Ad Law Access Updates on advertising law and privacy law trends, issues, and developments Wed, 29 Nov 2023 16:03:11 -0500 60 hourly 1 What We Learned From . . . New Hampshire Wed, 29 Nov 2023 12:00:00 -0500 From the Land of Lincoln, we went east to the Granite State. We met with Attorney General John Formella and Brandon Garod, Senior Assistant Attorney General, to learn about the New Hampshire Office of the Attorney General and the state’s priority of protecting seniors.

Background of the Office

The New Hampshire Attorney General (AG) is appointed by the governor and confirmed by the executive council. The AG oversees the Consumer Protection & Antitrust Bureau (the Bureau) which falls under the state’s Department of Justice.

Similar to what we’ve heard from other states, AG Formella explained that the Bureau sets its priorities based on “the needs of the state and what the state is experiencing.” The Bureau learns about these needs from a variety of sources including consumer complaints.

Additionally, New Hampshire has participated in many multistate investigations. AG Formella described multistate investigations as an “opportunity to pool resources to pursue an issue that is important not only to New Hampshire, but to the country.”

Though the Bureau does not offer a formal resolution process, the Bureau reviews the complaints and sends them to the business in order to elicit a response and a potential resolution. Garod added that if a business response does not fully address the complaint, then sometimes the Bureau will use the complaint as an opportunity to push back on a business and drill down on any potential UDAP (unfair and deceptive acts and practices) violations. Garod highlighted that the Bureau has been able to recover money for consumers and achieve results through this informal resolution process.

The Consumer Protection Act

The Bureau primarily relies on the Regulation of Business Practices for Consumer Protection (“Consumer Protection Act”). The Act provides several per se violations like “advertising goods with intent not to sell them as advertised” or using “deceptive representations of geographic origin in connection with goods or services.” According to Garod, the Bureau has both criminal and civil authority, which are both used frequently.

Under New Hampshire statues, the AG and the Bureau are authorized to conduct pre-suit investigations and can conduct depositions and request documents. While the AG and the Bureau cannot issue interrogatories, they can compel the appearance of a person to the office, put them under oath, and ask questions (similar to a deposition). Garod discussed that the Consumer Protection Act itself does not provide a statute of limitations; however, there is a statute of limitations of three years for all civil actions brought by the state.

The Consumer Protection Act can carry a hefty civil penalty of up to $10,000 per violation. Though the AG does not have the authority to obtain disgorgement, they can and often recover restitution as well as the costs of bringing the lawsuit. Garod noted that the office prioritizes obtaining restitution for its consumers as well as injunctive relief.

The Bureau can enter into an Assurance of Discontinuance (AOD) to settle claims; however, any violation of this AOD can be prima facie evidence of a UDAP violation.

Outside of the Consumer Protection Act, New Hampshire does not have specific laws to address price gouging, auto-renewals, or privacy rights (yet). Garod stated that many actions that would fall under those specific types of laws could be an unfair or deceptive act or practice under the Consumer Protection Act.

Prioritizing Seniors

AG Formella stressed that the state is prioritizing protecting seniors and combatting financial exploitation. He noted that New Hampshire is an “aging state” with the population of its citizens over 65 increasing – a common trend with other states.

The AG and the Bureau focus on seniors through the following three methods:

  • Education and outreach: Garod stated that the best way to combat illegal activity is to empower people to protect themselves through education. The Bureau has made efforts of educating financial institutions, medical providers, and other stakeholders in order to impact a diverse body of stakeholders throughout the state.
  • Investigations and Prosecution: The Bureau has revitalized its Elder Abuse and Exploitation Unit with more resources and staff.
  • Legislative Tools: RSA 631:9 criminalizes the financial exploitation of an elderly adult. The statute also empowers financial institutions to combat elder fraud and provides an extended term of imprisonment for intentionally taking advantage of a victim’s age or physical/mental disability.

The Bureau has already seen success with its education efforts, investigations, and enforcement of criminal laws against targeting seniors. Garod mentioned that the Bureau has won multiple jury trials prosecuting bad actors targeting vulnerable senior citizens.

Takeaways: States like New Hampshire are closely paying attention to consumer complaints, state trends, and nationwide concerns in determining their enforcement priorities. AG Formella’s focus on seniors is a reminder that states have special statutes and enhanced penalties that may apply where the victims are from vulnerable populations. It is crucial to have a deep understanding of each state’s laws and priorities when choosing where and how to operate your business to ensure robust compliance.


Be sure to join us on December 14 for a Conversation with NAAG and AGA Executive Directors. To register for the webinar, click here. To catch up and read the coverage of all our previous state AG webinars, click here.

NARB Reads Less Into Emojis Than NAD Mon, 27 Nov 2023 17:15:00 -0500 Earlier this year, Coca-Cola reformulated its Powerade beverage to include more electrolytes. In some ads, it boasted that the beverage now contained ​“50% more electrolytes vs. Gatorade Thirst Quencher.” One social media post featured a headline ​“Powerade vs. Gatorade Thirst Quencher” above a side-by-side comparison of the electrolyte and vitamin content of the two beverages. The caption read: ​“Don’t Underestimate our Electrolytes” followed by a flexed arm emoji. 💪

Although the claims about electrolyte content were literally true, Stokely-Van Camp – the maker of Gatorade – argued that the ads were misleading. Among other things, SVC argued that the emoji conveyed a “message that consumers who drink Powerade will be stronger than if they drink Gatorade.” In a decision that we noted could have broad implications for many ad campaigns, NAD stated that emojis could be “a powerful source of messaging” and agreed with SVC’s interpretation.

This week, the National Advertising Review Board (or “NARB”) announced that it disagreed with NAD’s conclusion that the emoji conveyed a strength claim. The decision states that “the panel does not find that the strong-arm emoji in the context of the comparative post communicates a superiority claim but merely draws attention to the fact that Powerade has increased its electrolytes, which are the core beneficial ingredients in any sports drink.”

(The panel also disagreed with NAD’s conclusion that Powerade’s electrolyte claims on labels were misleading but agreed with other parts of the NAD decision.)

Although there are certainly instances in which the use of an emoji may convey a claim, advertisers can breathe a little easier knowing that those instances may not be as many as the original NAD decision suggested. Nevertheless, advertisers should pay attention as this area of the law develops. In the meantime, you can read about other cases dealing with emojis here and here. And you can read more about the NARB’s decision here.

A Conversation with NAAG and AGA Executive Directors Wed, 22 Nov 2023 09:00:00 -0500 A Conversation with NAAG and AGA Executive Directors

December 14 | 2:00 p.m. – 3:00 p.m. ET

Join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Special Counsel Abby Stempson, and Senior Associate Beth Chun and the executive directors of The National Association of Attorneys General (NAAG) and the Attorney General Alliance (AGA) for a discussion on the significance of these organizations and state attorneys general to the business community. Guest speakers Brian Kane, Executive Director of NAAG and Karen White, Executive Director of AGA will highlight:

  • The importance of businesses understanding AG priorities which include hot topics such as:
    • Data privacy, artificial intelligence, consumer protection, organized retail crime, and cannabis
  • Each organization’s history, membership, and leadership
  • How businesses can use NAAG and AGA as a resource
  • State AG elections and other items of interest in the new year

Register Here

NAAG 2023 CP Fall Conference: Fake Reviews + Generative AI Mon, 20 Nov 2023 17:30:00 -0500 In our final installment of our NAAG 2023 Consumer Protection Fall Conference debriefing (click here for parts one and two), unsurprisingly, fake reviews and generative AI were the big topics that closed out the conference.

Fake Online Reviews

This panel was moderated by Victoria Butler, Consumer Chief of the Florida Attorney General’s Office, and Mike Wertheimer, Consumer Chief of the Connecticut Attorney General’s Office. Panelists included John D. Breyault, Vice President, Public Policy, Telecommunications and Fraud at the National Consumers League, Monica Hernandez, Senior Corporate Counsel at Amazon, Michael Ostheimer, Senior Attorney at the Federal Trade Commission, and Morgan Stevens, Research Assistant at the Center for Data Innovation.

