

    Wyndham's Misrepresentations About Security Lead to FTC Suit

    Three data security failures in less than two years that caused millions of dollars in loss constituted a violation of the Federal Trade Commission Act, the agency alleged in a new suit against Wyndham Worldwide Corporation.

    The hotel company and three subsidiaries misrepresented security measures in Wyndham's privacy policy, the FTC said.

    "Since at least April 2008, defendants failed to provide reasonable and appropriate security for the personal information collected and maintained . . . by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."

    Since 2008 the Wyndham Web site has stated: "We recognize the importance of protecting the privacy of individual-specific information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program. . . . We safeguard our customers' personally identifiable information by using standard industry practices."

    But the FTC said "repeated security failures" had occurred over the last three years. Specifically, the defendants failed to use complex user IDs and passwords, did not implement firewalls and network segmentation between the hotels and the corporate network, and improperly used software configurations that stored sensitive payment card information as clearly readable text, the agency alleged.

    According to the FTC, when intruders gained access to a Wyndham hotel computer network in Phoenix, Arizona, they were able to connect to the entire corporate network of Wyndham hotels and property management servers. There they found payment card account information in clear, readable text and were able to install "memory-scraping" malware, which resulted in the compromise of more than 500,000 payment card accounts.

    Wyndham failed to remedy the security problems after the first breach and suffered two more breaches in March 2009 (upwards of 50,000 consumer payment accounts were compromised) and in late 2009 (when 69,000 accounts were accessed), the agency claimed. Both breaches resulted in fraudulent charges on consumers' accounts totaling more than $10.6 million.

    The failure to safeguard personal information and misrepresentations found in Wyndham's privacy policies constitute unfair and deceptive practices in violation of the FTC Act, according to the agency's complaint.

    To read the complaint in FTC v. Wyndham Worldwide Corporation, click here.

    Why it matters: The suit reinforces the agency's focus on data security and privacy issues and reminds companies to carefully draft and observe the promises made in their privacy policies.


    Consumer Groups Take Aim at Claritin's Ad Campaign

    Objecting to a new advertising campaign by Children's Claritin, the Campaign for a Commercial-Free Childhood, the Center for Digital Democracy and other groups wrote to the Federal Trade Commission arguing that the company's social media promotions violate the agency's policy against marketing over-the-counter products to children.

    According to a letter authored by the Public Health Advocacy Institute, Merck customized its packaging for Children's Grape Chewables and Grape Syrup products and launched a series of tie-in promotions geared to coincide with the June 2012 release of Madagascar 3, an animated children's movie. The letter was also signed by the Berkeley Media Studies Group, Campaign for a Commercial-Free Childhood, Center for Digital Democracy, ChangeLab Solutions, and Corporate Accountability International.

    The promotions included free movie tickets with the purchase of a Claritin product at designated retailers, the inclusion of Madagascar character stickers with the product, and free, downloadable activity guides inspired by Madagascar characters on the Claritin Facebook page.

    In addition, Merck's "Children's Claritin Mom Crew" – a group of bloggers selected by the company as product endorsers – held viewing parties to watch the movie. An online search of the bloggers' sites revealed photographs of children's food placed on tables near product samples of Children's Claritin and children posing with Claritin product samples.

    The groups argued that since 1977, the agency has taken the position that children are unqualified to know whether or not they need products such as vitamins, a position that extends to over-the-counter drugs.

    "Merck's use of Madagascar characters exploits this vulnerability and is unfair and deceptive. The Madagascar campaign for Children's Claritin may induce children to request Merck's brand-name OTC drug, describe symptoms in order to get a sticker or to get medicine perceived to be candy. In addition, the inclusion of stickers with Children's Claritin is an invitation for children to seek out the drug on their own."

    Noting that the Madagascar 3 promotion is the company's first with an entertainment product, the letter asks that the FTC "send a clear message" before it becomes a widespread trade practice.

    "Marketing materials designed to appeal to children, like those used in Merck's Madagascar 3 campaign for its Children's Claritin products, violate the Commission's long-standing precedent in this area and are inherently unfair and deceptive," the groups contend.

    To read the letter to the FTC, click here.

    Why it matters: The FTC's 1977 decision held that television and print advertisements using Spider-Man to market vitamins directly to children were unfair and deceptive. "The same holds true, if not more so, with respect to OTC drugs," the groups argued in their letter to the agency. Merck told Adweek that it was reviewing the complaint. "We advertise in appropriate venues to reach parents and not directly to reach children themselves," a spokesperson said. "The advertising is directed to the parents of the children viewing the movies, not to the children themselves."


    Facebook "Likes" California AG's App Agreement

    Signing on to an agreement between the California Attorney General and six major Internet companies – Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion – Facebook announced that it too will require app developers to post links to their privacy policies if the applications collect personal data from users.

    In February, the six operators of mobile application platforms agreed to improve privacy protections for consumers. The agreement with California AG Kamala D. Harris conforms to the AG's position that mobile app developers are bound by the state's Online Privacy Protection Act, which requires companies to post their privacy policies if they collect personal information such as names, e-mail addresses and phone numbers from state residents.

