Many thanks to the International Law Office (ILO) for publishing a derivative of our Legal Bytes article. You can download and read a personal copy of the ILO posting FTC Targets Ads That Target Kids, or you can read the original Legal Bytes blog posting at "Mom, is it OK for them to follow me?" FTC Targets Ads That Target Kids.
I have to thank Carl Bialik, The Numbers Guy writer and blogger for The Wall Street Journal, for including a quote in his recent (September 23, 2011) column, Bag Battle Takes a Statistical Turn.
The column focuses on the use of statistics by competitors and analysts alike – in this case statistics that related to claims made by Chicobag about the environmental impact of reusable plastic bags that many retail stores use to bag items, from groceries to clothing, when you check out with your purchases. It seems that Chicobag made some claims – citing statistics – about its products. Mr. Bialik's column notes that Hilex Poly and some other competitors challenged the claims being made by Chicobag, and were unable to come to grips with either the numbers or the claims; litigation ensued.
Although Mr. Bialik focuses on the way numbers are used and the difficulties inherent in accumulating and using statistics – often when the subject matter may actually be a moving target – the legal issue is similarly complex. More often than not, false, misleading, deceptive advertising claims challenge the explicit veracity of a claim and whether that claim can be substantiated or whether the "net impression" or implicit claims (e.g., pictures or activities) can mislead or potentially deceive consumers. This claim, brought as an action under the Lanham Act – seeking an injunction and damages for false advertising and unfair competition for both a violation of section 43(a) of the Lanham Act, 15 U.S.C. § 1125(a), and under a state statute (South Carolina Unfair Trade Practices Act, South Carolina Code Annotated § 39-5-10, et seq.) – really revolves around whether the veracity or inaccuracy of claims (even if they can be substantiated or derived from facts that were believed to be true when stated) makes any difference at all in the minds of consumers.
Without giving away The Numbers Guy's secrets (or forgetting the Federal Trade Commission Act that prohibits "unfair or deceptive acts or practices in or affecting commerce"), the legal claim, in my view, hinged not on whether the statistics claimed by Chicobag were incorrect or even in some cases materially inaccurate, but whether the particular claims as made using those statistics, were material to a consumer. Whether a consumer was likely to make a different purchasing decision – or might at least be informed enough to consider doing so – based on the degree of inaccuracy.
So when you think of my blog Legal Bytes, I'll close with a claim that everyone sees on those pizza cartons around the country – maybe the world: "You've tried the rest. Now try the best!" Can you say "puffery"?
Many of us remember when kids were actually worried about being caught misbehaving. Back in those days, parent’s concern over children’s behavior dealt with whether the kids were ‘fresh’ or ‘mischievous’ or talked too much in school. I was perennially the subject of “he would do so much better in class if he just stopped horsing around and paid attention.” Dear Mrs. Frohman, Mrs. Handel, Mrs. Flynn and Mrs. Bernstein – thanks! It took me several decades, but I finally got the message. Today, however, when we hear the terms children and behavior – well, at least according to the FTC, it ain’t the children that are misbehaving.
In a proposed amendment to rules that have been in effect since 2000, the Federal Trade Commission (“FTC”) is proposing amendments to COPPA (the Children’s Online Privacy Protection Act”) that “would require parental notification and consent prior to the collection of persistent identifiers where they are used for purposes such as amassing data on a child's online activities or behaviorally targeting advertising to the child." In describing the proposed changes (the proposed Amendment runs 122 pages long), the FTC notes that these new rules would apply to any identifying or tracking technology (cookies) that would link a child’s browsing behavior across multiple web pages and services – ostensibly including advertising networks and metric/measurement/analytical service providers who routinely have access to such information.
Although a ‘safe harbor’ for compliance with self-regulatory programs is included within the FTC’s proposal, it did suggest that these programs (and individual company compliance with these programs) be more closely monitored and supervised – including mandatory audits every 18 months and reports detailing actions taken by the self-regulatory body against the companies that do not comply. Clearly, one of the FTC’s objectives is to not only ensure a mandatory review of compliance, even for those companies that have not been subject to proceedings, but also to create a record-keeping and reporting system that gives the FTC the ability to obtain detailed information about the proceedings and the compliance efforts of individual companies.
Comments, which are due by November 28, 2011, may be filed with the FTC using it’s COPPA Rule Review Form. If you are interested, concerned, want your voice heard, or otherwise need to be guided by experienced counsel in this area, please feel free to contact me, Joseph I. Rosenbaum, or the Reed Smith lawyer with whom you regularly work. We would be happy to help!
Late this past June, the Federal Trade Commission indicated it was launching an investigation into Google’s search engine technology and whether it pushes consumers to Google’s other services in a manner that is unfair to competition.
That also means that the FTC will not only be asking Google for records and information about the way it conducts its business, but it will also be asking for information from Google’s competitors (presumably who would provide information gleefully, except that they best be careful about celebrating too prematurely when they hand over information to the government), AND – here it comes – lots of companies who do business with Google: The host of third parties that are advertising and marketing networks, publishers, services, sponsors and, yes, even advertisers and agencies themselves.
What should you do? Well we’ve prepared a handy reference guide – What Should You Do When the FTC Calls About Google? to explain what the FTC can ask, to explain a few of the basic legal principles that apply to the "asking" the FTC may engage in and, frankly, a warning that you should be calling your lawyers—lawyers knowledgeable in this process—and protecting your interests. For you in-house lawyers out there, if you aren’t familiar with handling these inquiries and third-party requests, perhaps you should consider engaging the services of outside lawyers who know how to help. So whether you know you need help, before or after receiving an inquiry from the FTC – formal or informal – or if you aren’t sure, you might just want to call Joseph I. Rosenbaum, Rachel A. Rubin or the Reed Smith lawyer with whom you regularly work. We would be happy to help!
An Open IMHO Letter to Google
Dear Google:
I’ve heard that the FTC has served you with a civil investigative demand in connection with your search-advertising business. They have raised the question as to whether your search engine technology pushes consumers to your other services in a manner that is unfair to your competition.
Now the FTC will try to determine if your market power is dominant because your practices are unfair and whether consumers are harmed, either directly or by not having competitive choices in the marketplace. Of course, the FTC has taken into account the complaints of your competitors. That is significant because I’ve heard a rumor that companies rarely try to incite trouble for their competitors at a regulatory agency.
So what happens next? Senior executives scramble. Lawyers do research and prepare briefs. Finance people set up cost centers and budgets. Evidence is gathered. Experts are retained. Distraction will be pervasive, invasive, consistent and persistent - until a settlement is reached. It won’t be pretty. It won’t be fun. It never is. But it’s here and at least the sword of Damocles is not hovering above. The issues will be confronted and the scope will be expanded – government always uses what it finds as a basis for going farther than originally planned (it’s great leverage). Then the serious business of trying to reach an accord will begin.
This isn’t about winning or losing. It’s about making a point. But it’s de facto, a recognition that you are thriving at what you do and have grown large and successful as a result. True, this action is probably not the recognition you prefer, but when the government wants everyone to believe you might be too big, too dominant, too much in control at the expense of competition and the detriment of consumers, the target is painted on you and it’s just a question of how much pain is inflicted before a settlement is reached.
Now I am not an economist or a market dominance expert, I’m a lawyer and blogger; but I thought I might help out by offering some observations you can bring to the attention of the FTC that might give the government (maybe others in the industry and even your competitors), pause to question whether their analysis, their efforts, their investigation, is correct or necessary. I’ve taken the liberty of including an attachment to this letter (see Attachment A) that provides some tips. Feel free to use them and tell your lawyers to back them up with lots of research and briefs – those are always impressive and useful.
Sincerely,
Joe Rosenbaum at Legal Bytes.
P.S. If your people end up spending hours, days and months with government regulators, working through lunches, late nights pouring over documents, huddled around conference tables, it may give you an opportunity to point the officials to their next target. You know who.
P.P.S. Feel free to use these and other quotes from the FTC if you like:
“And, as the information industry is still emerging, quite dynamic, and not yet well understood, plausible efficiency benefits should, perhaps, weigh heavily in the balance against asserted risks of decreased competition, especially when the technology is changing so fast that adverse effects on competition are likely to be transitory.”
“A less confrontational approach suggests that because of the robust pace of innovation in high-tech industries, government should not intervene 'unless certain that doing so will benefit consumers and the economy.' (See, Priest, The Law and Economics of U.S. v. Microsoft, AEI Newsletter, August 1998).” Antitrust Analysis in High-Tech Industries: A 19th Century Discipline Addresses 21st Century Problems, Prepared Remarks of Robert Pitofsky, Chairman, Federal Trade Commission, to the American Bar Association Section of Antitrust Law's Antitrust Issues in High-Tech Industries Workshop, February 25-26, 1999, Scottsdale, Arizona
You really need to see Attachment "A" so if it isn't already displayed, point whichever browser you are using and click the "Continue Reading" text on the left below.
Attachment A
Responses to the FTC Antitrust Investigation *
Google is not a verb.
Brand and reputation management is more important than trademarks in the online and mobile space. Get over it. Google is a company. The presence of other search, advertising-supported browsers, platforms and technology is actual evidence that no specific company or technology is truly dominant through the exercise of "control," but rather of the innovative appeal, utility and functionality to consumers. Do the names Netscape, MySpace or Sega ring a bell?
Google doesn’t and can’t control consumers.
Dominance implies barriers to entry, control and the evil things monopolists ostensibly do to protect their turf. My mouse is free to go where I tell it, free of any browser or search technology. Try this at home everyone: Open Internet Explorer. Firefox. Opera. Chrome. Safari. Don’t close any. Did Chrome take over control of your screen as the 1963 TV series "Outer Limits" did? Want more? Please refer to the Comparison of Web Browsers available on Wikipedia, starting with Nexus in 1991. You do remember dominant Nexus, don’t you?
Google presents no barrier to entry.
Bing searches. Facebook socializes. Twitter chirps. Groupon clips. FourSquare locates. LinkedIn networks. Anyone feel they can’t innovate? Generate buzz? Grow their own consumer-user base? Entry, algorithms, technology, costs almost nothing in this market – sadly hackers and cybercriminals often call attention to that fact. Perhaps a better question is whether innovation is stimulated by companies that constantly evolve and look for ways to improve the consumer experience, rather than lock them into one. I don’t have a two-year exclusive contract for my web browser with Google. Do you?
Google dominance based on consumer choice is neither bad nor illegal.
Dominance isn’t bad or illegal if it is earned, not coerced. Big doesn’t always equal bad – the government would be guilty if that were the measuring criteria. What if consumers prefer Google’s search technology because of utility, functionality, accessibility or another reason. I like the doodles on each day’s opening web page. Nothing is tied to my browsing, nothing controls or coerces my actions, and although I use a variety of browsers for reasons that are unique to me, none of them dominates my activity or behavior on the web. Just curious, does each government agency (e.g., the FTC) have a choice of browser used internally?
Google doesn’t harm consumers.
At the end of the day, if consumers aren’t harmed, if no unfair competition has occurred, if no barriers to entry exist, and if no control is exercised because of dominant position—the question we must all ask is whether the government is simply targeting each 800-pound gorilla in each decade, or whether some wrong must be set right. I wonder how many consumers have contacted the FTC complaining that they were forced to use a browser against their will. Does it not strike anyone as strange that a company that looks at the market, identifies an opportunity, and innovates for the benefit of consumers in that market, is targeted because it has done a good job? If there is no evidence that a consumer is harmed, precluded from making choices in a competitive marketplace, or prevented from using or benefiting from some product or service as a result of unfair or deceptive practices, riddle me this, Batman – whose interests is the government protecting?
* Note: Neither the author nor, to his knowledge, his law firm, represents Google. The author has not and does not do business with Google, although he has used its browser, used its search capabilities and other features and functions when he chooses to do so. The above analysis would and does apply to any similar situation. Why? Because it’s my humble opinion. IMHO, that’s why.
First issued in 1992 and revised in 1998, the Federal Trade Commission three years ago (2007) began an extensive review of its Guides for the Use of Environmental Marketing Claims, also known as the "Green Guides," focusing mainly on the dividing line between deceptive and non-deceptive speech. Noting the increasing use of "greenwashing" – the use of unsubstantiated environmental claims in advertising – the FTC is seeking to spell out the specific environmental claims that advertisers can and cannot make about their products and services. After hearings, surveys and feedback, the FTC recently formulated draft revisions to the Green Guides, publishing them for public comment.
Our own John P. Feldman prepared an insightful analysis of the draft revision and what it may mean if it is ultimately adopted by the FTC in its current form. That analysis, originally prepared as a presentation to lawyers, and advertising and marketing professionals, has now been recast into a narrative discussion; and thanks to the assistance of Carolyn Boyle and the editorial staff at the International Law Office, you can read all about it on the International Law Office website. The article, published as the Revised Green Guides: A Balanced Approach to Environmental Claims in Advertising, represents a terrific overview of the FTC's current thinking in this area, and it is a must read for any legal, regulatory, advertising and marketing professional who does "green" marketing and advertising or who may be responsible for it.
If you need help, need more information, or need knowledgeable counsel and representation in this important area of law and regulation – either now or increasingly in the future – please don't hesitate to contact John P. Feldman directly, or me, Joe Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work.
Chapter Authors
United States
John L. Hines, Jr., Partner – jhines@reedsmith.com
Janice D. Kubow, Associate – jkubow@reedsmith.com
United Kingdom
Emma Lenthall, Partner – elenthall@reedsmith.com
Louise Berg, Associate – lberg@reedsmith.com
Introduction
This chapter explores emerging exposures associated with misleading advertising and defamation in social media.
The ever-growing number of conversations in social media venues creates new opportunities for advertisers to promote their brand and corporate reputation. These same conversations, however, create new risks. Online disparagement of a corporation or its products and/or services through social media can spread virally and very quickly, making damage control difficult. Accordingly, corporations need to be aware of their rights and remedies should they fall prey to harmful speech on the Internet. An organization also needs to understand how to minimize its own exposure and liability as it leverages social media to enhance its brand and reputation.
Within the context of social media, the two greatest risks to brand and reputation are, respectively, misleading advertising and defamation. Within the realm of misleading advertising, companies need to pay attention to new risks associated with the growing phenomenon of word-of-mouth marketing.
Social Media in Action in Commercial Litigation
False Advertising and Word-of-Mouth Marketing: Understanding the Risks
The US position
The presence of social media increases the risk that your organization will be touched by false advertising claims–either as a plaintiff or a defendant. First, more communication means more opportunity for miscommunication generally and for a misstatement about your or your competitor’s brand. Compounding this risk is the fact that social media marketing and sales channels (including word-of-mouth marketing programs) are now highly distributed, making enforcement of centralized communication standards difficult. Finally, social media frequently operates as a kind of echo chamber: consumers hear their likes and dislikes repeated back to them, amplified, and reinforced by those who share similar feelings.[1] In light of all these factors, the growth of social media is likely to see false advertising claims skyrocket. Indeed, it is worth noting that a 2008 Federal Judicial Center Report concluded that between 2001 and 2007, the number of consumer protection class actions filed annually rose by about 156 percent.[2]
False Advertising Generally
Generally, the tapestry of laws covering false advertising consists of Section 5 of the FTC Act[3] (the “FTC Act”), Section 43(a) of the Lanham Act,[4] the state deceptive practices acts, and common law unfair competition. All of these laws target deception of one form or another, but they differ in their requirements as to who can bring an action, the burden of proof required, and the available relief.
Section 5 of the FTC Act prohibits “unfair and or deceptive acts or practices.”[5]According to the FTC Policy Statement on Deception (1983),[6] deception exists if there is a material representation, omission or practice that is likely to mislead an otherwise reasonable consumer. Neither intent nor actual harm is a required element, and the FTC, in making a determination, is free to draw upon its experience and judgment rather from actual evidence in the marketplace.[7] The FTC will find an advertiser’s failure to disclose facts actionable under Section 5 if a reasonable consumer is left with a false or misleading impression from the advertisement as a whole.[8] The advertiser generally bears the burden of substantiating the advertising claim.[9] The FTC Act permits monetary and injunctive relief.[10]
Prior to, or in lieu of, an FTC proceeding, parties may find themselves before the National Advertising Division (“NAD”), a self-regulatory body that also focuses on resolving deceptive and misleading advertising. Parties generally participate in NAD proceedings willingly so as to avoid potentially more consequential action at the FTC. Although claims can be brought by consumers or competitors at the NAD, there is no private right of action at the FTC or in federal court under the FTC Act. Consumers seeking to file claims in court for consumer fraud and false advertising must resort to applicable state deceptive practices statutes and common law.
