December 2019
Advertising Law Year-In-Review
‘Twas two weeks before Christmas, and all through the town, every lawyer was working on their yearly count down.
The bills had been sent to clients with care, in hopes that the checks would fly through the air.
And me at my desk, Amazon prime on the way, I had just settled down to write a new blog for that day.
Then out in the foyer, there arose such a clatter…
For your reading enjoyment, here’s the December Ad Matter.
Ring in the New Year with the CCPA
The California Consumer Privacy Act promises to start 2020 off with a bang (and maybe a headache). While nationally we are still trying to find our footing with a uniform privacy law (see below on COPRA), California has launched their own version.
A few things to note before panic sets in: the law doesn’t apply to ALL businesses. You must have an annual gross revenue in excess of $25 million; possess the personal information of 50,000 or more consumers, households or devices (definition of household being debated currently); and your business must earn more than half of its annual revenue from selling consumers’ personal information.
Advertisers should pay close attention to the next few weeks when regulators release enforcement guidelines. Targeted advertising and tech firms’ use of data may be in the line of fire depending on what enforcement looks like. According to experts the CCPA’s definition of “sale” may or may not refer to digital advertising. A sale is defined as anything of value, not just the exchange of a California resident’s information, so the final definition could be quite expansive.
Further, there is no guidance as to how this affects programmatic impressions or the sharing of an IP list for purposes of targeted media buys. The big question is whether selling, passing or transferring personal information for advertising purposes is (or is not) considered a sale under the law. And what are the longer-term effects on other areas of advertising once this law passes?
One option may be for companies to become “service providers” under the law. Service providers can process data collected from third party companies even if the person whose data is collected has requested that such data not be sold. The caveat is that the service provider can only use the data for reasons specified in an agreement with the company selling it, which may hamstring more wide scale consumer tracking and targeting efforts.
While the law takes effect in a few short weeks, enforcement won’t begin until June of 2020. That’s the good news. The bad news is that any infraction has a “look back” to Jan 1. Happy New Year indeed.
Privacy Regulation is on the Wish List
A group of Senators recently released a set of “core principles” for a Privacy and Data Protection Framework as well as a proposed privacy bill called COPRA - the Consumer Online Privacy Rights Act.
The Framework includes key principles which cover several privacy topics and focus on specific goals. Specifically, argue the authors, any privacy regulation should establish data safeguards, invigorate competition, strengthen consumer and civil rights, and impose real accountability. It also places emphasis on ideas found in other privacy frameworks such as consumer control of their data, as well as presenting new ideas to allow more control over the sharing of consumer data. The Framework also emphasizes the growing support for corporate accountability regarding data and privacy practices.
COPRA, similar to the CCPA , includes additional data privacy and security concepts, particularly with respect to liability, enforcement and accountability. COPRA would have broad applicability but specific exclusions similar to the CCPA which would allow certain companies to be exempt. Entities that can establish all of the following—for the preceding three (3) calendar years—would not be covered: (1) average gross revenues of less than $25 million per year; (2) annual processing of covered data of fewer than 100,000 individuals, households or devices; and (3) less than 50% of revenue derived from transferring covered data. There are also other exclusions for companies regulated by other federal laws such as Gramm-Leach-Bliley Act, though such entities would still be obligated to comply with certain data security requirements. If enacted, COPRA would be enforced by the FTC and state attorneys general and would set up a new division in the FTC to exercise this authority and other federal laws regarding data and privacy. assist the Commission in exercising its authority under COPRA and other federal laws addressing privacy and data security.
Why This Matters:
There’s no evidence that this bill will be agreed to in a bipartisan manner, at least not before 2020 and some argue that once the CCPA passes, it will be harder to pass any law that isn’t as protective as the CCPA. But the parties are talking and that is some progress.
A Gift for YouTubers
Confused as to whether your content is “directed to children” per the Children’s Online Privacy Protection Act (“COPPA”)? You’re not alone. But there’s some good news. The FTC recently released guidance for channel owners and content developers.
A few months ago, Google and YouTube settled with the FTC for $170 million amidst allegations that YouTube collected information from children in violation of the COPPA rules. In addition to the settlement, Google and YouTube agreed to create and implement a system for YouTube channel owners to designate whether content is directed to children and to established standards for notifying owners of the content whether COPPA applied.
FTC will at some point after this settlement, conduct a “sweep” of the YouTube channels to ensure that the relevant content is being designated in accordance with the COPPA rules. The guidance provided in the settlement are intended to help channel owners and content creators understand if their content or channels are in fact “directed to children” under COPPA and if so, what the specific legal requirements are for notice and parental consent.
First and foremost, the FTC wants all channel and content owners to know that COPPA applies to YouTube exactly as COPPA would apply if the content was on an ap or website. The FTC analyzes content using numerous factors such as the subject matter, the visual content, the use of animation, music and audio, age of the models or child celebrities, and the kind and type of advertising to determine if the content is in fact “directed to children”.
The guidance also provides some general advice: for example, if the video is about “adult” topics such as finance or politics, or if the content is aimed at high school or college aged kids, it is most likely not covered by COPPA. Videos that look bright and colorful and have animated characters are not automatically covered since those can also be directed to an older audience. The complaint against YouTube cites specific examples of content that the FTC found to be directed to kids. The complaint can be found here: https://www.ftc.gov/enforcement/cases-proceedings/172-3083/google-llc-youtube-llc. More information about COPPA can be found here: https://www.ftc.gov/tips-advice/business-center/privacy-and-security/children%27s-privacy.
Why This Matters:
The guidance set forth in the settlement will help channel owners and content creators determine if they must comply with COPPA – a sort of heads up if you will - since the FTC will be conducting their own sweep of YouTube content for compliance. If you are unsure whether your content is subject to these rules, seek advice from an attorney familiar with COPPA.
Match.com Ends up on the Naughty List
The FTC recently filed a lawsuit against Match Group, Inc. – owner of Match.com, Tinder, OKCupid, PlentyofFish and other matchmaking websites alleging that Match used fake love interest advertisements to induce users into purchasing subscriptions on Match.com.
The FTC alleged that until the middle of 2018, the website knowingly sent communications to consumers from people who were scammers, and not actual love interests. Consumers, thinking they were being courted by legitimate suitors, could only respond to the communication by upgrading to a paid subscription model. Match further misled consumers by “guaranteeing” a free six-month renewal if the consumer did not match with someone. The guaranty came with conditions which were of course unbeknownst to the consumer.
The FTC also called out Match for violations of the Restore Online Shopper Consumer Act (ROSCA) because Match neglected to provide a mechanism by which consumers could stop recurring charges on their credit cards or accounts.
As a result of this matter, the FTC is seeking public comment on whether ROSCA should be more specific regarding cancellation procedures in online negative option issues. In addition, the FTC is examining and seeking public comment on its existing Negative Option Rule and the Telemarketing Sales Rule to establish a more consistent legal framework which can be applied in different kinds of media.
Why this Matters:
If you’re a marketer and employ online or other kinds of negative option offers, pay attention to the changes following public comment. They may have a direct effect on a number of aspects of your business including your website, e-commerce and marketing strategies.