"Red Flag". . . or White Flag?

The latest in the ongoing saga/delay with regard to the effective date for those subject to the Federal Trade Commission’s version of the Identity Theft Red Flag Rules is that the FTC has announced that the deadline by which affected businesses must comply has been extended – yet again – to November 1, 2009.  This is the third extension of the compliance deadline, for which the “mandatory compliance” date was originally November 1, 2008.  It was later extended – first to May 1, 2009, then to August 1, 2009, and now to November 1, 2009 – after confusion arose as to whom the rules applies and how to comply with them.  This raises the question, which the FTC itself has acknowledged, of whether Congress wrote the rules too broadly.

When the FTC announced the first extension, it stated it was stepping up outreach efforts to explain the rules to the various entities to which they apply.  With the second extension, the FTC released a “How-To Guide for Business” to assist those faced with complying.  Meanwhile, the FTC created a dedicated Red Flags Rule website, but rejected a request by the American Medical Association for clarification that the rules do not apply to doctors, which begat consternation over whether the rules could apply to lawyers as well.  With the ABA seemingly poised to take the FTC to litigation over the matter with the twice-extended compliance deadline nearly at hand, and confusion otherwise lingering generally, the FTC extended the compliance date again.

This time, the FTC stated it was extending the effective date yet again to “assist small businesses and other entities,” so that it could “redouble its efforts to educate them about … and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.”  In particular, “redoubled” efforts are intended to assist small and low-risk entities who may face compliance concerns.  However, if it is truly “low risk” businesses on which the FTC is focused at this point, with three extensions (now totaling one year) needed to deal with any uncertainty among such “low-risk” businesses, does that validate previously-voiced concerns from the business community that the rules are too broad?  This may well be an area Congress should consider revisiting, and sooner, rather than later.

A $6 Million Reminder That FCC Still Has Work To Do On Telemarketing And Federal Preemption

Last week came news that DISH Network LLC signed an Assurance of Voluntary Compliance (“AVC”) with the Attorneys General of 46 states, in which it agreed to pay nearly $6 million – plus, potentially, additional restitution – and to modify its sales practices to settle claims that it failed to follow telemarketing do-not-call laws and engaged in unfair trade practices.  The agreement, which DISH executed with regulators from every state but California, Illinois, North Carolina, and Ohio, notes that among the alleged violations were failure “to comply with federal, state and/or local laws regarding telemarketing,” but denies any wrongdoing.  The AVC also called for DISH to comply with such state laws going forward.

The extent to which Attorneys General leveraged their states’ telemarketing laws in the settlement, and to require future compliance, is a troubling reminder that it has been more than half a decade that the Federal Communications Commission (“FCC”) has sat on petitions, declaratory ruling requests, and other calls for it to follow through on its promise to preempt the application of state laws to interstate telemarketing if they differ from federal standards.  Specifically, when it joined the Federal Trade Commission to update federal telemarketing rules in 2003, including creating of a National Do-Not-Call Registry, the FCC established certain limitations on application of state law thereafter.  It said its rules implementing the Telephone Consumer Protection Act (“TCPA”), which underlie the Registry, would serve as a “floor” with respect to all interstate and intrastate telemarketing calls.  That is, federal rules would govern all interstate calls, and with respect to intrastate calls, state rules that were less restrictive than their federal counterparts were preempted.  And, while the TCPA allows states to impose more restrictive rules to intrastate calls, the FCC said its rules would “almost certainly” preempt the application of such laws to interstate calls.  It also said that, rather than establishing blanket preemption (as with less-restrictive state laws), it would address preemption of such laws on a case-by-case basis.

In the ensuing years, in the related context of unsolicited fax ads, the TCPA’s preemption provision, which applies equally to the law’s telemarketing and fax provisions, was interpreted in accord with the FCC’s position.  At the same time, multiple petitions were filed, targeting sundry state laws, asking that the FCC preempt various state telemarketing prohibitions or requirements.  In other cases, trade associations asked the FCC to impose 50-state preemption with respect to certain state laws and rules.  Some of these petitions have languished since 2004, or even 2003, and while the FCC has sought comment, all these matters remain pending.