To jumpstart the discussion, Stevens outlined different types of review concerns (some of which we have previously reported):

  • Purchasing Reviews through Non-Customer Third Party Services – paying for positive reviews, or for negative reviews for competitors
  • Incentivizing Reviews – providing some kind of benefit for a review (i.e. revenue sharing)
  • Obtaining Reviews from Family/Friends – asking close connections to post positive representations
  • Using fraudulent reviews for social activism reactions
  • Paying individual customers for positive reviews or to post negative reviews on competitor sites
  • Suppressing or unnecessarily flagging reviews
  • Relying on review baiting by only allowing or encouraging positive feedback
  • Threatening to use the legal system to attack reviewers
  • Harassing reviewers into deleting negative reviews

Stevens cited a 2016 University of Central Florida and Case Western study that showed customers are more likely to consider extremely negative reviews useful than positive reviews. Therefore, regulators are concerned that businesses are willing to pay customers to remove negative reviews as a cost for a “good investment.”

Breyault asserted that platforms have a role to play and have invested a lot in protecting integrity, and the solution to protect integrity of user reviews will require coordination from all stakeholders involved. Consumers need to learn to recognize warning signs of bad reviews and vote with their wallets. Finally, the AG community and the FTC should have the resources necessary to go after bad actors.

Breyault also recommended platforms maintain clear policies that prohibit inauthentic reviews, require that all reviews reflect honest opinions, and allow users to report abuse. The policies should outline clear consequences for violations such as removing related products, terminating, and/or withholding payment. Later, Hernandez echoed the message of working together to combat harms of fake reviews, and stated Amazon has made significant investments and created policies to address the issue.

Ostheimer referenced the updated FTC Endorsement Guides, which cover fake and incentivized reviews. The Guides also provide new specific examples on how and when reviews should include a clear and conspicuous disclosure. In addition to the Guides, Ostheimer emphasized the importance of appropriately training employees and monitoring reviews to ensure compliance.

Understanding the Consumer Impacts of Generative AI

In the final panel for the conference moderated by Rashida Richardson, Assistant Professor of Law and Political Science at Northeastern University School of Law, panelists tackled the role state consumer regulators must play to balance business innovation and consumer safety. This panel included Dr. Solon Barocas, Principal Researcher at Microsoft Research, Sayash Kapoor, a PhD Candidate at the Center for Information Technology Policy, Princeton University, and Ben Rossen, Associate General Counsel for AI Policy and Regulation at OpenAI.

Panelists discussed the concern that generative AI models are not created to be task-specific, leading to potential additional risks if not created and used carefully. For instance, questions can arise as to who owns the data used for training and how are people using generative AI in practice. Panelists also discussed the desire for transparency and aligning consumer expectations.

Rossen noted platforms have already taken a number of steps to mitigate potential harms like hate speech and fraud and called for companies to watch how people are actually using their tools and monitor closely. Rossen referenced President Biden’s recent Executive Order on AI calling for agencies and platforms to evaluate and reduce risks associated with generative AI.

Several panelists noted that the FTC should be able to regulate businesses that falsely claim their generative AI can do something, and general UDAP and Section 5 models can be used as tools to combat discrimination resulting from generative AI where appropriate. Barocas said that AG authority would likely be insulated from a challenge like the CFPB so the AGs have more room to maneuver. Richardson agreed as UDAP is a broader tool for states.

Bottom line

For best practices, remember:

  • Fake reviews can take many forms, including not disclosing incentivized reviews, purchasing positive reviews, or suppressing negative reviews.
  • Generative AI is here to stay and can provide benefits to consumers. However, consumer protection laws apply to generative AI and companies should be transparent and honest about how they obtain the data for their models, and how they are training the models for potential general use.
FTC Sends Warning Letters to Companies and Influencers Over Disclosures in Posts Thu, 16 Nov 2023 09:30:00 -0500 Earlier this year, we examined how changes to the FTC’s Endorsement Guides might affect influencer campaigns and suggested that companies may want to monitor FTC actions in this area to see what types of conduct grab the FTC’s attention. Yesterday, we got some initial clues when the FTC announced that it had sent warning letters to two trade associations – the American Beverage Association and The Canadian Sugar Institute – and 12 health influencers over their posts.

The letters start with a reminder that influencers must “clearly and conspicuously” disclose any “material connection” they have to a brand (unless that connection is otherwise clear from the context) and then summarize the FTC’s view of what constitutes a “clear and conspicuous” disclosure. With that background, FTC staff goes on to express specific concerns about the posts. Here are some of the highlights about what caught their attention:

  • Some of the posts didn’t include any disclosure or any other indication that the influencer was connected to the association.
  • Some posts included a disclosure in the description, but not in the video. The letters state that because viewers can watch the videos without reading the descriptions, “there should be clear and conspicuous disclosures in the videos themselves, for example, by superimposing much larger text over the videos.” Audible endorsements require audible disclosures and visual endorsements require visual disclosures.
  • Some of the disclosures in the descriptions weren’t sufficiently clear or conspicuous since they were truncated on TikTok and Instagram, such that viewers wouldn’t see them unless they clicked on the text. Staff also wrote that they “do not think that disclosure in a TikTok or Instagram Reels post’s text description is clear and conspicuous.”
  • Some influencers relied upon the “paid partnership” disclosure tool offered by the platforms in making their disclosures. Staff reiterated previous “concerns about the conspicuousness of such built-in disclosure tools alone” and think it is “too easy for viewers” to miss them. Those tools are not a substitute for the other disclosures the FTC wants to see in the posts.
  • Even if viewers read the “Paid partnership,” “#sponsored,” and “#ad” disclosures, FTC staff thought they might be inadequate in the context of the posts, because some of the influencers did not identify the sponsor of the posts. Viewers should know who is sponsoring the posts, not just that a post was sponsored.

The letters “strongly urge” the associations and influencers to review their posts to ensure they comply with FTC requirements and ask the recipients to respond within 15 business days. The letters also included the FTC’s Notice of Penalty Offenses Concerning Deceptive or Unfair Conduct Around Endorsements and Testimonials with a warning that the recipients – including the influencers – are “on notice that engaging in conduct described therein could subject you to civil penalties of up to $50,120 per violation.”

As we noted in our original post, making disclosures in the way the FTC outlines in the revised Endorsement Guides (and now in these warning letters) may be a departure from common industry practice, which usually involves an influencer making a single disclosure in the first few lines of a post. Companies and influencers who were waiting for FTC action before changing their practices may want to factor these warning letters into their decisions.

Diagnosis: Fake Reviews = Refunding Copays, Destroying Patients on Social Media, and Everything in Between Tue, 14 Nov 2023 13:00:00 -0500 Like we previously reported, reviews matter. The New York Attorney General (NY AG) announced a $100,000 settlement out of its Bureau of Internet and Technology with a Manhattan-based orthopedic doctor for manipulating patient reviews on multiple websites such as, ZocDoc, Google, Yelp, Vitals, Adviise, Healthgrades,, and the Better Business Bureau. The doctor’s wife also settled separately but with no monetary penalties.

According to the Assurance of Discontinuance, the doctor and his wife conducted a variety of schemes to both inflate positive reviews and suppress negative ones. Among their most egregious alleged acts:

The settlement outlines ways in which patients were misled by these deceptive reviews noting that “prospective patients would have been able to ascertain some common complaints voiced by patients . . . including poor bedside manner, poor communication, surprise charges, and not listening to patient concerns.” As such, the prospective patients were “enticed” to book appointments based on “manipulated online profiles.”

The doctor and his practice are required to pay a $100,000 penalty and to take down all fake positive reviews, and use best efforts to notify those with connections asking to remove their reviews. Attorney General Letitia James stressed that these fake reviews were “illegal and unacceptable, particularly for critical services like medical care.”

