Advertising & Marketing
Subscribe to Advertising & Marketing's Posts

Digital Marketing Minute: No More Like Gates

We are pleased to present this inaugural post of the Digital Marketing Minute.  Each week will provide a short post on some news in the digital marketing world.   This week’s post is about a change on Facebook’s platform that affects how marketers conduct promotions.

In an August 7 post on its Developers blog page, Facebook announced that, effective November 5, 2014, use of a “Like Gate,” which requires Facebook users to “Like” a page before participating in a brand’s promotional activity, is not allowed.  In other words, marketers cannot require consumers to “Like” a brand page before entering a sweepstakes or a contest, participating in an offer or accessing certain content.

Facebook reasons that banning the Like Gate will help “ensure quality connections and help businesses reach the people who matter to them” and that consumers “’Like’ pages because they want to connect and hear from the business, not because of artificial incentives” (see https://developers.facebook.com/blog/post/2014/08/07/Graph-API-v2.1/).




read more

Planning a Sweepstakes, Contest or Game?

New technologies have made offering consumer promotions even easier for businesses but complying with the myriad laws, rules, regulations, industry standards and platform requirements is still challenging.  To learn how to avoid 12 common promotion execution traps, join McDermott’s Julia Jacobson today (Wednesday, June 25) for “Executing a Sweepstakes, Contest or Game,” the second of a six-session “Wednesday Webinars” series hosted by the Brand Activation Association.

For details and to register, click here.  If you are not able to join the live webinar, please visit Of Digital Interest again soon to download the program materials, or contact Julia Jacobson.




read more

The California AG’s New Guide on CalOPPA – A Summary for Privacy Pros

Last week, the California Attorney General’s Office (AGO) released a series of recommendations entitled Making Your Privacy Practices Public (Guide) designed to help companies meet the requirements of California’s Online Privacy Protection Act (CalOPPA) and “provide privacy policy statements that are meaningful to consumers.”

As we have previously discussed, CalOPPA requires website operators to disclose (1) how they respond to Do Not Track (DNT) signals from browsers and other mechanism that express the DNT preference, and (2) whether third parties use or may use the site to track (i.e., collect personally identifiable information about) individual California residents “over time and across third party websites.”   Since the disclosure requirements became law, however, there has been considerable confusion among companies on how exactly to comply, and some maintain that despite W3C efforts, there continues to be no industry-wide accepted definition of what it means to “respond” to DNT signals.  As a result, the AGO engaged in an outreach process, bringing stakeholders together to provide comments on draft recommendations over a period of several months, finally culminating in the AGO publishing the final Guide earlier this week.

The Guide is just that – a guide – rather than a set of binding requirements.  However, the recommendations in the Guide do seem to present a road map for how companies might steer clear of an AGO enforcement action in this area.  As a result, privacy professionals may want to consider matching up the following key recommendations from the Guide with existing privacy policies, to confirm that they align or to consider whether it is necessary and appropriate to make adjustments:

  • Scope of the Policy:  Explain the scope of the policy, such as whether it covers online or offline content, as well as other entities such as subsidiaries.
  • Availability:  Make the policy “conspicuous” which means:
    • for websites, put a link on every page that collects personally identifiable information (PII).
    • for mobile apps that collect PII, put link at point of download, and from within the app – for example: put a link accessible from the “about” or “information” or “settings” page.
  • Do Not Track:
    • Prominently label the section of your policy regarding online tracking, for example: “California Do Not Track Disclosures”.
    • Describe how you respond to a browser’s Do Not Track signal or similar mechanisms within your privacy policy instead of merely providing a link to another website; when evaluating how to “describe” your response, consider:
      • Do you treat users whose browsers express the DNT signal differently from those without one?
      • Do you collect PII about browsing activities over time and third party sites if you receive the DNT signal?  If so, describe uses of the PII.
    • If you choose to link to an online program rather than describe your own response, provide the link with a general description of what the program does.
  • Third Party Tracking:
    • Disclose whether third parties are or may be collecting PII.
    • When drafting the disclosure [...]

