FTC Act
Subscribe to FTC Act's Posts

Government Issues New Tool to Help Mobile App Developers Identify Applicable Federal Laws

This week, the Federal Trade Commission (FTC or Commission) released an interactive tool (entitled the “Mobile Health Apps Interactive Tool”) that is intended to help developers identify the federal law(s) that apply to apps that collect, create and share consumer information, including health information. The interactive series of questions and answers augments and cross-references existing guidance from the US Department of Health and Human Service (HHS) that helps individuals and entities—including app developers—understand when the Health Insurance Portability and Accountability Act (HIPAA) and its rules may apply.  The tool is also intended to help developers determine whether their app is subject to regulation as a medical device by the FDA, or subject to certain requirements under the Federal Trade Commission Act (FTC Act) or the FTC’s Health Breach Notification Rule. The Commission developed the tool in conjunction with HHS, FDA and the Office of the National Coordinator for Health Information Technology (ONC).

Based on the user’s response to ten questions, the tool helps developers determine if HIPAA, the Federal Food, Drug, and Cosmetic Act (FDCA), FTC Act and/or the FTC’s Health Breach Notification Rule apply to their app(s). Where appropriate based on the developer’s response to a particular question, the tool provides a short synopsis of the potentially applicable law and links to additional information from the appropriate federal government regulator.

The first four questions cover a developer’s potential obligations under HIPAA. The first question explores whether an app creates, receives, maintains or transmits individually identifiable health information, such as an IP address. Developers may use the tool’s second, third and fourth questions to assess whether they are a covered entity or a business associate under HIPAA. The tool’s fifth, sixth and seventh questions help developers establish whether their app may be a medical device that the FDA has chosen to regulate.  The final three questions are intended to help users assess the extent to which the developer is subject to regulation by the FTC.

Although the tool provides helpful, straightforward guidance, users will likely need a working knowledge of relevant regulatory principles to successfully use the tool.  For example, the tool asks the user to identify whether the app is “intended for use” for diagnosis, cure, mitigation, treatment or disease prevention, but does not provide any information regarding the types of evidence that the FDA would consider to identify a product’s intended use or the intended use of a mobile app (e.g., statements made by the developer in advertising or oral or written statements). In addition, how specifically an app will be offered to individuals to be used in coordination with their physicians can be dispositive of the HIPAA analysis in ways that are not necessarily intuitive.

The tool provides a starting point for developers to raise their awareness of potential compliance obligations. It also highlights the need to further explore the three federal laws, implementing rules and their exceptions. Developers must be aware of the tool’s limitations—it does not address state laws and is not intended to provide [...]

Continue Reading




FTC Approves Final Order with AmeriFreight: Websites Must Disclose Endorsements

Earlier this year, AmeriFreight, a Georgia-based auto shipment broker, settled with the Federal Trade Commission (FTC) over charges that the company posted customer reviews on its website while failing to disclose that it had given cash discounts to customers in exchange for the reviews.  According to the FTC complaint, AmeriFreight touted on its website homepage that it had “more highly ranked ratings and reviews than any other company in the automotive transportation business” and that a majority of the online reviews on  AmeriFreight’s website failed to disclose that the reviewers were compensated $50 for posting reviews and were also eligible to receive an additional $100 if selected for the “Best Monthly Review Award.”  The FTC charged that AmeriFreight, by failing to disclose the incentives it had given to reviewers, had misrepresented its customer reviews as those of unbiased consumers.  The FTC’s position can be summed up best by the following quotes from its Director of the Bureau of Consumer Protection: “Companies must make it clear when they have paid their customers to write online reviews” and if companies “fail to do that – as AmeriFreight did – then they’re deceiving consumers, plain and simple.”

The FTC’s Endorsement Guidelines

Guidelines issued in 2009 by the Federal Trade Commission (the “FTC Endorsement Guidelines”) make clear that an advertiser must fully disclose any connection between the advertiser and an endorser of the advertiser’s product or service that might materially affect the weight or credibility of the endorsement, such as the fact that the endorser received compensation or some other benefit or incentive from the advertiser in exchange for providing a favorable review.  An advertiser’s failure to disclose an endorser’s material connection with the advertiser constitutes an unfair and deceptive trade practice as well as false advertising, both in violation of Section 5(a) of the Federal Trade Commission Act.  The requirement of disclosure of material connections applies not only to celebrity, expert or professional endorsers, but also to ordinary consumer-endorsers.  Many companies today use consumer endorsements in promoting their products or services, including the so-called “word-of-mouth advertising” whereby satisfied customers tell other people how much they like a product or service.  A common example of this form of advertising is publishing consumer-submitted reviews on the internet.  Good word of mouth generated by favorable customer reviews can make a big difference in a company’s online ad campaign.  However, companies that are looking to incentivize customers to submit good reviews must be wary of not running afoul of the FTC Endorsement Guidelines.  In particular, where a company offers money or other benefits to customers in exchange for good reviews, it must disclose such fact when publishing reviews.

