, this is invasive and should be stopped unless the consumer has given consent.

Assemblyman Brodsky sees the acquisition of Doubleclick by Google as a step backward for consumers since the combined company could tap into a reservoir of consumer behavior and search data on an individual basis. So he introduced a bill aimed at restricting Internet behavioral marketing—The Third Party Internet Advertising Consumers’ Bill of Rights Act of 2008—that would prohibit advertisers from collecting and using sensitive, personally identifiable information from users online; require websites to clearly and conspicuously disclose behavioral policies and practices; give consumers the right to opt-out of profiling practices; prevent their online behavior from being collected and used to deliver targeted advertisements; and police how advertisers are permitted to merge and synthesize such information with other data (e.g., merging personally identifiable information collected offline with information collected online). Opponents—some of the largest interactive advertising and media companies—have voiced their opposition in a letter to Assemblyman Brodsky, noting, “Time after time, state laws that have attempted to impose this sort of broad Internet regulation have been struck down by the courts, doing nothing more than making taxpayers bear the expense both of defending the lawsuit and paying the successful plaintiffs’ attorneys fees.”

On the same day it approved the Google-Doubleclick merger, the FTC released proposed guidelines for “individually targeted advertising based on software that tracks a consumer’s activities online” that includes the need for transparency in treatment of consumer privacy in behavioral advertising; reasonable security to protect sensitive consumer data and a requirement to obtain consent from the consumer before collecting his or her data for behavioral marketing.

Industry associations, advertisers, agencies and media companies continue to believe self-regulation remains the best mechanism for dealing with a dynamically evolving, increasingly interactive usergenerated world. Legislation and regulation responding to abuses of a few is often ill-conceived, poorly implemented and obsolete as technology and the marketplace evolve. Curiously, there are examples in the advertising, motion picture and gaming industries that, for decades, have successfully policed and regulated, with government regulation remaining a backstop or safety net when needed. Is anyone out there listening? Perhaps if more lend their voices to the dialogue, meaningful and effective solutions will emerge.

Tags: Compliance, Consumer Protection, Internet-Web Matters, Privacy & Publicity, Regulation

Posted on March 15, 2008 by Joseph I. Rosenbaum

It's a Dyanmic Environment Out There: Yes, You Can Still Avoid Being a Target

Most of us know the law tends to lag behind the marketplace. It is in the nature of most legal systems to try and balance statutory and regulatory authority—which makes rules based on experience or potential issues that will apply to future conduct—with judicial and regulatory decisions—cases that are adjudicated, create precedent and help shape the contours and boundaries of what is or is not permissible behavior within the statutory authorities.

In such a framework, we are often asked to counsel clients as to what is or is not acceptable when there may be little law, few regulations and sometimes no precedent. What to do? Well, as you may imagine, there is no simple answer. But there are some guideposts. A key guidepost is to consider common sense, best practices and some lessons learned from analogous legal precedent.

Take the subject of privacy, for example. List management, data mining, market segmentation, affiliate sharing, secondary uses of information, cookies, behavioral marketing and lead generation are common buzzwords in the advertising and marketing world—now supplemented with interactive and context-sensitive advertising, advergaming, pay per click, pay per action, gadgets and widgets, and the list increases and changes almost daily. It will not be long before the GPS tracking systems that help us navigate in our automobiles and that are available in many mobile phones and wireless devices, will become a marketing opportunity.

While there are no guarantees, subscribing to industry best practices where they exist, using some common sense, and considering how your activities and operations might affect your customers, suppliers, and business partners, and how they will be perceived by those constituencies and the regulators, are sound benchmarks.

The flurry of unwanted and unsolicited commercial emails prompted Congress to pass the CAN-SPAM legislation to limit and regulate commercial—read “advertising and marketing”—email messages. CAN-SPAM permits an opt-OUT mechanism…but is that enough? Most major companies—indeed member states of the European Union—require at least a single opt-IN, and mobile subscription services view double opt-in and authentication as the gold standard. Why would a regulator or court view it differently?

CAN-SPAM requires affirmative consent in order to legally reach the point where a consumer has deemed to have given permission to receive commercial advertising and marketing emails. Some companies use a “negative” consent approach—when the page loads, the consent box is already checked. Convenient? For a marketer, of course. For a consumer? Maybe. For a regulator? You tell me.

