State Attorneys General
On December 6, 2023, Federal Communications Commission Chairwoman Jessica Rosenworcel announced a new initiative to strengthen and formalize the cooperation between the FCC and its state partners on privacy, data protection and cybersecurity enforcement matters.
As part of the work of the FCC’s Privacy and Data Protection Task Force, the FCC’s Enforcement Bureau has signed Memoranda of Understanding with Attorneys General of Connecticut, Illinois, New York and Pennsylvania to share expertise, resources and coordinated efforts in conducting privacy, data protection and cybersecurity-related investigations to protect consumers.
The Memoranda of Understanding
The new MOUs affirm that the FCC and State Attorneys General “share close and common legal interests in working cooperatively to investigate and, where appropriate, prosecute or otherwise take enforcement action in relation to privacy, data protection or cybersecurity issues” under sections 201 and 222 of the Communications Act.
Coordinated action and information sharing will take place under all applicable federal and state laws, and privacy protections.
Federal and State Comments
FCC Chairwoman Rosenworcel said, in pertinent part, that “[d]efending consumer privacy is an all-of-government responsibility and a shared challenge. Today we take on evolving consumer threats with new formal partnerships with state law enforcement leaders, which have already been successful in obtaining record-breaking results in combatting illegal robocalls.”
FCC Enforcement Bureau Chief Loyaan A. Egal said, in pertinent part, that “[u]se of information and communications technology and services have significantly enhanced our lives while at the same time increasing vulnerabilities to our privacy and sensitive data.
On October 18, 2023, the Federal Trade Commission announced that it has agreed to a $3.4MM settlement with New Jersey for-profit Sollers College over alleged deceptive ads that lured prospective students into unlawful contracts, purportedly falsely touting relationships with prominent employers and inflating job placement rates. The charges were brought by the FTC and the state of New Jersey.
According to the FTC’s complaint, Sollers, and its parent company, used their website, social media, and email campaigns to falsely advertise their partnerships with prominent employers in the fields of information technology, clinical research and drug safety. According to the complaint, Sollers falsely claimed that its partnerships with prominent employers, such as Pfizer, Weill Cornell Medicine, and Infosys, resulted in jobs for its graduates at those companies. Many of the businesses featured on Sollers’ website had no partnership with the school at all, says the FTC.
The complaint states that, since at least 2018, Sollers advertised that the vast majority of Sollers graduates are placed in jobs. For example, the company purportedly advertised, “90% of our students are placed within 3 months of graduation,” on its website. In reality, the job placement rate for Sollers graduates is substantially lower than the 80 percent, 82 percent, 90 percent or “near perfect” rates featured prominently on its website and in its advertising campaigns, the FTC states. According to the FTC, the school’s own data suggests that the current job-placement rate for graduates of its Life Sciences programs remains as low as 52 percent.
On October 10, 2023, California Governor Gavin Newsom signed the Delete Act (SB 362). The Act is new legislation that requires businesses that meet the definition of “data broker” to provide detailed disclosures about their practices, register with the state and delete any personal information relating to a California resident upon receiving a verifiable deletion request.
The Act requires the California Privacy Protection Agency to establish a simple deletion mechanism that permits individuals to submit deletion requests that data brokers must adhere to starting August 1, 2026. Importantly, beginning in 2028 data brokers will be subject to audits intended to demonstrate compliance with the Act.
What Businesses are Covered Under the Act?
The Delete Act defines “data broker” as a business that knowingly collects and sells personal information of a consumer that it does not have a direct relationship with, to third parties. Excluded are certain entities that may be covered by various federal and state laws relating to data, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act and the California Insurance Information and Privacy Protection Act.
Data brokers must register with the CPPA and pay registration fees, as well as fees for access to the deletion mechanism.
What are the Applicable Registration and Disclosure Requirements?
Data brokers are required to register with the CPPA on or before January 31 for each year that they meet the statutory definition of “data broker.” In fact,
FTC advertising compliance and defense attorney Richard B. Newman was recently quoted in an article for Cybersecurity Law Report titled “Xbox and Alexa COPPA Case Lessons: Avatars, Biometrics and Other New Expectations.”
The article discusses the FTC’s recent privacy enforcement run and how it reinforces regulators’ expanding expectations for companies using video and audio recordings, smart devices and AI. The article further discusses recent agency settlements with Microsoft, Amazon and educational technology provider Edmodo that drew $51 million in penalties, broke new ground on the Children’s Online Privacy Protection Act Rule enforcement and signaled new expectations for all companies’ privacy compliance.
In discussing how COPPA is a tool for financial penalties and how these cases highlight the value of COPPA enforcement to the FTC versus its Section 5 authority under the FTC Act, Mr. Newman noted that “[i]n Amazon, obviously, the $25‑million settlement amount leaps out” for Alexa’s improper retention of voice recordings in violation of COPPA.
