• In This Issue


    FTC, Facebook Reach Settlement Over Privacy Violations

    Two years after announcing changes to its privacy settings that angered consumers and resulted in a complaint filed with the Federal Trade Commission, Facebook has reached a proposed settlement with the agency.

    Under the consent agreement, the social network must receive express consent from users before their information is shared beyond the privacy settings they had established, is banned from making any further deceptive privacy claims, and is subject to biennial audits of its privacy practices for the next 20 years.

    In 2009, Facebook announced changes to its privacy settings so that information like a user’s name, gender, pictures, geographic location, friend list, and pages they are “fans” of were all made public by default. Users had to affirmatively opt out of sharing such information.

    The Electronic Privacy Information Center, along with other groups, filed a complaint with the FTC alleging that the change was an unfair and deceptive business practice.

    In its complaint against Facebook, the FTC agreed. It also listed additional violations of Section 5 of the FTC Act, including the site’s promising users that it would not share their personal information with advertisers when it actually made information available for a period between September 2008 and May 2010; claiming that when users deactivated or deleted their accounts, photos and videos would be inaccessible even though the site allowed continued access to such content; and failing to certify the security of apps participating in its “Verified Apps” program although it claimed to do so.

    Facebook also told users they could restrict sharing of data to certain audiences, like their “Friends,” but according to the complaint, making such a selection did not prevent their information from being shared with third-party applications used by their friends and the site failed to comply with the U.S.-EU Safe Harbor Framework governing data transfer despite claiming it did.

    Finally, the social network told users that third-party apps would only have access to user information needed to operate when in fact, the apps could access “nearly all” of users’ personal data, the agency said. “A platform application with a narrow purpose, such as a quiz regarding a television show, in many instances could access a user’s relationship status, as well as the URL for every photo and video that the user had uploaded to Facebook’s Web site, despite the lack of relevance of this information to the application.”

    Under the terms of the proposed settlement, Facebook is barred from making misrepresentations about the privacy or security of users’ personal information and is required to establish and maintain a comprehensive privacy program “designed to address privacy risks associated with the development and management of new and existing products and services.”

    Further, the site must prevent access to users’ material 30 days after the account has been deleted as well as obtain affirmative, express consent before enacting changes that override users’ existing privacy preferences.

    The compliance and monitoring program mandates that within 180 days – and every two years for the next 20 years – Facebook must obtain an independent, third-party audit certifying that a privacy program is in place that meets or exceeds the requirements of the FTC order.

    No monetary penalties were included in the settlement, although the site is subject to a fine of $16,000 per violation per day if it fails to comply with the terms of the order.

    In a blog post Facebook founder Mark Zuckerberg acknowledged that the company had “made a bunch of mistakes.” But he said he was “committed to making Facebook the leader in transparency and control around privacy,” noting that he had created two new corporate officer roles relating to privacy.

    “Today’s announcement formalizes our commitment to providing you with control over your privacy and sharing – and it also provides protection to ensure that your information is only shared in the way you intend. As the founder and CEO of Facebook, I look forward to working with the Commission as we implement this agreement. It is my hope that this agreement makes it clear that Facebook is the leader when it comes to offering people control over the information they share online,” Zuckerberg wrote.

    The consent agreement will be open for comment for a 30-day period, until Dec. 30.

    To read the complaint in In the Matter of Facebook, click here.

    To read the consent decree, click here.

    Why it matters:  “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” Jon Leibowitz, Chairman of the FTC, said in a press release about the proposed settlement. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.” The settlement further reinforces the FTC’s focus on privacy, particularly with regard to new media, following similar settlements with Google and Twitter. Similar to Facebook, Google agreed to 20 years of monitoring and compliance as part of a comprehensive privacy program including annual outside reviews after launching its social networking feature, Buzz, by automatically adding it as a feature to all users of Gmail, Google’s e-mail system. The agency said the company used deceptive tactics and violated its own privacy policy in the process. In the Twitter case, the microblogging site is now subject to a decade of security audits after hackers broke into the site, leading the FTC to charge it with failing to protect users’ personal information.

    back to top

    Suit Alleges DISH Violated TCPA – Again

    A plaintiff has filed suit against DISH Network LLC alleging that the company made more than a dozen unsolicited telemarketing phone calls in violation of the Telephone Consumer Protection Act by using authorized retailers acting on its behalf.

    “Over the past four years, DISH and/or its retailers or authorized agents have engaged in widespread advertising via unsolicited prerecorded telemarketing calls and auto-dialer use in violation of the TCPA” to both residential phone numbers and cell phones, according to the complaint.