Competitors are also protected against deceptive practices under Section 43(a) of the Lanham Act, which provides for civil actions for injunctive and monetary (in state or federal court) for false or misleading statements made in commercial advertisement. The Seventh, Ninth and Tenth Circuit Courts of Appeals have tended to restrict standing under the Lanham Act to parties who are in direct competition; the other Circuits have a slightly broader standing threshold—but relief is not available to consumers. Under the Lanham Act, it is not necessary to show actual harm or intent to deceive to obtain an injunction.[11] To obtain damages, however, it is necessary to show that customers were deceived and that the plaintiff was harmed. Some courts raise a presumption of harm where the plaintiff proves the defendant’s intent and bad faith.
The plaintiff in a Lanham Act action has the burden of proving that the claim is deceptive.[12] The Lanham Act prohibits false and misleading statements; accordingly, the mere failure to disclose or omission to state a fact is not per se actionable. However if the failure to disclose makes a statement “affirmatively misleading, partially incorrect, or untrue as a result of failure to disclose a material fact,” then that statement is actionable.[13] In cases of implied deception, this means the plaintiff will have to introduce extrinsic consumer survey evidence.
As noted above, the growth of social media is likely to result in an increase in enforcement actions and private civil actions generally in connection with false advertising. Moreover, as discussed below, the FTC Guides make bloggers and advertisers using word-of-mouth marketing particularly vulnerable to deceptive practices and false advertising claims based on the blogger’s failure to disclose a material connection to the advertiser.[14] In addition, to clarifying the FTC’s own position with reference to how rules applicable to endorsements apply to social media, the FTC Guides are likely to be applied by state and federal courts when interpreting the Lanham Act and state deceptive practices acts.[15]
“Word of Mouth” Marketing
The Duty to Disclose
Social media has spawned virtually a new advertising industry and methods for spreading brand in an old way: word-of-mouth marketing. Word-of-mouth marketing involves mobilizing users of social media to “spread the word” about the advertiser’s goods and services. According to the Word of Mouth Marketing Association, word-of-mouth marketing is “[g]iving people a reason to talk about your products and services, and making it easier for that conversation to take place. It is the art and science of building active, mutually beneficial consumer-to-consumer and consumer-to-marketer communications.”[16]
Word-of-mouth marketing typically refers to endorsement messaging. Specifically, an endorsement is “an advertising message” that consumers are likely to believe is a reflection of the opinions and beliefs of the endorser rather than the “sponsoring” advertiser.[17] When a television ad depicts “neighbors” talking about the merits of the Toro lawn mower, we don’t believe that these statements reflect their personal beliefs; we know that they are actors speaking for the advertiser. On the other hand, Tiger Woods touting Nike golf equipment is an endorsement; we believe that we are listening to his personal views. A third-party’s statement, however, is not an advertisement (and not an endorsement) unless it is “sponsored.” To determine whether it is an endorsement, consider whether in disseminating positive statements about a product or service, the speaker is: (1) acting solely independently, in which case there is no endorsement, or (2) acting on behalf of the advertiser or its agent, such that the speaker’s statement is an ‘endorsement’ that is part of an overall marketing campaign?”[18]
As with all advertising, the bedrock concern of the FTC is with “unfair or deceptive acts or practices” prohibited under Section 5 of the FTC Act.[19] Deceptive acts or practices, generally, may include a failure to disclose material facts relative to a particular advertising claim. Thus, in the context of an endorsement, the relationship between the advertiser and the endorser may need to be made apparent to the consumer in order for the consumer to properly weigh the endorser’s statement. The FTC Guides state that advertisers are subject to liability for false or unsubstantiated statements made through endorsements, or for failing to disclose material connections between themselves and their endorsers, and that endorsers also may be liable for statements made in the course of their endorsements.[20] Section 255.5 of the FTC Guides requires that where a connection exists between the endorser and the seller that might materially affect the weight or credibility of the endorsement, such connection must be fully disclosed.
The FTC Guides distinguish three features of endorsements in the context of social media: (1) dissemination of the advertising message; (2) advertisers’ lack of control; and (3) material connections.
First, in traditional print and broadcast media, the advertiser controlled the messaging. Endorsements were embedded largely in a message controlled by the advertiser. This has changed. As the FTC explains (emphasis added):[21]
When the Commission adopted the Guides in 1980, endorsements were disseminated by advertisers—not by the endorsers themselves—through such traditional media as television commercials and print advertisements. With such media, the duty to disclose material connections between the advertiser and the endorser naturally fell on the advertiser.
The recent creation of consumer-generated media means that in many instances, endorsements are now disseminated by the endorser, rather than by the sponsoring advertiser. In these contexts, the Commission believes that the endorser is the party primarily responsible for disclosing material connections with the advertiser.
Consistent with this observation, the FTC Guides were amended to provide that “[e]ndorsers also may be liable for statements made in the course of their endorsements.”[22] Consistent with this observation, the FTC Guides were amended to provide that “[e]ndorsers also may be liable for statements made in the course of their endorsements.”[23] While at this writing the FTC has indicated that it does not intend to pursue individual users of social media and that it will be focusing enforcement on the advertisers, individual social media users would be ill advised to ignore the very clear mandates directed to them in the FTC Guides, standards that are also likely to influence courts in their interpretation of the Lanham Act and similar state laws.
Second, advertisers will frequently find themselves in relationships with apparently remote affiliate marketers, bloggers and other social media users. However, the advertiser’s lack of control over these remote social media users does not relieve the advertiser of responsibility for an endorser’s failure to disclose material information. “The Commission recognizes that because the advertiser does not disseminate the endorsements made using these new consumer-generated media, it does not have complete control over the contents of those statements.”[24] The Commission goes on to state, however, that “if the advertiser initiated the process that led to these endorsements being made—e.g., by providing products to well-known bloggers or to endorsers enrolled in word of mouth marketing programs—it potentially is liable for misleading statements made by those consumers.”[25]
Importantly, for advertisers, the determination of liability hinges on whether the “the advertiser chose to sponsor the consumer-generated content such that it has established an endorser sponsor relationship.”[26] Again, that relationship may exist with otherwise remote users. The FTC points out, however, that “[it], in the exercise of its prosecutorial discretion, would consider the advertiser’s efforts to advise these endorsers of their responsibilities and to monitor their online behavior in determining what action, if any, would be warranted.”[27]To avoid prosecution, if not liability, advertisers should heed the Commission’s admonition:[28]
[A]dvertisers who sponsor these endorsers (either by providing free products—directly or through a middleman—or otherwise) in order to generate positive word of mouth and spur sales should establish procedures to advise endorsers that they should make the necessary disclosures and to monitor the conduct of those endorsers.
Finally, the FTC Guides indicate that social media endorsers may have a heightened duty to disclose material connections to the advertiser. “[A]cknowledg[ing] that bloggers may be subject to different disclosure requirements than reviewers in traditional media,” the FTC states:[29]
The development of these new media has, however, highlighted the need for additional revisions to Section 255.5, to clarify that one factor in determining whether the connection between an advertiser and its endorsers should be disclosed is the type of vehicle being used to disseminate that endorsement—specifically, whether or not the nature of that medium is such that consumers are likely to recognize the statement as an advertisement (that is, as sponsored speech). Thus, although disclosure of compensation may not be required when a celebrity or expert appears in a conventional television advertisement, endorsements by these individuals in other media might warrant such disclosure.
. . .
The Commission recognises that, as a practical matter, if a consumer’s review of a product disseminated via one of these new forms of consumer-generated media qualifies as an “endorsement” under the construct articulated above, that consumer will likely also be deemed to have material connections with the sponsoring advertiser that should be disclosed. That outcome is simply a function of the fact that if the relationship between the advertiser and the speaker is such that the speaker’s statement, viewed objectively, can be considered “sponsored,” there inevitably exists a relationship that should be disclosed, and would not otherwise be apparent, because the endorsement is not contained in a traditional ad bearing the name of the advertiser.
Word of Mouth Marketing: Summary
The FTC’s message is thus clear: (1) bloggers and other social media users are viewed as primary disseminators of advertisements; (2) endorsers in social media, along with the sponsoring advertisers, are subject to liability for failing to make material disclosures relating to the endorsement relationship (e.g., gifts, employment and/or other connections and circumstances); (3) the FTC appears to take the position that there is a higher threshold of disclosure in social media than traditional media, and that the endorsement relationship itself is likely to trigger the obligation to disclose; (4) advertisers need to take reasonable steps to assure that material disclosures are in fact made; (5) advertisers cannot rely on the “remoteness” of the social media endorsers or on the advertiser’s lack of control over them to escape liability; (6) advertisers are technically liable for a remote endorser’s failure to disclose; (7) an advertiser’s ability to avoid discretionary regulatory enforcement due to the endorser’s failure to disclose will be a function of the quality of the advertiser’s policies, practices and policing efforts. A written policy addressing these issues is the best protection.
False Endorsements
False endorsement cases arise under Section 43(a) of the Lanham Act where a person claims that his name or likeness, or actions attributed to him, are being used improperly to promote particular goods or services.
The Internet is rife with spoofing, fake profiling and other malicious conduct directed by one social media user against another. Frequently the conduct involves the transmission and publication of embarrassing or highly personal details about the victim. While historically, false endorsement cases have been brought commonly by celebrities or other people well-known to a community, the prevalence of social media will likely see the rise of false endorsement cases brought by non-celebrity victims under Section 43(a) and parallel state law.[30]
In Doe v. Friendfinder Network, Inc.,[31] the defendant operated a network of web communities where members could meet each other through online personal advertisements. Someone other than the plaintiff created a profile for “petra03755” including nude photographs and representations that she engages in a promiscuous lifestyle. Biographical data, according to the plaintiff, caused the public to identify her as “petra03755” to the community. The plaintiff alleged that the defendant did nothing to verify accuracy of the information posted, caused portions of the profile to appear as “teasers” on Internet search engine results (when users entered search terms matching information in the profile, including the true biographical information about the plaintiff,) and advertisements that in turn directed traffic to defendant’s site. In denying the motion to dismiss the Lanham Act claim, the district court stated:[32]
The plaintiff has alleged that the defendants, through the use of the profile in “teasers” and other advertisements placed on the Internet, falsely represented that she was a participant in their on-line dating services; that these misrepresentations deceived consumers into registering for the defendants’ services in the hope of interacting with the plaintiff; and that she suffered injury to her reputation as a result….
For purposes of this motion, then, the court rules that the plaintiff’s claim for false designation under 15 U.S.C. § 1125(a)(1)(A) does not fail simply because she is not a “celebrity.”
The UK position
While there is at present no specific legislation aimed at social media, there is a plethora of legislation and self-regulation that impacts on almost all activities connected to blogging, social networking or undertaking new forms of promotions on line. Some of the most important legal controls are:
The Advertising Standards Authority and the ‘CAP’ Code
The Advertising Standards Authority is an independent body which regulates all forms of advertising, sales promotion and direct marketing in the UK. Different regimes apply to broadcast and non-broadcast advertising. Online advertisements are covered by the self regulatory ‘non-broadcast’ Codes of Advertising Practice (CAP Code). [33]. While this Code only applies at present to advertisements in ‘paid for’ space, this is likely to change shortly. There is huge political pressure to extend the remit of the ASA and the CAP Code to all promotional messages on the Internet. In any event, all sales promotions are covered by the CAP Code. Advertisers need to be aware of the need for compliance with the Code. For example, the ASA regulates pop-up and banner ads on social networking sites and viral email or other marketing messages which advertisers pay social media to seed, though the position is not entirely clear. In addition there is a risk that Trading Standards or other regulators could intervene by utilising legislation, as described further below.
The ASA will not regulate any advertisements published in foreign media or which originate from outside the UK. Advertisers need only be concerned if they are placing an advertisement on a UK-based social networking site. However, the ASA does operate a cross-border complaints system in conjunction with ‘EASA’, the European Advertising Standards Alliance.
The CAP Code sets out a number of key principles to protect consumers against false advertising and other harmful advertising practices. For example, it states that advertising should be legal, decent, honest and truthful, and should not mislead by inaccuracy, ambiguity, exaggeration or otherwise), should not cause offence and should not contain misleading comparisons. It also contains specific rules relating to particular types of advertisement and products.
The UK non-broadcast advertising industry is self-regulating and therefore compliance with the CAP Code is voluntary. However, penalties for breaching the Code can include the following.
Advertisers also need to be aware that more powerful sanctions are in the pipeline and that, practically speaking, the risk of damage to the brand by an adverse adjudication is a real deterrent to most reputable advertisers and brand owners.
Advertisers who like to put out edgy content do not necessarily need to fear ASA regulation. ASA adjudications do not automatically stamp out anything which pushes the boundaries. As an example, a company called Holidayextras paid video site Kontraband to carry a viral ad for internet parking. The ad featured a man speaking with a heavy Irish accent who was running a dodgy car parking operation. He stumbled out of a caravan (beside which were a fence and a sign saying ‘ca parkin’) and swore as he chased off children and threw a chair at them. Throughout the ad, subtitles appeared which were a more polite interpretation of his words (for example, he appeared to kick a car and punch the driver and the subtitles stated "Just pop it in the space over there please Parker"; "There's a good chap"). More extreme behaviour and questionable practices followed, and at the end of the ad, a car was shown on fire. From his caravan the man phoned the customer saying “there’s been a slight problem with your Mondeo”. The ASA failed to uphold a complaint that the ad was offensive to Irish people and Romany travellers. They noted the ad was intended to show a humorous contrast between a fictional caricature and a company that valued security. Although the character spoke with a heavy Irish accent and ran his business from a caravan, because he displayed extreme behaviour from which the humour in the ad was derived, they did not consider the ad suggested that behaviour was typical of Irish or Romany communities. Whilst they understood that some people could find the ad in poor taste they concluded it was unlikely to cause serious or widespread offence.
False Endorsements
It is unlikely that the ASA will regulate third party endorsements of an advertisers’ products which appear on social media, unless the advertisers paid or actively participated with the media provider to put them there. As noted above, only ads in ‘paid-for’ space fall within the ASA’s remit, subject to possible imminent change as mentioned above.
However, advertisers who place ‘paid for’ ads containing endorsements should be aware that, according to the CAP Code, they should obtain written permission before referring to/portraying members of the public or their identifiable possessions, referring to people with a public profile or implying any personal approval of the advertised products. They should also hold signed and dated proof (including a contact address) for any testimonial they use. Unless they are genuine opinions from a published source, testimonials should be used only with the written permission of those giving them.
Advertisers should take particular care when falsely representing that a celebrity has endorsed their products or services as they could be vulnerable to a claim for passing off (regardless of whether the endorsement appears in paid-for space). Unlike most other jurisdictions, it is possible under English law to use dead and living celebrities without consent, provided there is no implied endorsement or a breach of any trade mark. The danger with the Internet, however, is that material may be accessible in jurisdictions outside the UK and therefore using the image of celebrities without permission in the online environment carries a greater degree of risk than on more traditional media.
Passing Off
Passing off is a cause of action under English common law. It occurs where consumers are misled by someone who is making use of another person’s reputation, and can take two forms:
Consumer Protection from Unfair Trading Regulations 2008
False advertising and word-of mouth marketing on social media could also fall foul of the Consumer Protection from Unfair Trading Regulations 2008 (which implement the EU Unfair Commercial Practices Directive in the UK). The regulations include a general prohibition on unfair business to consumer commercial practices which is so wide that its application could extend to a variety of commercial practices on social media. The regulations also legislate against misleading actions/omissions and aggressive commercial practices, and set out prohibitions on 31 specific practices that will be deemed unfair in any circumstances. Several of these could be relevant to commercial activity on social media. As an example, prohibition 11 prevents traders from using editorial content in the media to promote their products or services without making it clear that the promotion has been paid for. The prohibitions apply to any ‘trader’, i.e., a natural or legal person acting in the course of his trade, business, craft or profession. Contravention can lead to criminal penalties. This does not bode well for so-called ‘street teams’ as used by some brands to promote products. Street teams are often young people who are employed on a part-time basis to eulogise about a particular brand or product on social media platforms. Often difficult to spot, street teams can be hugely effective at driving brand equity because consumers do not realise that they are being targeted – instead, they believe that they are truly on the receiving end of genuine word-of-mouth recommendations.
Advertisers may also find useful the Word of Mouth Association UK Code of Ethics useful see http://womuk.net/ethics/. The Word of Mouth Marketing Association (“WOMMA”) and WOM UK are the official trade associations that represent the interests of the word of mouth and social media industry. The Code sets standards of conduct required for members that include sensible guidelines on the disclosure of commercial interests behind on line commercial activities and social network sites.