Takeaways: As we continue to report, state AGs are not slowing down, and are at the front of the fight against fake reviews. But whether it is through a multistate, the FTC, or even a consumer watchdog (like Fake Review Watch which assisted NY AG on this investigation), all eyes are on using any kind of manipulation tactic on reviews.

Stay tuned for our next state AG webinar where we will interview representatives of the National Association of the Attorneys General (NAAG) and the Attorney General Alliance (AGA).

NAAG 2023 CP Fall Conference: Advertising – Honing in on California’s Views Mon, 13 Nov 2023 13:00:00 -0500 We return to NAAG’s 2023 Consumer Protection Fall Conference for “Advertising Psychology and Law Primer.” While it lived up to its name covering many basic advertising law concepts, the panel also covered specific perspectives from California on junk fees and other advertising principles that are valuable tips to help stay off their radar. This panel was moderated by Nick Akers, Senior Assistant Attorney general at the California Attorney General’s Office and Beth Blackston, Consumer Fraud Bureau, Chief of the Southern Bureau of the Illinois Attorney General’s Office. Panelists included Rafael Reyneri, an attorney in the Division of Advertising Practices at the FTC and Michele VanGelderen, Supervising Deputy Attorney General at the California Attorney General’s Office.

Reyneri discussed basic concepts of advertising law, highlighting the recent endorsement guides amendments which were discussed in more detail in a later panel. He also pointed to recent FTC developments such as its use of notice of penalty offense authority in an effort to obtain monetary relief post-AMG. Reyneri reminded the audience that the .com Disclosures are in the process of being updated, and also highlighted the rulemaking for Junk Fees.

VanGelderen started her presentation by noting that marketers are increasingly spending money on behavioral research, which she explains shows that people use decision-making shortcuts when overloaded with information, have time pressures, or are making trivial decisions relying on heuristics to simplify decisions. She said that people choose the first product that minimally meets needs. VanGelderen then went on to describe some of their office’s positions on recent advertising cases.

Senate Bill 478 (Junk Fees)

Likely the hottest topic discussed during the panel, VanGelderen provided some insight into how the California AG’s office views the new junk fee law, which we covered here. She reminded the audience that the legislative intent was to prohibit drip pricing and that bait and switch and unbundling of prices was already deceptive under the AG’s previous authority. The purpose of the new law was to prevent ambiguity.

VanGelderen provided several examples of fees that California would find deceptive:

  • A 4% sustainability fee on all transactions would be deceptive if disclosed separately from the rest of the price.
  • Advertising a $0 delivery fee when there is actually a $3 service charge that helps operations would also be deceptive where the service itself was delivery.
  • A 5% surcharge to help pay for increased costs due to a government mandate (she framed as a “protest fee”) would also be deceptive if not included with the total price.

In a question by AG staff from Illinois, it was mentioned that a similar junk fee law may be considered in that state as well, so clearly deceptive fees continue to be on the minds of more than just California.


VanGelderen discussed multiple recent labeling cases and the office’s view of the rulings:

  • The California AG’s office wrote an amicus brief in a 2018 case on appeal related to the vitamin brand “One a Day,” but which included a recommended dosage of two gummies for certain products. VanGelderen agreed with the court’s ruling that this was an issue because reasonable consumers were unlikely to review all the details on the bottle before purchasing.
  • VanGelderen highlighted another case, in which white baking chips were shown on a bag; even though the bag didn’t say the chips were made of white chocolate, VanGelderen’s and the appellate court’s view were that this was misleading in part because consumers don’t look at ingredient labels.
  • Finally, she described a case where Manuka honey was labeled as 100% despite only being 60-70% Manuka honey. The court found the label permissible in part because FDA guidelines allowed it and that consumers would understand it is impossible to make a honey 100% derived from one source. But VanGelderen said she disagreed with this outcome -- though she admitted it is currently the law, she alluded that it may have come out differently in state court.

Nontraditional Marketing

VanGelderen described some of the more recent actions by the California AG’s office that shed light on the office’s views of advertising claims. For instance, in People v. Johnson & Johnson, et al., she described the company’s surgical mesh “surround sound marketing campaign” to create demand from patients. California considered these education awareness events and brochures to be marketing materials because the intent was to sell mesh, and alleged the company downplayed or concealed serious health risks obtaining a $362 million verdict.

In People v. Ashford et al., California said that using telemarketers branded as admission counselors was deceptive where the sales environment incentivized representatives to mislead consumers (potential students) about the costs of attendance, ability to obtain certain jobs, and transferability of credits.

Bottom line: To stay in line with California (and many other states) positions on advertising, remember:

  • Consumers may not look at the entire label – so consider accordingly.
  • Advertising can take many forms, including consumer education.
  • Don’t mislead customers about existence of fees, or what a fee is for.
NAAG CP Fall 2023: Dark Practices? Fri, 10 Nov 2023 11:00:00 -0500 On November 7, the National Association of Attorneys General (NAAG) 2023 Consumer Protection Fall Conference held its public day with a number of substantive and interesting discussions about the current state of consumer protection enforcement by the FTC and, of course, state AGs. We will be bringing you a series about the conference panels, each of which discusses a hot topic of enforcement for the coming year.

First, Attorneys General Kwame Raoul of Illinois and John Formella of New Hampshire kicked off the day with a discussion on “Dark Practices Impacting Consumer Privacy,” focusing on dark patterns with our very own Alysa Hutnik from Kelley Drye and Ben Wiseman, Associate Director of the Division of Privacy and Identity Protection with the FTC. We have previously covered dark patterns here and here and how they relate to typical UDAP claims; that sentiment was echoed throughout the morning’s panel.

AG Views

Attorney General Raoul started off self-deprecatingly, describing himself as an average consumer in regard to tech savviness, impacting his perspective regarding convenience versus vulnerability when it comes to consumer privacy and dark patterns. Attorney General Formella mentioned the struggle with trying to avoid becoming a nanny state while still protecting consumers, and compared some of the practices on the internet to having someone in a department store physically follow a person around watching everything they look at or nudging them to buy things. He posited that what we are talking about today on the internet is very similar but “in a more devious way.”

Defining Dark Patterns

Wiseman defined dark patterns for the audience and described the four types of dark patterns outlined in the FTC’s recent report, calling guarding against dark patterns the core of consumer protection and unfairness. Hutnik elaborated that the common theme in the FTC’s report are common unfair and deceptive acts and practices concepts – failing to conspicuously disclose material information, but noted the struggle in identifying what is material to consumers and when there may be an adverse impact. Importantly, businesses should consider whether their practices would frustrate or surprise a consumer in a negative way.

Data Collection

General Formella moved the discussion, asking what type of data companies are collecting and what they are doing with the data. Hutnik explained that companies want positive and continuing relationships with their customers/consumers and to provide them with what they are interested in. Businesses also need to account for the obligation to be clear about their data practices, and any data sharing needs to address privacy obligations. Wiseman agreed that there can be benefits to certain data collection practices, but as consumers increasingly transfer their lives online, there is an increase of sensitive information and monetization of data without much regulation. General Raoul asked about consumer attitudes on data privacy and notices, and Wiseman said several recent studies have shown consumers are not satisfied with the current notice and consent regime. However, Hutnik noted that companies are making significant changes in response to recent state comprehensive privacy laws, and consumers are showing up with loyalty for companies that are upfront and responsible with consumer data, with user-friendly privacy options available to the consumer. Hutnik also pointed out the significant investment some of these businesses have been making in data management infrastructure to be able to comply with these laws and deliver a better user experience for consumers.

As far as privacy goes, Wiseman said that the FTC is looking increasingly to unfairness to handle these issues. But Hutnik responded that not every state has unfairness, but with comprehensive privacy laws cropping up in so many states, the challenge for businesses is looking ahead and building data strategies that account for the regulatory trend line. Attorney General Formella chimed in that New Hampshire is on the verge of passing their own comprehensive privacy law, with the legislature already committing resources to enforce.