      Continue Reading



read more

The New Normal: Big Data Comes of Age

On May 1, 2014, the White House released two reports addressing the public policy implications of the proliferation of big data. Rather than trying to slow the accumulation of data or place barriers on its use in analytic endeavors, the reports assert that big data is the “new normal” and encourages the development of policy initiatives and legal frameworks that foster innovation, promote the exchange of information and support public policy goals, while at the same time limiting harm to individuals and society. This Special Report provides an overview of the two reports, puts into context their conclusions and recommendations, and extracts key takeaways for businesses grappling with understanding what these reports—and this “new normal”—mean for them.

Read the full article.




read more

Disclosures Need Not Contain Customers’ Actual Names to Violate the Video Privacy Protection Act Rules Hulu Court

In the latest of a string of victories for the plaintiffs in the Video Privacy Protection Act (VPPA) class action litigation against Hulu, LLC, the U.S. District Court for the Northern District of California ruled that Hulu’s sharing of certain customer information with Facebook, Inc. may have violated the VPPA, even though Hulu did not disclose the actual names of its customers.  The ruling leaves Hulu potentially liable for the disclosures under the VPPA and opens the door to similar claims against other providers of online content.

The decision by U.S. Magistrate Judge Laurel Beeler addressed Hulu’s argument on summary judgment that it could not have violated the VPPA because Hulu “disclosed only anonymous user IDs and never linked the user IDs to identifying data such as a person’s name or address.”  The court rejected Hulu’s argument, stating that “[Hulu’s] position paints too bright a line.”  Noting that the purpose of the VPPA was to prevent the disclosure of information “that identifies a specific person and ties that person to particular videos that the person watched” the court held that liability turned on whether the Hulu’s disclosures were “merely an anonymized ID” or “whether they are closer to linking identified persons to the videos they watched.”

Under this principle, the court held that Hulu’s disclosures to comScore, a metrics company that Hulu employed to analyze its viewership for programming and advertising purposes, did not violate the VPPA.  According to the court, Hulu’s disclosure to comScore included anonymized user IDs and other information that could theoretically be used to identify the particular individuals and their viewing choices.  But the plaintiffs had no evidence that comScore had actually used the information in that way.  As the evidence did not “suggest any linking of a specific, identified person and his video habits” the court held that the disclosures to comScore did not support a claim under the VPPA.

But the court held that Hulu’s disclosure to Facebook had potentially violated the VPPA.  Hulu’s disclosures to Facebook included certain cookies that Hulu sent to Facebook that allowed Hulu to load a Facebook “Like” button on users’ web browsers.  The court held that the cookies that Hulu sent to Facebook to accomplish this task “together reveal information about what the Hulu user watched and who the Hulu user is on Facebook.”  The court noted that this disclosure was “not merely the transmission of a unique, anonymous ID”; rather it was “information that identifies the Hulu user’s actual identity on Facebook” as well as the video that the Facebook user was watching.  Thus, the court held, Hulu’s disclosures to Facebook potentially violated the VPPA.

The Court’s ruling that disclosure of seemingly anonymous IDs can potentially lead to liability under the VPPA should cause companies that are potentially covered by the law to reexamine the ways in which they provide data to third parties.  Such companies should carefully consider not only what information is disclosed but also how the recipients of that data can reasonably be expected [...]

Continue Reading




read more

Copyright Office Fees

On March 24, 2014, the U.S. Copyright Office issued a Final Rule that establishes new fees for certain of its services.  The new fee schedule is effective as of May 1, 2014 and available here.  The fees were last updated in 2009.

The Office increased fees for certain registration and recordation and associated services, as well as search and review services for FOIA requests.  The Office reduced renewal application and addendum fees in an effort to “encourage the filing of more renewal claims” and thereby help improve the public record about copyright ownership.

According to the Copyright Office’s announcement, the fee increases result from its “responsibility, like other Federal agencies, to establish sound financial policies and develop a budget derived largely from fees” and enable it to “recover a significant part of the costs to the Office for services that benefit both copyright owners and the public.”

(And, while on the subject of copyright, if your website accepts and hosts user-generated content, we encourage you to check that you have registered a “DMCA agent” under the Digital Millennium Copyright Act (DMCA).  The DMCA is a federal law that provides “safe harbor” protection for claims of copyright infringement for website operators that follow certain procedures, including designating a DMCA agent.)