Key Takeaways for Businesses

The FTC’s complaint against AmeriFreight is the first time the agency has charged a company with misrepresenting online reviews by failing to disclose that it gave cash discounts to customers to post the reviews.  This has significant implications for businesses that use customer [...]

Continue Reading




The FTC Did Some Kid-ding Around in 2014

2014 was a busy year for the Federal Trade Commission (FTC) with the Children’s Online Privacy Protection Act (COPPA).  The FTC announced something new under COPPA nearly every month, including:

  • In January, the FTC issued an updated version of the free consumer guide, “Net Cetera:  Chatting with Kids About Being Online.”  Updates to the guide include advice on mobile apps, using public WiFi securely, and how to recognize text message spam, as well as details about recent changes to COPPA.
  • In February, the FTC approved the kidSAFE Safe Harbor Program.  The kidSAFE certification and seal of approval program helps children-friendly digital services comply with COPPA.  To qualify for a kidSAFE seal, digital operators must build safety protections and controls into any interactive community features; post rules and educational information about online safety; have procedures for handling safety issues and complaints; give parents basic safety controls over their child’s activities; and ensure all content, advertising and marketing is age-appropriate.
  • In March, the FTC filed an amicus brief in the 9th U.S. Circuit Court of Appeals, arguing that the ruling of U.S. District  Court for the Northern District of California in Batman v. Facebook that COPPA preempts state law protections for the online activities of teenagers children outside of COPPA’ coverage is “patently wrong.”
  • In April, the FTC updated its “Complying with COPPA:  Frequently Asked Questions” (aka the COPPA FAQs) to address how COPPA applies in the school setting.  In FAQ M.2, the FTC discussed whether a school can provide the COPPA-required consent on behalf of parents, stating that “Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent.”  But, the FTC also recommends as “best practice” that schools provide parents with information about the operators to which it has consented on behalf of the parents.  The FTC requires that the school investigate the collection, use, sharing, retention, security and disposal practices with respect to personal information collected from its students.
  • In July, COPPA FAQ H.5, FAQ H.10, and FAQ H.16 about parental consent verification also were updated.  In FAQ H.5, the FTC indicates that “collecting a 16-digit credit or debit card number alone” is not sufficient as a parental consent mechanism, in some circumstances, “collection of the card number – in conjunction with implementing other safeguards – would suffice.”  Revised FAQ H.10 indicates that a developer of a child-directed app may use a third party for parental verification “as long as [developers] ensure that COPPA requirements are being met,” including the requirement to “provide parents with a direct notice outlining [the developer’s] information collection practices before the parent provides his or her consent.” In revised FAQ H.16, the FTC [...]

    Continue Reading



FTC Releases Extensive Report on the “Internet of Things”

On January 27, 2015, U.S. Federal Trade Commission (FTC) staff released an extensive report on the “Internet of Things” (IoT). The report, based in part on input the FTC received at its November 2013 workshop on the subject, discusses the benefits and risks of IoT products to consumers and offers best practices for IoT manufacturers to integrate the principles of security, data minimization, notice and choice into the development of IoT devices. While the FTC staff’s report does not call for IoT specific legislation at this time, given the rapidly evolving nature of the technology, it reiterates the FTC’s earlier recommendation to Congress to enact strong federal data security and breach notification legislation.

The report also describes the tools the FTC will use to ensure that IoT manufacturers consider privacy and security issues as they develop new devices. These tools include:

  • Enforcement actions under such laws as the FTC Act, the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA), as applicable;
  • Developing consumer and business education materials in the IoT area;
  • Participation in multi-stakeholder groups considering guidelines related to IoT; and
  • Advocacy to other agencies, state legislatures and courts to promote protections in this area.

In furtherance of its initiative to provide educational materials on IoT for businesses, the FTC also announced the publication of “Careful Connections: Building Security in the Internet of Things”.  This site provides a wealth of advice and resources for businesses on how they can go about meeting the concept of “security by design” and consider issues of security at every stage of the product development lifecycle for internet-connected devices and things.   

This week’s report is one more sign pointing toward our prediction regarding the FTC’s increased activity in the IoT space in 2015. 




STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021