The Federal Trade Commission Act’s Section 5 prohibition on unfair and deceptive practices that harm consumers may date back to 1938, but it has been applied by the FTC in recent years to social media companies in enforcement actions and guidance documents.
Anthony E. DiResta, a partner with Winston & Strawn LLP’s Washington office, told Bloomberg BNA that four core consumer protection principles have guided the FTC in social media cases: transparency, accuracy, honesty and respect. He said those principles mean the FTC wants companies to ensure that any material connections between a reviewer and a reviewed product are disclosed, provide substantiation of claims, make sure speakers are objective and respect the privacy of third parties.
D. Reed Freeman Jr., a partner at Morrison & Foerster LLP’s Washington office, told Bloomberg that the FTC tends to follow a certain pattern—a “deliberative march”—when it applies Section 5 of the FTC Act to new industries or new concepts. The commission, he said, will share what it sees as best practices, then publicize its expectations and officials will eventually give speeches on the issue.
The FTC then turns to an enforcement action against a company engaging in conduct that is clearly unfair or deceptive, Freeman said. Later, the commission starts applying the same principles to “mainstream companies.”
“Shame on you,” Freeman said, if a company is not aware of the FTC’s stance at that point.
Lisa J. Sotto, a partner with Hunton & Williams LLP’s New York office, told Bloomberg BNA Dec. 17 that one problem in determining the core principles guiding the FTC in the consumer protection area is the fact that “there are so many guidance documents.” It is true, she added, that “the compendium of documents gives you clarity if you have time.”
Privacy Enforcement.
Attorneys seeking to understand how the FTC approaches privacy enforcement in the realm of social media should examine enforcement actions against three industry players: Facebook, Myspace LLC and Google Inc.
Facebook’s tweaks to its privacy settings in late 2009 received scrutiny not just from users but from the FTC. The commission alleged in a complaint made public in November 2011 that Facebook’s 2009 privacy policy changes deceived users in violation of Section 5 of the FTC Act. The commission said that users’ personal information that previously could be restricted had become public or accessible to platform applications as a result of the changes.
The FTC also alleged that Facebook misled users regarding whether it shared personal information with advertisers and whether third parties would have access to deactivated or deleted user accounts.
Facebook settled the case, resulting in an order announced in August 2012 (In re Facebook Inc., F.T.C., No. C-4365; 155 DER A-1, 8/13/12). The settlement required Facebook to obtain the express consent of users before sharing any information beyond what account holders had authorized, run a comprehensive privacy program and obtain biennial independent third-party audits for 20 years.
The FTC also brought Section 5 actions against Myspace and against Google, the latter regarding its now-defunct Google Buzz social media product.
The commission said in its Myspace complaint, first made public May 2012, that the company deceptively told users that it would not disclose personally identifiable information to third parties without their permission, but in reality, it was sharing that information with advertisers.
The FTC, in announcing a final order with Myspace in September 2012, explained that the company agreed to settle the case by promising not to make misrepresentations in its privacy policy, establishing a comprehensive privacy program and obtaining biennial third-party assessments of its compliance for 20 years from the initial review (In re Myspace LLC, F.T.C., No. C-4369).
According to the FTC’s complaint in the Google Buzz case that was made public March 2011, the company in February 2010 asked users of its Gmail service whether they wanted to use the newly launched social networking Buzz product. Gmail users who selected “Nah, go to my inbox” instead of “Sweet! Check out Buzz” still had personal information shared, the FTC alleged. Google also made it difficult to turn off Buzz, and it was “confusing and difficult” to find out how to change the default privacy settings, the complaint said.
The FTC’s October 2011 final order with Google required the company not to misrepresent its privacy policies, to clearly and prominently disclose privacy policy changes and to obtain user consent, establish a comprehensive privacy program and obtain biennial third-party assessments for 20 years (In re Google Inc., F.T.C., No. C-4336).
DiResta said these consent orders constitute “company best practices with respect to privacy.” DiResta said the FTC wants to see privacy “baked into a company’s practices.”