    Filed in Colorado federal court, the suit seeks to certify a nationwide class. According to the complaint, the plaintiff received 16 prerecorded and live calls from DISH representatives between January 2006 and March 2009, even after he placed his phone number on both the company’s internal and the federal Do Not Call list. When he received live calls, he repeatedly requested that they stop, the suit contends.

    The plaintiff argued that the satellite television programming company knew or should have known its retailers were engaging in telemarking via auto-dialer and/or prerecorded messages to consumers, including those who were listed on the Do Not Call registry.

    The complaint emphasizes that a person or entity can be liable under the TCPA “for calls made on its behalf, even if the person or entity does not directly place the calls.”

    The suit seeks injunctive relief to stop the calls as well as damages – $500 for negligent violations and $1,500 for knowing violations of the TCPA.

    To read the complaint in Donaca v. DISH Network LLC, click here.

    Why it matters: DISH is no stranger to such allegations. It reached a settlement agreement with 48 state attorneys general in 2009 over unlawful telemarketing and was named in a federal lawsuit the same year by the Federal Trade Commission for making telemarketing calls to numbers on the Do Not Call list. The agency, in conjunction with attorneys general from California, Illinois, North Carolina, and Ohio, alleged that DISH had been making such calls since 2003. In an argument that it could deploy in the civil suit, DISH said at the time that it had complied with the law and should not be held responsible for violations by independent retailers. “An independent audit demonstrates that DISH Network is in compliance with ‘do-not-call’ laws, has proper controls in place, and is well within the safe-harbor provisions of the law,” the Colorado-based company said.

    back to top

    New Trademark Suits Implicate Muhammad Ali, President Obama

    Two new trademark infringement suits were recently filed by President Barack Obama’s reelection campaign and Muhammad Ali’s “Celebrity Fight Night” Foundation.

    In the first suit, Obama for America claims that Washington Promotions & Printing and its Web site, Demstore.com, are selling unauthorized merchandise featuring the President’s trademarked “Rising Sun” logo. The logo was trademarked for items including bumper stickers, rally stickers, yard signs, clothing, plastic water bottles and jewelry.

    The original logo and the more recent iteration, the 2012 Rising Sun, are “recognized around the world,” according to the complaint, and have been used by the campaign in 2007 and 2011, respectively.

    “Controlling the message associated with the Rising Sun Trademarks is of vital importance to [the plaintiffs],” the suit contends, and the defendants’ use of the trademarks on campaign merchandise is likely to create confusion and damage the campaign’s ability to gain revenue.

    The suit, filed in Illinois federal court, seeks permanent injunctive relief, as well as compensatory, treble, and/or statutory damages.

    In the second case, the Celebrity Fight Night Foundation filed suit against FilmOn.com, a company that promotes, markets, and hosts amateur boxing matches between “public figures and quasi-celebrities,” according to the suit.

    The Foundation, established 17 years prior, identifies itself as “a star-studded charity event” that has raised more than $70 million to primarily benefit the Muhammad Ali Parkinson Center in Arizona.

    According to the plaintiffs, the defendant intends to use the “Celebrity Fight Night” mark to host amateur boxing events featuring combatants such as Joey Buttafuoco, Kato Kaelin, Nadya “Octomom” Suleman, and Jose Canseco.

    The defendant’s use of the mark has already resulted in actual confusion, according to the complaint: one reporter confused the events in an article, another reporter called, and the number of donors has diminished.

    One benefactor e-mailed the Foundation and declined to donate for the current year’s event based on his belief that it was associated with Tareq Salahi (best known for crashing a White House event with his wife, another combatant in the defendant’s event.

    The B-list celebrities associated with the defendant’s event have tarnished the Foundation’s good name and years of goodwill, the suit contends.

    The complaint seeks both monetary damages and injunctive relief and an order to destroy all of the defendant’s materials using the mark. The parties have since notified the Arizona federal court that they have reached a settlement in principle. Details of the settlement agreement were not included.

    To read the complaint in Obama for America v. Demstore.com, click here.

    To read the complaint in Celebrity Fight Night Foundation v. FilmOn, click here.

    Why it matters: Trademark cases turn on whether or not the defendant’s use of a similar word or phrase will cause consumer confusion as to the source, sponsorship, or approval of such goods. President Obama’s reelection campaign repeatedly stresses in its complaint that confusion about the source of the defendants’ products must be avoided, in part to maintain contributions to the campaign.

    back to top

    OBA Accountability Program Releases First Six Decisions

    The Online Interest-Based Advertising Accountability Program released decisions in its first six compliance cases, with each company agreeing to voluntarily modify its practices to comply with the self-regulatory principles.