The Business Protection from Misleading Marketing Regulations 2008
The Business Protection from Misleading Marketing Regulations 2008 prohibit misleading advertising and set out rules for comparative advertising. Advertising is defined as ‘any form of representation which is made in connection with a trade, business, craft or profession in order to promote the supply or transfer of a product’. This broad definition could clearly cover false advertising and word-of–mouth marketing (as well as other content) on social media. A trader who falls foul of the regulations can be punished by a fine (or imprisonment for engaging in misleading advertising). A trader is defined as any person who is acting for purposes relating to his trade, craft, business or profession and anyone acting on their behalf. There is a defence for the ‘innocent’ publication of advertisements.
Social networking: a new form of advertising regulation?
The most effective means of controlling advertiser activity in the modern world is the ability for consumers to voice their discontent.
Sometimes social networking sites may enable consumers to send a message to advertisers where the regulator can’t. In January 2010, more than a thousand people joined a Facebook campaign to ban UK billboard advertising a website for those looking for “extramarital relations". The ASA had rejected a complaint about the billboard on the grounds that the ad would not cause "serious or widespread offence" and said that its remit was to examine the ad in isolation, rather than the product it was promoting, which is a legally available service. At the time of writing, the group had over 2,700 members
Equally the damage that can occur when a brand misleads the public can much more easily be broadcast to a wider audience via social networking and blogging sites.
Defamation and Harmful Speech: Managing Corporate Reputations
The U.S. position
In addition to confronting issues involving online brand management generally and word–of-mouth advertising specifically, corporations face similar challenges in protecting reputation, including risks associated with disparagement and defamation.
The architectures of the Internet and social media make it possible to reach an unlimited audience with a flip of the switch and a push of the send button—and at virtually no cost. There are few barriers to people speaking their mind and saying what they want. Furthermore, because of the anonymity social media allows, users are increasingly choosing to express themselves with unrestrained, hateful and defamatory speech. These tendencies, encouraged exponentially by the technology and the near-zero cost of broadcasting one’s mind, are likely to be further exacerbated under circumstances such as the current economic crisis, where people are experiencing extraordinary frustration and fuses are short.
Words can hurt. Defamation can destroy reputations. For individuals, false postings can be extraordinarily painful and embarrassing. For corporations, who are increasingly finding themselves victims of defamatory speech, a false statement can mean loss of shareholder confidence, loss of competitive advantage, and diversion of resources to solve the problem. While the traditional laws may have provided remedies, the challenges to recovering for these actions that occur over social media are enormous because the operators of the media that facilitate defamatory postings are frequently immune from liability. (Of course, if a corporation is the operator of a blog or other social media, there will be some comfort in the “immunities” offered to operators of these media.) The immunity under the applicable federal law, the Communications Decency Act (the “CDA”), and some other key issues associated with online defamation are discussed below.
Defamation Generally
Although the law may vary from jurisdiction to jurisdiction, to make a case for defamation, a plaintiff must generally prove: “(a) a false and defamatory statement concerning another; (b) an unprivileged publication to a third party; (c) fault amounting at least to negligence on the part of the publisher; and (d) either actionability of the statement irrespective of special harm or the existence of special harm caused by the publication.”[34] Defamation cases are challenging to litigate. It should be noted that in the United States, the First Amendment sharply restricts the breadth of the claim. Defamation cases frequently carry heightened pleading requirements and a shortened statute of limitations. If the victim is an individual and a public figure, he or she will have to prove malice on the part of the defendant to make a successful case. Finally, the lines between opinion and fact are frequently very hard to draw and keep clean.
Anonymous Speech
Online defamation presents added complications. Online, and in social media specifically, the source of the harmful communication is frequently anonymous or communicating through a fake profile. At the first line of attack, piercing anonymity of the anonymous speaker can be challenging because of heightened standards under First Amendment and privacy laws. A plaintiff victim will often file his case as a Jane or John “Doe” case and seek to discover the identity of the defendant right after filing. The issue with this approach is that many courts are requiring the plaintiff to meet heightened pleading and proof standards before obtaining the identity of the defendant. Effectively, if the plaintiffs can’t meet the heightened pleading standard to obtain the identity of the defendant, they will be unable to pursue their cases. In one leading case, the New Jersey Appellate Court established a test that requires plaintiff “to produce sufficient evidence supporting each element of its cause of action on a prima facie basis,” after which the court would “balance the defendant’s First Amendment right to anonymous speech against the strength of the prima facie case presented and the necessity for the disclosure.”[35]
Special Challenges: Service Provider Immunity
As noted above, the challenges to the corporate victim are compounded by the fact that its remedies against the carrier or host (the website, blog, search engine, social media site) are limited. The flipside, of course, is that corporations may have greater room in operating these kinds of sites and less exposure—at least for content that they don’t develop or create. (See Chapter 1 – Advertising) A blogger will be liable for the content that he creates, but not necessarily for the content that others (if allowed) post on his blog site.
Early case law held that if a site operator takes overt steps to monitor and control its site and otherwise self-regulate, it might be strictly liable as a publisher for a third party’s defamation even if the operator had no knowledge of the alleged defamatory content. Arguably, this encouraged site operators not to monitor and self-regulate.[36] Other early case law also held that if the operator knew about the defamation, it would be liable if it did not do something to stop the conduct.[37]These holdings arguably created an incentive to take down any potentially dangerous information to avoid liability—and thus, according to some, threatened to chill speech and dilute a robust exchange of ideas.
All of these early cases were overruled in 1996 by the CDA.[38] Section 230(c) of the CDA overruled all of the early cases by providing as follows: “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”[39] The term “information content provider” means “any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.”[40] Under Section 230(c), the operator, so long as not participating in the creation or development of the content, will be “immune” from a defamation claim under the statute.
The CDA makes it challenging to attach liability to a website, blog, social media platform or other electronic venue hosting offensive communication. Under U.S. law, these service providers have a virtual immunity, unless they participate in the creation or development of the content. Cases involving social media make the breadth of the immunity painfully clear. In Doe v. MySpace, Inc.,[41] a teen was the victim of a sexual predator as a result of conduct occurring on MySpace. The teen’s adult “next of friend” sued MySpace for not having protective processes in place to keep young people off the social media site. In effect, the suit was not for harmful speech, but for negligence in the operation of MySpace.[42] The Texas District Court rejected the claim, and in doing so highlighted the potential breadth of the “immunity”:[43]
The Court, however, finds this artful pleading [i.e., as a “negligence” claim] to be disingenuous. It is quite obvious the underlying basis of Plaintiffs’ claims is that, through postings on MySpace, Pete Solis and Julie Doe met and exchanged personal information which eventually led to an in-person meeting and the sexual assault of Julie Doe…. [T]he Court views Plaintiffs’ claims as directed toward MySpace in its publishing, editorial, and/or screening capacities. Therefore, in accordance with the cases cited above. Defendants are entitled to immunity under the CDA, and the Court dismisses Plaintiffs’ negligence and gross negligence….
It is not clear that other courts would interpret the CDA as broadly as did the Texas court. Indeed, the breadth of the CDA remains highly disputed among the courts, academics and policymakers who raise the prospect of amending the law from time to time.
Companies that operate their own blogs or other social media platforms, such as a Twitter page can generally avoid liability for speech torts on their sites if they stick to traditional editorial functions—and do not allow those activities to expand into any conduct that could be interpreted as creation and development of the offensive conduct.[44] Although exercising editorial control is not penalized, the question confronting the courts is the point at which a company goes beyond editing or beyond providing a forum, and into the realm of creation and development.[45]
Where “creation and development” begins and ends may not always be a bright line. For example, the mere reposting of another “content provider’s” content is arguably safe and within the editorial province of the social media operator. Although not completely free from doubt, it appears that a blog operator can receive a potential posting, review the content for editorial concerns, and then post it without the content thereby becoming the operator’s creation.[46] Some courts hold that the operator’s reposting to third-party sites is still within the grant of the immunity. In Doe v. Friendfinder Network, Inc., for example, the community site caused the defamatory postings to be transmitted to search engines and advertisers and other linked sites. Holding that Section 230 protected that conduct, the court noted: “Section 230 depends on the source of the information in the allegedly tortious statement, not on the source of the statement itself. Because ‘petra03755’ was the source of the allegedly injurious matter in the profile, then, the defendants cannot be held liable for ‘re-posting’ the profile elsewhere without impermissibly treating them as ‘the publisher or speaker of [ ] information provided by another information content provider.’ … 47 U.S.C. § 230(c)(1).”[47] It is worth emphasizing that the Section 230 bar applies to providers “or users” of interactive computer services.[48] Significantly, there is at least an argument that re-tweeters (as “users”) are protected under the statute.
Plaintiffs continue to reach for creative attacks on Section 230. In Finkel v. Facebook, Inc., et al.,[49] the victim of alleged defamatory statements claimed that Facebook’s ownership of the copyright in the postings barred its right to assert Section 230. The plaintiff urged, in effect, that the defendant could not claim ownership of the content and simultaneously disclaim participation in the “creation and development” of that same content. Rejecting this argument, the New York trial court stated that “‘[o]wnership’ of content plays no role in the Act’s statutory scheme.”[50] Furthermore, the court reiterated Congressional policy behind the CDA “by providing immunity even where the interactive service provider has an active, even aggressive role in making available content prepared by others.”[51] The court was clear in dismissing the complaint against Facebook where the interactive computer service did not, as a factual matter, actually take part in creating the defamatory content.
This is an important decision. Many sites assume ownership of content through their terms of use, and a contrary ruling would materially restrict application of the CDA in those cases. Further litigation is likely in this area.
Some courts have explored plaintiffs’ assertions of service provider “culpable assistance” as a way of defeating the provider’s CDA defense. In Universal Comm’n Sys., Inc. v. Lycos, Inc.,[52] the plaintiff argued that the operator’s immunity was defeated by the construct and operation of the website that allowed the poster to make the defamatory posting. The First Circuit rejected the argument for a “culpable assistance” exception to the CDA under the facts as presented, but left open the possibility of such an exception where there was “a clear expression or other affirmative steps taken to foster unlawful activity.”[53]
This result is consistent with the Ninth Circuit’s decision in Fair Housing Council of San Diego v. Roommates.com, LLC.[54] In that case, involving an online housing service, the court held that the CDA did not provide immunity to Roommates.com for questions in an online form that encouraged illegal content. Roommates.com’s services allowed people to find and select roommates for shared living arrangements. The forms asked people questions relating to their gender and sexual orientation. Although Roommates.com clearly did not provide the content in the answers, the Ninth Circuit held that it was not entitled to immunity. The majority ruled that Roommates.com was not immune for the questionnaire itself or for the assembling of the answers into subscriber profiles and related search results using the profile preferences as “tags.” The court noted that the questions relating to sexual preferences posted by Roommates.com were inherently illegal and also caused subscribers to post illegal content themselves by answering the questions.[55] In a case that evoked a sharp dissent and defense of a strong immunity, the clear take-away from the Roommates.com decision is a view that the immunity is far from absolute.[56]
Entities that operate social media sites need to be especially careful not to allow their “editing” to turn into creation and development of content. Although these issues are far from settled, any embellishments and handling of posted content should be approached cautiously and only in the context of traditional editorial functions.
CDA Immunity: Scope of the IP Exception
One important issue dividing the courts is the scope of the immunity as it relates to intellectual property. Specifically, although the CDA confers a broad protection on service providers, it also provides that it “shall [not] be construed to limit or expand any law pertaining to intellectual property.”[57]In other words, a blog operator, for example, cannot assert a CDA defense to claims that, although involving speech, are rooted in harm to the victim’s intellectual property. If the victim asserts, as against the operator a claim for copyright infringement based on a blogger’s uploading of protected material on to the blog (clearly involving “speech”), the operator has no CDA defense. The victim and the operator will have to resolve their claims under the copyright law, and particularly the Digital Millennium Copyright Act. Likewise, if the victim asserts a claim under Section 1114 of the Lanham Act that its federally registered trademark is being wrongfully used on the blog, the operator arguably cannot rely on the CDA as a shield against liability.[58]
The courts differ over the scope of the intellectual property exception to immunity, and specifically over the definition of intellectual property for purposes of the statute. In Perfect 10, Inc. v. CCBill, LLC,[59] the court opted for a narrow reading of “intellectual property” and hence a broader scope for the immunity. Specifically, the Ninth Circuit “construe[d] the term ‘intellectual property’ to mean ‘federal intellectual property.’”[60] Accordingly, without determining whether the state law claims truly involved “intellectual property,” the Ninth Circuit held that the intellectual property exception does not, as a threshold matter, apply to state law claims, and therefore affirmed dismissal of various state law claims on CDA grounds.
On the other hand, some courts have opted for a broader reading of “intellectual property” that would have the exception cover relevant state law. For example, the court in Doe v. Friendfinder Network, Inc. determined that intellectual property under the CDA exception encompasses applicable state law and, on that ground, refused to dismiss the plaintiff’s right of publicity claim against the website operator.[61]
Reporter’s Privilege
Application of existing rules to new technologies can raise yet more hurdles in speech cases. For example, suppose false information about your company appears on a blog or that some bit of confidential information appears. As part of damage control, you may want to find the source–or compel the blog to disclose the source. This leads to an interesting question–to what extent are blogs actually “newspapers.” The question is one that courts are being forced to consider, because newspapers traditionally have a “reporter’s privilege” that allows them to resist revealing their sources. For example, in 2004, Apple faced such an issue with respect to someone who allegedly leaked information about new Apple products to several online news sites. Apple sought the identity of the site’s sources and subpoenaed the email service provider for PowerPage, one of the sites, for email messages that might have identified the confidential source. In 2006, a California Court of Appeals provided protection from the discovery of sources by the constitutional privilege against compulsory disclosure of confidential sources.[62] Courts continue to consider similar issues, and a number of legislative proposals have been introduced at the state and federal level.
Most recently, the New Jersey appellate court considered the issue in Too Much Media, LLC v. Hale,[63] where the court offered useful guidance on attributes distinguishing providers of information that are “news media” (and giving rise to a reporter’s privilege) and those that are not. In that case, a software provider in the adult entertainment sector brought a defamation claim against the defendant who operated a blog targeting pornography. The New Jersey court rejected the defendant’s assertion of the reporter’s privilege in response to plaintiff’s discovery for information relating to sources of certain information posted on the blog. Among other factors, the court noted that the defendant “produced no credentials or proof of affiliation with any recognized news entity, nor has she demonstrated adherence to any standard of professional responsibility regulating institutional journalism, such as editing, fact-checking or disclosure of conflicts of interest.”[64] The court went on to note “[a]t best, the evidence reveals defendant was merely assembling the writings and postings of others. She created no independent product of her own nor made a material substantive contribution to the work of others.”[65]
Ratings Sites
Social media has given rise to a proliferation of ratings sites. Many businesses are beginning to feel the effects of online negative reviews. The ratings sites themselves, however, need to tread carefully because the negatively affected businesses are jumping at the chance to shift their losses back to the ratings site.
Traditionally, ratings sites have two primary defenses.
First, to the extent that site operator itself is rating sites, the site operator’s system and/or list may be protected under the First Amendment as its “opinion.” Second to the extent that the site is carrying the ratings of third parties, the ratings site operator is protected under Section 230 of the Communications Decency Act for the tortious speech of the third parties who blog their ratings on the site (e.g., defamatory ratings).
The cases supporting an opinion defense reach back to cases challenging securities and credit ratings, such as Jefferson County Sch. Dist. No. R-1 v. Moody’s Inv. Services, Inc.[66] In Search King Inc. v. Google, Inc. v. Google Technology, Inc.,[67] which relied on Jefferson County Sch. Dist., Search King allegedly promoted an advertising business that identified highly ranked sites and then worked out deals with those sites to sell advertising on behalf of other companies. Google allegedly disapproved of Search King’s business model (which capitalized on Google’s PageRank ranking system) and responded by moving Search King itself to a lower page rank—causing it to move off the first page for certain queries. Rejecting Search King’s claim for interference with business advantage on the grounds that Google’s PageRank algorithm is protected opinion, the court found that manipulating the results of PageRank were not actionable because there was “no conceivable way to prove that the relative significance assigned to a given web site is false.”
Cases involving credit and securities ratings continue to be worth monitoring as relevant precedent for Internet ratings cases. In one of the cases growing out of the recent sub-prime crisis against Moody’s, Standard and Poor’s and other securities ratings agencies, a New York federal court rejected “the arguments that the Ratings Agencies’ ratings in this case are nonactionable opinions. ‘An opinion may still be actionable if the speaker does not genuinely and reasonably believe it or if it is without basis in fact.’”[68]Rejecting the argument that Jefferson County Sch. Dist. mandated a different result, the court noted that even under that case “‘[i]f such an opinion were shown to have materially false components, the issuer should not be shielded from liability by raising the word ‘opinion’ as a shibboleth.’”[69]
In the context of Internet ratings sites, it remains to be seen just where courts draw the line at such material false components, but ratings companies are obviously well advised to tailor their public statements and documents very precisely to their actual practices.
