Advertising Law

Sen. Franken Hits Pause on Pokémon GO

After the Pokémon GO app was downloaded approximately 7.5 million times in the United States alone in its first week of release, Sen. Al Franken (D-Minn.), the chairman of the Judiciary Subcommittee on Privacy, Technology and the Law, wrote to the company about its privacy policy.

In a letter to John Hanke, CEO of Niantic, the California-based company behind the explosively popular game, the senator requested information about the app's data privacy, collection and sharing practices.

"I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users' personal information without their appropriate consent," Sen. Franken wrote. "When done appropriately, the collection and use of personal information may enhance consumers' augmented reality experience, but we must ensure that Americans'—especially children's—very sensitive information is protected."

Pokémon GO's own privacy policy suggests that Niantic can collect "a broad swath" of personal information from its players, the legislator said, that ranges from a user's general profile information to his or her precise location data and device identifiers. Users must affirmatively opt out of this collection, Sen. Franken noted, and the policy further provides that the data can be shared with "third-party service providers" for a non-exhaustive list of purposes.

Adding to the problem, media reports highlighted that Pokémon GO had full access to some users' Google accounts. Niantic responded quickly to this issue, the lawmaker acknowledged, but he asked for "continued assurance" that a fix will be implemented swiftly.

In light of these uncertainties, Sen. Franken sought "greater clarity" in how the company is addressing issues of privacy and security, particularly that of its younger players. For example, "exactly which information collected by Pokémon GO is necessary for the provision or implementation of services? Are there any other purposes for which Pokémon GO collects all of this information?" he asked.

Pokémon GO also requests permission to access a number of mobile capabilities, including the ability to control vibrations on a phone, the ability to prevent a phone from sleeping, and the capability to find contact accounts on the device. Again, Sen. Franken queried the purpose behind such requests, and wondered if they were necessary for the provision of services and if Niantic would consider making them opt in as opposed to opt out.

Looking for more details on "third-party service providers," the letter requested a list of the third parties as well as an "exhaustive[]" description of the purposes for which Pokémon GO shares or sells user data to third parties.

As for child users, Sen. Franken wondered how Niantic ensures that parents provide meaningful consent for their child's use of the app and the collection of their personal information.

Finally, he requested an update on the fix to the Google access issue and confirmation that Niantic never collected or stored any information it acquired as a result of the mistake.

To read Sen. Franken's letter to Niantic, click here.

Why it matters: While Niantic previously said that Google access was an error and that the company fixed the bug, this and other issues surrounding the hugely popular virtual game generated enough headlines to trigger a closer look by Sen. Franken. The notorious privacy advocate (who has pushed for data security legislation and sent similar letters to other companies regarding privacy issues, including Uber) pushed for a clarification of the app's privacy policy, including what information is being shared and with whom, as well as the logic behind an opt-out system in lieu of opt-in. As with similar developments in the popular app space, developers are on notice that with mass adoption of their games come scrutiny and skepticism about how and what user information is collected and used.

back to top

Can FTC Protect Kids From IoT? Senator Expresses Concern

The intersection of the Internet of Things and children's toys merited a letter from Sen. Mark Warner (D-Va.) to Federal Trade Commission Chair Edith Ramirez, in which he expressed concern about so-called "smart toys" and mobile apps.

"With the increasing prevalence of connectivity and data processing abilities in children's toys and other household products, consumers must now evaluate and weigh new—and complex—risks to their children's safety and privacy," Sen. Warner wrote.

He cited instances such as dolls that record conversations and store the data in the cloud where it can be accessed by hackers. He also noted, as co-chair of the Senate Cybersecurity Caucus, a data breach that occurred last year where the personal information of an estimated 6.4 million children who played with a VTech smartphone toy was exposed.

When Congress enacted the Children's Online Privacy Protection Act in 1998, legislators "never envisioned" that the legislation would need to be applied to interconnected devices such as baby monitors and stuffed animals, Sen. Warner noted.

"The ever-declining cost of digital storage and Internet connectivity have made it possible to connect an unimaginable range of products and services." "As the Internet of Things expands to include millions of additional devices each day, more and more Internet-connected devices are making their way into children's hands. This steady increase makes our efforts to protect children's data even more imperative."

Although the FTC is "already leading the way" on IoT issues, Sen. Warner urged the agency to work with members of Congress to "identify ways that we can better protect our children as technology changes the way they access and use the Internet." To that end, he posed several questions for the Commission.

Does current law provide the FTC with sufficient regulatory authority to protect children in the age of the IoT? And has the agency changed its position that IoT-specific legislation would be premature?

Sen. Warner also asked how the FTC determines if a device, website, or app is directed to children, whether current mechanisms for parental consent are clear and sufficient—particularly in the context of online purchasing—and whether parents have an effective means by which to revoke consent.

To read Sen. Warner's letter to the FTC, click here.

Why it matters: Children are becoming increasingly vulnerable to identity theft and other privacy violations as the number of IoT toys and apps proliferates. While the lawmaker acknowledged that technological innovation can benefit consumers, he encouraged the agency to strengthen its efforts to protect children's personal information.

back to top

NAD: Disclosures Lacking in Ads for "Worry-Free" Computer

Although MyGait LLC could support claims that its Elite II Computer was "designed for seniors," the National Advertising Division recently recommended that the company modify its product benefit claims and disclosures about how to obtain technical support.

The self-regulatory body took a closer look at ads that appeared in the American Association for Retired Persons' monthly newsletter, as well as claims that appeared on MyGait's website, promoting the company's $999 computer that is designed to meet the needs of elderly consumers. Express claims included "The failure-free, worry-free computer designed just for seniors," "Does everything a costly complicated computer does," and "Lifetime Unlimited Support** ** Computer includes a worry-free $19.95 monthly service program."