FTC Enforcement

General Formella asked about the FTC’s priorities regarding enforcement in the area. Wiseman responded that the dark patterns report shows a lot of examples. During the panel, he referenced Vonage, BetterHelp, GoodRX, and Epic Games as recent examples of FTC enforcement in the area of dark patterns. While most people recognize Epic Games as a COPPA case, Wiseman specifically pointed to the design choices regarding unauthorized charges of “V-bucks” where the company changed its “undo” button to be less prominent after testing revealed it would reduce consumer clicks. He also discussed the state AGs’ Google location tracking practices matter which Wiseman said included dark patterns in hiding material information and inducing false beliefs regarding settings.


As Hutnik explained, businesses should keep the following in mind when it comes to dark patterns and privacy:

  • Tell consumers the truth and they tend to come back. It’s a long game.
  • Monitor consumer complaints for trends to determine whether you have an unintentional design issue that is leading to consumer frustration.
  • Consider whether you truly need sensitive information for your business, and in any event align any collection and use with consumer expectations.

And from Wiseman’s perspective, businesses should look to these resources to assist with compliance:

  • 2022 Dark Patterns Report, which includes an appendix of prior enforcement
  • Enforcement orders as well as complaints, because they give insight into how the FTC views practices and where they may become unlawful
  • Current rulemaking efforts related to dark patterns: Negative Option and Junk Fees

To sum it up, both Hutnik and Wiseman agree that businesses should compete based on privacy for the benefit of consumers.

Chargebacks911 Settlement Highlights FTC and AG Scrutiny of Chargeback Mitigation Practices Thu, 09 Nov 2023 10:00:00 -0500 This week, the FTC and Florida AG announced a settlement with Chargebacks911, a chargeback mitigation company that touted its ability to help companies respond to and reverse consumer credit card disputes. The FTC and Florida AG sued the company in April 2023, alleging that Chargebacks911 used deceptive techniques to contest chargebacks and lower clients’ chargeback rates.

The chargeback mitigation practices specifically described in the complaint as unfair under Section 5 of the FTC Act and the Florida UDAP statute involve:

  • Using inaccurate documentation to challenge chargeback requests. For example, the complaint alleges that Chargebacks911 submitted screenshots of terms and conditions pages that did not actually exist on the websites that consumers used to purchase the disputed product. In other instances, Chargebacks911 is alleged to have affirmatively edited website screenshots to add disclosures that did not appear in the original purchase flow.

The complaint alleges that Chargebacks911 ignored obvious red flags that should have put it on notice of its clients’ problematic practices. For example, some of the company’s clients sold products through hundreds of separate merchant accounts over a relatively short period of time. In other instances, the brand of the product under dispute conflicted with the branding depicted in the documentation disputing the chargeback. Additionally, Chargebacks911 is alleged to have continued unsubstantiated chargeback disputes despite being put on notice that the FTC was investigating several of its clients for deceptive negative option practices.

  • Using “microtransactions” to artificially lower a client’s overall chargeback rate. The complaint alleges that Chargebacks911 helped clients run numerous small-value transactions, known as “microtransactions,” in order to artificially inflate the overall number of transactions processed through their merchant accounts and thus lower their chargeback rates. (The chargeback rate is calculated by dividing total chargebacks by the total number of transactions within a monthly period.)

Notably, Chargebacks911 assisted three companies that the FTC has targeted in recent years for engaging in deceptive negative-option marketing (Apex Capital, F9 Advertising, and AH Media Group). According to the complaint, Chargebacks911 disputed over one hundred thousand chargebacks on behalf of those three clients over a four-year period. It appears from the complaint that Chargebacks911’s practices likely came under scrutiny as part of the agency’s investigation into these other entities’ activities.

The settlement, which includes two individual officers, bans the company from providing chargeback mitigation services to companies selling cosmetics, dietary supplements, or drugs through negative option features and using affiliate networks to generate customers. (The order makes exceptions for publicly traded companies or companies with annual revenues over $100 million.) The order further prohibits Chargebacks911 from contesting consumer disputes using materials it knows or should know are inaccurate or misleading, and from engaging in practices that would artificially lower chargeback rates. The order requires a $150,000 payment to the Florida AG.

The take-away: chargeback mitigation services should never be used to suppress legitimate consumer disputes or circumvent card networks’ fraud monitoring systems. Companies offering these services should ensure the bases for disputes are reasonably supported and do not raise obvious red flags. Simply accepting documentation provided by clients while ignoring clear inconsistencies and suspicious behavior will not stave off federal or state scrutiny.

CFPB Issues Proposed Rule to Expand Supervisory Authority, Conduct Examinations of Digital Wallets and Mobile Payment Apps Wed, 08 Nov 2023 14:00:00 -0500 Yesterday, the Consumer Financial Protection Bureau (CFPB) released a notice of proposed rulemaking that would allow the agency to supervise and conduct examinations of certain non-bank providers of digital wallets and payment apps. The move is intended to address perceived “regulatory arbitrage by ensuring large technology firms and other nonbank payments companies are subjected to appropriate oversight,” according to CFPB Director Rohit Chopra.

While the Bureau has always had enforcement authority over digital wallets and payment apps, the proposed rule would newly authorize the Bureau to “supervise” the providers, including by conducting periodic examinations, which can include on-site or remote inspections, review of company compliance policies and procedures, testing transactions and accounts, and evaluating management and recordkeeping systems. Examinations may result in supervisory letters, compliance ratings, or, if inspectors identify perceived legal violations, enforcement actions with fines and civil penalties.

The Bureau’s proposed rule – its sixth effort to supervise nonbank providers of financial services – comes as an increasing number of financial transactions occur outside the traditional banking system. “Payment systems are critical infrastructure for our economy,” Director Chopra said in a press release announcing the new rule. “These activities used to be conducted almost exclusively by supervised banks” and the proposed rule is intended to require fintech providers to “play by the same rules as banks and credit unions.”

The rule would open up supervision and inspection for “larger participants” offering “general-use digital consumer payment applications,” including digital wallets, payment apps, funds transfer apps, person-to-person (P2P) payment apps, or similar. The proposed rule notes that subject entities would be examined for compliance with federal consumer financial laws and their prohibition against unfair, deceptive, and abusive acts and practices, the privacy provisions of the Gramm-Leach-Bliley Act and Regulation P, and the Electronic Fund Transfer Act and Regulation E, amongst other laws.

The rule would only apply to companies that the CFPB defines as “larger participants” and proposes a threshold of companies that process five million transactions in a year (including affiliated companies) that are not considered a “small business concern” by the Small Business Administration. The Bureau estimates that 17 providers of general-use digital consumer payment applications would currently meet the proposed threshold and that those providers handle roughly 88% of known transactions in the nonbank market for general-use digital consumer payment applications. Notably though, those numbers are just estimates – and could be based on incomplete or inaccurate data. Either way, that number is likely to grow as fintech transactions continue to grow in popularity.

A few additional highlights on scope and key definitions:

  • The proposed rule applies to larger participants providing a “covered payment functionality through a digital application for consumers’ general use in making consumer payment transactions.”
  • A “covered payment functionality” is a “funds transfer functionality,” a “wallet functionality” or both. Wallet functionality is defined broadly to include any product or service that stores account or payment credentials, and that transmits, routes, or otherwise processes such stored account or payment credentials to facilitate a consumer payment transaction.
  • “Digital applications” are defined as software programs run from a personal computing device, like a mobile phone, watch, or a tablet. The application should be available for “general use,” meaning it does not have significant limitations on its use for consumer payment transactions. According to the proposed rule, if the application can only be used to buy a specific category of products or services (i.e., transportation, lodging, food), it does not meet the definition of general use.
  • The proposed rule defines “consumer payment transactions” to include paying another person for a “personal, family, or household purpose” and to exclude international money transfers or foreign exchange transfers, or a transaction conducted by a person for the sale of goods/services at that person’s store or marketplace.

The Bureau solicits comments on all aspects of the proposed rule, as well as specific definitions and limitations, and will accept comments until January 8.