Ratings sites will have to be careful about not taking action that causes them to lose their immunity under Section 230. As an example of the kinds of cases to watch for, Yelp was recently sued in various class actions for allegedly manipulating the appearance of consumer reviews in instances in which the site reviewed had not purchased advertising from Yelp.[70] Yelp purports to help people find the “right” local business by listing consumer reviews; in order to correct for unduly malicious or biased reviews, all reviews are filtered through Yelp’s algorithm. Plaintiffs have claimed that Yelp circumvented the algorithm—suppressing positive reviews and emphasizing negative ones—in cases in which the reviewed site refused to buy advertising. Yelp has vigorously denied the allegations and is also waging a thoughtful collateral campaign through social media (including a YouTube video on how its filtering works).
These claims are demonstrative of the kinds of claims ratings sites are likely to face. If this kind of conduct was in fact endemic to the site, the plaintiffs would have a basis to argue against Section 230 immunity generally.
Defamation Law in England
The UK position
Generally speaking, the English courts are less vigorous in their defence of free speech than their American counterparts. There is no equivalent to the First Amendment in England. The outcome of a defamation case is decided by balancing the right to free speech against the right to reputation. Under the European Convention of Human Rights (which has been enacted into UK law) these rights are of equal value.
As a result of the greater protection given to reputation in comparison with other jurisdictions (such as the United States), the UK has become the forum of choice for many defamation claimants.
To prove defamation under English law, the claimant must show that a statement:
A number of claims have already been made under UK defamation law in respect of social networking sites. In Applause Store Productions and Firsht v Raphael (2008), the defendant, a former friend of Matthew Firsht, set up a Facebook profile in Firsht’s name and a Facebook group entitled ‘Has Matthew Firsht lied to you?’. This contained defamatory material suggesting that he and his company had lied to avoid paying debts. This was found to be libelous and damages of £22,000 were awarded. The judge took into account the likelihood of a high level of hits on the webpage – here it could be accessed by the Facebook London group which had around 850,000 members.
The rise of social media has resulted in a prevalence of ‘hate’ sites – blogs or Facebook groups specifically set up to promote the ‘hatred’ of a celebrity or a company. There is therefore plenty of scope for defamation claims, but statements on these sites will not always be defamatory. In Sheffield Wednesday Football Club Limited v Neil Hargreaves (2007) which concerned postings on a football club fan website about the club’s management, the judge considered whether the statements could “reasonably be understood to allege greed, selfishness, untrustworthiness and dishonest behaviour” and were therefore defamatory, or whether the posts were mere “saloon-bar moanings”.
One key difference between US defamation law is that the UK does not have the single publication rule – so on the internet, a new cause of action arises every time the website is accessed. This has been criticised as online publishers potentially face unlimited liability in respect of older material which remains on their sites. The government launched a consultation in September 2009 to consider changing this in relation to online publications.
Anonymous Speech
A Norwich Pharmacal order is an order which the UK courts may make requiring a third party to disclose information to a claimant or potential claimant in a legal action. Where a third party is involved in the wrongful acts of others (whether innocently or not), they have a duty to assist the party injured by those acts, and so a court will order them to reveal relevant information.
Norwich Pharmacal orders can be used to require social networking sites to disclose the identities of site users. For example, in the Sheffield Wednesday case referred to above, the High Court ordered the operator of the football club fan website to disclose the identifies of four users of the site who had posted the allegedly defamatory messages concerning the club’s management. A similar order was obtained against Facebook in the Applause Store case referred to above.
Service Provider Immunity
EC Directive 2000/31/EC (the E-commerce Directive) states that Internet service providers (“ISPs”) providing hosting services receive partial immunity from defamation (and other) actions (Article 14). An ISP will be immune if it does not have actual knowledge of illegal activity or information, or knowledge of the facts or circumstances from which it is apparent that the activity or information is illegal.
An ISP will lose immunity if, on obtaining knowledge of the illegal activity, it fails to act expeditiously to remove or to disable access to the information.
Section 1 of the English Defamation Act 1996 provides a similar defence where a secondary publisher takes reasonable care in relation to the publication of the statement, and did not know and had no reason to believe that what he did caused or contributed to the publication of a defamatory statement.
As a result of these provisions and cases which interpret them, ISP immunity in the UK is much narrower than in the United States. ISPs can lose their immunity if they know or ought to know about infringing statements and are therefore more likely to take action to remove possibly defamatory statements.
In Godfrey v Demon Internet Limited (1999, pre-dating the E-Commerce Directive) a defamatory statement was posted on a Usenet newsgroup and the ISP was named as a defendant. The claimant sent the ISP a fax informing it of the defamatory statement and requesting its removal. The defendant ignored this and allowed the statement to remain for a further 10 days. It was held that the ISP was a common law publisher of the material and as it knew of the offending statement but chose not to remove it, it placed itself in an ‘insuperable difficulty’ and could not benefit from the s1 defence in the Defamation Act.
However, an ISP who does not host the information or have an involvement in initiating, selecting or modifying the material, and effectively acts only as a conduit, will have a defence under the Defamation Act and the E-Commerce Regulations. This was demonstrated in the case of Bunt v Tilley (2006), where a number of ISPs were absolved from liability in respect of defamatory postings on newsgroups.
It is in an ISP’s interests to be quick to remove defamatory material if they wish to remain immune. For example, after the Godfrey case above, the ISP removed the comments and suspended newsgroup access to certain members until they signed a form of indemnity. Similarly, another ISP, Kingston Internet Limited, shut down an ‘anti-judge website’ after the Lord Chancellor’s department wrote to complain. However, by requiring ISPs to act in this way, it could be argued that the law goes beyond what is necessary, and that the scales are being pushed too far in favour of protection of reputation at the expense of free speech.
Protection of Sources
Like the U.S., the UK has laws which protect journalistic sources. However, unlike the U.S., protection is not afforded only to newspapers. The relevant provision (section 10 of the Contempt of Court Act 1981) states that ‘no court may require a person to disclose, nor is any person guilty of contempt of court for failing to disclose, the source of a publication for which he is responsible, unless it is established to the satisfaction of the court that disclosure
is necessary in the interests of justice or national security, or for the prevention of disorder or crime’. This wording clearly extends beyond journalists and could apply to social media. However, as the public policy reasoning behind the section may not be there in the case of many publications on social media, a court may be more ready to find that disclosure is necessary.
Bottom Line—What You Need to Do
Clients who are victims of speech torts must be prepared to act—but they must use the right tool when the problem arises. These tools range from a conscious choice to do nothing, responding with a press release; responding on the company’s own blog, fan page on Facebook and/or Twitter page; and/or engaging a reputation management company (for example, making use of search engine optimisation techniques to reduce visibility of negative comment). The negative publicity associated with disparaging comments can be greatly exacerbated by “sticky” sites that get high rankings on Google causing, for example, a negative blog posting to be highly listed when a potential customer types your organisation’s name into Google or another search engine. Your organisation is well advised to undertake a multi-prong strategy: consider the legal options, but consult with search engine and reputation management specialists to see if there might be a communications/ technical solution. Of course, litigation, including proceedings to unmask the anonymous speaker, should be considered. But a heavy-handed approach may simply make a bad situation worse—and at great expense. Litigation—or even a cease-and-desist letter that finds its way to an Internet posting—may give your organisation exactly the kind of publicity it does not want.
Frequently, malicious actors will time their communications to a key corporate event, such as the company’s earnings reports, in order to enhance the damage from the comment. Gone are the days when response to an incident can be vetted by a formal legal memorandum to corporate counsel. The damage can be “done” in literally a matter of hours. A quick response can make all the difference.[71] Accordingly, it is important for companies to understand the exposures to brand and reputation in social media, to have policies in place for managing internal and external communications in these new media, and to have contingent plans for dealing with reputation and brand disparagement, whether as the responsible party or as the victim, before the event happens—so that the response can be quick and damage the minimal.
Clients who find themselves on the end of a complaint should also be prepared to act quickly in order to mitigate any damage done. Also, if the websites in question are accessible in the UK, ISPs and other content hosts could lose any immunity they may have if they are notified about infringing material and take no action.
[1] See, Cass R. Sunstein, “On Rumors: How Falsehoods Spread, Why We Believe Them, What Can Be Done,” (Farrar, Straus, and Giroux 2009).
[2] The Impact of the Class Action Fairness Act of 2005 on the Federal Courts.
[3] 15 U.S.C. § 45.
[4] 15 U.S.C. § 1125(a).
[5] 15 U.S.C. § 45.
[6] Available at http://www.ftc.gov/bcp/policystmt/ad-decept.htm
[7] Kraft, Inc. v. Federal Trade Commission, 970 F.2d 311, 314 (7th Cir. 1992);FTC v. Brown & Williamson Tobacco Corp., 776 F.2d 35, 40 (D.C. Cir. 1985).
[8] Int’l Harvester Co., 104 FTC 949 1058 (1984).
[9] Sandoz Pharmaceuticals v. Richardson-Vicks, 902 F.2d 222, 228 (3d Cir. 1990).
[10] 15 U.S.C. § 45 (m)(1)(A) (civil penalty of $10,000 per violation where violator has actual knowledge, or knowledge fairly implied). 15 U.S.C. § 53(b).
[11] U.S. Healthcare v. Blue Cross of Greater Philadelphia, 898 F.2d 914, 921 (3d Cir. 1990); Johnson & Johnson v. Carter-Wallace, Inc., 631 F.2d 186, 190-91 (2d Cir. 1980).
[12] Sandoz Pharmaceuticals v. Richardson-Vicks, 902 F.2d 222, 228 (3d Cir. 1990) (“The key distinctions between the FTC and a Lanham Act plaintiff turns on the burdens of proof and the deference accorded these respective litigants. The FTC, as a plaintiff, can rely on its own determination of deceptiveness. In contrast, a Lanham Act plaintiff must prove deceptiveness in court.”).
[13] U.S. Healthcare, 898 F.2d at 921 (3d Cir. 1990) (quoting 2 J. McCarthy, Trademarks and Unfair Competition § 27:713 (2d Ed. 1984)).
[14] See, Guides Concerning the Use of Endorsements and Testimonials in Advertising, available at http://www.ftc.gov/opa/2009/10/endortest.shtm (“FTC Guides”) (issued Oct. 5, 2009 and effective Dec. 1, 2009).
[15] See, e.g., Ramson v. Layne, 668 F.Supp. 1162 (N.D. Ill. 1987).
[16] FTC Guides, at 5, n.11.
[17] FTC Guides, § 255.0.
[18] FTC Guides, at 8.
[19] 15 U.S.C. § 45.
[20] FTC Guides, § 255.1(d).
[21] FTC Guides, at 38-39.
[22] FTC Guides, § 255.1(d).
[23] FTC Guides, § 255.1(d).
[24] FTC Guides, at 42.
[25] Id.
[26] FTC Guides, at 15.
[27] Id.
[28] FTC Guides, at 39.
[29] FTC Guides, at 40, 42.
[30] See, 1 McCarthy, Rights of Publicity, § 5:22 (“under the proper circumstances, any person, celebrity or non-celebrity, has standing to sue under § 43(a) for false or misleading endorsements.”), quoted in Doe v. Friendfinder Network, Inc., 540 F.Supp.2d 288, 301 (D.N.H. 2008).
[31] 540 F.Supp.2d 288 (D.N.H. 2008).
[32] Id. at 305-306; see also, Ting JI v. Bose Corporation, 2009 WL 2562663, at *3, No. 06-10946-NMG (D. Mass, Aug. 12, 2009).
[33] The CAP Code can be found on CAP’s website at http://www.cap.org.uk.
[34] Restatement, Second, Torts § 558.
[35] Dendrite v. Doe, 775 A.2d 756, 760 (N.J. App. 2001); but see, Solers, Inc. v. Doe, 977 A.2d 941, 954 (D.C. 2004) (requiring a prima facie showing but rejecting a balancing test at the end of the analysis); see also, Cohen v. Google, Inc., No. 100012/09 (Unpublished) (New York Supreme Court orders Google’s Blooger.com to disclose identity of anonymous blogger, where plaintiff established the merits of her cause of action for defamation and the information sought was material and necessary to identify potential defendants).
[36] E.g., Stratton Oakmont v. Prodigy, 1995 WL 323710, at *3 (N.Y. Sup. Ct., May 24, 1995) (Unreported).
[37] E.g., Cubby v. Compuserve, 776 F.Supp. 135 (S.D.N.Y. 1991).
[38] 47 U.S.C. § 230 (“CDA”).
[39] 47 U.S.C. § 230(c)(1).
[40] 47 U.S.C. § 230(f)(3).
[41] 474 F.Supp. 2d 843 (W.D. Tex. 2007).
[42] In Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009), for example, the Ninth Circuit dismissed a claim for negligence where the claim was more clearly tied to a failure to take down offensive speech.
[43] 474 F.Supp.2d at 849.
[44] See Batzel v. Smith, 333 F.3d 1018 (9th Cir. 2003) (provider’s “minor alterations” to defamatory material not actionable); 318 F.3d 465, 470-71 (3d Cir. 2003); Ben Ezra, Weinstein & Co. v. Am. Online, Inc., 206 F.3d 980, 985-86 (10th Cir. 2000) (rejecting argument that service provider’s deletion of some, but not all, inaccurate data about plaintiff from another source “transforms Defendant into an ‘information content provider’ “); Blumenthal v. Drudge, 992 F.Supp. 44, 52 (D.D.C.1998) (exercise of “editorial control” over defamatory third-party content fell within § 230 immunity); Doe v. Friendfinder Network, Inc., 540 F.Supp.2d 288, 297 and n. 10 (D.N.H. 2008) (slight editorial modifications to defamatory profile does not defeat immunity).
[45] See, Anthony v. Yahoo! Inc., 421 F.Supp.2d 1257, 1262-1263 (N.D. Cal. 2006) (service’s alleged creation of false profiles inducing plaintiff to maintain his membership not barred by Section 230); Hy Cite Corp. v. badbusinessbureau.com, L.L.C., 418 F.Supp.2d 1142, 1149 (D. Ariz. 2005) (service provider’s creation of its own comments and other defamatory content associated with third-party postings defeats Section 230 defense).
[46] Batzel v. Smith, 333 F.3d 1018 (9th Cir. 2003); Zeran v. Am. Online, Inc., 129 F.3d 327, 330 (4th Cir. 1997) (right to exercise traditional editorial functions, including “whether to publish, withdraw, postpone or alter”).
[47] 540 F.Supp.2d at 295-96 (emphasis in original).
[48] See Barrett v. Rosenthal, 50 Cal.4th 33, 146 P.3d 510 (2006) (noting § 230(c)(1) protects any “provider or user” (emphasis added)), California Supreme Court holds individual user of social media immune from reposting message she received electronically from another “content provider”).
[49] 2009 WL 3240365, No. 102578/09 (N.Y. Sup. Sept. 15, 2009).
[50] 2009 WL 3240325, at *1.
[51] 2009 WL 3240365, at *1 (citing Blumenthal v. Drudge, 992 F.Supp. 44, 52 (D.D.C. 1998)).
[52] 478 F.3d 413 (1st Cir. 2007).
[53] Id. at 421.
[54] 521 F.3d 1157 (9th Cir. 2008) (en banc).
[55] See Nemet v. Chevrolet Ltd. v. Consumeraffairs.com, 591 F.3d 250, 256-257 (4th Cir. 2009) (distinguishing Roommates.com, the Fourth Circuit holds, among other things, that defendant is not encouraging illegal conduct).
[56] See also, Chicago Lawyers’ Committee for Civil Rights Under Law, Inc. v. Craigslist, Inc, 519 F.3d 666, 669-70 (7th Cir. 2008) (rejecting that Section 230 confers an absolute immunity).
[57] 47 U.S.C. § 230(e)(2).
[58] See, Doe v. Friendfinder Network, 540 F.Supp.2d at 303 n. 13 (notion that trademark claims are not intellectual property claims, while not before the court, strikes it as “dubious”).
[59] 488 F.3d 1102 (9th Cir.), cert. denied, 128 S.Ct. 709 (2007).
[60] Id. at 1118-19.
[61] 540 F.Supp.2d 299-304. Accord, Atlantic Recording Corporation v. Project Playlist, 603 F.Supp.2d 690 (S.D.N.Y. 2009).
[62] O’Grady v. Superior Court (Apple Computer, Inc.), 39 Cal.App.4th 1423 (Sixth Dist. 2006).