Freeman said mobile and social media companies are at the “vortex” of the FTC’s interest because users provide them with personal data. Freeman said the cases revolved around the fact that the companies made promises in their policy statements that were not true.
A company “should never say we will always” and “never say we will never do that” in its policies, Freeman said.
Justin Brookman, director of the Center for Democracy & Technology’s project on consumer privacy, told Bloomberg BNA Dec. 16 that although he would like to see more work on requiring companies to be transparent in their privacy policies, he thought the FTC had been fairly aggressive in protecting consumer privacy. Brookman noted that some people have faulted the amount of time it takes for the FTC to act and that two years can be a long time in an area such as social media. He said, however, that he thought the FTC has moved quickly with social media companies.
FTC Commissioner Julie Brill, in a December 2011 speech on the “Privacy Implications of Social Media,” said companies should incorporate privacy and security protections into all new products, simplify their privacy policies so that “consumers can actually understand” them and provide greater transparency around data collection, use and retention.
Children and Social Media.
Another privacy area of concern highlighted in a 2008 FTC staff report, “Next Tech-ade,” was the collection of children’s data by social media companies.
The Children’s Online Privacy Protection Act of 1998 (COPPA),
The FTC has sued a few social media companies over allegations that they violated COPPA by collecting sensitive children’s information. In a complaint filed January 2013 in the U.S. District Court for the Northern District of California against Path Inc., the FTC said the social networking service accepted registrations from users younger than 13 and knowingly collected the personal information of about 3,000 minors in violation of the COPPA Rule. The commission explained that Path failed to provide sufficient notice of how it collected information from children, give direct notice to parents of what information was collected from their children and obtain verifiable parental consent.
The FTC also alleged Path’s privacy practices that applied to all users were deceptive because its mobile application collected users’ address book information, in violation of Section 5.
Path settled the matter, according to a February 2013 consent decree. It agreed to pay an $800,000 fine to settle the COPPA charges and—similar to the settlements in the Facebook, Myspace and Google cases—establish a comprehensive privacy program and obtain biennial third-party privacy assessments (United States v. Path Inc., N.D. Cal., No. 3:13-cv-00448-RS).
A much earlier FTC lawsuit involved the blogging service Xanga.com. The commission’s 2006 complaint filed in the U.S. District Court for the Southern District of New York said that over the preceding five-year period, about 1.7 million accounts opened by children younger than 13 had been created on Xanga, even though the website initially told those opening an account that users had to be at least 13. The FTC said Xanga had actual knowledge that it was collecting personal information from minors younger than 13, and alleged the blogging service did not provide sufficient notice of what information it collected from children, give direct notice to parents of information that was collected about their children or obtain verifiable parental consent.
According to a consent decree filed September 2006, Xanga agreed to pay a $1 million penalty for the alleged COPPA violations, delete personal information the site collected on minors younger than 13 and display prominent disclosures over the next five years to users that contain links to information about protecting children’s privacy online (United States v. Xanga.com Inc., S.D.N.Y., No. 06 Civ. 6853 (SHS)).
Data Security Actions.
Another major concern for the commission is how social media and other companies protect the sensitive information they collect. The FTC brought a complaint against Twitter Inc., first made public June 2010, alleging that the popular service failed to safeguard its millions of users’ personal information.
According to the FTC’s complaint, hackers obtained unauthorized administrative control of Twitter’s system between January and May 2009. The FTC said that despite Twitter’s statement in its policies that it was “very concerned” about safeguarding user information, Twitter engaged in inappropriately lax data security practices in violation of Section 5.
During the period in which Twitter’s system was compromised, the FTC said the hackers could see nonpublic tweets and user information, reset users’ passwords and even send unauthorized tweets. The commission added that an unauthorized tweet was sent from then-President-elect Barack Obama’s Twitter account that offered his followers the chance to win $500 in free gasoline if they completed a survey.