Mr. Newman further shared that “not just the FTC, but state attorneys general are becoming increasingly interested in expanding regulation of the use and sharing of consumer data, including geolocation data.”
While the FTC contests the issue at the federal level, data brokers and those that interact with them should expect that the plaintiffs’ class action bar and state AGs may lodge claims under state “little FTC acts” that echo the FTC’s July 2022 statement about geolocation data or the biometric one,
Florida has become the latest of approximately ten states to enact a comprehensive privacy law. On June 6, 2023, Governor DeSantis signed SB 262, which includes some new privacy provisions. Florida also recently passed a child privacy law that is notably similar to California’s Age Appropriation Act that becomes effective July 1, 2024.
The Florida Digital Bill of Rights Law
Covered entities (“controllers”) include those that earn $1 billion in global gross annual revenues and either (i) receive 50% of gross annual revenue from online ad sales; (ii) operate a consumer smart speaker and voice command service with an integrated virtual assistant through a cloud-connected service and hands-free verbal activation; or (iii) operate an app store or digital distribution platform that has at least 250,000 apps available for download.
Note, however, that non-covered entities that serve as data processors for covered entities may potentially be impacted. More specifically, such processors are required to support a covered entity’s compliance efforts and to maintain responsible contracts that include provisions governing data processing. In fact, the new law sets forth specific requirements that must be included in such data processing agreements.
Not unlike other states, the Florida Digital Bill of Rights Law has numerous exemptions and applies to consumer information. Exemptions include entities covered by HIPAA (and business associates), financial institutions and affiliates (subject to GLBA), non-profits, certain government entities, and higher education institutions. There are also specific data exemptions.
The Florida Telephone Solicitation Act (“FTSA”) has long been criticized for numerous reasons, including an overly broad and vague autodialer definition. Florida’s Governor recently signed HB 761, which makes significant, telemarketer-friendly changes to the FTSA (Fla. Stat. § 501.059).
Fewer Types of Telemarketing Equipment Covered
The amendments narrow the types of telemarketing equipment covered by the statute.
For example, prior to the amendments, autodialing restrictions applied to “automated system[s] for the selection or dialing of telephone numbers.” Now, the amended autodialing restrictions apply only to “automated system[s] for the selection and dialing of telephone numbers.” The foregoing effectively eliminates the legal argument that a dialing or texting platform falls under the statute even if the calling party manually selects or dials a telephone number to be called or texted.
Caveat: the amended version of the statute continues to restrict “the playing of a recorded message when a connection is completed to a number called, or the transmission of a prerecorded voicemail.”
Text Message Notice and Cure Period
The revised statute provides for a fifteen (15) day notice and cure period before a plaintiff is permitted to initiate formal legal action. For example, by responding “STOP” to a message.
Expanded Definition of “Signature”
The modified statute has a broadened definition of “signature” and includes “checking a box” and “responding affirmatively to receiving text messages.” Digital signatures may be acceptable to obtain prior express written consent provided that “such form of signature is recognized as a valid signature under applicable federal law or state contract law.”
Florida Telephone Solicitation Act class action cases that are not certified prior to the effective date of the statutory amendments are subject to the retroactive application of the new legislation.
As part of the independent, non-profit BBB National Programs, the National Advertising Division independently evaluates and regulates the truth and accuracy of national advertising. It also works to increase the public’s confidence in advertising. The NAD also offers a dispute resolution process for advertisers.
Recently, the NAD reviewed Pier 1’s automatic renewal subscription rewards loyalty program that charges consumers a recurring monthly or annual fee for product discounts, and free shipping and returns on select items. In doing so, the NAD recommended that the company provide enhanced “clear and conspicuous” disclosures.
As described by the NAD, items added to a consumer’s cart on the company website automatically include the rewards subscription via a pre-checked box. Additionally, the terms of the renewal subscription program appeared under the pre-checked box. According to the NAD, consumers are required to take affirmative action to uncheck the box to opt-out of the automatically renewing subscription and cost related thereto.
According to the NAD, one issue was whether promoting a lower price for a product or service is deceptive if that price is only made available to those that agree to the automatically renewing subscription. The other issue was whether the material terms of the automatic renewal subscription program were “clearly and conspicuously” disclosed prior to a consumer’s decision to make a purchase.
The NAD ultimately concluded that, unless the terms of the automatically renewing subscription are appropriately disclosed, it is misleading to promote a discounted price if the discount is only available when a consumer consents to a subscription.