[63] 2010 WL 1609274, A-0964-09 (N.J. Super. A.D., April 22, 2010).
[64] 2010 WL 1609274, at *11.
[65] Id.
[66] 175 F.3d 848 (10th Cir. 1999) (affirming dismissal of claims directed to credit ratings based on First Amendment).
[67] 2003 WL 21464568, No. CIV-02-1457-M (W.D. Ok., May 27, 2003).
[68] Abu Dhabi Commercial Bank v. Morgan Stanley & Co., et al, slip op. 08 Civ. 7508 (SAS) at 34 (S.D.N.Y. Sept. 2, 2009), quoting In re IBM Corp. Sec. Litigation, 163 F.3d 102, 109 (2d Cir. 1998).
[69] Id. at 34-35 n.126 (quoting 175 F.3d at 856).
[70] Cats and Dogs Hospital v. Yelp, Inc. CV10-1340VBF (C.D. Cal. 2010); Levitt v. Yelp, Inc., CGC-10-497777 (Superior Court, San Francisco, 2010).
[71] Clifford, “Video Prank at Domino’s Taints Brand,” http://www.nytimes.com/2009/04/16/business/media/16dominos.html (April 15, 2009).
Chapter Authors
United States
Mark S. Melodia, Partner –mmelodia@reedsmith.com
Paul Bond, Associate – pbond@reedsmith.com
Amy S. Mushahwar, Associate – amushahwar@reedsmith.com
United Kingdom
Cynthia O’Donoghue, Partner – codonoghue@reedsmith.com
Gregor J. Pryor, Partner – gpryor@reedsmith.com
Introduction
This chapter explores the implications in social media arising from the laws and regulations surrounding data privacy, security and information security management.
According to statistics published on Facebook,[1] there are more than 400 million active users of Facebook worldwide. Most major brands have Facebook group and/or fan pages—with commentators even doing case studies of those that have been most effective.[2] Yet, there remains reluctance by some companies and brands to use social media. Social networking sites such as Twitter, MySpace, Facebook and LinkedIn may enhance collaboration and help companies connect with customers, but they can also make it easier than ever for employees and customers to share confidential customer data, company secrets and negative product information. A major airline’s Valentine’s Day debacle exemplifies how the usefulness of social media is tempered by fear of what might be disclosed.[3] The passengers were stranded on the tarmac, some up to 11 hours, while a rapidly moving storm tore through the East Coast. Passengers were immediately using their mobile phones, and stories accompanying pictures of overflowing toilets instantaneously appeared in social media. Similarly, when a group of unfortunate passengers were stuck in the Channel Tunnel for several hours during adverse winter weather, Facebook updates told the story of their difficulties. Just as these incidents spread virally via social media, so too might the liability associated with a breach of protected personal information. In the United States, millions of dollars in claims could be made against the hosting site and cause extremely bad publicity. The prospects for further government regulation of social media in the United States. are accelerating. Prompted by the expansive new information sharing practices of social media companies, both the Federal Trade Commission (“FTC”) and the United States Department of Commerce are looking into the development of formal standards to protect the privacy of Internet users.[4] The adequacy of the traditional framework of providing notice to consumers about privacy practices and relying on the consumer’s informed choice is coming under increasing skepticism.
Social Media in Action in Data Privacy & Security
Personal data collected by social media companies is at risk from all sides. Thieves want to profile, steal and resell personally identifiable information and data. Employees are tempted to misuse customer data, for monetary gain or to satisfy idle curiosity, perhaps with no malicious purpose at all.[5] Even standard business processes pose risks to personal data. Not forgetting that social media companies themselves want to gain commercial leverage from the data collected.
Social media enterprises collect, store, use, share, and dispose of personal data every day, including eCommerce-related non-public financial information (for example, credit, banking and payment information). Each of these inflection points is an opportunity for something to go wrong, for a law to be broken or a data subject put at risk. This chapter explains some things social media companies and companies that use social media should know.
Company Obligations Set Forth in the User Agreement
User agreements are private agreements between the publisher and its users, and they define the rights and obligations of each party. Typically, user agreements have at least two components: (1) a privacy policy and (2) a terms of use. While there is no legal distinction between putting them into one document rather than splitting them, social media and web-based services recognise the increased importance privacy and data protection play—not only in law and regulation, but also to consumers. In Europe, regulatory guidance suggests separating terms of use and terms relating to data protection and privacy. Creating a separate document, page or display makes these terms conspicuous, and in a visual and distinctive manner create a better “notice and disclosure” or transparency and consent argument, should a consumer or a regulator challenge the efficacy of notice to consumers.
Privacy policies are statements made by companies about their practices regarding personal information. Companies on the Internet, social media or otherwise, post privacy policies to disclose information practices in accordance with federal and state statutes.[6] Terms of use, on the other hand, describe the terms and conditions governing the relationship between the user and the publisher or operator of the service. Because privacy policies are effectively part of the terms and conditions—the rights and obligations—between the parties, we may simply refer to them as the “agreement” in these materials.
Because these agreements run between and among publishers and users (and sometimes a company that is using a service or website), a company’s obligation with respect to personal data will change depending upon whether it is the social media service (e.g., Facebook, MySpace or Twitter), a company-sponsored fan site (e.g., a Starbucks sponsored fan site on MySpace) or an unrelated third-party fan site.
Social Media Companies
Social media companies, as authors of these agreements, have the primary responsibility to ensure all personally identifiable information that is collected, used, stored and shared, is used in accordance with the user agreement (and, of course, law and regulation). But, this does not mean that social media companies must be overly conservative in their user agreements. Most social media companies do not charge any recurring user fees for use of their site or service. So, access to and data from users in the community is a social media company’s primary commodity to monetise the site.
This ability to commercially exploit data is tempered by data protection and privacy laws. The need for ‘information monetisation’ can create in an adversarial relationship between the site user and the social media company. As a result, many consumer advocacy organisations are analysing and notifying consumers of updates to social media website user agreements.[7] These consumer watchdog organisations can generate considerable controversy; take for example, Facebook’s Terms of Service update in February 2009. At that time, The Consumerist flagged a series of changes to the Facebook Terms of Service, including deletion of the following text:[8]
You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.
From this deletion, The Consumerist author, Chris Walters, opined that: “Now, anything you upload to Facebook can be used by Facebook in any way they deem fit, forever, no matter what you do later,” Walters wrote. “Want to close your account? Good for you, but Facebook still has the right to do whatever it wants with your own content.” Ultimately, The Consumerist blog created a firestorm, which caused Facebook to repeal its Terms of Service changes three days after the blog was posted.
The Terms of Service change is not the only example of the tension created over the use of consumer information and consumer disclosures. In the early days of 2007, Facebook launched its Beacon advertisement system that sent data from external websites to Facebook, ostensibly for the purpose of allowing targeted advertisements. Certain activities on partner sites were published to a user’s News Feed. Soon after Beacon’s launch, civic action group, MoveOn.org, created a Facebook group and online petition demanding that Facebook not publish their activity from other websites without explicit permission from the user.[9] In less than ten days, this group gained 50,000 members. Beacon amended its Terms of Service as a result.[10] A class action lawsuit was filed against Facebook as a result of Beacon. The lawsuit was ultimately settled in September 2009[11], and the Beacon advertisement service was shut down.
Facebook has, nonetheless, continued to press on the outside of the envelope with respect to consumer privacy. At the F8 Conference this April, Facebook announced a series of changes to its privacy policies sure to draw considerable attention.[12] The changes include:
Allowing external websites to add a “Like” button. If the user of that external website clicks the “Like” button, that user’s Facebook page will be modified to reflect information about the user’s use of that external site. The user’s Facebook friends will be able to view such information.
Partnering with sites like Pandora and Yelp! to provide for “instant personalization.” This means that when a Facebook user visits those sites, unless she has taken specific elections on her Facebook privacy settings, those sites will download “can pull in information from your Facebook account, which includes your name, profile picture, gender and connections (and any other information that you've made visible to the public). If you visit Pandora, for example, the site could also pull in your favorite music artists, create playlists accordingly, and then notify your Facebook friends.”[13]
In the immediate aftermath of the Facebook changes, members of the United States Congress have already expressed intent to pass laws putting the onus on companies like Facebook to get specific consent from consumers before rolling out new information sharing platforms.[14]
Compared to the United States, Europe has traditionally taken a more stringent approach to data protection. Article 8 of the Charter of Fundamental Rights of the European Union explicitly provides a fundamental right to protection of personal data within the EU. There is also a greater focus on raising awareness. For example, Europe even organised a “European data protection day”, held annually on 28 January.[15] As a result, social networking sites tend to be the subject of far greater public scrutiny than in the United States. Privacy groups and thorough press coverage ensure that any changes to the privacy policies of service providers and any risks or abuses related to these services are comprehensively discussed and brought to the attention of social media users. The Guardian story covering the changes to Facebook’s Privacy Policy in 2009 titled “Facebook privacy change angers campaigners”[16] and a headline from The Sun titled “Teen Weapons Shock On Bebo”,[17] are just two examples of the press coverage social networking sites receive.
Company or Third-Party Sponsored Fan Site or Portal
Many companies, however, do not own or operate a social media website, and thus, do not author the social media user agreement. Instead, these companies are monitoring content regarding their products and services on fan sites/portals run by another company. For example, Starbucks does not operate its own social media website, but operates portals on MySpace, Facebook, Twitter and YouTube. The key for removing information that may be detrimental to Starbucks or any brand is to know where the content lies (on a company or third-party sponsored portal), and the user agreement of the social media website the offending information lies upon.
For portals or fan sites that are sponsored by the marketing company, it is simple for the company to remove offending information. Facebook, MySpace and YouTube offer page administration options for content removal on company-sponsored portals. For these services, the company can directly control content posted to the portal by designating in its administrative options to pre- or post-screen user-generated content. Twitter, however, works differently. On the company-sponsored Twitter profile, the company can control what “Tweets”[18] it sends to its followers, but the company cannot directly control what is “retweeted”[19] by others from the company-sponsored tweets.[20]
For portals or fan sites that are not sponsored, it is more difficult to administer content and remove known privacy violations. Removal of third-party content involving your company or brand is governed by the respective social media site’s user agreement. These will be different depending on the site or service. Take, for example, if one of your employees records a confidential session (a health care visit, tax preparation, loan application meeting, etc.) between the employee and one of your customers. Could the company seek removal of the confidential video? The question of whether a corporation could remove this content on behalf of its customer is different depending upon what social media service is used.
Notwithstanding the removal of some content by social network providers from the service, it may still surprise some users how their data is stored and used by social networking sites, even in some cases after it has been removed or the user is no longer a member of the site. In addition, social media sites employ technological measures that recognise a user’s computer. For example, according to Twitter’s terms of use, Twitter can collect and use a user’s “automatic” information, such as a user’s IP address or cookies. Whether these provisions will be sufficient to satisfy the upcoming changes in law which will require Twitter to obtain European users’ consent before using their cookies remains to be seen.[26]
Notwithstanding the contractual user agreement rights and obligations on social media, a number of national and international laws also govern this area.
Company Obligations Set Forth in National and International Law
U.S. position
Today, businesses operate globally with technology that knows no national boundaries. Nothing comes more naturally than sharing and sending information halfway around the world. Social media epitomises that modern, global ethos.
Every jurisdiction in the world can claim the right to protect its citizens–and information about them. The United States has a very different concept of “personal information” and adequate protection of it than the European Union; the European laws are not necessarily across all of its Member States. And so it goes, in every part of the world. A social media company can be completely compliant with United States law and still run afoul of legal mores elsewhere. By way of example, Facebook experienced a culture clash with Canada’s privacy commissioner with respect to the disposal of personal information. Facebook had been retaining data on subscribers who quit, so that they could more easily rejoin should they choose to do so later. Canada’s privacy commissioner determined that Facebook’s retention of data was a violation of Canada’s Personal Information Protection and Electronic Documents Act, and negotiated a settlement that provides that, “Collected personal information can be kept only for a specified time and must be deleted or destroyed when no longer needed.”[27]
Europe position
Social media services accessible in Europe will also have to comply with the relevant legislation, the implementation of which may differ between Member States. They may also be subject to any additional national measures.
The EU’s Article 29 Data Protection Working Party has set forth an opinion on online social networking.[28] This Opinion, adopted June 12, 2009, opines that “social networking services” or “SNS” are generally data controllers, and SNS subscribers are generally data subjects. In the view of these authors, even those SNS located outside the EU are bound to respect EU strictures on data processing and onward transfer as to residents of EU member countries. Where a subscriber’s information is only available to a self-selected circle of friends, the Opinion posits that the exception allowing sharing of personal information within households applies. However, when access to the subscriber’s information is shared more broadly, with or without that subscriber’s consent, “the same legal regime will then apply as when any person uses other technology platforms to publish personal data on the web.”[29] The Working Paper goes on to state a number of other positions regarding marketing by SNS, complaint procedures, and (advocating) the availability of pseudonyms.
United Kingdom position
The UK has its own domestic data protection law in place which implements the EU Data Protection Directive.[30] The Data Protection Act 1998 (‘Act’) requires organisations processing personal data to comply with eight distinct data protection principles. The UK also has in place domestic legislation implementing the EU e-Privacy Directive.[31]
The UK Government is currently at odds with the European Commission for failing to properly implement the Data Protection Directive and e-Privacy Directive at national level. The European Commission commenced infringement proceedings against the UK for its failure to guarantee the confidentiality of electronic communications (such as emails and internet browsing) which protection is otherwise enshrined in European legislation. This action was triggered by secret trials conducted in 2006-2007 by the UK telecommunications provider, British Telecom, of a behavioural advertising technology being developed by the company Phorm. This technology enabled the monitoring of an individual’s Internet use without the user’s consent or knowledge, the results of which enabled companies to more effectively target advertising to users. In a failed attempt to bypass data protection laws, Phorm matched a user’s IP address with a unique identifier which was then provided to advertisers, together with profiling information about browsing history. If the UK fails to change its domestic legislation to ensure the privacy of online communications, this action may result in a hearing before the European Court of Justice.[32]
Privacy Policies/Notices: Guidance and General Principles
On both sides of the Atlantic surveys have been carried out to assess whether privacy policies sufficiently and clearly inform users of how their personal data will be used and for what purposes. Although in the UK privacy policies are not a legal requirement under the Act, a privacy policy is a simple way to satisfy the fair processing requirement, which is one of the data protection principles under the Act. Regulatory guidance supports the use of clear and simple privacy policies which adapt a “layered” approach, with the most important information highlighted in a clear manner.
Nonetheless, the surveys have highlighted a need for existing privacy notices to be clearer and more user-friendly. As a means to an end, organisations should make sure that their privacy policies focus primarily on informing the consumer and not on protecting the entity.[33]
Privacy policies should be reviewed regularly to make sure that they continue to comply with any changes in the data processing activities of an organisation and the relevant data protection and privacy laws applicable.
There are obvious benefits to ensuring privacy policies are transparent. Not only will consumers be less likely to complain, it may also provide a competitive advantage from consumers having more confidence in the organisation and how their personal data is being processed. This may lead to consumers entrusting the organisation with further personal data it would not otherwise have received. This seems to be one of the most important trends in social media today – do users trust the site operator?
The Next Direction in Privacy Law [34]
The main challenge for social media companies is that the regulatory privacy obligations seem to be developing on-the-fly in this area. There was no US law clearly forbidding Facebook from partnering with several dozen other sites to share information regarding subscriber usage of affiliate sites. There was no law clearly forbidding Facebook from making such activity logs visible to the subscribers’ friends. Facebook even provided a pop-up, opt-out mechanism to help respect subscriber privacy choices. Yet following a class action lawsuit, discussed above, Facebook shut down its Beacon program and donated $9.5 million to a non-profit foundation to promote online safety and security.[35] Clearly, as important as existing laws are the developing sensibilities of both consumers and privacy officials. The predominant theme appears to be a profound antipathy toward the aggregation and use of information of consumer behavior, however well disclosed. Social media companies need to proceed very carefully in capitalising on the wealth of information that they are assembling, developing subscriber and policymaker support for programs in the works, and adequately disclosing program information to consumers, at a minimum, in the user agreement. Moreover, companies need to realise that even where the law has been slow to catch up, consumer reaction and the threat of regulatory or legal action has often shaped privacy practices in social media. Keeping on top of those trends is critical.
Take, for example, the 2009 global industry initiative to address concerns over behavioral advertising. In 2009, the American Association of Advertising Agencies, Association of National Advertisers, Interactive Advertising Bureau, Direct Marketing Association and the Better Business Bureau, completed a joint business initiative and released the “Self-Regulatory Principles for Online Behavioral Advertising”.[36] The trade groups worked closely with the Council of Better Business Bureaus in crafting the principles. The initiative was in response to urging by the FTC that unless the industry adopted polices, government regulators would step in.