Know Your Fake Reviews: State AGs Signal Enforcement Tue, 07 Nov 2023 11:00:00 -0500 Reviews Can Drive Business

Reviews matter. In a survey conducted by Yelp, 83% of consumers who read reviews say they trust online reviews about local businesses. However, fake reviews may mislead consumers. Recently, there was media attention around a one-night-only restaurant in New York City that arose from fake reviews. The idea for a restaurant spawned from a joke. A group of friends had renamed (on Google Maps) the house they lived in to “Mehran’s Steakhouse” and left reviews about the “restaurant.” It was not an established “restaurant” at the time, though some of the reviews suggested otherwise. “Mehran’s Steakhouse” had 91 reviews and a near-perfect Google rating. The friends set up a website and created a waiting list, where over 900 people signed up. Eventually, the friends put together a one-night-only dining experience. They obtained a liquor license, food handling permits, printed menus, and set up a number of “fake”-themed performances (e.g. fans of the artist, Drake, stood outside the restaurant holding posters to get Drake’s attention, though Drake was not there; a fake proposal occurred in the dining room).

Though this was an isolated and arguably amusing incident, there are greater harms that regulators, such as the FTC and state AGs, consider in how they’re approaching fake reviews.

AGs Comment on Rules for Unfair or Deceptive Reviews in NPRM

In July, the FTC published its NPRM on “banning fake reviews and testimonials.” We have previously summarized the proposed prohibitions of the NPRM.

Last month, a bipartisan group of AGs of 21 states and the District of Columbia led by the D.C., Illinois, and Pennsylvania AGs also submitted a response to the FTC’s NPRM. The comment generally commends the FTC for the proposal and provides recommendations specific to the “Review Suppression” sections of the proposed Rule based on the AGs’ experience from consumer protection cases. The AGs make two main recommendations:

First, the AGs agreed with the FTC that merchants shouldn’t retaliate against consumers who post negative reviews, particularly with threats and/or legal action against the consumer. The AGs stated that such action could have a chilling effect by bullying consumers into removing their reviews. Current language in the NPRM defines unlawful review suppression as including an “unjustified legal threat or a physical threat, intimidation, or false accusation.” The AGs recommend, however, that the FTC change the language from “unjustified” to “unfounded, groundless, or unreasonable,” to provide greater clarity and a more objective legal standard. They also recommend adding a standard to differentiate between enforceable and unenforceable NDA and similar agreements to allow for “bona fide legal threats” regarding enforceable agreements. The AGs provide a reminder that both they and the FTC can enforce the Consumer Review Fairness Act (CRFA) prohibiting certain contracts that impede consumer reviews. Further, the letter notes that AGs, such as the D.C. AG, have taken the position that NDAs used to quash reviews may violate state consumer protection laws, citing the Smile Direct Club action as an example. The AGs point out that using the word “unjustified” in the current version of the rule may present a problem where businesses assert “that their legal threats were justified by their NDAs” which should have been unenforceable by the CRFA in the first place.

Second, the AGs further addressed review suppression and agreed with the FTC that by not posting both positive and negative reviews, a merchant is potentially misleading consumers. As written, the proposed Rule prohibits a company from indicating that reviews are representative when in reality, reviews are being suppressed based on their ratings or their negativity. The AGs recommend deleting the phrase, “based on their ratings or their negativity,” claiming it is both redundant and that it may create an unintended loophole. The AGs point out that without removing that phrase, companies may try to circumvent the Rule by suppressing a review not because it is negative, but because it violates “contracts or policies.” The AGs believe “legitimate suppression” would still be permitted for businesses under other parts of the proposed Rule.

The AGs conclude by strongly endorsing the NPRM and say they “look forward to continuing [their] partnership with the FTC.”

These comments should serve as a reminder and warning that not only are state AGs also paying attention to the impact of consumer reviews and the potential deceptive practices, but are advocating for even stronger positions than the FTC. Whether it be through the Consumer Review Fairness Act or their state UDAP laws, we can anticipate the states will be looking for potential enforcement targets given the increase in consumer reliance on reviews in making purchasing decisions.

NAD Decision Provides Guidance on Disclosures for Endorsements Mon, 06 Nov 2023 09:00:00 -0500 NAD recently issued a decision in a challenge that Bath & Body Works (or “B&BW”) brought against Goose Creek that touches upon a number of common issues advertisers face. The decision covers a lot of ground, and yesterday we focused on issues related to comparative claims against unnamed competitors. In this post, we’re going to focus on a few issues related to disclosures for endorsements.

B&BW challenged videos on Goose Creek’s website and social media channels which featured blindfolded people who smelled and commented on Goose Creek and competitor candles. B&BW argued that although the people in the videos were paid actors, viewers were likely to believe that they were actual consumers, with no connection to the company. NAD agreed that this was a likely interpretation.

Goose Creek argued that it clearly disclosed that some of the people in the videos were endorsers. For example, a banner accompanying some videos disclosed that the video “includes paid promotion.” And a disclosure on the company’s YouTube page further states that “some videos may contain paid endorsements, paid promotions, or paid performance by actors.”

NAD concluded that Goose Creek’s disclosures were not sufficient for a number of reasons. For example, the banner stating “includes paid promotion” does not “adequately disclose that the individuals featured are actors and not real consumers.” Moreover, the disclosure that “some videos may contain paid endorsements, paid promotions, or paid performance by actors” also fails because it doesn’t indicate “which specific videos contain which type of endorsement.”

NAD recommended that any Goose Creek videos, ads, marketing emails, or social media posts “featuring actors portraying consumers be modified to clearly and conspicuously disclose in both audio and video the fact that actors have been employed in the videos.”

NAD also considered videos posted by a vlogger who reviewed Goose Creek candles. Although, the vlogger is currently a designer for Goose Creek, none of the videos disclose a connection between the parties. NAD recommended that Goose Creek instruct the vlogger “to modify any video created after the date of employment with Goose Creek to include a material connection disclosure that is clear and conspicuous in audio and video, keeping in mind that clear and conspicuous means unavoidable or difficult to miss.”

This analysis is generally consistent with previous NAD precedent and themes in the current version of the FTC’s Endorsement Guides, so there aren’t any surprises here. Still, this case serves as an important reminder that companies don’t just have to worry about the FTC examining their compliance with the Endorsement Guides – competitors may do the same, and they may turn to NAD for help.

NAD Decision Provides Guidance on Claims Against Unnamed Competitors Mon, 06 Nov 2023 08:30:00 -0500 NAD recently issued a decision in a challenge that Bath & Body Works (or “B&BW”) brought against Goose Creek that touches upon a number of common issues advertisers face. Although the decision covers a lot of ground – B&BW challenged a combination of 18 express and implied claims – in this post, we’re going to focus on a few issues related to comparative claims against unnamed competitors.

Can claims against unnamed competitors be considered claims against specific competitors?

Goose Creek advertised that its “body care products are clean, cruelty-free, vegan, non-GMO & dermatologist tested” and encouraged consumers to “avoid the harmful chemicals found in other body care products.” B&BW argued this falsely implied that their products were harmful, even though Goose Creek never mentioned B&BW (or any other company) by name.

The first question is whether generic claims against “other products” can be considered to be claims against specific products. The answer is “yes.” NAD noted that “it is well-established that an advertiser need not mention a particular competitor specifically in order for the claim to be considered comparative to a rival company” and determined Goose Creek’s ads could convey a claim against B&BW’s products.

Notably, in other cases in which NAD has come to a similar conclusion, NAD often based its decision on the fact that the challenger was a “market leader,” such that consumers would likely assume the claim referred to the challenger. This decision doesn’t address whether NAD thought the B&BW held that status, so it’s not clear whether they are simply following previous precedent or expanding on it.

Ultimately, NAD held that Goose Creek couldn’t substantiate its broad claim. NAD scrutinizes “denigrating claims to ensure they are truthful, accurate, narrowly drawn, and do not falsely disparage a competitor’s product.” In this case, although two ingredients found in B&BW products could allegedly cause irritation or allergic reactions, Goose Creek went too far by calling them “harmful.”

How should a company substantiate claims against unnamed competitors?

