Advertising Law

ANA, 4As Battle Over Transparency Guidance

Two industry groups are engaging in a public battle over transparency.

The dispute began when a joint task force was formed between the American Association of Advertising Agencies (4As) and the Association of National Advertisers (ANA) to produce a set of transparency principles for agencies, advertisers, and media vendors.

When the 4As released the Transparency Guiding Principles of Conduct in January that addressed issues such as client/agency relationships for media planning and buying services and client/agency governance, they were published without ANA support.

The ANA said it withdrew support to wait for the results of a study. Released in June, that study concluded that non-transparent business practices (such as cash rebates to media agencies) are a serious problem in the ad-buying ecosystem. With the study results in hand, the ANA then published its Guidelines for Achieving Media Transparency, as part of a new report, “Media Transparency: Prescriptions, Principles, and Processes for Marketers.”

In addition to providing an agency agreement template for marketers to use, the ANA recommended that advertisers require their agencies to disclose “all potential conflicts of interest” and create a new chief media officer role tasked with ensuring full transparency by agencies and related companies.

“We outlined actions marketers should consider to diminish or eliminate non-transparent and non-disclosed agency activities and to ensure that their media management processes are optimized,” ANA President and CEO Bob Liodice said in a statement about the new guidance.

But the 4As reacted just as the ANA responded to its guidance, with a rejection.

“We have reviewed the recommendations in the [ANA guidance] and feel they are not all consistent with what many of our members have said their clients are asking for in their MSAs,” Nancy Hill, the President and CEO of the 4As, said in a statement. “As such, we continue to believe that contractual negotiations are best left between agencies and clients. We urge transparency and recommend agencies use as guidance the 4As’ Transparency Guiding Principles of Conduct, which were designed to identify material media transparency questions and address them with constructive dialogue and pragmatic courses of action.”

To read the 4As’ Transparency Guiding Principles of Conduct, click here.

Why it matters: Although both organizations agree on the importance of media transparency, they have different opinions on which group’s guidance should be followed. A resolution may be possible, as the 4As has indicated its willingness to sit down with the ANA “to explore common ground and try to address important questions and concerns regarding media buying practices for both agencies and marketers.”

back to top

U.S. Olympic Committee Sued Over Social Media Olympic Rules

Although the 2016 Summer Olympics have come to an end, the U.S. Olympic Committee is still facing a lawsuit accusing it of “exaggerating” the strength of its legal rights to the detriment of advertisers.

Prior to the Olympics, the USOC cautioned businesses to avoid “social media posts that are Olympic themed, that feature Olympic trademarks, that contain Games imagery or congratulate Olympic performance unless you are an official sponsor.” It sent a warning letter to non-sponsor companies cautioning them against using the Olympics’ trademarks, even in hashtags (such as #Rio2016 and #TeamUSA).

One company decided to fight back.

A small carpet cleaning business in Minnesota, Zerorez communicates with customers on Facebook and Twitter on a variety of topics including holidays, cleaning tips and pets. With the Olympics on the horizon, the company anticipated discussing the event, contemplating social media posts such as: “Congrats to the 11 Minnesotans competing in 10 different sports at the Rio 2016 Olympics! #rioready” and “Are any Minnesotans heading to #Rio to watch the #Olympics? #RoadToRio.”

But when faced with the USOC’s Olympic and Paralympic Brand Usage Guidelines—which cautioned advertisers about the Committee’s marks in any form of advertising and stated that any use of the trademarks on a non-official sponsor site would be viewed as commercial in nature and consequently prohibited—Zerorez said it elected not to engage.

“But for the USOC’s Actions, Policies, and threats, Zerorez would exercise its First Amendment rights by discussing the Olympics on social media,” according to the company’s Minnesota federal court complaint, arguing that the Committee violated the First and Fourteenth Amendments to the Constitution. “The USOC’s Actions, Policies, and threats have had the effect of chilling, silencing, and censoring Zerorez’s speech about the Olympics on social media.”

Zerorez requested declaratory relief from the court in the form of an order that it “is possible for businesses, including those that are not official Olympic sponsors, to mention the Olympics, Olympic results, and Olympic athletes on social media without violating the legal rights of the U.S. Olympic Committee” and that the “mere mention of the Olympics, Olympic results, and Olympic athletes, by a business not sponsoring the Olympics is not necessarily a violation of the rights of the U.S. Olympic Committee.”

To read the complaint in HSK LLC v. United States Olympic Committee, click here.