For more information, please contact Jennifer Mikulina, global head of McDermott’s trademark prosecution practice, or Julia Jacobson, author of this blog entry and ODI editor.




read more

FTC Enforces Facebook Policies to Stop Jerk

The Federal Trade Commission (FTC) recently accused the operator of www.Jerk.com (Jerk) of misrepresenting to users the source of the personal content that Jerk used for its purported social networking website and the benefits derived from a user’s purchase of a Jerk membership.   According to the FTC, Jerk improperly accessed personal information about consumers from Facebook, used the information to create millions of unique profiles identifying subjects as either “Jerk” or “Not a Jerk” and falsely represented that a user could dispute the Jerk/Not a Jerk label and alter the information posted on the website by paying a $30 subscription fee.  The interesting issue in this case is not the name of the defendant or its unsavory business model; rather, what’s interesting is the FTC’s tacit enforcement of Facebook’s privacy policies governing the personal information of Facebook’s own users.

Misrepresenting the Source of Personal Information

Although Jerk represented that its profile information was created by its users and reflected those users’ views of the profiled individuals, Jerk in fact obtained the profile information from Facebook.  In its complaint, the FTC alleges that Jerk accessed Facebook’s data through Facebook’s application programming interfaces (API), which are tools developers can use to interact with Facebook, and downloaded the names and photographs of millions of Facebook users without consent. The FTC used Facebook’s various policies as support for its allegation that Jerk improperly obtained the personal information of Facebook’s users and, in turn, misrepresented the source of the information.  The FTC noted that developers accessing the Facebook platform must agree to Facebook’s policies, which include (1) obtaining users’ explicit consent to share certain Facebook data; (2) deleting information obtained through Facebook once Facebook disables the developers’ Facebook access; (3) providing an easily accessible mechanism for consumers to request the deletion of their Facebook data; and (4) deleting information obtained from Facebook upon a consumer’s request.  Jerk used the data it collected from Facebook not to interact with Facebook but to create unique Jerk profiles for its own commercial advantage.  Jerk’s misappropriation of user data from Facebook was the actual source of the data contrary to Jerk’s representation that the data had been provided by Jerk’s users.

Misrepresenting the Benefit of the Bargain

According to the FTC, Jerk represented that purchase of a $30 subscription would enable users to obtain “premium features,” including the ability to dispute information posted on Jerk and alter or delete their Jerk profile and dispute the false information on their profile.  Users who paid the subscription often received none of the promised benefits.  The FTC noted that contacting Jerk with complaints was difficult for consumers:  Jerk charged $25 for users to email the customer service department.

A hearing is scheduled for January 2015. Notably, the FTC’s proposed Order, among other prohibitions, enjoins Jerk from using in any way the personal information that Jerk obtained prior to the FTC’s action – meaning the personal information that was obtained illegally from Facebook.




read more

Settlement on the Horizon in Massachusetts ZIP Code Litigation

A recent proposed settlement in Massachusetts may signal readiness on the part of retailers to end so-called “ZIP code” litigation.  In 2011, customers of the arts and crafts retailer Michaels Stores Inc. filed a proposed class action in Massachusetts federal district court stemming from the company’s collection of customers’ ZIP codes during point of sale transactions.  The complaint alleged that Michaels used the ZIP codes that it collected to acquire customers’ addresses and telephone numbers and then used that information for direct marketing purposes.

Last year, after the plaintiffs had filed their complaint, the Massachusetts Supreme Judicial Court held that under a 1991 Massachusetts law, ZIP codes are considered “personal identification information” and retailers are prohibited from collecting such information during credit card transactions.  The court also gave plaintiffs an opening to overcome the sometimes difficult harm threshold for consumer class actions: it found that a retailer’s subsequent use of personal identification information for direct marketing purposes constituted sufficient harm to the consumer to subject the retailer to liability.  The court’s holding left Michaels with few defenses under the statute, which states that merchants accepting credit cards shall not “write, cause to be written or require that a credit card holder write personal information, not required by the credit card issuer, on the credit card transaction form.”

The district court recently gave preliminary approval to a settlement of the claims against Michaels. The proposed settlement, totaling nearly $875,000, covers all customers from whom Michaels requested and recorded personal identification information in conjunction with a credit card or debit card transaction in a Massachusetts retail store after May 23, 2007.  The settlement divides customers into two subclasses depending on how Michaels used the information it collected.  The first sub-class includes approximately 15,000 customers for whom Michaels was able to obtain a mailing address using the ZIP codes collected.  The second subclass, numbering approximately 4,300, includes customers whose addresses Michaels obtained using a source other than the collected ZIP codes.