The case settled with a March 2011 final order. Twitter agreed not to mislead its users regarding its data security practices, establish a comprehensive information security program and obtain biennial third-party audits for the next 10 years (In re Twitter Inc., F.T.C., No. C-4316).
John P. Feldman, a partner with Reed Smith LLP’s Washington office, told Bloomberg BNA Dec. 12 that the FTC’s March 2012 consumer privacy report made clear the commission’s expectation that companies will “bake in” an adequate level of data security as well as engage in “privacy by design.” The FTC’s report defined privacy by design as the principle that “[c]ompanies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.”
Sotto said the FTC has not provided a comprehensive set of rules for how companies should manage cybersecurity risks. Cases have shown, Sotto said, that certain practices do not provide sufficient safeguards.
She pointed to the cybersecurity framework from the Department of Commerce’s National Institute of Standards and Technology, which she said will be finalized in February 2014. Sotto said the NIST framework is “the closest thing we have to a set of guidelines” and provides companies with a sense of how to set up a cybersecurity program.
Addressing the FTC’s data security stance, Eric Goldman, a professor at Santa Clara University School of Law and director of the school’s High Tech Law Institute, criticized the Twitter matter and related FTC actions. He said the FTC has been too aggressive and is essentially saying that companies should not be hacked if they collect consumer data.
Goldman said that obtaining a judicial determination of the FTC’s “amorphous and unbounded” authority was difficult because a company like Twitter, which viewed itself as a victim in the hacking, was not going to challenge the FTC and litigate its security practices. He called for the creation of safe harbor practices that companies could comply with and receive immunity from a Section 5 data security lawsuit.
Freeman said the FTC has sought civil penalty authority in the realm of data security. He added that it is possible Congress may act on cybersecurity legislation in 2014 if there continue to be high-profile breaches, adding that the “level of sophistication of the international criminal hackers” has grown.
Advertising and Marketing.
Advertising and marketing, like privacy, has been a major regulatory focus for the FTC in addressing social media. The commission has applied and updated its advertising rules based on Section 5 to social media, which many companies are now using to reach customers and potential customers.
A major concern for the commission is that consumers should not be deceived by product reviews on social media that actually are paid endorsements or are written by someone who was given an incentive to praise a product or service.
Revisions made in October 2009 to the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising,
The commission also updated its Dot Com Disclosures in March 2013 to reiterate that consumer protection laws apply to new media, including space-constrained platforms such as a mobile phone or a social media platform such as Twitter. The guidelines explained that disclosures must be clear and conspicuous and as close as possible to the relevant claim.
A few examples in the updated disclosures referenced Twitter and described how a paid celebrity endorser could provide relevant disclosures despite the very tight character limit on the social media platform. One example was a tweet from a celebrity endorser of diet pills, who mentioned losing 30 pounds in six weeks on the product, but also explained that one pound per week was a typical result.
The commission applied those principles when it investigated an April 2012 “TweetUp” event involving the opening of a Nordstrom Rack store in Boise, Idaho. According to the FTC’s closing letter on the matter, the commission was concerned that invited guests who were social media influencers were not told that when writing about the event they should disclose the receipt of presents, such as a $50 Nordstrom Rack gift card.
The February 2013 closing letter said the FTC declined to bring an enforcement action because Nordstrom had revised its social media policies to address the commission’s concerns, the limited nature of the event and the fact that many of the social media influencers did disclose the gifts.
An April 2010 closing letter regarding Ann Taylor Stores Corp. said that Ann Taylor held a January 2010 preview of its LOFT division’s summer 2010 collection and provided gifts to attending bloggers, who were expected to write about the company’s clothing line. The FTC said Ann Taylor updated its social media policies to require that staff inform bloggers of their disclosure obligations before they are given gifts.
Better Business Bureau Role.
The Better Business Bureau’s National Advertising Division, which refers some advertising and marketing cases to the FTC for enforcement, also has investigated social media marketing and raised concerns when disclosures appeared to be missing.