In the introduction, I mentioned GPS tracking via cell phone or mobile device. Not only might your parents, children, friends and colleagues be able to know where you are, but how about that mall you are driving by or that restaurant on the street where you parked or the retail shop you happen to be browsing as well.

In looking forward, think about what you would want from your business if you were a customer, based on what you already know. It’s your business, think how you want it to be perceived—by your customers, your suppliers, the regulators and courts and, yes, even your own employees. In looking at the present, think about the complaints you receive. Is there a pattern? A theme? Can you do better? Often the most expedient advertising and marketing approach is not the best one. Yes, it might be more cost effective, generating more responses—but it also might be the worst approach for your business and operations.

Tags: Compliance, Email, Marketing, Privacy & Publicity, Regulation

Posted on February 1, 2007 by Joseph I. Rosenbaum

New E-Discovery Rules

With file sizes growing, you would think computers that can rapidly process large files and storage capability would be all the rage. For compliance officers, record managers and lawyers, it’s retrieving the information that is the hot issue and hardly a trivial one. New Federal rules relating to civil litigation took effect at the end of last year, requiring companies involved in federal litigation to produce electronically stored information as part of the pre-trial discovery process. The new rules apply to employee e-mails, instant messages and other electronic, digitally stored information. In the event the companies are sued, legal experts say, companies will need to start worrying about everything in electronic form—from digital photos on employee cell phones to text (“SMS”) messages.

Companies need to have sound record retention and destruction of records policies to ensure compliance with regulatory record-keeping requirements and to avoid potentially massive costs of searching and retrieving information that could and should have been purged. Absent actual or an expectation of specific litigation or a subpoena requiring production of data, companies can purge their systems of information that may no longer be relevant or necessary to their business operations. As the cost of storage has come down, however, companies routinely store information and don’t bother to delete unnecessary information—because it’s easy and affordable to simply keep everything!

The opposite is also an issue. Communication between lawyers and technology folks is less than perfect. A lawsuit arrives, but no one tells data management or systems. Tapes and disks continue to be routinely erased or written-over, with corresponding loss of data. Lots of companies don’t have policies and don’t know what information they have, where it is stored, and who may have, have kept or destroyed copies of information in electronic form. Lack of information is a weakness for lawyers. If you remember the adage, “never ask a question you don’t already know the answer to,” imagine how a litigator for the company will feel blindsided by records she was unaware of or cited by a court for destroying records he didn’t know his client had.

Why pay attention? Because by exercising preventive care, you can avoid potentially huge legal and operational expenses. By crafting and enforcing compliant and well-thought-out record retention and destruction policies, you can avoid high-priced lawyers sorting through email messages about the staff luncheon, and the pitfalls associated with a “smoking gun” needlessly showing up in that pesky lawsuit. Call us. The ATM Legal Team can help!

Tags: Advertising, Communication & Interaction, Compliance, Internet-Web Matters, Marketing

Posted on February 28, 2006 by Joseph I. Rosenbaum

Record Retention -- It's Not Just For...

For failing to preserve records, Morgan Stanley is paying $15 million to the SEC and a number of other regulators under an agreement reached with the SEC’s Division of Enforcement. Although any such settlement requires approval of the Commission, and Morgan Stanley is still in settlement discussions with the NASD. If you recall, last year Morgan Stanley ended up paying $1.57 billion resulting from a lawsuit in which much of the attention was devoted not merely to its inability to produce documents, but also because the judge concluded that Morgan Stanley’s conduct was knowing, in bad faith and deliberate.

The $15 million current fine, the highest ever imposed for a firm’s inability to retain and produce records, may have been the result of the SEC’s belief that an agreement relating to document retention previously agreed upon, was not being complied with.

Tags: Compliance, Online Security

Legal Bytes
Reed Smith LLP

The law firm of Reed Smith and its Advertising Technology Media & Entertainment lawyers and attorneys provide legal services related to online, wireless & web ecommerce, digital content and digital rights, advertising, marketing, intellectual property, software, systems, outsourcing, security & distribution, digital rights, gaming, social networks and virtual worlds.

Attorney Advertising. This Web site may be considered advertising under the rules of some states. Prior results described on this site cannot and do not guarantee or predict a similar outcome with respect to any future matter that we or any lawyer may be retained to handle.

Legal Bytes : Advertising & Media Lawyer & Attorney : Reed Smith Law Firm : Marketing & Intellectual Property : Legal Bytes Law Blog

Published by
ReedSmith

Insights at the intersection of digital advertising, new media, ecommerce and the law