Goose Creek also advertised that its candle fragrances “beat the competition” and are “so much stronger than other store brands.” In evaluating this claim, NAD started with the premise that “when an advertiser makes a comparative claim against all other competitors, it is well-established that they must support that claim against the top 85% of the competitive market.” (Click here for another recent decision on point.)

In this case, it appears that Goose Creek may not have tested against any specific competitors. Instead, the relied on a clinical study on emissions from burning candles in which the authors asserted that “most candle companies use a 5% fragrance load in their products.” Goose Creek also provided test results from three fragrances of Goose Creek candles showing they carried a 10-14% fragrance load.

NAD thought the substantiation was insufficient for two reasons. First, the study’s authors didn’t cite any authority to support their assertion of the typical fragrance load. Because NAD dismissed the study in only one sentence, there isn’t much detail, but this shows that simply relying on a third party study isn’t always enough. Second, NAD noted Goose Creek’s tests on the fragrance loads of three of their candles were not enough to substantiate a claim for all of their candles.

More to Come

Some advertisers assume that making a claim against unnamed competitors is easier or less risky than naming a specific competitor, but this case shows that’s not always true. Not only can you still be challenged by a competitor, but your substantiation requirements can be more expansive.

In our next post, we’ll look at another issue NAD considered in this case: disclosure requirements for endorsements.

FTC Alleges FinTech Provider Engaged in Dark Patterns, Concealed Fees for Cash Advances in Reaching $18 Million Settlement Fri, 03 Nov 2023 11:28:00 -0400 The FTC yesterday filed a complaint and stipulated order against Bridge, It (dba “Brigit”), a fintech company that operates a personal finance mobile application that advertises cash advances to consumers. According to the complaint, Brigit targeted low income consumers with offers for short-term cash advances of “up to $250” if they enrolled in a $9.99 per month membership program. The FTC alleged that only approximately 1% of customers actually received access to the $250 advance and approximately 20% were denied access to cash advances entirely.

Followers of the FTC (and this blog) will recognize common recent enforcement themes from other actions: most notably, hidden fees and dark patterns that allegedly made it difficult for consumers to cancel their subscription. A few substantive notes on the FTC’s allegations:

  • Up to” claims. The complaint highlights Brigit’s claims that consumers could get “up to $250” with “no credit check” and “no interest.” The FTC did not bring allegations related to the latter two claims. As to the “up to $250” claim, the FTC has long acknowledged that “up to” claims do not require everyone to attain the represented maximum result, but cases and guidance have varied over time on what percentage is necessary to support an “up to” claim. Context is key too. Here, taking the FTC’s facts as true (which Brigit disputes in a press release responding to the complaint), 1% of customers being eligible to receive the $250 cash advance would fall well below established principles requiring, at minimum, an “appreciable number” of consumers to achieve the maximum represented benefit.
  • “No hidden fees.” The complaint also addresses the company’s claims that the cash advance was available without “hidden fees” and alleges this to be false and misleading because: (1) it charged consumers an additional $0.99 fee for “express delivery” of the cash advance; and (2) it required consumers to maintain their $9.99/month subscription while their cash advance was still being paid off.
  • Alleged dark patterns. The FTC repeated a common recent allegation against Brigit by alleging that it engaged in dark patterns by making it difficult for consumers to cancel their monthly subscription, including by: (1) refusing to honor cancellation requests made through email or chat; (2) forcing customers to navigate through a number of pages on the mobile application and then navigate back to the Brigit website to cancel; and (3) forcing customers to select a reason for cancellation prior to honoring the request; and (4) using repeated, more prominent calls to action to encourage customers to inadvertently retain their membership.

The complaint alleges separate counts for deception and unfairness, along with violations of the Restore Online Shoppers’ Confidence Act (ROSCA). As we’ve discussed in previous posts, the FTC is increasingly relying on ROSCA (along with the Gramm-Leach-Bliley Act and other avenues) as a mechanism to obtain money post-AMG Capital Management. And as we discussed here, the FTC has proposed to significantly expand its ability to obtain civil penalties and monetary relief in connection with automatic renewal and repeat delivery contracts by proposing to overhaul the Negative Option Rule. Here, the settlement requires Brigit to pay $18 million and imposes far-reaching injunctive relief that prohibits certain misrepresentations and lays out how Brigit will be required to obtain consumers’ affirmative consent to any negative option offers going forward.

Safeguards Snafu? The Anomalous New Provision in the FTC’s Gramm-Leach-Bliley Safeguards Rule Tue, 31 Oct 2023 15:00:00 -0400 Last week, the FTC announced that it had finalized its rulemaking to add data breach notification provisions to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. As expected, the new provisions require non-bank financial institutions to provide notice to the FTC of data incidents meeting certain thresholds and detail the trigger for, and content and timing of, the notice. The FTC’s proposal elicited only 49 comments, perhaps because most stakeholders thought that the new requirements were inevitable and would be fairly routine. After all, the federal banking agencies have long required data breach notification under GLBA, every state in the country has a data breach law, and the Commission was only proposing that notice be given to the FTC, not to consumers.

However, there’s a surprising feature in the data breach provisions as finalized. In particular, the FTC added a new definition of “notification event,” which will now serve as the trigger for notification. The new definition states, in relevant part:

  • Notification event means the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.

By contrast, as originally proposed, the Rule would have tied the data breach notification provisions to the Rule’s existing definition of “security event,” which reads:

  • Security event means an event resulting in unauthorized access to, or disruption of misuse of, an information system, information stored on such information system, or customer information held in physical form.

This change is far more significant than it may look at first glance. It also conflicts (at least partially) with the privacy provisions of GLBA, and is likely to create confusion. Here are more details about the consequences of this change:

The new definition more clearly covers both data security breaches and unauthorized disclosures of data.

Following in the footsteps of the FTC’s proposal to amend the Health Breach Notification Rule (HBNR), the new notification trigger, by focusing on the concept of “unauthorized acquisition,” seems designed to cover, not only data security breaches, but also unauthorized data disclosures. While the HBNR proposal is explicit on this point, the materials accompanying the final Safeguards Rule don’t mention it. Instead, the Statement of Basis and Purpose (SBP) accompanying the Safeguards Rule explains that the new definition was necessary to avoid a confusing reference to data misuse in the original proposal.

The new definition requires notice to the FTC for any disclosure not authorized by the consumer. This conflicts (at least partially) with the privacy provisions of GLBA.

Use of the phrase “without the authorization of the individual” in the Rule’s new definition of “notification event” means that an acquisition of data isn’t authorized (and thus requires notification) unless it’s authorized by the consumer. Further, the term “authorization” is often understood to mean affirmative express consent (opt in), although the final Rule doesn’t say that, or even discuss the issue. (By contrast, the FTC asks questions about the meaning of “authorization” in its HBNR proposal.)

If “authorization by the consumer” means opt in, then the new trigger for notification is at odds with the privacy provisions of GLBA. That’s because GLBA specifically allows the disclosure of covered data to an affiliated entity without consumer consent, and to third parties pursuant to an opt out. Further, even if “authorization of the individual” is considered to encompass the GLBA opt out for disclosures to third parties, it still clashes with the GLBA provisions governing disclosures to affiliates.

So how can disclosures to affiliates and (maybe) third parties be treated as unauthorized for data breach purposes when they’re specifically authorized under the law? And where in GLBA does the FTC find authority for its new breach notification trigger? The SBP doesn’t answer these questions.

The new definition creates inconsistencies within the Rule itself.

Following this latest amendment, the Safeguards Rule now includes two different definitions of a breach (or breach-like event), each with its own requirements.

The first definition – “security event” (see definition above) – still appears in the Rule as something companies must avoid, plan for, respond to, and report on as part of their data security programs. This term also implicitly links to the term “authorized user,” which the Rule defines as “an employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data,” and which would encompass affiliates and third parties that acquire data in compliance with GLBA. Thus, in the data security portion of the Rule, companies need not defend against disclosures of data that comport with GLBA because such disclosures are authorized.