Why it matters: The Olympics are over but the plaintiff’s complaint argued that the action remains relevant for subsequent Olympic events, such as the Winter Olympics and the Paralympics. Plaintiff requested that the court recognize that the “USOC violated fundamental Constitution rights” and that “[s]peech is not commercial in nature merely because it is on a business’s social media account.”

back to top

FTC Sets Standard for Consumer Harm in LabMD Decision

In an opinion authored by Federal Trade Commission Chairwoman Edith Ramirez, the three-member Commission determined that LabMD engaged in unreasonable data security practices in violation of Section 5 of the Federal Trade Commission Act, reversing an initial decision by an administrative law judge (ALJ).

From 2001 until 2014, LabMD operated as a clinical laboratory conducting tests on patient specimen samples and reporting the test results to its physician customers. Over the years, LabMD collected sensitive personal information—including medical information—from over 750,000 patients, including their names, addresses, Social Security numbers, diagnosis codes, and insurance information.

But according to a complaint filed by the FTC in August 2013, LabMD did not have basic data security practices in place for its network, which lacked file integrity monitoring or an intrusion detection system. According to the agency, the company also failed to provide data security training to employees in violation of its own internal compliance program, it neglected to update its software and protect against known vulnerabilities, it utilized a lax password policy, and it provided administrative rights to employees over their computers.

For example, employees had the ability to change security settings and download software applications and files from the Internet, including peer-to-peer file-sharing applications that were unrelated to the business. Using a P2P network, a forensic analyst discovered and downloaded a copy of one of LabMD’s reports that contained 1,718 pages of sensitive personal information for approximately 9,300 consumers.

Even after the analyst informed the company the data had been exposed, LabMD failed to improve its data security efforts, the FTC alleged, or notify the affected patients.

LabMD responded to the complaint with a motion to dismiss, challenging the FTC’s authority to bring the enforcement action. That argument was rejected by the Commission as well as a district court judge and the Eleventh Circuit Court of Appeals in a collateral attempt to enjoin the action in federal court.

After an evidentiary hearing, an ALJ, in dismissing the complaint, determined that the FTC’s counsel had failed to prove that LabMD’s computer data security practices “caused” or were “likely to cause” substantial consumer injury as required by Section 5.

On appeal, the full Commission concluded that the ALJ applied the incorrect standard for unfairness. The central focus of any inquiry regarding unfairness is consumer injury, as determined on a case-by-case basis.

In the case of LabMD, the file obtained by the analyst contained a host of personal information about patients. In addition, FTC counsel introduced evidence of a range of harms that can and do result from the unauthorized disclosure of sensitive personal information contained in the file. In applying a test recognized by federal, state courts and federal law, Chairwoman Ramirez concluded that, “the exposure of sensitive medical and personal information via a peer-to-peer file-sharing application was likely to cause substantial injury and that the disclosure of sensitive medical information did cause substantial injury.”

The sensitive personal information contained in the file “was exposed to millions of online P2P users, many of whom could have easily found the file,” the FTC said, and the file was available over an extended period of time. While the ALJ noted that no evidence existed that the patients had been victims of identity theft or suffered any harm, “given the absence of notification by LabMD, a lack of evidence regarding particular consumer injury tells us little about whether LabMD’s security practices caused or were likely to cause substantial consumer injury,” the Commission wrote. “We need not wait for consumers to suffer known harm at the hands of identity thieves.”

The Commission noted that “there were many free or low-cost software tools and hardware devices” and low-cost employee training programs available for LabMD to use, and that the company also “could have purged the personal information of consumers for whom it never performed testing.”

Writing that the FTC was applying the “same basic data security standard it has consistently articulated for nearly fifteen years,” the Commission rejected LabMD’s fair notice and due process objections. “Our complaints, as well as our decisions and orders accepting consent decrees … make clear that the failure to take reasonable data security measures may constitute an unfair practice,” according to the opinion. “Those complaints, decisions, and orders also flesh out the specific types of security lapses that may be deemed unreasonable.”

Having found the company violated the FTC Act, the Commission entered an order “that will ensure LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession,” Chairwoman Ramirez said. The FTC ordered LabMD to notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.

To read the opinion and order in In the Matter of LabMD, Inc., click here.

Why it matters: Frequently citing the Third Circuit Court of Appeals’ decision in the FTC v. Wyndham Worldwide Corp. case, the Commission’s opinion reiterated the FTC’s authority to regulate data security practices and made clear that the agency believes the exposure of personal information, even without evidence of compromise or misuse, is likely to cause substantial consumer injury and create liability under Section 5 of the FTC Act. LabMD disagrees and reportedly plans to appeal the opinion, potentially setting the stage for another showdown on the FTC’s power to regulate data security practices.

back to top

Zipping Out of Court: D.C. Circuit Tosses Privacy Suit

In a victory for the defendants in a zip code class action, the D.C. Circuit Court of Appeals dismissed a case against Urban Outfitters and Anthropologie based on the retailers’ request that consumers provide zip codes at the time of purchase.