The NAD said in an October 2013 decision that eSalon, a custom hair product company, failed to provide an adequate disclosure that it was sponsoring the Hair Color for Women blog. The decision said eSalon’s disclosure at the bottom of the blog that it sponsored the content did not comply with the Dot Com Disclosures, which it said required a disclosure at the top of the home page and each page. The blog now displays a “by eSalon” disclosure image at the top right of each page.
The NAD also noted the use of celebrities on eSalon’s “Hair Colors We Love” Pinterest board, and said images should not be used unless the celebrity actually endorsed the product. The Pinterest board now contains a disclosure that “the use of any celebrity images does not imply an endorsement of any kind for the eSalon brand or eSalon products, nor eSalon’s affiliation with the individuals pictured.”
A June 2012 NAD case report regarding Nutrisystem Inc. noted that the weight loss company’s Pinterest board displaying “Real Customers, Real Success” showed, for example, that “Christine H. lost 223 lbs. on Nutrisystem” or “Michael H. lost 125 lbs. on Nutrisystem.” The NAD said these pins violated the FTC endorsement guidelines because they failed to explain that the results were not typical.
The report said Nutrisystem agreed to add to the pins on its board that the results were not typical and the average Nutrisystem customer lost one to two pounds per week.
Disclosure Requirements.
DiResta said the FTC has been applying these disclosure requirements for decades and is now applying those principles to social media.
Feldman noted that it was “completely reasonable” to extend those principles to blogs and social media; however, he said he was concerned about statements by some FTC staff regarding how it would approach novel online marketing. He said it was not clear how the agency would react to content on social media or websites that was paid for by a company but did not mention its brand or products.
He provided the example of a lens manufacturer that ran a “beautiful views” contest where consumers shared their photos. Feldman said that under the FTC’s traditional principles, the company would not be required to provide any disclosures. He said, however, that statements by commission staff at a recent native advertising workshop implied disclosures would be required.
Marc Roth, a partner at Manatt, Phelps & Phillips LLP’s New York office, told Bloomberg BNA Dec. 16 that the FTC had been “sensitive to changes in industry” by updating its Dot Com Disclosures, originally published in 2000, for social media and mobile devices.
Roth said, however, that some stances taken by the FTC in the disclosures were “aggressive.” He cited the request in the disclosures for companies to measure whether hyperlinks providing required disclosures were effective by measuring click-through rates.
Roth said that was a burden not placed anywhere else in advertising law and that may be outside the capabilities of smaller companies.
Roth added that it was not clear if the FTC was looking for companies to measure whether more than a certain percentage of consumers clicked disclosure hyperlinks. He noted, however, that it might not be appropriate in this area for the commission to set bright-line boundaries. Instead, it might be better for the FTC to evaluate advertising and required disclosures on a case-by-case basis, he said.
Enforcement.
The settlements that major companies such as Facebook, Twitter and Google enter into with the FTC give the FTC ongoing authority to enforce the terms of the settlements. When Facebook recently announced changes to its terms, partly in response to a class action settlement over its Sponsored Stories advertising program, numerous advocacy groups signed a September 2013 letter that called upon the FTC to find that the changes violated Facebook’s earlier consent order with the agency.
Roth said the commission has numerous factors to consider when determining whether to allege that a company has violated the terms of one of its consent orders. It is not always clear that new policies actually violate an order, he said. Also unknown is whether a company will choose to fight if the commission alleges that an order has been violated.
If there is a “slam-dunk violation” of a settlement, the FTC will seek compliance, he said. However, the commission will be hesitant to act if it could lose because that would be a “black eye” for the FTC.
He cited the Wyndham Hotels case, in which the hotel chain is challenging the FTC’s authority to bring an enforcement action under Section 5 in a data security case (FTC v. Wyndham Worldwide Corp., D.N.J., No. 13-1887 (ES)). A loss in that case, Roth said, would undermine the FTC’s Section 5 enforcement authority.
To contact the reporter on this story: Michael O. Loatman in Washington at mloatman@bna.com
To contact the editor responsible for this story: Barbara Yuill at byuill@bna.com