The industry effort covers the categories the FTC identified as the key areas of concern: education, transparency, consumer control, data security, material changes, sensitive data and accountability. The Council of Better Business Bureaus, along with the Direct Marketing Association, are now developing additional policies to implement accountability programs to give some teeth to the self-regulatory rules and to foster widespread adoption of the principles.
This initiative appears to have now crossed over to Europe and there is discussion of a special “behavioural” advertising logo that will be displayed in all behavioural advertising. Looking forward, privacy and data protection law will continually be outpaced by technological developments. To take a recent example, the Google Buzz social networking service that was launched in February 2010 has been at the centre of a torrent of criticism by users and privacy groups who claim that the new service has violated rights to privacy. Google Buzz was an attempt by the search giant to convert its Gmail service into a social network. A particularly controversial feature was that Gmail users were automatically signed up to Buzz and a ‘ready-made’ social network of ‘friends’ for them to follow was created using information from Gmail accounts of the contacts with whom they most frequently email and chat.
Following the ferocity of public reaction, Google has been forced to adapt many of the features of Buzz, including removing the automatic links between Buzz and content posted by users on other Google services (e.g., Picasa photo albums), making the option to opt-out of Buzz altogether more prominent in the email facility and adopting an ‘auto suggest’ rather than an ‘auto-follow model’. In April 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of the data protection authorities in France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom sent a strongly-worded letter to the chief executive officer of Google Inc. to express their concerns about privacy issues related to Google Buzz.[37]. The authorities noted that:
“While your company addressed the most privacy-intrusive aspects of Google Buzz in the wake of this public protest and most recently (April 5, 2010) you asked all users to reconfirm their privacy settings, we remain extremely concerned about how a product with such significant privacy issues was launched in the first place.” And, in a statement seemingly directed at every company looking to launch innovative products in this space, the regulators warned, “It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.”
Whilst legal action by users who feel their rights have been infringed is inevitable (for example, a woman in Florida has already instructed lawyers regarding the misuse of her personal data), the problem for Google may spread far wider. In trying to make the “getting started experience as quick and easy as possible”[38] to compete with other social networking services, they have potentially alienated users and may now have a harder task convincing the millions of users on Facebook and Twitter to migrate to Buzz instead.
Another social media phenomenon is the exploitation of geo-location technology. Four Square is a location-based game which can be downloaded onto a user’s phone and which turns city maps into a game board. Users can “check-in” via their phones and this information is fed to Twitter, where the user’s location is made public. By “checking in,” the application is able to recommend places to go, things to do nearby and tips from other users for that location. Whilst this application clearly has its benefits, users appear undeterred by the implications of revealing their whereabouts, or, indeed, where they are not; this could pave the way for a new wave of privacy concerns.
Company Engagement in (or Avoidance of) Third-party Legal Disputes
Increasingly, information gathered by social media sites is at the center of legal controversies to which social media companies themselves are strangers.
Both the social media enterprise and individual companies on social media can protect themselves. As stated above, each social media enterprise already has (or should have) a detailed suite of policies, reflected in the user agreement, to determine how the company fits in to the substance and process of third-party legal actions. Likewise, all companies should put policies in place governing employees’ actions on social media to avoid company vicarious liability.
Ultimately, subscribers should also take steps to protect themselves because regulators can do only so much to protect subscribers’ personal data and privacy.
Children
The popularity of social networking with young people makes the issue of data protection and privacy more acute. A central concern is that young people lack the awareness of the associated risks of these services and the potential for abuse when revealing personal data. Online risks for young users include illegal and age-inappropriate content, improper contact and conduct, including victimisation or grooming and potentially risky behaviors. Whilst the United States has laws and regulations to protect the privacy of children online, the FTC has announced plans to accelerate review of its regulations with an eye towards imposing more stringent standards.[48]
The impact of digital media on privacy issues for young people has been a key focus in both the UK and throughout Europe. In the UK, for example, the Information Commissioner has published numerous good practice notes for website operators whose sites are directed at children. The Home Office Task Force on Child Protection on the Internet has also published in 2008 good practice guidance for providers of social networking and other interactive services[49].
Whilst a focus of legislators has been to raise awareness amongst users of the risks associated with social networking (for example, through the annual EU “Safer Internet Day”), more recently there has been a focus on the contribution that service providers can make to security in the online environment. Following almost a year of discussions, in February 2009 the European Commission and major social networking companies, including Facebook, Bebo, and MySpace, agreed the “Safer Social Networking Principles for the EU”[50]. These principles were aimed at giving young people extra protection from violations of their privacy and the potential abuse of their personal information. Key principles include: ensuring services are age-appropriate for the intended audience[51]; empowering users through tools and technology to manage the service[52]; providing easy-to-use mechanisms for users to report conduct or content that violates the Terms of Service of the provider; encouraging users to employ a safe approach to personal information and privacy; and assessing the means for reviewing illegal or prohibited content.
However, a year on, the review of the implementation of the principles published by the European Commission on 9 February 2010 suggests that whilst the principles have been a step forward in tackling online risks for young people, more still needs to be done. According to the Commission less than half of social networking companies make profiles of users aged under 18 visible only to friends by default, and only one-third replied to user reports requesting assistance.[53] Whilst currently the Commission is in favor of a multi-stakeholder collaboration with providers and adopting a ‘best practice approach’ to manage potential risks, if providers do not toe the line, the consequence may be regulatory intervention.
Protections To Deter Criminal Activity
Data security class action litigation usually focuses not on the (often judgment-proof) criminal wrongdoers themselves, but on the companies those wrongdoers happened to work for, with, or through. Moreover, governments around the world have drafted businesses into the war against identity theft. Hefty fines can result from a lack of due diligence.
The penalties for breaches of the Data Protection Act 1998 in the UK are currently under review.[54] The UK Government has proposed to put in place tougher sanctions to act as deterrents, for example, up to two years imprisonment and maximum fines of £500,000, the latter of which is expected to take effect in April 2010.[55] The UK, as well as other European countries, is taking data protection law seriously, and service providers should bear this in mind.
In social media enterprises, an even greater risk than identity theft or financial fraud exists. Users of social media have been exposed to emotional abuse[56] and have been sexually assaulted,[57] among other crimes. Attempts have been made to hold the social media enterprises themselves liable for not doing more to stop these abuses. Whilst legal actions have generally not resulted in recovery against social media enterprises, the attendant bad publicity and subscriber concern carry a cost of their own.
Where there is a pre-existing protective order in place, even the simple act of making a friend request via a social media service can rise to the level of criminal contempt.[58] And, especially where the social media environment involves the creation or accumulation of some artificial currency, subscribers can also abuse the system to achieve property crimes or tax evasion.[59]
Precautions to detect likely criminal activity, to the extent practicable, and having social media employment agreements to establish company expectations, are essential for any business’s self-preservation. Typically, companies can take actions such as routine audits and establishing human resources notification policies for crimes involving employees in the workplace. Social media employment agreements are now essential for individuals doing work for your business. We recommend evaluating all of the types of individuals employed by your company and developing a social media agreement that will fit for: employees, contractors, hired talent (representing the company in an endorsement/marketing context), and outsourcing contracts, where applicable. (See Chapter 6 – Employment.)
Addressing Traditional Data Security Concerns
Every social media enterprise needs a comprehensive written information security program. The very open architecture that allows social media enterprises to thrive also allows information security threats to multiply. For example, the Twitter worm, “StalkDailey,” “can gain access to unsuspecting Twitter users by masquerading as the family, friends, and co-workers of the user.”[60] In fact, 19 percent of all hacking attacks were directed at social media enterprises in the first half of 2009, “ranging from simple defacement of sites, placing malware on them or using them to spread smear campaigns.”[61] Social media enterprises need to enlist not just their employees, but also their subscribers, in rapid response to developing privacy threats based on well-understood policies and procedures. Failing to do so may result in dilution of a brand’s value as regulators and consumers react to lapses in security.
A written policy is necessary, but not sufficient to ensure compliance. A written policy without implementation and adherence is a dead letter. Plain language review, easy-to-follow training materials, employee testing, vendor auditing, security breach drills, and the like are indispensible to making sure policy is part of day-to-day procedure.
At the same time, outreach to subscribers to let them know what to expect (and not expect) from the company will help subscribers defend themselves from spoofers, phishers, and similar would-be attackers.
Also, like every company, social media companies should have plans for: the protection and secure disposal of personal data (including in hard copy); the implementation of major litigation holds; and response to the loss or theft of personal data (including, where required or appropriate, through notice to data subjects).
Is the Company Properly Insured against Data Privacy Incidents?
The last risk you need to plan for is the risk that all other mitigation will, ultimately, not be sufficient. As noted above, no system is perfect. Data privacy and security lawsuits can cost millions or tens of millions of dollars to resolve. The right level of coverage, either under general policies or specific endorsements, is something that every company needs to determine on an ongoing basis.
Bottom Line—What You Need to Do
Understand the sensitive nature of information that flows through social media. Recognise the serious compliance and litigation risks that the collection and distribution of such information entails. Consider contractual tools to mitigate these risks, including properly drafted privacy policies and terms of use. Know your obligations under all applicable data privacy and security laws, and have a nuts-and-bolts plan to meet those obligations. Stay ahead of developments in data and privacy security law, so that, to the extent possible, the compliance program put in motion today will be deemed adequate even under the standards of tomorrow. Lastly, know your coverage position with respect to data privacy and security incidents, and properly adjust that coverage in light of known and suspected risks.
[1] “Press Room,” available at: http://www.facebook.com/press/info.php?statistics.
[2] Callan Green, “Killer Facebook Fan Pages: 5 Inspiring Case Studies,” Mashable.com (June 16, 2009) available at: http://mashable.com/2009/06/16/killer-facebook-fan-pages/.
[3] Lisa Wehr,”Jet Blue & Taco Bell: Lessons in Crisis Marketing,” iMediaConnection.com (April 19, 2007), available at: http://www.imediaconnection.com/content/14452.imc.
[4] “The Commerce Department is playing catchup,” Washington Internet Daily (Apr. 22, 2010).
[5] John Lister, “Most Departing Employees Steal Company Data,” Tech.Blorge (Feb. 23, 2009) available at: http://tech.blorge.com/Structure:%20/2009/02/23/most-departing-employees-steal-company-data/ (stating almost six in 10 people who left a job in the United States in 2008 took confidential data with them, according to a survey by data protection firm Ponemon), and “Many Users Say They’d Sell Company Data for the Right Price,” by Tim Wilson, DarkReading (Apr. 24, 2009) available at: http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=217100330 (stating 37 percent of workers would sell data for $1.5 million, according to a survey of commuters in London’s railway stations by InfoSecurity Europe).
[6] For example, the Gramm-Leach-Bliley Act requires certain types of companies (financial institutions, insurance companies and brokerage companies) to maintain privacy policies.
[7] Some common privacy-oriented consumer monitoring groups are: the Electronic Privacy Information Center, Privacy Rights Clearinghouse, World Privacy Forum and the Electronic Frontier Foundation, amongst others.
[8] See, Facebook’s New Terms of Service: “We Can Do Anything We Want With Your Content. Forever.” by Chris Walters, the Consumerist (Feb. 15, 2009) available at: http://consumerist.com/5150175/facebooks-new-terms-of-service-we-can-do-anything-we-want-with-your-content-forever.
[9] See, Caroline McCarthy, “MoveOn.org takes on Facebook’s ‘Beacon’ Ads,” CNET (Nov. 20, 2009), available at: http://news.cnet.com/8301-13577_3-9821170-36.html.
[10] See, Louise Story and Brad Stone, “Facebook Retreats on Online Tracking,” New York Times (Nov. 30, 2007), available at: http://www.nytimes.com/2007/11/30/technology/30face.html
[11] Sam Diaz,”Beacon Settlement Gets Preliminary Ok,” CNET (Oct. 24, 2009), available at http://news.cnet.com/8301-1023_3-10382634-93.html.
[12] http://www.cio.com/article/591831/Facebook_Privacy_Changes_5_Can_t_Miss_Facts?page=1&taxonomyId=3169
[13] Id.
[14] “Expansion triggers political backlash,” Chicago Tribune, p. 27 (April 29, 2010).
[18] Tweets are text-based posts of up to 140 characters displayed on the author’s profile page and delivered to the author’s subscribers, who are known as followers.
[19] The retweet (or “RT” in front of the Twitter line) allows Twitter users to share the best links, tweets, and gems they find from others using the service. These messages can be positive or negative in nature.
[20] For “retweets,” the company would need to seek removal of the information under Twitter’s user agreement, which is available at http://help.twitter.com/forums/26257/entries/18311.
[21] YouTube Website, Privacy Issues: Privacy Complaints for Other People, available at: http://www.google.com/support/youtube/bin/answer.py?answer=84753 (“In order to process privacy claims, we must receive notification directly from the individual in the video…. Any attempt to report a privacy violation for someone other than yourself will not be investigated.”)
[22] Facebook Statement of Rights and Responsibilities, available at: http://www.facebook.com/terms.php?ref=pf (last visited, Oct. 27, 2009).
[23] Id. at § 5.8.
[24] MySpace.com Terms of Use Agreement, last updated June 25, 2009, available at: http://www.myspace.com/index.cfm?fuseaction=misc.terms
[25] Id. at §§ 8.6, 8.16.
[27] “Facebook Won’t Face Off with Canada’s Privacy Commissioner,” 27 No. 9 Andrews Computer & Internet Litig. Rep. 11 (Sept. 30, 2009).
[28] http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2009_en.htm
[29] Opinion 5/2009 on online social networking, p. 6.
[30] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data implemented in the UK by the Data Protection Act 1998.
[31] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
[33] “Making privacy notices meaningful” The Reporter (Calleja Consulting) July 2009.
[34] Portions of this chapter first appeared in, and are reprinted with permission of, the Privacy & Security Law Journal.
[35] “Facebook Shuts Down Beacon to Settle Class-Action Lawsuit,” 27 No. 9 Andrews Computer & Internet Litig. Rep. 8 (Sept. 30, 2009), citing Lane, et al. v. Facebook Inc., et al., No. 08-CV-03845-RS (N.D. Cal.).
[39] “Concerned mother sets up MySpace sting operation,” 5 No. 7 Quinlan, Computer Crime and Technology in Law Enforcement art. 2 (July 2009).
[40] “Impeachment by Facebook Status Update?” 14 No. 9 Cyberspace Law. 23 (2009), citing to State v. Corwin, 2009 WL 2562667 (Mo. App. August 20, 2009) (upholding convicting despite allegation that exclusion of Facebook status page was error).
[41] Tariq Remtulla, “Facebook Not So Private? Ontario Court Finds Facebook Profile Discoverable,” 14 No. 4 Cyberspace Law. 17 (May 2009).
[42] Margaret DiBianca, “Warnings Against LinkedIn Recommendations: Justified or Propaganda?” 14 No. 9 Del. Emp. L. Letter 2 (Sept. 2009).
[43] See Harry Haydon The Sun dated 05 Jul 2009, available at http://www.thesun.co.uk/sol/homepage/news/2517719/MI6-spy-chief-has-cover-blown-on-Facebook-by-wife.html.; Allegra Lawrence-Hardy, Esq., and Jessica Sawyer Wang, Esq., “Are Your Company’s Secrets Threatened By Your Employee’s MySpace Page?” 28 No. 14 Andrews Automotive Litig. Rep. 7 (Jan. 6, 2009).
[44] http://www.pcc.org.uk/news/index.html?article=NjA4MQ== ; “PCC Code – police comments sourced from private profiles on social networking sites” The Reporter (Calleja Consulting) December 2009
[45] “Submission of MySpace Internet Entry to Newspaper for Publication Does Not Constitute Actionable Invasion of Privacy,” 30 No. 6 Cal. Tort Rep. 14 (June 2009).
[46] “Facebook: The Future of Service of Process?” 25 No. 8 Andrews Pharmaceutical Litig. Rep. 11 (Sept. 21, 2009).
[47] “Service via Twitter – the UK courts embrace technology” The Reporter (Calleja Consulting) November 2009
[48] “FTC Tells Congress It Is Reviewing Whether Technology Changes Call for Revisions to the Agency's Rule Protecting Kids' Online Privacy,” FTC website, http://www.ftc.gov/opa/2010/04/coppa1.shtm (April 29. 2010).
[49] http://police.homeoffice.gov.uk/publications/operational-policing/social-networking-guidance/?view=Binary The task force’s good practice has now been integrated in to the work of the UK Council for Child Internet Safety.