The second definition – “notification event” – triggers the new data breach notice requirements. Because this definition turns on whether the consumer has authorized the disclosure of data, it sets up a different (and broader) standard for breach notification than for the Rule’s data security obligations. Read literally, it would also require notice to the FTC even for disclosures to affiliates and (possibly) third parties that comply with the privacy provisions of GLBA.

Even apart from the legal questions raised by these competing definitions, they are bound to create confusion. For example, to follow the Rule as written, companies may need to develop two breach notification plans – one for “security events” and another for “notification events.”

Looking Ahead

We have yet to see how the FTC will enforce the new provisions of the Rule. Many of them (e.g., regarding the format and timing of the notice) appear straightforward and, as noted above, the FTC is only requiring notice to itself, not to consumers.

However, if the FTC tries to enforce the new provisions in a way that conflicts with GLBA (i.e., claiming that disclosures of data that comport with GLBA should nevertheless trigger notice to the FTC), it will likely have some trouble. Companies will be able to point to conflicting requirements in the law, as well as in other parts of the Rule (including the definition of “authorized user”), to counter such an interpretation.

Health Data Coding Error Costs Inmediata $1.4 Million with AGs Wed, 25 Oct 2023 09:00:00 -0400 We posted just last week about the Blackbaud multistate settlement, and as we have discussed, health privacy remains a hot topic and is already back in the news. On October 17th, 33 AGs led by Indiana, announced a multistate settlement in the form of a judgment with a Puerto Rico-based health care clearinghouse, Inmediata, for what the AGs alleged was a failure to appropriately safeguard data and a delayed and flawed notification to consumers of a coding issue. As a result, the states said protected health information (PHI) of approximately 1.5 million consumers was exposed to public online searches for almost three years. The AGs alleged, among other things, violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule and its Breach Notification Rule.

Although the U.S. Department of Health and Human Services’ Office for Civil Rights is the most well-known enforcer of HIPAA compliance, state AGs have played a growing role in enforcing compliance with HIPAA’s Rules. In 2009, the Health Information Technology for Clinical and Economic Health (HITECH) Act authorized state AGs to bring civil actions on behalf of state residents impacted by violations of the HIPAA Privacy and Security Rules, as well as its Breach Notification Rule. The Connecticut AG was the first to exercise this enforcement right in 2010 against Health Net Inc. for a security breach involving private medical records and financial information. While much attention has been given to the passage of recent broad comprehensive state privacy laws and those specific to health, such as Washington’s My Health My Data Act and Connecticut’s recent amendments to its data privacy law adding provisions specifically related to health data, it is important to remember that states may also have specific laws that are similar to HIPAA but include more expansive definitions, such as the Texas Medical Records Privacy Act.

Here, the AGs alleged that Inmediata violated HIPAA’s obligations by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law. The settlement requires Inmediata to pay a $1.4 million fine, divided among the participating states, and requires the company to implement strong security practices going forward. This is just the most recent example of the increasing activity by state AGs utilizing their HIPAA enforcement authority. We will keep you apprised of any developments in this area as they unfold.

California: Changes to Consumer Protection Authority Tue, 24 Oct 2023 08:30:00 -0400 California has a new tool in the toolbox when it comes to remedies available for certain consumer protection law violations. The governor of California recently signed legislation adding the remedy of disgorgement for AG actions under false advertising and unfair competition laws (Consumer Laws), which would require a party to repay all amounts obtained through illegal or wrongful acts. In addition, the law created a Victims of Consumer Fraud Restitution Fund (Fund) to help make victims whole in consumer protection lawsuits brought by the California Attorney General. The Fund is funded through payments made by those who violate consumer protection laws, and not through taxes or fees charged to law-abiding businesses.

Starting January 1, 2024, in an action brought by the California AG pursuant to Consumer Laws, the court can award disgorgement in addition to other remedies already provided for in those statutes, which include the often confused remedy of consumer restitution. The difference between the two remedies is one of focus; restitution focuses on how much the victims were harmed by the conduct, while disgorgement focuses on what the wrongdoer gained as a result of the illegal conduct. Of importance, disgorgement does not require a showing of the specific harmed consumers that need to be compensated, making it an attractive, flexible remedy for enforcers.

When determining whether to award disgorgement, the court shall take into account the amount of civil penalties and consumer restitution awarded, “in addition to other appropriate factors.” Currently, the California AG has authority to seek civil penalties of $2500/violation. The funds recovered as disgorgement shall be deposited into the new Fund, established in the State Treasury. Monies in the Fund may, upon appropriation by the legislature, be used by the AG to provide restitution to victims of acts or practices for which consumer restitution has been ordered but not paid in an action brought by the AG pursuant to the Consumer Laws. Should the AG recover funds from a defendant after payment from the Fund has been made, the AG can reimburse the Fund.

California Attorney General Bonta sponsored this bill, declaring that it is a game changer and will allow consumers to get restitution when a business has been successfully prosecuted, but becomes insolvent. Companies should take note that the flexibility to obtain disgorgement will likely give California greater authority to obtain additional monetary recoveries in the state’s actions. Disgorgement however is specific to AG actions which necessarily excludes California District Attorney and private actions. Because a “violation” for penalty purposes and “appropriate factors” under the new statute are undefined, it will be worth watching how California wields this new source for payment when it comes to negotiating resolutions. We also note that several other state AGs already claim disgorgement authority (which the FTC currently lacks). See, e.g., New York and Texas.

As California is a very active state when it comes to consumer protection, one can assume that this new tool will be used to a great extent, and that California will want to quickly ensure that the Fund maintains a robust amount of money to be used in future enforcement matters.

New Gmail Marketing Requirements Will Impact Most Advertisers Fri, 20 Oct 2023 15:00:00 -0400 This month, Google announced that it would soon implement new requirements for “bulk senders” – defined as senders who send more than 5,000 messages to Gmail addresses in one day – that will likely impact most companies that send marketing emails.

By February 2024, Gmail will start to require that bulk senders:

  • Authenticate their email: Bulk senders will have “to strongly authenticate their emails following well-established best practices” outlined by Google.
  • Enable easy un-subscription: Bulk senders will have to give Gmail recipients the ability to unsubscribe from commercial email in one click, and they will be required process unsubscribe requests within two days.
  • Ensure they’re sending wanted email: Google will enforce a clear spam rate threshold that senders must stay under to ensure Gmail recipients aren’t bombarded with unwanted messages.

Google advises companies “to follow the guidelines in this article as soon as possible. Meeting the sender requirements before the deadline may improve your email delivery. If you don’t meet the requirements described in this article, your email might not be delivered as expected, or might be marked as spam.”

Notably, these are not legal requirements, but given that Gmail remains the most popular email platform with over 1.8 billion users worldwide, these requirements will likely impact most advertisers.

SharkNinja Faces Heat Over Temperature and Non-Stick Claims Thu, 19 Oct 2023 08:00:00 -0400 In 1985, Bon Jovi released their second studio album, 7800° Fahrenheit. As a good New Jersey resident with good taste in music, I bought the album. I remember learning that the title supposedly referred to the melting point of rock, though I don’t remember if I ever attempted to verify that fact. (I also don’t remember how people verified facts before the advent of the internet.)

About 35 years later, SharkNinja released a line of cookware that is purportedly manufactured at 30,000° Fahrenheit. New Jersey resident Patricia Brown purchased two of the pans. She later used the internet to attempt to verify the claims and learned that 30,000° F is three times the surface temperature of the sun and that the melting point of aluminum is 1,220° F. That made her suspicious.

You may ask – as eventually did Ms. Brown – why you’d buy a pan with maximum manufacturing temperature of 30,000° F when you could buy one with a maximum manufacturing temperature of 900° F for less money. SharkNinja has an answer: “the difference is in the degrees,” and unlike cookware that is manufactured at cooler temperatures, theirs “never sticks, chips, or flakes.”