Noting that technology and Internet connectivity are "integral parts of modern life in the United States," the NAD expressed concern that MyGait's ads implied the one-time purchase price of $999 provided a purchaser with worry-free technical support. In reality, the purchase price did not include a mandatory and separate $19.95 monthly charge for the support program.

Particularly when considering the vulnerable nature of the audience targeted by the ads, "the advertiser's 'failure-free' and 'worry-free' claims are directly tied to its computer, not to its monthly service program," the NAD wrote. "NAD noted that without the advertiser's ongoing service, its computer is not particularly 'failure-free' or 'worry-free.'"

These claims should be modified "to ensure that consumers understand that the benefit is related to the purchase of the MyGait service program, not the purchase of the MyGait computer alone," the self-regulatory body said.

MyGait's functionality claims were similarly overbroad. The NAD took issue with the claim that the computer "Does everything a costly complicated computer does." For example, the MyGait computer included a word processor but did not have a CD-ROM drive, photo or video editing software, or spreadsheet and slideshow development programs.

"This simplification pares away some of the functionality available on more standard personal computers—the very functionality that makes them more 'complicated,'" the NAD said. "While the MyGait [computer] may provide its consumers with the functionality it believes its consumers need (and in a way that is easily accessible and understandable), it does not provide all of the complex functionality that many other personal computers provide."

The NAD's most fundamental concern "was the manner in which the advertiser disclosed the fact that, to attain most of the benefits of purchasing a MyGait computer, consumers must also purchase the advertiser's 'worry-free $19.95 monthly service program.'" Print ads touted numerous features of the computer without informing consumers that they would not obtain such benefits simply with the one-time purchase of the computer.

"What is actually being marketed are the benefits that senior citizen consumers can attain by purchasing a product and service plan in combination: the MyGait computer and the MyGait worry-free service program," the NAD wrote. The NAD found that the advertising reasonably conveys the unsupported message that consumers can attain these benefits by simply making a one-time purchase of the physical MyGait computer. To avoid the potential for any consumer confusion, NAD recommended that the advertiser modify its main claims to "expressly state that the claimed benefits require the purchase of its computer together with a monthly service program."

The NAD was not persuaded by the advertiser's position that consumers learned about the cost of the recurring monthly fee at some point prior to purchase. "NAD has held that disclosure of material terms must be within the four corners of the advertising in which the related claim appears," the decision emphasized. "Reviewing the claims in the context in which they appear, NAD found that consumers, particularly less technologically savvy consumers, would not understand that the advertiser's product benefits necessarily requires two interrelated purchases … not one."

To read the NAD's press release about the decision, click here.

Why it matters: While addressing claims and marketing practices for a product directed specifically to mature consumers, the NAD decision offers some valuable lessons for advertisers generally. In addition to providing a reminder that the self-regulatory body will consider the audience targeted by the advertiser—in this case, a vulnerable population—the NAD reiterated the importance of disclosures. "Clear and conspicuous disclosures should specifically be easily noticed, read and understood by the audience of consumers targeted by the advertising," according to the decision.

back to top

Crossed Lines on Cross Border Certification, FTC Cautions

The Federal Trade Commission sent warning letters to 28 companies that touted their certified participation in the Asia-Pacific Economic Cooperation's Cross Border Privacy Rules.

The self-regulatory rules are designed to facilitate the protection of consumer data transferred across the APEC region, which consists of 21 Pacific Rim member economies including the United States. The APEC CBPR system is based on eight data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability. To participate, companies must undergo a review by an APEC-recognized Accountability Agent to establish their compliance with program requirements and undergo annual reviews to retain their status as certified participants.

In a sample letter published by the agency (recipients were not identified), the FTC expressed concern that the companies were violating Section 5 of the Federal Trade Commission Act with such claims.

"[O]ur records indicate that your organization has not taken the requisite steps to be able to claim participation in the APEC CBPR system, such as undergoing a review by an APEC-recognized Accountability Agent," wrote Maneesha Mithal, Associate Director of the FTC's Division of Privacy and Identity Protection.

Companies that falsely claim participation in the APEC CBPR system may be subject to an enforcement action, Mithal warned, noting a recent case involving Very Incognito Technologies, Inc. The manufacturer of hand-held vaporizers settled with the agency in May after the FTC charged it with falsely representing its participation in the certification system. The company agreed to a prohibition on future misrepresentations about participation, membership, or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.

Letter recipients were given a choice about the next step. The FTC instructed that the companies "immediately remove" all representations that could be construed as claiming APEC CBPR participation from their websites, privacy policy statements, and any other public documents, and contact the agency within 45 days to inform it of the removal.

Alternatively, if the organization has in fact undergone the review and certification required to support the claim that the company is certified to participate in the APEC CBPR system, the FTC should be notified.

"To protect the integrity of the APEC CBPR system, we reserve the right, if a timely and satisfactory response is not received, to take appropriate legal action," Mithal wrote.

To read a sample warning letter from the FTC, click here.

Why it matters: Advertisers beware: the FTC has stepped up enforcement of claims of participation in the APEC CBPR system. In May, the FTC settled its first case related to a deceptive claim of participation, followed by the delivery of 28 warning letters. Similarly, the FTC has brought several actions against companies that have falsely represented their certification under the Department of Commerce's Safe Harbor Program for allowing transatlantic transfers of data from the European Union to the United States. These matters remind companies to ensure their affiliation and compliance with data protection safe harbors before publicly representing their participation.

back to top