[50] http://ec.europa.eu/information_society/activities/social_networking/eu_action/selfreg/index_en.htm
[51] Whilst this may be based on a range of factors, there is an implication in the notes to the principles that a minimum age of 13 could be imposed in line with the U.S. approach and the Children’s Online Privacy Protection Act which in the UK only allows providers to collect data without parental consent from users over 13 years old. Suggested measures to ensure age-appropriateness could include providing means for content providers, partners or users to label, rate or age restrict content when appropriate, using for example the Broadband Stakeholder Group’s good practice principles on audiovisual content information.
[52] For example, taking steps to ensure that private profiles of users registered as under 18 are not searchable.
[54] “Data protection offences – custodial sanctions” The Reporter (Calleja Consulting) November 2009; “Serious data protection breaches – civil monetary penalties” The Reporter (Calleja Consulting) December 2009.
[55] See sections 4, 55, 55A and 55B of the Data Protection Act 1998 (as amended).
[56] “Feds Appeal Dismissal in MySpace Suicide Case,” 27 No. 10 Andrews Computer & Internet Litig. Rep. 8 (Oct. 14, 2009), citing to United States v. Drew, No. 08-CR-00582-UA, 2009 WL 2872855 (C.D. Cal. Aug. 28, 2009).
[57] “MySpace is Not Liable for Members’ Sexual Assaults,” 13 No. 7 Andrews Telecomm. Indus. Litig. Rep. 9 (Aug. 19, 2009), citing to Doe, et al. v. MySpace Inc., No. B205643, 2009 WL 1862779 (Cal. Ct. App., 2d Dist., Div. 8 June 30, 2009).
[58] “MySpace Protective Order Violations,” 14 No. 4 Quinlan, National Bulletin on Domestic Violence Prevention art. 6 (Apr. 2008).
[59] “Second Life Currency Open to Theft,” 10 No. 1 E-Commerce L. Rep. 12 (Jan. 2008).
[60] Nancy McKenna, “Worming its way through Twitter,” 5 No. 6 Quinlan, Computer Crime and Technology in Law Enforcement art. 5 (June 2009).
[61] “Report cites jump in Facebook,Twitter attacks,” (Aug. 18, 2009), Triangle Bus. J. (Pg. Unavail. Online), 2009 WLNR 16076587.
Well, it seems like almost yesterday (actually a little more than a month ago), that a subsidiary of Mixx, the popular social voting site, launched TweetMixx, a new service that enables companies, brands, politicians, and celebrities collect and aggregate all the mentions about them on Twitter on a single page. “TweetMixx Channels,” as the service is branded, enables you to create a branded page, tailored to you – from your own Twitter Tweets and RSS Feeds to comments from customers, reviewers, fans or pretty much anything you like. We’ll use “you” generically to mean any label that fits – people, brands, goods, services, you name it.
Ever see those vanity license plates on cars? Now you can have your own vanity Twitter Mixx channel, and the service uses “Tabs” to allow a variety of features and functions. There’s one that uses search terms to find links and tweets about you on Twitter, in apparent deference to the new Federal Trade Commission Endorsement Guides (see our post FTC (Revised) Endorsement Guides Go Into Effect earlier today; there’s an “Insiders” tab that identifies anyone with a material connection or that is associated with you (e.g., employees, agents, paid endorsers); and other tabs that enable you to customize and populate the channel. In addition, since the service appears to act both as an aggregation and a search tool for content about you, consumers can find all the Twitter traffic and channel information about you in one place, and at the same time, you can use the service to track and monitor conversations and references to you on Twitter. Right for consumers; right for you – clever.
Remember Facebook’s personalized URLs just a few months ago (Legal Bytes blog post Facebook Adds Personalization & a (Brand) New Dimension)? This is not simply another social media fad. Already companies are getting on the bandwagon (or should we say birdwagon). Today, the National Hockey League (www.nhl.com) will be among the first few enterprises launching its TweetMixx Channel – its own private label branded distribution platform using the TweetMixx service. TweetMixx even provides you with a widget that can be embedded on other websites (think bloggers, profile pages, etc.). The NHL’s “Chatter” tab on TweetMixx, for example, will provide streaming tweets from hockey fans, while a “Links” tab will keep track of the tweets that are retweeted most often, and will rank these favorites by putting them at the top of the TweetMixx Channel web page.
So for advertisers, brand managers, marketing professionals and agencies, this new tool is the beginning of enabling a clearer strategic use of Tweets. Just as branded pages and channels, enabling two-way conversations, have emerged on YouTube and Facebook, allowing brands and celebrities to engage with consumers and fans, TweetMixx seeks to provide an ecosystem for Twitter traffic. Chris McGill, founder and CEO of Mixx, noted that each TweetMixx Channel can be analogized to a “tree.” You have TweetMixx plant a customized tree of your choice, then you are given the tools to nurture it, to prune it and to watch it grow. Do it right and you have branches where Twitter users can “flock, sit and sing” about you – the people, products, services and things they care about. TweetMixx owns the forest!
Can you or your brand afford to stay out of the social media arena? Are you afraid of the new risk-reward paradigm and uncertain what to do? Do you know you have to do something, but are suffering from analysis paralysis? Have traditional models got you stuck in the mire? Call us. Our Advertising Technology & Media law practice group and our newly formed Social Media Task Force already have unparalleled depth, experience and bench-strength in understanding, working with, and advising clients in this brave new world. From developing policies to monitoring compliance; from protecting and enforcing your rights to developing relationships and partnerships with others to engage in the conversation. To win it, you have to be in it. If you need help, contact me, Joseph I. (“Joe”) Rosenbaum, or the Reed Smith attorney with whom you regularly work. We are happy to help.
This post was written by John P. Feldman.
Yesterday, Dec. 1, 2009, the revised "Guides Concerning the Use of Endorsements and Testimonials in Advertising" released by the Federal Trade Commission came into effect. If you are a loyal Legal Bytes' reader, you know we have been following this as early as November 2008, when we posted Endorsements & Testimonials - FTC Broom Proposes Some Sweeping Changes. Numerous updates and informational pieces have graced these pages since then (now when we say "pages," we mean web pages), and you can refer back to any or all of them, or you can check out any you may have missed right here: FTC Testimonial and Endorsement Guides Stimulate Industry Comment (March 2009); a presentation given at the University of Limerick on the subject entitled "Trust Me, I'm a Satisfied Customer: Testimonials & Endorsements in the United States," which you can download (If You Didn't Make It to Ireland ...); Ghostwriters: Medical Research or Paid Endorsers (and are they mutually exclusive?) and Rights of Publicity - Wake Up and Smell the Coffee! (both in August 2009); and FTC Releases Updated Endorsement & Testimonial Guidelines and Reed Smith Analysis of the New FTC Endorsement and Testimonial Guidelines (both in October 2009).
Yesterday, John P. Feldman, an authority in these types of advertising regulations and compliance and who is based in Washington, D.C., put together some thoughts concerning the implications of these Guides upon coming into effect, continuing his thoughtful and practical analysis. While we will maintain bringing you news and information about the Guides, John's analysis is timely and helpful, and outlines some considerations every advertiser – online, in social media and off-line – and every blogger, viral marketer, celebrity endorser or consumer making a testimonial, should take into account. John's analysis, which you can download and read in its entirety by selecting the link below, asks and answers the following questions about these Guides:
You can download your own copy of John's analysis or you can read it online right here: "FTC Endorsement Guides (Revised) - Some Thoughts As They Become Effective". You won't be disappointed. In addition, if you want to know more about these issues or have questions about your particular circumstances, please do contact John P. Feldman directly, or you can call Joseph I. Rosenbaum or Douglas. J. Wood or, of course, any Reed Smith attorney with whom you regularly work.
The New York Times today has published some of the views of David C. Vladeck, the new head of the Bureau of Consumer Protection at the Federal Trade Commission, regarding the FTC’s role in protecting consumer privacy.
By way of background, in announcing Mr. Vladeck’s appointment April 14, 2009, the FTC noted that “David C. Vladeck, who will serve as Director of the Bureau of Consumer Protection, has been a Professor of Law at Georgetown University Law Center, teaching federal courts, government processes, civil procedure, and First Amendment litigation. He co-directed the Center’s Institute for Public Representation, a clinical law program for civil rights, civil liberties, First Amendment, open government, and regulatory litigation. Vladeck previously spent almost 30 years with Public Citizen Litigation Group, including 10 years as Director.”
The FTC has been, and likely will continue to be, among the most aggressive federal agencies in the U.S. privacy arena. Traditionally, the FTC had prosecuted companies for how they collect and use consumer information, if consumers had been deceived, or if consumers had suffered economic harm. Although you can read The New York Times article in full, Mr. Vladeck has proposed adding a new thrust to the future of FTC privacy enforcement. He is reported to have suggested that if companies collect too much information from a consumer, that, in itself, is a harm to the inherent privacy of individuals AND (if his views turn out to be prophetic) is prosecutable, no matter how conspicuously or completely the nature and extent of information collection is disclosed to the consumer. This concept of damage to the "dignity" of the consumer goes well beyond the traditional U.S. privacy principles that have typically compensated consumers only when economic harm or damage has occurred, or when there are statutory penalties for violations of law or regulation.
If Mr. Vladeck’s views transform into regulatory policy and enforcement activity, this highly subjective and vague standard (How much is too much? Why shouldn’t proper disclosure and choice be sufficient?) could have a huge impact on data collection, could lead to a huge flurry of litigation, and would arguably create a "big chill" for all—including consumers. Stay tuned.
Earlier today, the FTC staff issued a report concerning consumer protection issues arising in the mobile commerce marketplace. A copy of the full report, Beyond Voice, Mapping the Mobile Marketplace is available by clicking the link. The key findings in the report:
Given the numbers of wireless and mobile devices in the hands of individuals under the age of 18 (and 13), and the increasing proliferation of mobile devices, this will become a hotter topic in the months and years ahead. As if this point needed to be emphasized, it has been reported that as of January 2007—two years ago—there were approximately 800 million cars, 850 million personal computers, 1.5 billion television sets, but already 2.7 billion (yes, billion) wireless and mobile devices in use around the globe, with more than 800 million e-mail and 1.8 billion SMS text-messaging users.
The sheer numbers are staggering, and we are on top of this issue big time. Contact Joe Rosenbaum, John Feldman or Douglas Wood if you need more information or assistance.
Reed Smith acts as counsel to many of the advertising industry’s leading trade and membership associations – The Association of National Advertisers, The Word of Mouth Marketing Association, the Interactive Advertising Bureau, to name only a few. As you may have notices, a recent Legal Bytes blog post noted that just last month the FTC supplemented its December 2007 “Self-Regulatory Principles for Online Behavioral Advertising” report.
Well the FTC has been busy in re-examining it’s policies regarding testimonials and endorsements in this digital age. As previously reported in Legal Bytes, the FTC indicated it was revising it’s Testimonial and Endorsement Guides (the first time since the 1980s). Well comments have now been submitted and we strongly recommend that anyone in the advertising and marketing business take a look at some of them. In fact, to help you, Legal Bytes has a couple you can look at right now – Comments for The Association of National Advertisers and Comments for The Word of Mouth Marketing Association – and when you finish reading them ask yourself:
If you need to know, you need to contact John Feldman, Douglas Wood or Joseph Rosenbaum - or your favorite Reed Smith attorney - who will be more than happy to help you.
FTC Releases Revised Ad Guidelines: Are New Marketing Practices in Your Wallet?
On February 12, 2009, the FTC supplemented its December 2007 “Self-Regulatory Principles for Online Behavioral Advertising” report, highlighting the FTC’s voluntary best practices for the behavioral advertising industry. While continuing to support self-regulation, that should not be taken as a vote of confidence for continuing the status quo. Change is in the air and you may well need to:
. . . and if you think your privacy policies are ok, as is, think again. The FTC has taken a broad brush to paint a picture of what it considers personally identifiable information (PII) and what ‘sharing’ of that information may require. Our experts Amy S. Mushahwar and John P. Feldman have written an alert that describes what you need to know in more detail. To read the full alert, with links to the FTC releases, click here.
The FTC is expected to release a Report on how violence is being used to market to children—in movies, music and video games. Some insiders fear the FTC will suggest the entertainment industry has violated or outgrown its voluntary standards—can you say “regulation.” Both the FTC and the FCC have targeted children’s advertising, programming and products. Want to know more? Contact John P. Feldman in our Washington, D.C. office; me or Douglas J. Wood in our New York office; or Stephen Edwards, Michael Skrein or Carolyn Pepper in our London office. Please also visit our www.KidAdLaw.com web pages. If you market or advertise to children or if you are a company that carries advertising which is or could be targeted to children, why would you look anywhere else for legal counsel.
The FTC, in a recent advisory opinion, highlighted the possibility that a seller’s failure to disclose the connection with an endorser could result in a violation of the FTC Act. This opinion has legal implications for blogging by employees, even on personal time and even if the company is unaware of the employee’s activities. Employees should be advised to strictly abide by their employer’s blogging policy, and if they blog about a product, they must identify their employment status. What? You don’t have an employee blogging policy? Shame on you. Come get one. Come to Reed Smith. Need to know more? Read our Labor & Employment e-flash bulletin "According to the FTC, Employee Blogging May Subject Employers to Liability" and contact the authors, Angela M. Washelesky in our Chicago office or Sara A. Begley in our Philadelphia office.
Based on a complaint that Xanga knew it was collecting (and sharing) personal information from children under the age of 13 (they asked for and were given the birth dates from registrants), the FTC reached a settlement agreement in which Xanga.com agreed to pay a civil penalty of $1 million. The complaint also alleged that Xanga didn’t notify children’s parents, nor did they give parents access to or control over their children’s information.
The Children’s Online Privacy Protection Act (“COPPA”) mandates that commercial web sites give parents notice and get consent before collecting personal information from children they know to be younger than 13 years old. The order which is part of the settlement with the FTC forces Xanga to erase any personal information collected and stored that violates the Act. Xanga also will have to put up hypertext links for the next five years to FTC-designated consumer educational materials.
Social networking has been in the news recently for many reasons. Recently, Facebook was faced with controversy when it started serving automated alerts about users’ friends and classmates. Facebook has less than 10 million users, compared with MySpace—which is now owned by News Corp.—which has in excess of 100 million users.
Those name brands appearing in hit shows. Those logos on the motion picture screen. The characters at the breakfast table with a favorite cereal. The star driving around in a particular automobile. The airline shown flying the lead character off to an exotic destination. Reality? Coincidence? Hardly. They are the result of contracts between the entertainment company or producers and the advertisers, and they represent a growing and important trend in marketing to consumers, along with the Internet, as reaching market segments through traditional radio and television advertising becomes increasingly difficult in our on-demand, fast-forward world.
In some cases, such “branded” entertainment is subtle—inserting itself into a scene or a sequence quite seamlessly and, not necessarily inconsistent with, reality. In other cases—“Harold and Khumar Go to White Castle”—yes, this really was the name of a movie, as was “Akeelah and the Bee,” which Starbucks helped finance and promote. In case you didn’t know, the FCC (and the FTC) regulate advertising on television—the FCC’s regulations concerning disclosure arose primarily from the quiz show scandals in the 1950s. When does creative control over programming yield to paid sponsorship and financing dollars or Euros (or British Pound Sterling). At what point does a program or movie become an infomercial or advercast? Are there vulnerable groups (e.g., children) that might not distinguish so readily between advertising and programming and at what point is that deceptive? What does SAG say about their actors being de facto appearing to endorse a product or brand inserted into their scenes and programs? If an actress is under contract with a cosmetic brand exclusively and a movie scene requires her to use a different brand—actionable? When the trailer with that clip airs on broadcast television—problem? Witness the following quote from Jonathan Adelstein, FCC Commissioner: “Now, products have even seeped into plot lines. Soap operas have woven cosmetic lines into their tales of who-did-what-with-who, while “The Apprentice” sounds more and more like an hour-long infomercial for the latest corporate sponsors.”
Trademark issues, endorsement and competitive/ambush marketing issues, free speech, freedom of expression, adequacy of disclosures, misleading or deceptive advertising—the list of potential issues is growing as the balance between creative control and commercial reality infect the entertainment industry. At one extreme is the traditional product placement in which an advertiser pays a fee for the hopes that the scene with its product doesn’t get cut and wind up on the editing room floor. At the other extreme is a placement fee and promotional campaign that is so integrally tied with the plot and the program that the two are indistinguishable—think “The Apprentice” or “Home Makeover.”
The deals are becoming more complex, and more fraught with potential legal and regulatory issues, and the stakes are higher. Need help? Contact Doug Wood or me—we would be happy to help.