Under the settlement, members of the two subclasses are to receive vouchers of $25 and $10, respectively, for total payments to the class of approximately $418,000.  The proposed settlement also calls for Michaels to pay attorneys’ fees of up to $425,000.  A final fairness hearing is set for May 20.

Whether the Michaels settlement will have an effect on other class action litigation is an open question.  The language of the Massachusetts statute differs in key respects from similar laws of other states.  For example, California’s Beverly Song Credit Card Act imposes liability only where the merchant requests or requires personal identification information “as a condition of accepting credit card payment.”  This language in the California law has been used to defeat class certification on the basis that the customers’ beliefs as to whether providing personal identification information was a condition of using a credit card was a necessary element of liability that could not be decided on a class wide basis.  It is unclear a similar argument could prevail under the [...]

Continue Reading




read more

In with the New, Part III: 2014 Privacy, Advertising and Digital Media Predictions

Boston-based litigation partner Matt Turnell shares his predictions about class action litigation under the Telephone Consumer Protection Act (TCPA) and Electronic Communications Privacy Act (ECPA) in 2014 and Boston-based white-collar criminal defense and government investigations partner David Gacioch shares his predictions about government responses to data breaches.

Class Action Litigation Predictions

2014 is already shaping up to be an explosive year for privacy- and data-security-related class actions.  Last December’s data breach at Target has already led to more than 70 putative class actions being filed against the retailer.  With recently disclosed data breaches at Neiman Marcus and Michaels Stores—and possibly more to come at other major retailers—court dockets will be flooded with these suits this year.  And consumers are not the only ones filing class actions; banks that have incurred extra costs as a result of the data breaches are headed to court as well, with at least two putative class actions on behalf of banks filed so far against Target.

That volume of litigation related to the Target data breaches likely will be matched by a steady stream of class actions filed under the TCPA.  2013 was a busy year for the TCPA docket and I expect that the Federal Communications Commission’s (FCC) stricter rules requiring express prior written consent from the called party, which took effect in October 2013, means that 2014 will be just as busy since the majority of TCPA class actions seek statutory damages for companies’ failure to obtain consent before making autodialed or prerecorded voice calls or sending unsolicited text messages or faxes. 

In 2014, I expect to see key decisions under the ECPA related to social media platforms and email providers capturing and using content from customers’ emails and other messages for targeted advertising or other purposes.  One district court has already denied a motion to dismiss an ECPA claim challenging this conduct and I predict that other decisions are forthcoming this year.  Needless to say, decisions in favor of class-action plaintiffs in this area could have major implications for how social media sites and email providers do business.

Matt Turnell, Partner

Government Responses to Data Breaches

As significant data breaches continue to dominate the news, public awareness of data privacy and security issues will increase, as will their political appeal.  I expect to see in 2014:

  • Record numbers of breach reports to state and federal regulators, as awareness of reporting obligations spreads further and further across data owner, licensee, broker and transmitter groups;
  • More states committing more enforcement resources to data privacy and security, including budget dollars and dedicated attorney general’s office units;
  • More state/federal and multi-state coordination of investigations, leading to increased settlement leverage by enforcement authorities vis-à-vis firms under investigation; and
  • Greater numbers and dollar values of settlements by the Federal Trade Commission (FTC) and state attorneys general than ever before.

Similarly, with the HIPAA Omnibus Final Rule going into effect on September 23, 2013, coupled with the late-2013 Department of Health and Human Services [...]

Continue Reading




read more

Data Privacy Day 2014

In Boston, we celebrated Data Privacy Day (January 28) by presenting “U.S. Privacy and Data Protection: 2013 Year In Review and a Prediction of What’s to Come in 2014” for participants in an IAPP KnowledgeNet.  Our panel of speakers discussed significant U.S. data privacy and protection events from 2013 and shared thoughts about what’s ahead for 2014 in U.S. data privacy and protection.  You may download the presentation slides here.

We hope you find our presentation materials informative.   Of course, please do not hesitate to contact any member of the Of Digital Interest editorial team with questions or comments.




read more

STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021
U.S. News Law Firm of the Year 2022 Health Care Law