On November 2, 2022, the Pennsylvania Office of Attorney General filed a lawsuit in federal court alleging that a group of companies offering lead generation services violated the Telemarketing Sales Rule and Pennsylvania consumer protection law. Specifically, the OAG alleges two unlawful advertising practices.
The first unlawful ad practice allegation is that the defendants utilized deceptive online advertisements to direct consumers to websites where they would purportedly be tricked into providing contact information and survey responses. The second unlawful ad practice allegation claims that consumers’ contact information and responses were sold to telemarketers despite numbers being on state or national Do Not Call registries.
As stated in the complaint, defendants operate “dozens of websites designed for lead generating” that advertise “gift cards to popular retailers and digital payments to mobile apps” for answering various survey questions. According to the OAG, the websites require visitors to provide personal contact information and click a box indicating consent to mouseprint disclosures stating that consumers will receive prerecorded calls and text messages from marketing partners (the names thereof are disclosed by a hyperlinked list). According to the OAG, these sellers’ products and services are oftentimes not related to the promotional offerings whatsoever.
Here, according to the OAG’s complaint, the websites violate state consumer protection law because they “create a likelihood of confusion or of misunderstanding” by “failing to include clear and conspicuous disclosures advising consumers that by registering their contact information with defendants they are purportedly consenting to be contacted by multiple third party sellers,
The Federal Trade Commission aggressively enforces the Restore Online Shoppers’ Confidence Act (“ROSCA”) against online marketers that offer Internet-based automatic renewals and subscriptions. Basically, ROSCA requires the clear and conspicuous disclosure of material terms, affirmative consent and certain cancellation requirements in online transactions.
The FTC has the ability to seek monetary relief, in addition to injunctive relief, for ROSCA violations. A violation of ROSCA is considered an unfair or deceptive act or practice which subjects sellers to civil monetary penalties. State attorneys general may also have a cause of action.
What are the Basics of a ROSCA Violation?
Some rather obvious components of a ROSCA violation include, but are not limited to, a misleading “risk-free” trial offer, an undisclosed charge if consumers do not quickly cancel the “risk-free” trial, an undisclosed automatic shipment program that sends consumers unordered merchandise, difficult to follow upsells that add another layer of confusion, unlawful charges to consumers’ credit or debit cards, difficult cancellation procedures, and straw owners that conceal operators’ activities and/or conceal operations from payment processing entities and banks.
Do Individual States Have Their Own Automatic Renewal Laws?
Automatic renewal and subscription laws (ARLs) are in place in a number of states. Many have even recently amended and bolstered their ARLs. Failure to comply can result in private plaintiff actions, class action lawsuits and regulatory action.
At the state level, approximately two-dozen states have implemented ARL legislation. Some states impose additional consent and disclosure requirements if the subscription begins with a free trial.
“Up to” representations in promotional materials often draw regulatory and private plaintiff scrutiny insofar as whether such claims are truthful and can be properly substantiated. Which begs the question … how can an advertiser lawfully substantiate “up to” claims?
It may depend upon various factors, including, but not limited to, the context in which the “up to” claim is made, whether the claim is unqualified, and whether applicable conditions, limitations, exclusions and restrictions have been appropriately disclosed. It may also depend upon whether the matter involves the Federal Trade Commission, state attorneys general or a private plaintiff false advertising lawsuit. And/or, upon the forum in which the legal or regulatory matter has been initiated, such as state court, federal court or the National Advertising Division. Consumer perception testing prior to disseminating such claims can also be a useful tool when combating false advertising claims.
For example, at least one federal court has appeared to apply a “ceiling” test. Would reasonable consumers understand such language to be a floor rather than a ceiling that can be achieved under limited circumstances? Do the claims expressly or impliedly promise the best, maximum result? Is it implausible that reasonable consumers would be deceived? Would reasonable consumers understand such language to be a guarantee? Would reasonable consumers understand such language to be a promise?
Now, consider the National Advertising Division.
The NAD often considers whether an “appreciable number” of consumers actually achieve the top range of the claimed benefit under circumstances normally and expectably encountered by consumers.
About This Blog and Hinch Newman’s Advertising + Marketing Practice
Hinch Newman LLP’s advertising and marketing practice includes successfully resolving some of the highest-profile Federal Trade Commission (FTC) and state attorneys general digital advertising and telemarketing investigations and enforcement actions. The firm possesses superior knowledge and deep legal experience in the areas of advertising, marketing, lead generation, promotions, e-commerce, privacy and intellectual property law. Through these advertising and marketing law updates, Hinch Newman provides commentary, news and analysis on issues and trends concerning developments of interest to digital marketers, including FTC and state attorneys general advertising compliance, civil investigative demands (CIDs), and administrative/judicial process. This blog is sponsored by Hinch Newman LLP.