The FTC recently held that Rambus, a developer of computer memory technology, violated Section 5 of the FTC Act, engaging in monopolistic practices—abusing the process for setting industry standards for memory chips (DRAM). Rambus participated in the standard setting, but didn’t reveal it applied for and obtained patents that included technology incorporated into the very standards Rambus helped to craft. The FTC held that as a result of Rambus’ deceptive conduct, it engaged in anticompetitive conduct. The FTC found Rambus had intentionally and willfully engaged in deceptive conduct and misled others in the standards-setting organization—clearly to its detriment.
The Commission determined that Rambus’ conduct enabled it to acquire patent monopoly power in a number of relevant and related markets, while its deceptive behavior within the standards-setting organization led to the adoption of standards by the industry group that unwittingly incorporated Rambus’ patent rights. At least one FTC Commissioner went even farther and wrote that the abuse and deception within the standards-setting process was not only in violation of antitrust laws, but also constituted an unfair method of competition in violation of the broad scope of the FTC Act.
A proposed new “Truth in Video Game Rating Act” (H.R. 5912), would require the Federal Trade Commission to promulgate rules prohibiting unfair and deceptive acts or practices by video game marketers, and would require ratings to be based on video or computer game content as a whole. It would also be a violation if any producer or maker of these games hid or grossly mischaracterized the content of the game. Joysticks ready?
The Mobile Marketing Association has promulgated guidelines, now adopted by many leading wireless carriers and programming networks, to deal with the growing use of email, SMS (text messaging) and similar mechanisms in advertising and marketing. As you will recall, legal and regulatory actions have arisen based on the fact that some companies’ marketing practices fail to adequately disclose the charges, whether subscription or imposed by the wireless carriers, that apply to some of their services and, in some cases, to the advertisements and marketing messages themselves.
Wireless carriers are beginning to adopt content guidelines for what they will or will not transmit from content partners—regulating such things as sexually explicit, graphic violence, profanity, hate speech and other topics, words and images—in some cases including lengthy lists of “forbidden words.” CTIA, the wireless industry trade association, issued fairly broad content guidelines last November, but left the specific implementation to the individual carriers. Some carriers have carried this implementation to a level of detail that covers everything from games, music, images and video, and in some cases even governs the file names of anything downloaded or transmitted.
Wait until you wake up to the issues raised by transmission and posting of “user generated content.” As you may know, in addition to the FTC regulating advertising and certain content in the U.S., and on top of state laws, the Federal Communications Commission (“FCC”) having authority to regulate indecent content on television and radio and the mobile phone as a media and entertainment device is no longer fiction, but fact in many cases. Did you know that our Advertising, Technology & Media Law group has significant experience in all these areas (Judith Harris for FCC and communications; Doug Wood for advertising and marketing; and, of course, any of us or me, if you simply can’t figure out where your need fits).
In November 2005, Legal Bytes told you about how branded entertainment and product placement was one of the forces shaking up the world of advertising and marketing. We add to these forces even more creative innovations that are challenging the advertising and marketing world, as well as the legal and regulatory experts. “Buzz” or “viral” marketing is word-of-mouth advertising that promotes a product without disclosing any direct connection between the advertiser and the message. If you are a marketing professional, of course you want to identify people who will be interested in a particular message, and deliver the message in a way that makes it enjoyable and encourages them to share it with more people—you remember the hair color commercial on TV that ends with something like “she tells two friends and they tell two more friends and so on and so on….”
Now clearly, if an individual makes deceptive or misleading statements that weren’t induced, authorized or controlled by the advertiser, it’s hard to hold that advertiser responsible. But now advertisers are paying buzz “agents” to relay messages and encourage further word-of-mouth advertising. Thus, if the advertiser pays, it is hard to argue the advertiser is not liable for the truthfulness of authorized statements. But what happens if the buzzer’s unscripted message (i.e., their own message in their own words) is deceptive? Are their words similar to testimonials, regulated by the Federal Trade Commission, or a form of social spam, requiring disclosure like that mandated in the CAN SPAM Act? False testimonials have been the subject of state and federal actions for years. In some cases, actors in commercials looked so real, some Attorneys General required them to superimpose the words “dramatization” as a disclaimer on the TV screen. Years ago, a motion picture studio had billboards and commercials praising their movies. Unfortunately, the quotes and the purported journalist were invented by marketing staff at the studio.
These cases clearly establish that an advertiser is responsible for deceptive or misleading net impressions created by its advertising. Similarly, the FTC’s Guides Concerning Use of Endorsements and Testimonials in Advertising provides that, “When there exists a connection between the endorser and the seller of the advertised product which might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience) such connection must be fully disclosed.” There is no reason to believe these same standards do not apply to buzz marketing.
If an otherwise ordinary consumer becomes a buzz agent and is paid or given free products or other consideration in exchange for creating “buzz,” appropriate disclosure is likely to be required. Keep in mind, that to prevail in an action alleging a violation, the FTC must still show the activity was deceptive or misleading under Section 5 of the FTC Act—recall from November’s issue, that to make advertising actionable under Section 5 of the FTC Act depends on whether there is a representation or omission likely to mislead the consumer, viewed from the perspective of a reasonable consumer in the situation involved, and the representation or omission must be “material.” As noted in that issue, “if the consumer knew or was told the truth, is it likely to affect a consumer’s behavior in connection with the product.”
The FTC has proposed rules under the CAN-SPAM Act, in which an advertiser is not subject to the Act’s technical requirements if the “send this to a friend” forwarding or sending feature on the website or in the e-mail is not “procured” by the advertiser. In other words, the advertiser hasn’t paid or provided other consideration or induced anyone to initiate the message on behalf of the advertiser—otherwise, the advertiser must comply with all of the CAN-SPAM Act requirements, including disclosing that the message is an advertisement.
While traditional advertising law principles apply, in fact there has been very little actual regulation of viral or buzz marketing. Don’t feel complacent. We should expect the lack of enforcement activity to change reasonably quickly as more advertisers turn to non-traditional avenues to get their message across. New approaches to buzz or viral marketing and, as mentioned in prior issues, product placement, serve to only increase legislative concerns and pressure from consumer advocacy, protection and other groups. As these marketing techniques become more sophisticated and advertisers become more involved in the creative surrounding the medium and the message, the risks increase. Are consumers deceived by information that appears to reflect independent views, when the relayers are actually being compensated for delivering an advertiser’s message? The law appears quite clear that lack of disclosure could violate state and federal law, depending upon the materiality of the statement to a reasonable consumer and corresponding consumer harm.
Psssssst—pass it on.
Product placement is an advertising activity which has grown for decades in the motion picture industry, going virtually unnoticed by legislators. When television began aggressively using product placement for advertising, concerns (and regulation) began increasing. Unlike motion pictures, television is legally required to distinguish between advertising and programming.
First, “infomercials” that looked and felt like programming were targeted by regulators, because they believed the infomercials were deceiving. After a number of cases, the industry developed and implemented disclosures to allay fears of regulators at the FCC and the FTC. Enter reality TV. Suddenly programs were using affiliations with sponsors as part of the content or story line, prompting fresh concerns. As cable television, pay-per-view and video-on-demand services, time-shifting and digital recording devices, and fast-forward buttons have become commonplace, advertisers have struggled to capture viewers’ attention with product placement. In 2004, product placement advertising rose to about $4.25 billion.
Why the fuss? Because product placement is advertising, subject to the same laws and regulations that govern commercials. On television, both the FTC and the FCC can regulate advertising, mandate disclosures and determine if something is deceptive or misleading. Where the line between harmless product placement and deceptive practices is drawn is increasingly blurred.
Whether a product placement is deceptive or misleading—sufficient to make it actionable under Section 5 of the FTC Act—depends on whether there is some representation or omission likely to mislead the consumer. The depiction of the product must be viewed from the perspective of a reasonable consumer in the situation and the representation or omission must be “material.” In other words, if the consumer knew or was told the truth, the consumer’s behavior would likely be affected in connection with the product.
The FCC also regulates deceptive product placements: viewers may not realize they are advertisements, hence the FCC requires disclosure. Failure to properly disclose the commercial nature of a product placement could amount to “payola” and would be illegal. Again, where the line is drawn between harmless inclusion of products in programming versus commercialization which misleads consumers is hardly clear.
The FTC and FCC regulations puts advertisers between a rock and a hard place. The FCC requires disclosure for a paid placement—which makes the product placement commercial speech. If it is commercial speech, is the placement then also subject to FTC disclosure rules? What if the advertiser has no control over the creative content and no approval over scripts or editing or even the extent of the product placement itself? Under those circumstances, how could the advertiser be responsible for the depiction of its product; the director, producer, actors, even the editorial staff, have ultimate creative control of what shows up on the screen. The advertiser could pay a substantial sum of money to watch its product wind up on the cutting room floor in post-production. Ouch.
But what if the advertiser seeks approval over content to ensure it gets what it pays for? Can that advertiser argue it shouldn’t be liable for false representations or the net impression created about the product—especially if the advertiser has some say in the creative surrounding a product placement? Does one risk a negative placement by foregoing participation in the creative, or fight to ensure favorable depiction of a product with the corresponding risk that liability will increase with participation in the content and placement.
Ultimately, the question of whether disclosure is required, whether product placement will be seen as misleading or acceptable, will depend on the “reasonable consumer.” Artistic expression of the creators of programming content, or blatant advertisement? In one case no disclosure is necessary. In the other, the law requires disclosure so the consumer is informed. As product placement becomes increasingly clever and interwoven into the fabric of programming content, and as advertisers increasingly participate in creative decisions surrounding placement and depiction of products, the risks of regulatory action increase.
Outside the United States, it doesn’t get any easier. In Ireland and Finland, product placement is prohibited in all media; in Austria, Norway and Italy it is specifically forbidden in television programming; Germany, Greece, Denmark and Liechtenstein allow it if it is integral to editorial content; and the Netherlands allows only product placement that lasts a “few seconds.” Then there is the European Commission Television without Frontiers Directive—but we digress.
Product placement will continue to challenge the balance between advertising and creative programming. Where and when disclosures will be required are likely to challenge advertisers, consumers, regulators and legislators for some time to come.
Thanks to Doug Wood for contributions to the material in this article. If you have any questions or need help with any of the issues, please contact Doug or contact me.
What if you offer a tutorial service that teaches how to use peer-to-peer file-sharing programs and refers members to P2P networks but doesn’t actually license file-sharing programs, and doesn’t operate a file-sharing network itself? Sounds like it would be tough to prove copyright infringement—the Grokster case notwithstanding.
But what if you advertise that by becoming a member, subscribing and paying a fee, your P2P file-sharing is legal. “PEOPLE ARE NOT GETTING SUED FOR USING OUR SOFTWARE. YES! IT IS 100% LEGAL,” or “Rest assured that File-Sharing is 100% legal.” What if customers are deceived into thinking that by becoming a member, P2P file-sharing is legal? Remember, when anyone uses a P2P file-sharing program to download copyrighted material, or to make that material available to others without the copyright owner’s permission, it’s copyright infringement. Well the FTC has charged Cashier Myricks Jr., doing business as MP3downloadcity.com, with deceptive advertising by falsely claiming that membership in the service makes P2P file-sharing legal; and acting on the FTC’s action, a U.S. District Court judge has stopped the deceptive ads. The FTC is seeking to make the ban permanent.
Want to know more? The FTC has published “P2P File Sharing: Evaluating the Risks.” Oh, and you should also probably call Reed Smith…after all, we know advertising, marketing and promotion like nobody else.
The FTC has been checking compliance with its e-mail opt-out requirements promulgated under CAN-SPAM, and recently announced the results of a compliance survey it undertook with e-Tailers. The survey indicates that 89 percent of those online merchants who participated in the survey were complying with consumer requests to opt-out of future commercial e-mail. The FTC essentially selected 100 merchants that are big users of the Internet in retail sales and then visited their websites, created test e-mail accounts and registrations, and signed up for promotions—using the retailers systems to prompt both an initial message and their ability to reply with an “opt-out” request. All of the merchants selected did provide clear notice to consumers of their opt-out rights and a relatively easy means to do so. After six weeks of monitoring, about 89 percent of the merchants honored all opt-out requests, with 93 percent honoring some. In case you were thinking the FTC doesn’t take CAN-SPAM enforcement seriously or can’t possibly monitor and track your compliance efforts, think again. Use e-mail/e-Tail advertising and marketing? Need to understand your obligations? Need to develop policies and practices for compliance? How quickly and with what level of accuracy do you honor the requests? Need help in understanding when and to what CAN-SPAM applies? Contact either Joe Rosenbaum or Doug Wood at Reed Smith. We can help.
At least that’s what the FTC thinks. They charged BJ’s Wholesale Club with failing to maintain adequate computer security—it is the first time the FTC has used Section 5(a) (the section that says if you engage in an unfair or deceptive act, or practice in or affecting commerce, it’s unlawful). The FTC cited failures to encrypt consumer information, storing sensitive computer information for a needlessly long time in files with common or default passwords, and lax measures regarding prevention of unauthorized access, detection and security investigations: The complaint alleged that when taken together, BJ’s failed to provide legally adequate security for sensitive consumer information. The Chairman of the FTC has called for Congress to enact legislation requiring notification to consumers if there is significant identity theft risk, and has asked Congress to consider extending the Gramm-Leach-Bliley Safeguards Rule currently applicable to financial institutions, to non-financial institutions.
As we mentioned in last month’s issue, sweepstakes, contests and promotions are primarily regulated by state law, although federal statutes and regulations must be considered. Jurisdiction and eligibility across borders, language, currency restrictions, licensing and export of technology, liability, billing and payment, whether a deposit to play might be construed an account for banking purposes, or whether gathering non-public, personally identifiable information about contestants may have privacy implications, are just a few of the issues that transcend the “gaming” aspects of any legal analysis.
On the U.S. federal level, although the FTC can take regulatory action and sue advertisers for deceptive or unfair acts and practices, it relies heavily on the states to regulate the industry. The FTC has, however, promulgated rules that do have significant impact on promotions. For example, the Children’s Online Privacy Protection Act (“COPPA”) was enacted to protect children from marketers who collect or use personal information obtained online from under-age children without parental permission, and authorized the FTC to develop a rule that requires “verifiable parental consent.” Because contests are extremely popular for Internet marketing, online advertisers must be cognizant of COPPA if a portion of their online traffic is, or is likely to be, children under the age of 13.
To illustrate the maze of legal and regulatory issues, let’s use an example: Joe’s Airline, Widget and Screen Door Company wants to conduct a contest on the Internet in which participants are charged $2 to play successive rounds of chess, with prizes at various levels and a grand prize of a million dollars. Our promotion is really a unilateral offer to enter into a contract, subject to terms and conditions (e.g., rules) agreed upon through some manifestation of acceptance. Participants accept the offer by performing a required act—registering, paying, selecting an “I ACCEPT” link—and a binding contract is formed. Point number 1: if Joe fails to adequately disclose the rules upon which the offer is made, the promotion could be construed as an illegal lottery, rather than a contest. Point number 2: Joe better get the rules right and disclose them properly because there are cases which indicate once a participant enters (“accepts”), Joe cannot change the rules (i.e., unilaterally amend the contract). Something to think about: Could each chess game be viewed as a new contest, permitting amendments prospectively?
In general, to qualify as a contest, skill, and not chance, must determine the outcome, and chance may not determine the winner or prize amount. Most, but not all, state laws distinguish games of skill from games of chance, although states do not use a uniform standard to differentiate between the two. While some states prohibit requiring consideration to engage in a promotion where a prize is awarded, most states do not prohibit the payment of money if the promotion is a bona fide contest of skill. What constitutes skill? Good question. The decision is often a question of fact, and when the Internet is involved, evidence can be complex and technology-based, straining judges and juries. Two criminal courts in New York judging the legality of a shell game and a card game reached opposite conclusions.
A number of states have disclosure statutes which apply. Some (e.g., California) arguably apply to skill-based contests, while others do not. Many prize notification statutes were not intended to apply to skill contests, but are worded broadly to include any promotion requiring an entry fee or a purchase. Joe should also be aware that some state gambling laws do not limit their application to games of chance, but focus on whether players are asked to risk or wager something of value. In those states, a skill-based contest that involves betting or offers prizes dependent on the number of entries or the amount of entry fees should be reviewed carefully against state gambling laws. Remember the three elements that constitute an illegal lottery? A prize, consideration and chance. By including an equal and alternate means of entry in which there is “no purchase necessary” to enter or win, and by avoiding a payment (i.e., consideration), Joe can introduce the element of chance in the determination of the winner and not be in violation of federal or state law.
Maybe!
– Albert Einstein“We can’t solve problems by using the same kind of thinking we used when we created them.”
Enter keywords:
