FTC to Trade Associations: No Antitrust Slack for Associations

Agency blog post reminds industry groups that “competitors are expected to compete”.

If you’re a trade association and you’ve recently had that creepy feeling that someone’s watching you, you’re probably right. That would be the Federal Trade Commission (FTC), one of whose missions is to preserve competition in the marketplace. Since trade associations are cooperative entities composed of members who normally compete against one another, the potential for anticompetitive conduct is evident.

And in case anybody had forgotten about that, the FTC has in a recent blog post on its website reminded trade associations that they are subject to the same antitrust rules as other businesses. In particular, the FTC cautioned that it remains vigilant about trade association activity that restrains competition among its members without a legitimate business justification.

While acknowledging the great benefit that a trade association can provide to its industry, the FTC noted that some association practices have been condemned by the courts for antitrust violations. The FTC was focused particularly on association rules and bylaws that constrain the normal give-and-take among competing association members in the marketplace.

The FTC’s message in a nutshell: “Competitors are expected to compete” and “there are no special antitrust rules for trade associations.”

The announcement was apparently prompted by recent FTC enforcement actions involving a couple of associations which had imposed on their members anticompetitive restrictions lacking a legitimate business rationale. Historically, collusion among members to raise prices has long been one of the more obvious types of anticompetitive behavior. The misconduct flagged in the two recent actions was arguably less obvious. In one case, an association not only barred its members from taking out comparative ads but it also prevented members from offering discounted rates to another member’s clients or recruiting another member’s employees without giving prior notice. In the other case, the association prevented members from soliciting clients from a rival.

The FTC put the kibosh on all these provisions. In the view of the FTC, the prohibited activities – i.e., competing for customers, cutting prices, and recruiting employees – all limited the ability of members to compete against one another. The FTC concluded that, absent some “procompetitive justification”, such limitations were unreasonable restraints on trade that violate the Sherman Antitrust Act.

The FTC’s blog announcement is a clear warning to trade associations: their conduct (including organizational rules, bylaws, etc.) will be scrutinized to insure that they do not restrict competition in a way that harms consumers. And when an association’s conduct is determined to effect such restrictions, that conduct will be viewed by antitrust enforcers – and, presumably, the courts – as impermissible joint decision-making by otherwise independent competitors.

While the particular antitrust misbehavior described in FTC’s blog post may not look like the types of activities in which broadcast-related associations (including, e.g., state broadcaster associations) routinely engage, bear in mind that the FTC’s post is not all-inclusive. The FTC plans further reminders regarding other types of association activities likely to attract the attention of antitrust enforcement efforts – think group boycotts, advertising restrictions, information exchanges, exclusive membership benefits, etc. We’ll keep an eye out, so stay tuned.

Of course, any trade associations uncertain about their own organizational rules or activities should consult counsel.

FTC Seeks Comments on Proposed Terms of Nielsen/Arbitron Consent Agreement

Transaction has been approved, but with strings attached; agency is now looking to define those strings

As many readers probably realize, in a move that would shrink the competitive field of media measurement companies, the nice folks at Nielsen are planning to acquire the nice folks at Arbitron. As often happens when one competitor proposes to absorb another, the Federal Trade Commission (FTC) has involved itself in the proposed take-over. While the FTC has green-lighted the deal, it is insisting that the parties enter into a consent agreement.

And now the FTC has requested public comments about the terms of that proposed consent agreement.

The FTC’s concern arises from the proposed acquisition’s potential for the complete elimination of competition in the cross-platform media measurement service market. (A cross-platform media measurement service can measure the audience of a “television” program regardless of whether or not it was watched on a traditional television set, or through online or mobile devices.)  In order to offer cross-platform audience measurements on a national scale, a firm must have access to television audience data along with individual demographic data. Establishing the infrastructure to recruit and maintain a representative sample of the population and developing technology capable of collecting the underlying data would be extremely expensive.

Nielsen and Arbitron are currently the only two companies with the potential to provide these services, and their combination could lead to a lack of innovation and higher prices for customers.  Additionally, advertisers have come to trust Nielsen and Arbitron as the only reputable and reliable services. Any competitor would likely face pushback from the buyers of advertising time.

The FTC has concluded that the acquisition is likely to cause significant competitive harms in the market for national cross-platform audience measurement services.

In the consent decree, the FTC imposes several requirements on Nielsen designed to remedy those anticompetitive effects. The FTC is now seeking comments on those proposed remedies.  Among the terms the FTC is proposing are:

  • a requirement that Arbitron divest assets related to its audience measurement business to an as-yet-unidentifed “Acquirer” within three months;
  • a requirement that Nielsen provide that Acquirer with a perpetual, royalty-free license to data and technology related to Arbitron’s cross-platform audience measurement business;  
  • nullification of certain non-compete clauses in employment contracts that would otherwise deter certain Arbitron employees from accepting employment with the Acquirer; and
  • a requirement that Nielsen provide the Acquirer with technical assistance “to facilitate the Acquirer’s ability to replicate Aribtron’s position in the cross-platform audience measurement market.”

The FTC has appointed an agent to monitor and oversee Nielsen’s compliance with these requirements.

FTC Commissioner Joshua D. Wright dissented, mainly because he doesn’t believe that there’s enough evidence that the proposed deal will in fact substantially lessen competition.  In his view, the cross-platform measurement service is a “future market” and, because Nielsen and Arbitron do not currently compete in cross-platform audience measurement, any alleged anticompetitive effects are merely theoretical at this point.

Since the FTC has technically approved the transaction (albeit subject to the terms of the consent agreement), the deal will likely close, possibly in very short order. However, any comments submitted to the FTC will be taken into consideration in determining the final nature and extent of the remedies the FTC will impose on the parties and how vigorously the FTC will enforce those remedies. Anyone interested in offering the FTC their views on the proposed consent agreement (the terms of which are set out in here) may file comments with the FTC through October 21, 2013.

Website Operators: Be Aware, and Beware, of COPPA

If you’ve got a website, you could have a problem. Welcome to the COPPA Rule, a complicated FTC regulation with (a) potentially expensive ramification, and (b) some new provisions about to take effect.

If you operate a commercial website that collects personal information from visitors, you’d better be familiar with COPPA – the Children’s Online Privacy Protection Act – and the COPPA Rule adopted by the Federal Trade Commission pursuant to the Act. Even a single COPPA Rule violation can lead to a $16,000 penalty, and the FTC hasn’t been shy about doling out seven-figure fines for cumulative violations. (For the faint of heart unwilling to wade into the actual law or FTC rule, you can check out the FTC’s COPPA FAQs. But even that resource weighs in at the equivalent of 58 printed pages.)

The principal goal of COPPA is to ensure that personal information relating to children under the age of 13 is not collected or distributed by website operators without parental consent. Since many broadcast stations may be collecting information on their websites (even without realizing it), we figure it’s a good idea to remind all our readers about COPPA.

And now is an excellent time to do so because a number of important changes to the law are set to take effect on July 1, 2013.

I’ll address the five changes that I think are among the most important below, but be advised that I’m only scratching the surface. At minimum, anyone with a website that collects personal information from visitors, and that features links to advertisers who collect such information, would be well-advised at least to read the COPPA FAQs, if not everything on the FTC’s COPPA webpage

Before we get into the changes that are about to kick in, though, let’s take a quick look at the basics of the law to get a fix on: (1) what types of websites are covered by the law; (2) what types of “personal information” trigger the consent requirements; and (3) what covered websites are expected to do.
 

Covered Operations 

You’re subject to COPPA if you operate either:

a commercial website or online service (including mobile Apps) directed to children under 13 that collects, uses, or discloses personal information from children;

or

a general audience commercial website or online service and you have actual knowledge either that you are collecting, using, or disclosing personal information from children under 13.

Under COPPA you could also be liable for the collection of information that occurs on or through your site(s) and service(s), even if you yourself do not engage in such collection. That means that it’s important that you (in the FTC’s words) “make informed decisions before you permit advertising to run on your sites and services.”
 

Personal Information

“Personal information” for COPPA purposes means “individually identifiable information about an individual collected online”. It includes the obvious stuff (e.g., first/last name, physical address, telephone number, social security number) and the (perhaps) less obvious, such as:

online contact information (including a screen or user name that functions as online contact information);

a “persistent identifier” (e.g., a customer number held in a cookie or a processor serial number) that can be used to recognize a user over time and across different Web sites or online services;

geolocation information sufficient to identify street name and name of a city or town; or

information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above.

Note that photos, videos, and audio recordings that contain a child’s image or voice are all “personal information”. And that term also encompasses “a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting.”
 

Obligations of Covered Operations

Operators subject to the COPPA Rule are subject to seven basic requirements. According to the COPPA FAQs, such operators must:

  • post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children;
  • provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
  • give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
  • provide parents access to their child's personal information to review and/or have the information deleted;
  • give parents the opportunity to prevent further use or online collection of a child's personal information;
  • maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
  • retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.


What’s New?

So what are the five major aspects of the COPPA Rule set to take effect on July 1 that you need to be especially aware of?

The definition of a covered operator whose operation is “directed to children” has been refined to make it easier to trigger parental notice and consent requirements.

As noted, there are two ways in which a website operator might become subject to the requirements of the  parental notice and consent process. The requirements apply, first, to an operator whose website is “directed to children” and collects personally identifying information from a child under the age of 13. Second, they apply to an operator of a general audience website who has actual knowledge that it is collecting personal information from a child under the age of 13.  One big difference between these two alternatives: most sites that are “directed to children” cannot engage in “age screening” to prevent children under the age of 13 from even entering the site.   

This may not seem like a big deal at first blush, since many sites have no intention of spending any extra time, money or effort to engage in age screening anyway, especially when they simply don’t collect personal information from anybody, child or adult.  But, given the expanded definition of “personal information” (see below) and the changes affecting Plug-ins and Ad Networks (also see below), the fact that the FTC appears to have expanded its view as to what constitutes a site “directed to children” means this change has potentially wide-ranging ramifications.

The FTC has always taken a pretty contextual approach in determining whether a site is “directed to children”. The FTC considers “subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children.”  But the site owner’s own intent was also a factor, as evidenced by enforcement actions where the FTC had applied the “directed to children” label only to sites that (a) knowingly targeted children under 13 as a primary audience or (b) were likely, based on the site’s overall content, to attract children under 13 as their primary audience.   However, sites that did not appear likely to attract children under 13 were generally left alone, even in cases where some such sites may have happened in fact to attract an unexpectedly disproportionate number of under 13 visitors.

In its August, 2012 Second Notice of Proposed Rulemaking the FTC provided a distinction along these lines:  on the one side were sites primarily targeting children or whose content is likely to attract children under 13 as the primary audience cannot engage in age-screening; on the other, those that simply have the unintended consequence of a disproportionate amount of child users can engage in age-screening.  Its final rules reflect this distinction.

According to the FTC, Congress never intended to require the website operator’s subjective intent to factor into the determination of whether a site is “directed to children”. As it specifically stated, “Certainly, a website or online service that has the attributes, look and feel of a property targeted to children under 13 will be deemed to be a site or service directed to children, even if the operator were to claim that was not its intent”. The FTC seemed to underscore this by expanding the non-dispositive list of likely “directed to children” factors to include: musical content, the presence of child celebrities, and celebrities who appeal to children.  It specifically noted that, even where it is asked to determine that a site is allowed to engage in age-screening (because the site has a disproportionate amount of visits from children under the age of 13), the FTC will first look at this context-based “totality of the circumstances” test.

So, why might this affect you?  Imagine that you create a new site, a mobile version of your current site, especially a Mobile App.  Further imagine that you have no intent to direct your site or App to children.  But now imagine that the FTC takes a look at your site and because you have, say, Justin Bieber (based on a look at my not-yet-13-year old niece’s iPod, this appears to be a relevant example) featured because he’s coming in concert soon. And, if the mobile version of your site or App doesn’t happen to have a significant amount of other content, you might be viewed as a site that is “likely to attract children” – which in turn would mean that you can’t age-screen before collecting personal information. But hold on there – you might be collecting such information in the form of geolocation information anyway, even if you don’t intend to. That could put you in violation of COPPA.
 

Plug-ins and Advertising Networks can now trigger COPPA obligations.

COPPA’s reach has been expanded beyond mere commercial “websites and online services” in a way that means you’ll have to get real cozy with the suppliers of all the advertisements or plug-ins to your site. Two of the changes in particular are important.

First, the definition of “covered operator” has been fleshed out to make clear that the website operator is responsible for everything on the site, even if you didn’t physically put it there or review it at all. So, if you’re a general purpose site and you take ads directed at kids, you might have a COPPA problem. Advertisers collecting personally identifying information from children might trigger COPPA parental notice and consent obligations for you.

Second, “the definition of a website or online service directed to children is expanded to include plug-ins or ad networks that have actual knowledge that they are collecting personal information through a child-directed website or online service”. So if you’re a site directed at children, your advertisers – who may think they don’t have a COPPA problem, might now have one. 
 

The definition of “personal information” has been expanded to include four new categories.

The term “personal information”, while always somewhat broad, was also pretty understandable: things like name, phone number, address, email address, etc. The new rules add four key categories to that definition:

Geolocation Information: If you collect “geolocation information sufficient to identify a street name and name of city or town”, you are collecting “personal information”. (While this was not expressly stated in the original version of COPPA, the FTC has apparently been treating it as such all along. The new rule makes that treatment explicit.) Since virtually all mobile devices provide this information and many, if not most, sites (especially Apps) collect it, the potential to trigger the parental notice and consent requirements has significantly increased.

Photos or videos or audio files: Any photo, video or audio file that contains a child’s image or voice is considered personal information and will trigger the parental notice and consent requirements if submitted by the child (although such a file submitted by the parent does not trigger the requirements). As the COPPA FAQs indicate, operators covered by COPPA must either: (a) prescreen and delete from children’s submissions any photos, videos, or audio recordings of themselves or other children; or (b) first give parents notice and obtain their consent prior to permitting children to upload any photos, videos, or audio recordings of themselves or other children.

Screen or user name: A screen or user name is personal information if it functions as online contact information – so use of an email address as the online contact information will not relieve you of COPPA obligations.

Persistent identifiers: We’re talking cookies here, people – “cookie” as in a computer file containing an IP address, a processor or device serial number, or a unique device identifier that can be used to recognize a user over time and across different Web sites or online services. A cookie in that sense is “personal information” even if it’s not overtly paired with a name, email address, screen name, etc.

One possibly unexpected manner in which this is likely to arise is via the use of Mobile Apps, which aren’t generally thought of as “websites” (but, under the rule changes, clearly are) and which often rely heavily on the use of geolocation information and allow for simplified sharing of photos and videos. So, while everybody is rushing to create that new App for your station or company, many don’t realize that the streamlined, functionally superior contact with the world these Apps offer often comes with a hidden price tag.
 

The direct notice requirements have been streamlined and clarified.

Under the new version of Section 312.4 of the COPPA rule, the notice you must place on your website has gotten somewhat easier. You must simply provide:  

  • the name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service (or, after listing all such operators, you can simply provide the contact information for one that will handle all inquiries from parents);
  • a description of what information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and
  • notification that the parent can review or have deleted the child’s personal information and refuse to permit its further collection or use, and state the procedures for doing so.

This must be posted via a “clearly and prominently labeled link” on the home or landing page of the site or service and anywhere personally identifying information is collected from children. One wrinkle here is that a general audience site with a portion directed at children must post this separate COPPA-focused notice on that children-focused page. 

However, the rule has gotten much more stringent with regard to the direct notice given to parents when personal information is being collected. These changes, in fact, are so extensive that it’s not worth even listing them here. You should certainly consult with an attorney before providing direct notice to a parent.
 

The non-exhaustive list of acceptable methods for obtaining prior verifiable parental consent has been expanded.

You must get verifiable parental consent before collecting a child’s personal information. The COPPA Rule does not dictate precisely how that is to done. The COPPA FAQs advise that you can use “any number of methods to obtain verifiable parental consent, as long as the method you choose is reasonably calculated to ensure that the person providing consent is the child’s parent.” However, the permissible methods are somewhat broader if you plan to use the personal information only for your own internal purposes.

If you are going to use such personal information externally or share it with third parties, you can:

  • provide a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the “print-and-send” method);
  • require the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
  • have the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; or
  • verify a parent’s identity by checking a form of government-issued identification against databases of such information, provided that you promptly delete the parent’s identification after completing the verification

If you are only going to use the information internally, you can simply use any of the above methods, or you can use the “email plus” approach, which involves the following steps:

  • request in your initial message to the parent that the parent include a phone or fax number or mailing address in the reply message, so that you can follow up with a confirming phone call, fax or letter to the parent; or
  • after a reasonable time delay, send another message via the parent’s online contact information to confirm consent. In this confirmatory message, you should include all the original information contained in the direct notice, inform the parent that he or she can revoke the consent, and inform the parent how to do so.

Finally, one more word about penalties for non-compliance. As mentioned above, COPPA provides for a penalty of up to $16,000 per violation. Even a single violation would definitely hit just about any small- to medium-sized business hard. And it seems more than likely that, if you haven’t been complying with the law, the FTC would be able to determine that you’re really on the hook for multiple violations, which would only worsen the blow.

Again, it’s important to recognize that COPPA is a very complicated law whose general applicability and requirements cannot be easily summarized. This post provides, at most, only a quick glimpse at some of the highlights. If you need guidance in determining whether your website is subject to COPPA obligations and, if so, how to ensure compliance, we strongly urge you to contact an FCC attorney or any other attorney familiar with COPPA.

FTC Posts Bounty on Robocallers

You can win $50,000 and a trip to Washington. And the undying, everlasting gratitude of your fellow telephone subscribers.

Sometimes technology just takes a wrong turn. Yes, it has vastly improved our lives. No one wants to go back to the days before smallpox vaccine, or power steering, or existential cat videos. But technology also provides its share of daily annoyances. High on that list is the “robocaller”: a machine that dials your phone, and when you answer, delivers a recorded message.

The economics of robocalls works much like email spam: the perpetrators can reach so many people, at such a low cost per contact, that they don’t care if 99.9% hang up without hearing the message. But robocalls are much more intrusive than spam. They prompt the victim off the couch to answer a ringing phone. And, unlike other kinds of telemarketing calls, robocalls even deny us the satisfaction of telling off the person who called.

The Federal Trade Commission has decreed most robocalls to be illegal. But the rules do allow some kinds. Political parties can robocall at will, thanks to that pesky First Amendment – and in these final days leading up to an election, they exercise that right with a vengeance. Also legal are robocalls from charities and health care providers, and “reverse 911” calls that warn people about local emergencies – for example, calls to a particular neighborhood about contamination of the water supply.

But the FTC is confident that illegal robocalls make up the vast majority (even though it does not provide any hard supporting data). And enforcement has been lax. We know that because we get so many of them. As yet there is no easy way for the recipient to block robocalls – no equivalent of the email “junk filters” that protect us from most email spam.

That is where the FTC comes in.

In search of a solution, it has now turned to crowd-sourcing. The concept is simple: find the best way to block illegal robocalls, while letting the legal ones through, and the FTC will write you a check for $50,000 and pay your way to Washington to pick it up. It’s pretty much that simple, believe it or not, despite six dense pages of rules in the Federal government’s preferred font size (tiny).

Entries will be judged on three criteria:

Does it work? (50%) How likely is the entry to block all illegal calls and let all legal calls ring through? On how many kinds of phones does the proposal work (landline, cell, VoIP, etc.)? How easily can robocallers circumvent the scheme?

Is it easy to use? (25%)  How hard will it be for consumers to use the solution? What kinds of mistakes might consumers make, and how severe are the consequences? (Hint: keep it simple. The Federal government has a pretty low opinion of consumers’ abilities.)

Can it be rolled out? (25%) Will the solution work in the ecosystem as is, without having to change phone providers’ infrastructure? (Further hint: “yes” is a good answer here.)

If you have an idea, first read the rules (really), then wait till after 5 pm EDT on Thursday, October 25, 2012, and sign up here. The deadline for entries is January 17, 2013.

Oh, one more thing. We’d really appreciate it if you let us in on your idea right away. We promise not to submit it to the FTC. But we do want to install it on our phone.

White House Proposes Approach to Privacy Protection On-line

Statutory “Consumer Privacy Bill of Rights”, FTC-reviewed/FTC-approved private codes of conduct highlight Administration’s opening gambit

Hoping to shape the development of national – and possible international – consensus on the privacy protections to which on-line consumers should be entitled, the Obama Administration has issued a report on “Consumer Data Privacy in a Networked World” in which it lays out a “blueprint for privacy in the information age.” A central component of the report is a proposed “Consumer Privacy Bill of Rights”. That “bill of rights” reflects a set of principles which are, at this point, merely aspirational, with no independent legal force. The White House is hoping to change that on at least two fronts.

First, it is calling on Congress to pass laws that would impose the “bill of rights” on commercial sectors not currently subject to federal data privacy laws. And second – presumably because it recognizes that Congressional action is far from a sure thing – the Administration is calling on a wide range of “stakeholders” to develop their own “codes of conduct” effectively implementing the “bill of rights”. The idea is that such codes, once publicly and affirmatively adopted by companies subject to Federal Trade Commission (FTC) regulation, could be legally enforced by the FTC. The stakeholders the White House is targeting include companies, privacy and consumer advocates, “international partners”, state attorneys general, criminal and civil law enforcement representatives and academics.

This approach appears to have the support of major on-line companies such as Google and Yahoo. Some consumer advocates remain wary about the process and concerned that rigorous enforceable protections may not be achieved.

At this point, it's impossible to reliably predict the chances that the “bill of rights” will ultimately be adopted – whether by Congress or by a significant number of the commercial “stakeholders” identified by the White House. Still, the process of developing broad privacy standards has now been started, and all companies that do business on the Internet should be aware not only of the proposed “rights” (and the burdens that they could impose), but also of the process by which any such “rights” are likely to be developed and implemented.

What Rights? –Just what “rights” are on the table?

The White House’s “bill of rights” is intended to provide a “baseline of clear protections for consumers and greater certainty for companies.” It is based on longstanding, globally recognized, Fair Information Practice Principles (FIPPs), and bears a striking similarity to the European Union’s influential Data Protection Directive. Under the Administration’s proposals, consumers would be entitled to the following, while affected companies would be expected to respond as indicated:

Individual Control – Consumers would get the right to exercise control over what personal data companies collect from them and how they use it. Companies would be expected to enable consumer choice over use of their personal data by providing easy-to-use mechanisms reflecting the “scale, scope and sensitivity” of the data being collected.

Transparency – Consumers: the right to easily understandable and accessible information about privacy and security practices. Companies: provide clear descriptions of what personal data they collect, why they need the data, how they will use it, when they will delete or de-identify it, and whether and for what purposes they will share the data with third parties.

Respect for Context – Consumers: the right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies: “heightened measures of Transparency and Individual Choice” would be required if, after collecting data, a company were to decide to use the data for purposes inconsistent with the original context under which it was collected

Security – Consumers: the right to secure and responsible handling of personal data. Companies: assess their data collection and protection practices, and maintain reasonable safeguards to control risks of loss, unauthorized access, and improper disclosure.

Access and Accuracy – Consumers: the right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate. Companies: use reasonable measures to ensure that they maintain accurate personal data.

Focused Collection – Consumers: the right to reasonable limits on the personal data that companies collect and retain. Companies: collect only as much personal data as they need, consistent with the Respect for Context right.

Accountability – Consumers: the right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights. Companies: accountability to enforcement authorities and consumers for adhering to these principles.

These concepts are obviously broad and vague. But that appears to be purposeful, since the “bill of rights” as envisioned by the White House is intended to serve merely as a basic framework for protections in the myriad commercial areas not already subject to more specific federal privacy regulation (e.g., healthcare, financial services, education, telecommunications.)

Implementation – As it stands now, the “bill of rights” is little more than a wish list, a set of desirable goals the Administration would like the commercial world to embrace. Turning the “rights” into enforceable codes of conduct will not be simple. The White House proposes to do that through an “open, transparent, multistakeholder” process. The stakeholders would include “international partners” in the process. The goal there is presumably to assure that any U.S. codes of conduct would qualify for international “safe harbor” standards, thus facilitating international trade for U.S. companies.

The job of soliciting input from all of the stakeholders has been given to the Department of Commerce’s National Telecommunications and Information Administration (NTIA). While Commerce has previously waded into privacy policy, the FTC has as well. The choice of NTIA as the locus of the process may be an effort to encourage on-line industry participants to participate. Also, since the White House appears to contemplate that the FTC would be the agency with primary enforcement authority relative to any codes of conduct that get developed, the Administration may feel it more appropriate to leave the development to a separate agency.

Several consumer groups have already expressed concerns, though, that one or more stakeholders may attempt to impose “unilateral solutions” on consumers. Those groups have proposed their own process principles.

Notwithstanding the involvement of NTIA, or the FTC, in the development phase of any codes of conduct, the Administration sees such codes as being primarily private initiatives that “can provide the flexibility, speed, and decentralization necessary to address Internet policy challenges.” As models, the White House is looking at such non-governmental organizations as the Internet Engineering Task Force, and the Internet Corporation for Assigned Names and Numbers (ICANN) which are responsible for important Internet-related technical standards.

Is This Enforceable?Um, no.   As matters now stand, the components of the Administration’s “bill of rights” are not enforceable. But there are at least two ways in which they might become enforceable, directly or otherwise.

First, as noted above, the White House hopes that the stakeholder discussions it is initiating will lead to the adoption of specific codes of conduct to which companies will publicly commit themselves. Such commitment to compliance could provide the FTC the hook necessary to enable it to bring enforcement actions against companies whose conduct falls short of their commitment to the code they have embraced. (This would be similar to the FTC’s current practice, under its authority to prevent deceptive trade practices, of bringing enforcement actions based on a company’s violation of its own website privacy statements.)  

Along the same lines, private codes of conduct might also serve as a measure of the reasonable standard of conduct applicable to parties engaged in on-line activities involving data collection. For instance, plaintiffs in defamation cases often seek to use the Code of Ethics of the Society of Professional Journalists to establish that a defendant acted negligently because he or she failed to strictly adhere to that Code.  The consumer privacy code of conduct envisioned by the White House could provide a similar yardstick for treatment of personal information collected on-line.

Second, the White House Report urges Congress to pass legislation adopting the proposed “Consumer Privacy Bill of Rights”, but with more specific terms that would be worked out between the White House and Congress during the drafting stage. 

As the White House sees it, that legislation would provide a number of enforcement mechanisms. First, the FTC would be given the authority to (a) review any private codes of conduct that companies might adopt and (b) effectively grant those companies forbearance from enforcement under the statutory provisions provided that the companies commit to adhere, and do in fact adhere, to their private codes.  Such FTC review would be subject to a number of limitations (e.g., require public comment, complete agency review within 180 days, etc.). Importantly, such private codes would have to reflect the “consensus of all participants in the multistakeholder process”.  

The “safe harbor” approach – i.e., forbearance from compliance with a statutory “bill of rights” – would theoretically encourage companies to devise their own codes of conduct, subject to the FTC review process. (While the White House Report does not address the possibility expressly, it appears at least possible that a company that adopts a code not reviewed and approved by the FTC might still also be subject to FTC enforcement for violating that code, under the FTC’s existing Title 5 authority to prevent deceptive trade practices.)

Second, the FTC would be given authority to directly enforce each element of the statutory “bill of rights”. 

So would state attorneys general (at least as long as they coordinate their enforcement actions with the FTC). But the ability of individual states to provide their own separate privacy protections would be limited. In the hope of establishing nationally uniform privacy rules, the White House recommends that state privacy laws be preempted to the extent that they are inconsistent with whatever “bill of rights” Congress may enact. And companies that adopt FTC-approved private codes of conduct would be exempt from enforcement activities based on state privacy laws. The Administration Report does suggest that states could enact their own privacy laws, but only so long as they “not disrupt the broader uniformity the Report seeks in consumer data privacy protections.” State officials are not likely to be happy with the proposed federal preemption of their existing privacy laws.

While it may be politically necessary for the Administration to suggest joint federal/state enforcement of federal privacy requirements, the result could become a confusing and dangerous quagmire for consumers, and negate the regulatory certainty that companies seek.

What’s Next?The process the White House hopes will ultimately lead to enforceable private codes of conduct has started. The NTIA has called for comments on the “substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct, as well as procedures to foster the development of these codes.” (Comments are due by March 26, 2012.) The NTIA is seeking input on a wide range of threshold issues, including privacy issues associated with mobile apps, cloud computing services, and on-line services targeted to children. The NTIA also asks numerous questions regarding process, including how the term “consensus” should be defined.

With regard to the prospects for legislation, it’s probably best not to hold your breath. While some Senators and Representatives have publicly concurred that legislation to protect on-line consumers is a good idea, let’s not forget that a number of privacy bills have been sitting on the Hill for years already with no action. Given that, a betting man would not stake much on seeing such legislation any time soon.

Of course, it’s impossible to predict what impact, if any, the White House proposal will ultimately have. Time alone will tell.

What we do know is that the Obama Administration has clearly embraced the issue of on-line privacy and is seeking to position itself as a champion of the on-line consumer. In view of recent, highly public, privacy flaps involving a number of the major on-line players (e.g., Apple, Google), that may be a smart move, particularly with a presidential election fast approaching. But note also that the White House proposal constitutes yet another effort by the Administration to try to assert some measure of federal control over Internet-related conduct. Such efforts might ordinarily alienate many on-line companies – as have the FCC’s net neutrality initiatives. But the White House’s proposed approach to privacy protection does include the notion of “private” codes of conduct. That notion arguably gives companies some opportunity to take control of their own fates (if you don’t focus too closely on the “consensus” obligation the White House Report would impose), which might deflect some opposition.

In any case, the White House is trying to set the tone, and possibly establish some preliminary parameters, of the debate about on-line privacy protections. We won’t know whether that effort is going to be successful for some time. Check back here on CommLawBlog – we’ll keep you updated as developments warrant.

FCC Hammers Crammers

Companies billing for unauthorized services are fined $11.7 million.

The FCC has proposed multi-million dollar fines against four companies for allegedly “cramming”: billing telephone customers for services they did not ask for. At the same time, the FCC issued guidelines to both telephone companies and the public about how to detect and prevent cramming, and plans to offer new rules against the practice.

Cramming problems usually relate to charges by third-party companies for services supposedly ordered by the phone company’s customers, and included on the phone bill. The FCC’s “Truth-in-Billing” rules require phone bills to include clear descriptions in plain language for each service, with a toll-free number for customers to question or dispute the charges.  Until a customer complains, though, the phone company has no way of knowing whether the charges are legitimate. This leaves it up to customers to review their bills for suspect charges. Knowing this, crammers sometimes try charging just two or three dollars a month, hoping that busy consumers won’t notice. The FCC’s Enforcement Bureau says thousands of people have fallen victim. 

The FCC and the Federal Trade Commission (FTC) share responsibility for protecting consumers from cramming. The FCC has jurisdiction over the telephone carriers and other communications service providers. The FTC has jurisdiction over the third-party service providers whose charges (for things like chat lines, diet plans, etc.) are wrongly added to a telephone customer’s bill. The two agencies coordinate their enforcement activities to protect the public.

In the most recent cases, the FCC proposed fines ranging from $1.5 million to $4.2 million against four companies. (The individual “Notices of Apparent Liability” are here, here, here and here.)

All four companies provided a “dial-around” long distance telephone service in which customers paid a monthly fee for a certain number of long distance minutes. The customers could access the service by dialing a toll-free access number and then entering a PIN to make long distance calls – although, in fact, the vast majority never did. The monthly fees were nonetheless included in bills received by the consumers from their local telephone carriers. Some of the dial-around service companies cited by the FCC had common ownership and all, coincidentally, were based in Pennsylvania. 

The companies claimed they had multi-step procedures for verifying each customer’s order for the dial-around service. Aggrieved customers responded that they had never heard of the companies before noticing suspicious charges on their phone bills. Records provided to the FCC by the companies showed that fewer than one-tenth of one percent of the customers who were billed actually used the service.

The FCC concluded that the companies had deliberately engaged in illegal cramming activities. Even if the actions were not deliberate, said the FCC, the companies should have known they were improperly charging people who hadn’t ordered their service, based on the large number of complaints (and possibly also based on the large number of customers who never used the service they were paying for).

Cramming is a violation of Section 201(b) of the Communications Act of 1934, which requires all charges for communications services to be “just and reasonable.” The Act authorizes the FCC to charge up to $150,000 for each violation. The FCC proposed fines calculated to exceed the allegedly fraudulent charges, to serve as a deterrent. In addition, the FCC will be monitoring these companies for future compliance, and threatens to revoke their operating authority if they continue cramming. Unfortunately for the affected consumers, these fines are remitted to the U.S. Treasury, and not to them individually. The customers who took the time to go through the complaint process at least have the satisfaction of knowing the four companies have been punished for their cramming ways.

Size Still Matters To The Feds

2011 threshold triggers for federal scrutiny of mergers and acquisitions announced

Broadcasters and telecommunications operators contemplating possible deals for the coming year should remember that, as far as the federal government is concerned, there may be such a thing as Too Big. The Feds will step in to review an anticipated deal for potential antitrust problems if the deal exceeds certain threshold dollar amounts.  The law mandates that those threshold amounts be revised every year for inflation. The 2011 thresholds have just been announced, and will take effect on February 24, 2011. If your deal exceeds one of the revised thresholds, you should plan for increased government scrutiny, with all the additional hassle, expense and delay that such scrutiny entails.

Under federal antitrust law, certain mergers or acquisitions which exceed the specified thresholds must be submitted to the Federal Trade Commission (FTC) and the Department of Justice for Uncle Sam’s review before the transaction can be consummated.  (The theoretical basis for federal concern here: any transaction big enough to pass the thresholds is presumably big enough to affect interstate commerce.) The government’s internal process for adjusting these thresholds – based on the traditional measure of the gross national product – has been on the books for decades.

The newly-adjusted thresholds require pre-transaction notification if either:

  • the total value of the transaction exceeds $263,800,000; or
  • the total value of the transaction exceeds $66 million and one party to the deal has total assets of at least $13.2 million (or, if a manufacturer, has $13.2 million in annual net sales) and the other party has net sales or total assets of at least $131.9 million.

When negotiating deals, all parties would be well-advised to bear these thresholds in mind. Once those lines are crossed, the prospect of additional time, expense and hassle to navigate the federal review process is a virtual certainty.

Coming Soon To A Screen Near You: "Energy Guide" Labels

FTC mandates consumer info tags on new TVs.

We’ve all seen “Energy Guide” labels on refrigerators, washers, and dryers, telling us how much energy they use.  Get set: the big, yellow, sticky label is coming to your next TV.  And, thanks to the Federal Trade Commission (FTC), it will be big, and yellow . . . and sticky (see below).

TV sets are often turned on many hours each day – for labeling purposes, the FTC assumes about five hours, although some commenters suggested that eight was closer to the truth – and not all consume the same amount of energy.  To promote energy conservation, the Federal Trade Commission has adopted new rules requiring that all TV sets manufactured on or after May 10, 2011 be labeled to show their estimated annual energy cost and where they stand in comparison to other sets of similar size.  In so doing, the FTC is flexing regulatory muscles that Congress gave it in the Energy Independence and Security Act of 2007 (which, as we all know, amended the Energy Policy and Conservation Act).

The text of the FTC’s Order has not yet been published in the Federal Register, although it is available in pre-publication form on the FTC’s website. Micromanagement Alert: The rules are extraordinarily detailed regarding the size, font, color, and content of the label, as well as how good the stick-um has to be to hold the label on the TV screen. For example, the official specs on the design shown above, in yellow, are as follows:

Minimum label size: 1.5” x 5.23”. And all the minutiae detailed above apply just to the front. For the back, adhesive labels must have “an adhesion capacity sufficient to prevent . . . dislodgment during normal handling”. A “minimum peel adhesion capacity for the adhesive of 12 ounces per square inch is suggested.” Alternative means of affixing the label (e.g., “cling labels” using the screen’s static charge) are also permitted.

Variations on the horizontal example shown above include a vertical design and a triangular design.

Surprisingly, the rule as initially proposed applied to any device with a built-in viewing screen, regardless of screen size.  Didn’t they realize that pasting a big label on a Dick Tracy wristwatch TV screen wouldn't be easy? The FTC appears to have gotten the word, though. The final version of the rule exempts TVs that “are designed to operate on built-in rechargeable batteries or inserted batteries.”

The FTC is also looking at requiring similar labeling for devices without screens, such as cable boxes and DVRs – but that’s for another day.

No word yet on when the new rules will appear in the Federal Register but, as noted above, they are currently set to apply to all non-exempt TVs manufacturer on or after May 10, 2011. Energy Guide labels will also have to be included in catalogs and website listings as of July 11, 2011.

And finally, the careful and law-abiding observer will note that the labels must include the warning that “Federal law prohibits removal of this label” –  just like a mattress or pillow label! Oh sure, the TV version limits that prohibition to “before consumer purchase”, suggesting that it’s OK to remove the label once you’ve got the TV all set up at home. But do you really want to take that chance?

A Lobbyist's Look At The Comcast Question

Looking for net neutrality authority at the FCC? You might be one letter off. 

[Blogmeister’s Note: CommLawBlog.com welcomes back guest blogger Catherine McCullough, principal of Meadowbrook Strategic Government Relations, a D.C. lobbying firm. We are pleased that Catherine has agreed to share with our readers her thoughts on how the Administration might deal with its Comcast problem.]

Across the post-Comcast playing field, the governmental players are staking out their positions on the question of who, if anybody, has the authority to enforce network neutrality. 

A recent hearing before the Senate Commerce Committee provided examples: Chairman Rockefeller, emotionally describing how lack of service affected his constituents during the recent West Virginia coal-mining disaster, said he will put his considerable power behind writing a bill to give the FCC unambiguous authority to protect consumers; Ranking Member Hutchison – who doesn’t have the final say over any majority bill now, but whose party could hold all the cards if elections go Republicans’ way in November – warned the FCC that there would be consequences if it acted to reclassify. 

And in an exercise I’ve seen repeated in that Committee room by other agency leaders, Chairman Genachowski stuck to his written testimony and gently tiptoed around the hard questions (like how the FCC might plan to make the National Broadband Plan a reality given the new hazy regulatory climate).

If you were Mr. Genachowski, how would you deal with the conundrum of network neutrality in the aftermath of Comcast?

You could take up Rockefeller’s suggestion and ask Congress to give the FCC express statutory authority. But there are downsides of going to Congress for a remedy: chairs could shift during the November elections, and besides – would you really want to risk opening the Communications Act to amendments (shot clock, anyone?) And let’s not forget about timing – you want the NBP to move ahead now, not at some indefinite future point, after the full range of Congressional process has managed to inch its way to some (unpredictable) conclusion at some point in the indefinite future.

Or you could take Hutchison up on her challenge and reclassify internet access as a Title II telecommunications service. But as many have observed, that would almost certainly lead back to court. 

Or maybe, as Fletcher, Heald’s own Mitchell Lazarus has suggested, the FCC could find a more tailored way out.

Both of the last two options, however, involve the FCC re-jiggering its own legal authority from within – which risks potential punishment from the minority party (not a purely hypothetical risk, as Hutchison’s comments, noted above, demonstrate).

So what’s the answer? 

If I were Mr. Genachowski, stuck between a legal rock and a political hard place, I might look for some other way out of the bind – a way that would permit regulation of net neutrality while keeping my agency both out of court and out of any politically costly cross-fire in Congress. If only I had a protector. Or in this case, a consumer protector. You see where I am going with this: I would consider handing off the net neutrality hot potato to my regulatory siblings at the Federal Trade Commission (FTC). 

The FTC can’t regulate common carriers. But so far ISPs aren’t common carriers, thanks to the FCC’s consistent reluctance thus far to so categorize them. And if ISPs aren’t common carriers, the FTC can step in. (See tech attorney Glenn Manishin’s analysis of Comcast on this point.) 

Section 5(a) of the FTC Act gives the agency jurisdiction over “unfair or deceptive acts or practices”, and FTC Chairman Leibowitz has been willing in the past to assert jurisdiction in order to protect consumers. 

Remember, dear Readers, Chairman Leibowitz has sunk significant political capital into asserting his agency’s power over online commerce issues and other consumer protection initiatives that are threatened if someone in the government can’t enforce net neutrality. So the FTC could be expected to welcome the authority to regulate ISPs and implement net neutrality.

And – just as politically important here – if the FTC were to be deemed the principal locus of control over the issue, Chairman Rockefeller and his Senate Commerce Committee – and their colleagues on the House side – would lose no power. The Commerce Committees have oversight authority over both the FCC and the FTC, so allowing one of the two agencies to take up regulation in an area – say, net neutrality – previously controlled by the other agency would not realign Congressional power in any way. All Chairman Rockefeller has to do is ask his Consumer Protection Subcommittee Counsels to join his meetings with his Communications Counsels. 

But even if the FTC is standing by, ready, willing and able to take over, and even if that approach would likely be acceptable to the powers-that-be on the Hill, there’s still one big question: would Mr. Genachowski voluntarily give up the power he believes his agency has? Jurisdiction does not switch hands easily or often in this town, but Mr. Genachowski’s boss, President Obama, might not care which of his agencies holds authority, as long as his National Broadband Plan’s infrastructure is protected.

One thing, I believe, is certain: net neutrality enforcement authority will be assigned eventually. Like a handful of chips thrown into the air on a casino floor, no part of government’s power will be left un-gathered and unused. The only question left is who will pick them up.

Calendar Update

Robocall NPRM comment deadlines set

Two months ago we reported on a Notice of Proposed Rulemaking in which the FCC was looking to clamp down on unsolicited “robocalls”. That NPRM has at long last appeared in the Federal Register, which in turn establishes the deadlines for comments and reply comments on the Commission’s proposals. Comments are due by May 21, 2010, reply comments by June 21, 2010.

FCC Clamps Down on Automated Dinner Interruptions

Proposed rules would increase FCC restrictions on “robocalls”

You would think marketing experts would realize that making you crawl off your couch to field an unsolicited phone solicitation – especially one delivered via prerecorded message (i.e., a “robocall”) – is a poor way to generate loyal customers. But the practice persists.

Robocalls and other forms of telephone solicitation have been such an irritant that Congress, over the years, has passed several laws to regulate them, giving both the FCC and the Federal Trade Commission (FTC) authority to adopt telemarketing regulations. The two agencies’ regulations generally track one another, but sometimes gaps appear.

The FTC recently amended its rules to tighten the robocall restrictions. The FCC now wants to come into sync with the FTC, and accordingly released a detailed Notice of Proposed Rulemaking

You might ask: Why do we need both agencies to adopt regulations? Can’t we just rely on the FTC? Well, you probably could, if things were set up differently. But as it is, the FTC’s jurisdiction to regulate telemarketing, oddly enough, is less than universal: it doesn’t cover common carriers (e.g., telephone companies or airlines) when they are “engaged in common carrier activity”. Similarly, the FTC telemarketing rule does not reach banks, federal credit unions, federal savings and loans, or non-profit organizations. The FCC’s telemarketing jurisdiction, by contrast, covers promotions by all those industries.  Moreover the FCC has jurisdiction over both interstate and intrastate telephone solicitations, while the FTC’s rules cover only interstate telemarketing.

Under the proposed the FCC’s proposed new rules:

  • Robocallers would be required to get “express written consent” before delivering prerecorded telemarketing messages to any residential customer, whether or not he/she has registered on the FTC’s “do not call” list. (Current FCC rules require such written consent only for those on the “do not call” list.) The proposed requirement would apply even if an established business relationship exists between the caller and the customer which otherwise permits live telemarketing calls. Under the FCC’s proposal, “written” consent for robocalls would not actually need to be “written”, but could also be obtained in other ways, including pressing a particular number on the phone keypad. That flexibility would, of course, cushion the blow for telemarketers. BUT the written “consent” would have to: (a) reflect that the telemarketer had provided “clear and conspicuous notice” to the consumer that he/she was authorizing delivery of robocalls and that the consumer is willing to receive such calls; and (b) make clear that the consent was not obtained as a condition to the purchase of any good or service; and (c) include the consumer’s phone number.
  • Robocaller messages would be required to include an automated, interactive mechanism to allow consumers to opt out of receiving future robocalls from that particular company.
  • During any one campaign, telemarketers using automated dialing equipment to connect consumers to live pitchmen (or pitchwomen) would be permitted to abandon no more than three percent of the calls that people answer. (A call is abandoned, according to the FCC, if the consumer is not connected with a sales representative within two seconds after the end of the greeting.) The FCC’s current rule allows the same abandonment rate over a 30-day period, thereby permitting the telemarketer to average its rate over multiple campaigns.
  • Healthcare-related prerecorded messages from certain federally regulated entities would be exempt. This includes messages such as flu shot and prescription refill reminders, requests for documents needed for insurance billing, and calls to encourage enrollment in treatment programs.

The proposed amendments would not change other robocall exemptions, such as fundraising calls from non-profit organizations, calls from politicians or political campaigns, and calls from commercial entities that are purely informational, such as airline flight cancellation notices. Emergency alerts are also exempt.

Comments regarding the proposed rules are due 60 days after the Notice of Proposed Rulemaking is published in the Federal Register, which has not yet occurred. Reply comments are due 30 days after the comment deadline.   We will publish the dates when they become available.