    The ad industry’s Self-Regulatory Principles for Online Behavioral Advertising require companies that collect or use data for online behavioral advertising purposes to use the Advertising Option Icon in or around their ads, as well as provide notice to consumers about data collection and allow consumers to opt out of receiving targeted ads.

    The Accountability Program’s initial cases focused on the Consumer Control Principle, which requires companies to provide consumers with a mechanism for choosing to opt out.

    To be in compliance, “a company’s choice mechanism must be fully functional, clearly disclosed to users, and the opt-out cookie must be set to the industry standard minimum of five years from the date that the consumer exercises choice,” the Accountability Program explained.

    The Accountability Program tested the functionality, usability, and duration of the consumer-choice mechanism across five Internet browsers (Internet Explorer, Firefox, Chrome, Safari, and Opera) and opened inquiries into six companies: Forbes Media Extension (FMX), Martini Media, PredictAd, QuinStreet, Reedge, and Veruta, aka MyBuys.

    Four of the actions addressed problems with the length of the opt-out mechanisms. FMX’s and Martini Media’s opt-outs were set to expire in less than six months from the date of the request, while PredictAd’s was set for just one month and Reedge’s opt-out was set to expire one year from the date of the request. All four companies agreed to extend the duration of their opt-out mechanism to five years, consistent with the industry standard. In addition, FMX’s opt-out process took three to four minutes when accessed from Internet Explorer, the Accountability Program said, so the company took steps to remedy the delay.

    The other two actions dealt with missing or broken images for the “Opt Out Now” button.
    Tested on four browsers, QuinStreet’s “Opt Out Now” buttons appeared as broken images or were missing, which could potentially confuse consumers or prevent them from exercising their choice, the Accountability Program said. As a result of the inquiry, the company corrected the problem.

    Finally, Veruta’s opt-out mechanism was inaccessible to consumers via its Web site due to a missing link, but the company stated that it was inadvertently omitted during a software upgrade and took immediate steps to correct the problem.

    To read the NAD’s press release about the decisions, click here.

    Why it matters: Enforcement by the Accountability Program, which launched in August, is in full swing, and companies that conduct online behavioral advertising should be prepared for an inquiry. “I was very happily surprised at how quickly these companies responded and how positively they responded,” Genie Barton, Vice President of the Council of Better Business Bureaus, which oversees the program, told The Washington Post about the first set of cases. Barton said that all the companies responded to the complaints and changed their policies “well within” the mandatory two-week period. “I think that independent enforcement demonstrates that self-regulation can work and that it is being taken very seriously by this program,” she said.

    back to top

    CAN-SPAM Preempts Michigan State Suit

    A U.S. District Court in Michigan held that CAN-SPAM preempts claims brought under the state’s antispam law.

    Michigan law prohibits commercial e-mails that misrepresent information about the point of origin or transmission path of the e-mail, as well as those that do not contain certain required information. The plaintiff filed suit in Michigan state court alleging that the defendant sent six unsolicited e-mail messages that breached the law by not including “ADV” in the subject line and excluding contact and opt-out information.

    The defendant removed the suit to federal court and then moved to dismiss the complaint, arguing that the plaintiff’s claims were preempted by the federal CAN-SPAM Act. CAN-SPAM expressly preempts state statutes regulating the use of e-mail with the exception of laws prohibiting “falsity or deception.”

    Because the plaintiff’s claims did not rise to the level of material falsity or deception – despite the allegedly missing or misrepresented information – the court dismissed the suit.

    “The Michigan Act proscribes e-mail that misrepresents certain information about the point of origin or transmission path, but it does not set a materiality standard for misrepresentation. Moreover, none of the terms of the Michigan Act explicitly addresses claims of falsity or deception. The technical violations regarding header, sender, and opt-out information that plaintiff alleges as violations of the Michigan statute are not allegations of materially deceptive actions. His allegations are thus subject to preemption under CAN-SPAM,” U.S. District Court Judge Janet T. Neff wrote.

    To read the decision in Hafke v. Rossdale Group, click here.

    Why it matters: The court noted that only two federal appellate courts – the Fourth Circuit and the Ninth Circuit – have ruled on whether CAN-SPAM preempts state law, and both courts determined that it does.

    back to top