Whitney Hancock and Jamie White made purchases using a credit card at retail stores Urban Outfitters and Anthropologie. In both transactions, the cashier first swiped the card and then asked for the customer’s zip code, which was entered into the store’s point of sale register.

Hancock and White alleged the transactions violated D.C.’s Use of Consumer Identification Information Act, which provides that no party may “request or record” the address or telephone number of a credit card holder as a condition of accepting a credit card as payment for a sale.

A federal court judge granted the retailers’ motion to dismiss and the plaintiffs appealed. The D.C. Circuit Court took a step back to consider the jurisdictional question of whether the plaintiffs had standing, ruling that they did not.

Although the plaintiffs told the court that a statutory violation was sufficient to satisfy the requirements of Article III standing, the court disagreed.

“The complaint here does not get out of the starting gate,” the three-judge panel wrote. “It fails to allege that Hancock or White suffered any cognizable injury as a result of the zip code disclosures. Indeed, at oral argument, Hancock’s and White’s counsel candidly admitted that ‘the only injury … that the named plaintiffs suffered was they were asked for a zip code when … [under] the law they should not have been.’ In other words, they assert only a bare violation of the requirements of D.C. law in the course of their purchases.”

In the U.S. Supreme Court’s recent decision on standing, Spokeo v. Robins, the Justices explained that an asserted injury even to a statutorily conferred right “must actually exist,” and must have “affect[ed] the plaintiff in a personal and individual way.” Some statutory violations could result in no harm, the Court said.

“The Supreme Court’s decision in Spokeo thus closes the door on Hancock and White’s claim that the [defendants’] mere request for a zip code, standing alone, amounted to an Article III injury,” the D.C. Circuit wrote. “[A] plaintiff cannot ‘allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.’ ”

Hancock and White did not allege any invasion of privacy, increased risk of fraud or identity theft, or pecuniary or emotional injury, the panel noted. “And without any plausible allegation of Article III injury, the complaint fails to state a basis for federal court jurisdiction.”

Vacating the district court’s dismissal motion, the federal appellate panel remanded the case with instructions to dismiss the complaint for lack of jurisdiction.

To read the opinion in Hancock v. Urban Outfitters, click here.

Why it matters: Class actions based on a retailer’s request for a zip code took off after the California Supreme Court’s decision in Pineda v. Williams-Sonoma in 2011, where the state’s highest court ruled that zip codes are considered “personal identification information” under a state statute and that retailers could not request and record the data. The cases spread to other jurisdictions including Massachusetts and the District of Columbia. With the Hancock decision, retailers in D.C. can breathe a sigh of relief as long as a plaintiff sticks simply to statutory violations and doesn’t allege additional injury such as invasion of privacy or emotional injury.

back to top

News and Views

Legal Newsline interviewed Marc Roth, co-chair of the firm’s TCPA compliance and class action defense practice, about TCPA lawsuits in the banking industry for an article titled “TCPA Settlements Continue to Cost Banks Millions.” The most problematic part of TCPA compliance, Roth told Legal Newsline, is that it can be entirely out of a company’s control. When a company attempts to contact a consumer who had consented to contact but for whatever reason abandons the number, the company can still be held responsible for TCPA violations when the number is reassigned to another party. “So even if I have consent from you to contact you on your cellphone, and you abandon that number, and it gets assigned to someone else, and I call it thinking it’s you, I have liability,” Roth explained. “That’s the dangerous part—that it’s out of my control.”

Roth also talked to Bloomberg BNA about the FCC’s updates for companies seeking to collect on student loans, mortgages and other debts. The greatest change, Roth highlighted, is that debt collectors can use “skip tracing,” or the process of obtaining a borrower’s undisclosed phone number through a third party service, to make a covered robocall or robotext. “That, to me, is a sea change,” Roth said. “In no other event under the TCPA can you call someone on a cell phone using a number not provided by the consumer.”

back to top

Most Read Stories

In case you missed any, here are our top 10 most widely read stories in July:

1. Sen. Franken Hits Pause on Pokémon GO
2. Julia Child's Foundation Hungry for a Publicity Rights Lawsuit
3. Wikipedia Link Trips up Ninth Circuit False Ad Suit
4. "Natural" Claims Cost Seventh Generation $4.5M
5. VW Will Pay $14.7B in Largest FTC False Ad Suit
6. iHeartMedia Hearts a Deal: $8.5M in TCPA Suit
7. Ad Company's Geotargeting Locates a $1M Penalty
8. TCPA Case Still Not Moot, California Court Holds on Remand
9. Revlon's "Age Defying" Product Line Defies Class Action With $900,000 Deal
10. FCC: U.S. Government Is Not a Person Under TCPA

back to top



pursuant to New York DR 2-101(f)

© 2023 Manatt, Phelps & Phillips, LLP.

All rights reserved