The AVC that DISH has entered with all but 4 states requires it to comply with state telemarketing rules that likely were preempted by federal law.  This is a significant reminder that the FCC needs to bring closure to this issue.  Indeed, it is likely that many of the calls at issue in the DISH enforcement action were interstate in nature and should not have been subject to state laws that differ from the TCPA rules.  The point is not that if preemption were clarified by the FCC, the issues surrounding DISH’s marketing practices would have disappeared.  Nonetheless, the settlement serves as a hefty reminder that telemarketers making interstate calls still face state laws that differ from – and as the FCC has said, are “almost certainly” preempted by – federal regulations intended to unify the rules in this area and to eliminate the patchwork of state requirements and prohibitions.  Perhaps, now that a new FCC installed by a new administration is poised to be at full strength, there is an opportunity to complete this last piece of long-unfinished business.

Advertising Industry Publishes Self-Regulatory Principles for Online Behavioral Data Collection

By Robert J. Driscoll, Paul Glist and Jennifer Small

On July 2, 2009, a group of advertising industry associations published the Self-Regulatory Principles for Online Behavioral Advertising (PDF)—a set of guidelines concerning the collection and use of online behavioral data by advertisers, service providers, publishers and ad networks.

The principles, drafted by the American Association of Advertising Agencies (4A’s), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB) and the Council of Better Business Bureaus (BBB), focus on the areas that the Federal Trade Commission (FTC) has identified as desirable for industry self-regulation.  The principles set forth recommended practices for providing consumers with greater control over online behavioral advertising.

These proposed self-regulatory principles arise against a backdrop of growing political and consumer awareness of privacy issues.  FTC Chairman Jon Leibowitz has twice warned the industry that it is facing the “last clear chance” to avoid specific governmental regulation.  The FTC has stepped up enforcement action in the area, recently proposing an order against Sears that treats formal notices of Web tracking buried in fine print as “unfair” or “deceptive” under current law.

This advisory provides a brief overview of the new principles.  Businesses involved in online behavioral advertising should be aware of them and consider taking steps toward their implementation.

Of particular note is an enhancement of consumer notice and education about the collection and use of predictive profiling information, with new, easier-to-use tools for consumers to “opt out” of such collection and use by online ad networks.   In addition, the principles propose more significant restrictions on service providers—specifically, Internet service providers and providers of desktop application software such as browsers and tool bars—who would be permitted to engage in the collection and use of data for online behavioral advertising purposes only on an “opt in” basis.

The principles do not address display advertising or contextual advertising; rather, they focus on advertising targeted to the user based upon data regarding that user’s activities across various Web sites, a practice that has attracted considerable political attention.

The proposed requirements are summarized briefly below.

  • Transparency.  Online behavioral advertising will be accompanied by enhanced notice to consumers.  Among other things, the principles contemplate that a uniform link or icon indicating that behavioral data is being collected will be displayed in or around behavioral ads.  In addition, ad networks and other entities that collect and use data from others’ Web sites would be required to include notices of their online behavioral advertising practices on their Web sites, along with a mechanism for consumers to opt out of the collection and use of behavioral data.  Service providers would also be required to provide online notices of their behavioral advertising practices, and Web sites at which behavioral data is collected would be required to display links to the ad networks’ notices.
  • Consumer control.  The principles require entities involved in online behavioral advertising to provide users with a means of controlling the collection and use of data relating to them. Ad networks could satisfy this obligation by providing a means for consumers to opt out of such data collection and use.  Service providers, on the other hand, would be prohibited from collecting or using data for online behavioral advertising purposes without securing affirmative consumer consent, i.e., by deploying an opt-in mechanism.
  • Data security.  Data will be reasonably secured and discarded when no longer necessary to fulfill a legitimate business or law enforcement purpose.  This principle extends to offer reasonable assurances that the anonymization process will prevent the re-identification of anonymized profiles.
  • Material changes.  Consent is required for any retroactive material change in the use of collected data.
  • Sensitive data.  Children known to be under 13 are provided additional protections, as is health and financial data.  The principles note that what is “sensitive” information may change over time.
  • Accountability.  Enforcement of the principles will be handled principally by nongovernmental bodies, perhaps analogous to the Children’s Advertising Review Unit of the Better Business Bureau with respect to children’s advertising issues.  Enforcement mechanisms may include internal and third-party monitoring and self-reporting systems, and possible reports to the applicable government agencies in the event of an uncorrected violation.
  • Education.  Participants are encouraged to educate individuals and businesses about online behavioral advertising.  It has been reported that industry groups expect to conduct a large educational campaign—on the order of 500,000,000 impressions—over the next 18 months.

Currently key House members are drafting new legislation on online privacy.  We expect that even if such legislation is pursued, it may still provide room for effective self-regulatory programs to operate.   In the meantime, the BBB will spearhead implementation of the Self-Regulatory Principles for Online Behavioral Advertising, with an implementation program expected to be launched by early 2010.