    The agreement contains four compliance principles. The companies agreed to (1) recognize that the Act applies to mobile apps, (2) create a data field for a hyperlink to the app's privacy policy or the text of the privacy policy itself to allow developers to comply with the law, (3) establish a format for consumers to report apps that do not comply with their privacy policies, and (4) implement a process for responding to the reported noncompliance.

    In a letter to Harris requesting that Facebook become a signatory to the agreement, its chief privacy officer Erin M. Egan wrote that the company was "guided by the principles" of the agreement when it built the App Center, a new feature that functions as a search engine for apps designed for use on the social networking site.

    Facebook said that any application in its App Center will be required to include a privacy policy to inform consumers about what information it collects and how that information will be used.

    "The App Center provides a centralized place where our users can learn more about participating Facebook apps, read their privacy policies, and, where necessary, report problems. We are committed to building transparency, control, and accountability into all of our products, and we believe that the App Center empowers users to learn about the policies that will apply to data collected when they use mobile apps included in the Facebook App Center and to make informed choices about which apps they wish to use," Egan wrote.

    To read AG Harris' press release about Facebook's inclusion in the agreement, click here.

    Why it matters: The intersection of mobile devices and privacy concerns has received a great deal of attention recently. Three different agencies are addressing various issues relating to the topic. The Federal Trade Commission said it plans to include guidance in its forthcoming update to the "Dot Com disclosures," and the Federal Communications Commission is seeking comment on how wireless service providers store customer information on their devices. In addition, the Commerce Department's National Telecommunications and Information Administration is holding meetings as it begins the process of establishing privacy guidelines for mobile applications.


    ADA Applies to Online Businesses, Court Rules

    Finding that the Americans with Disabilities Act (ADA) applies with equal force to online businesses, a U.S. District Court judge declined to dismiss a lawsuit against Netflix for failing to provide captions for Web video streams.

    The National Association of the Deaf filed suit against the video service provider under Title III of the ADA, which prohibits discrimination against those with disabilities in "place[s] of public accommodation."

    Netflix moved to dismiss the suit, arguing that the ADA applies strictly to brick-and-mortar entities.

    But U.S. District Court for the District of Massachusetts Judge Michael A. Ponsor ruled that the Act is not limited to actual physical structures.

    "In a society in which business is increasingly conducted online, excluding businesses that sell services through the Internet from the ADA would 'run afoul of the purposes of the ADA and would severely frustrate Congress's intent that individuals with disabilities fully enjoy the goods, services, privileges and advantages, available indiscriminately to other members of the general public.'"

    Accordingly, the Netflix Web site falls within the definition of public accommodations as set forth in various categories enumerated in the ADA, Judge Ponsor concluded.

    The site qualifies as a "service establishment" as it provides consumers the ability to stream video programming; is a "place of exhibition or entertainment" in that it displays movies, television programming, and other content; and is a "rental establishment," because it charges customers a fee for the rental of video programming.

    Further, even services accessed in a private residence constitute a "place of public accommodation" under the Act, the court said. "The ADA covers the services 'of' a public accommodation, not services 'at' or 'in' a public accommodation. . . . While the home is not itself a place of public accommodation, entities that provide services in the home may qualify as places of public accommodation."

    To read the court's order in National Association of the Deaf v. Netflix, click here.

    Why it matters: Judge Ponsor engaged in a very broad interpretation of the Act and went further than prior court decisions in finding that the ADA applied to online businesses. A federal court in California previously held that because defendant Target operated brick-and-mortar stores, its Web site was connected to its physical locations. Opting not to appeal the decision, Target settled the suit for $6 million and made changes to its Web site. Now companies with an online presence should be aware of the growing body of law recognizing the application of the ADA to Internet businesses.


    Red Bull Gives You Wings – and Spam?

    Red Bull sent unsolicited text messages to consumers nationwide in violation of the Telephone Consumer Protection Act, a new federal class action claims.

    The texts began in 2011, plaintiff Thi Thieu Miller alleges, and were sent without her consent. On January 30, she received a text message that read "Red Bull: Give us your biggest, coolest, most amazing idea and Red Bull could Give YOU Wings," and included the URL for a Red Bull Web site.

    On May 2 she received another message, this time asking "Red Bull: Are you influential? Get Red Bull perks based on your Klout score," again with a Red Bull Web site link.

    According to the complaint, she was denied the opportunity to opt out of receiving future messages, she suffered actual harm in the form of aggravation and nuisance, and she incurred a monetary loss by having paid money to her wireless carrier for the receipt of the messages.

    In seeking to certify a nationwide class, Miller claims that Red Bull sent, or directed a third party to send, the texts using an automated telephone dialing system. She asked the court for injunctive relief as well as statutory damages of $500 per violation under the TCPA, to be trebled upon a finding that the defendant's conduct was willful and knowing.

    To read the complaint in Miller v. Red Bull, click here.

    Why it matters: Class actions alleging TCPA violations over unsolicited text messages are becoming increasingly common. Companies such as Taco Bell and Payless ShoeSource (which recently paid $6.25 million to settle a case) have faced similar suits.