(You may also ask – as immediately did I – whether you could use a SharkNinja pan to melt rocks. SharkNinja has an answer to that, too: the pan is only “oven safe to 500° F,” so probably not. In that case, it’s best to leave melting rocks to professionals, like Jon and the band.)

Ms. Brown filed a lawsuit arguing that SharkNinja’s claims are false and that the claims violate (a) the laws of New Jersey and (b) “the laws of physics and thermodynamics.” (Only the former have a private right of action.) In support of her allegations, Ms. Brown cites a 2021 case in which NAD reviewed SharkNinja’s “never stick” claims. The temperature claims weren’t part of the challenge.

NAD had several concerns with the company’s test methodology. For example, SharkNinja only conducted tests with one food: scrambled eggs. NAD determined that SharkNinja “did not provide sufficient support that scrambled eggs are representative of all the types of foods that consumers typically cook in nonstick pans.” Although NAD didn’t opine on how many foods or variables had to be tested, one was not enough. Accordingly, NAD recommended that SharkNinja drop the comparative claims.

We’ll have to wait to see whether SharkNinja uses the same protocols to support its comparative claims in this lawsuit or whether it has expanded its testing to address NAD’s concerns. It’ll be interesting to see whether the court relies on the 2021 NAD decision when evaluating those tests. It’ll also be interesting to see whether the court delves into the substantiation for the 30,000° Fahrenheit claims. Otherwise, unless Bon Jovi uses that for a new album title, we may never know.

What We Learned From … Illinois Wed, 18 Oct 2023 10:00:00 -0400 Our State AG webinar series continues. After spending time in the Centennial State, we went east to the Land of Lincoln. We met with Illinois Attorney General Kwame Raoul, Susan Ellis, Consumer Protection Division Chief, and Lyle Evans, Chief of Investigations, to learn about the office, their priorities, and more about Organized Retail Crime and the INFORM Consumers Act. Highlights of what we learned are recapped below.

Background and Priorities of the Office

Illinois’ primary consumer protection statute is the Consumer Fraud and Deceptive Business Practices Act (CFA). The state also has a Uniform Deceptive Trade and Practices Act but it is bootstrapped into the CFA. The CFA is primarily a civil law with some criminal penalties, and is enforced by the AG and county state attorneys. There is also a private right of action.

The CFA authorizes the AG’s office to conduct pre-suit investigations which could include a civil investigative demand (CID) or subpoena depending on whether they want to ask interrogatories (a CID allows the state to ask for more information while a subpoena requires the business to appear in court or hand over specified documents). Although the CFA does not state whether the party can object or set aside a CID, under Illinois’ Rules of Procedure, the party could file a motion to quash if needed. The office does not need to provide any pre-suit notice to the proposed defendant.

According to Ellis, the office can enforce compliance with a CID through a variety of ways – such as filing an enforcement action and asking for a “broad swath of relief” from the court. This may include restraining a business from certain conduct until they respond, suspending their authority to do business in the state, etc. There is no statute of limitations for the AG to bring a violation under the CFA in contrast to the three-year limit for private right of actions.

The CFA allows the office to receive up to $50,000 total as a civil penalty with some potential enhanced penalties if the allegations include vulnerable populations. However, the civil penalty can increase to $50,000 per violation if the office can demonstrate intent.

Ellis also noted that the office receives around 20,000 consumer complaints annually and has designated staff that handle informal resolutions for those complaints. These consumer complaints are attainable by a public records request though they are redacted to remove name and contact information.

Organized Retail Crime

Since the pandemic, AG Raoul explained that organized retail crime (ORC) has continued to increase resulting in losses up to billions of dollars annually. He noted that bad actors tend to target big box stores, pharmacies, hardware stores, auto dealerships, and other retailers, and resell stolen goods below market value on online marketplaces. General Raoul said that some of the profits from ORC are frequently connected to human, gun, and drug trafficking and other crimes. As such, AG Raoul emphasized, “we cannot dismiss these thefts as isolated, brazen, retail theft because oftentimes there is an organized retail ring behind these acts.”

Due to these problems, states such as Illinois have expanded their criminal and civil authority to combat ORC. In 2021, AG Raoul created the Organized Retail Crime Taskforce. The Illinois taskforce fosters cooperation among retailers, online marketplaces, law enforcement agencies, and state’s attorneys. AG Raoul analogized the collaboration as if the platforms were “invited in the restaurant to help us cook a meal and solve the problem of ORC within the state. . . however, if they were not willing to come to the table, then they would be on the menu.”

To assist with investigations, Evans emphasized the importance of retailers working with state enforcers to help track down stolen goods and disrupt their flow into the online marketplace.

INFORM Consumers Act & States

Illinois’s enacted its version of the INFORM Consumers Act (Illinois Act) in May 2022, effective in January 2023, about six months before its federal counterpart. Ellis said that the Illinois Act provided an “interesting intersection” of criminal and civil issues as consumers are unknowingly purchasing stolen goods. Ellis also noted that the Act requires important information be provided to consumers about who they are purchasing products from, as well as a tool to report suspected activity. Evans stressed that the Illinois Act is a “start” and will be very good at resolving issues with ORC. The reporting requirements will provide better insight into how law enforcement can stop ORC.

General Raoul said that they have already seen early success with funding the Illinois Act. Evans added that the law has provided enhanced criminal penalties and enforcement provisions which have been instrumental in targeting ORC specifically.

Other than small changes, both the federal and Illinois INFORM Consumers Act are relatively similar:

  • Both cover “high volume” third party sellers. For collection of information, this means 200 or more discrete sales plus $5,000 or more in aggregate gross revenues in 12-month period. For disclosure of information, this means the aforementioned requirements plus $20,000 or more in annual gross revenues.
  • Both create collection requirements. An online marketplace must collect certain information within 10 days of seller qualifying as high volume and verify the information.
  • Both require disclosures. An online marketplace must disclose identity information to consumers.
  • Both require reporting mechanisms. The marketplace must clearly and conspicuously disclose on the product listing a reporting mechanism that allows for electronic and telephonic reporting of suspicious marketplace activity to the marketplace.
  • Both require suspension. The marketplace must suspend future sales activity of high-volume seller if, after providing notice and an opportunity for compliance, the seller does not comply with these provisions. The suspension is in effect until the seller complies.
  • Enforcement by Attorney General.
    • Federal Law: A state Attorney General may bring a civil action. The AG can obtain injunctive relief, civil penalties ($50,120/violation), or other remedies permitted under state law, and damages, restitution, etc.
    • Illinois State Law: The Illinois Attorney General may bring a civil action. A court can order an injunction, the revocation of authority to do business in the state, and restitution. The Illinois AG can also issue a pre-suit subpoena.

Ellis said that “it will depend” on whether the state will enforce the federal or state INFORM Act. She said that it is certainly “not a local problem” and is a “cross-jurisdictional issue” and states will need to work together to tackle the problem. AG Raoul emphasized that partnering with federal, state, and local law enforcement is “critical.”

In addition, the omnibus bill that created the Illinois INFORM Consumers Act also created enhanced criminal penalties for persons engaging in ORC. If a person is accused of committing organized retail theft (stealing merchandise worth $300 or more when acting together with one or more people), under the Act, they can be charged with a Class 3 felony, which is typically punishable by up to five years in prison. If the alleged offender stole from multiple stores, the act is punishable by up to seven years in prison.

Takeaways: As ORC presents a substantial disruption on a federal and state level, we continue seeing more collaboration between federal and state law enforcement, and also among states. Ellis concluded that there is an obligation on platforms to not turn a blind eye to criminal activity on their platforms. The AG can enforce this obligation through the INFORM Act, the CFA, or UDAP authority. Illinois’s authority is broad and covers both deceptive and unfair conduct. It’s important to understand one’s obligations, especially under the INFORM Act, to ensure that you won’t get hit with both federal and state litigation.


Be sure to join us this Thursday, October 19th as we meet with New Hampshire Attorney General John Formella and his Consumer Protection office at 2:00 pm ET. To register for the webinar, click here. To catch up and read the coverage of all our previous state AG webinars, click here.