This week, the Federal Trade Commission (FTC or Commission) released an interactive tool (entitled the “Mobile Health Apps Interactive Tool”) that is intended to help developers identify the federal law(s) that apply to apps that collect, create and share consumer information, including health information. The interactive series of questions and answers augments and cross-references existing guidance from the US Department of Health and Human Service (HHS) that helps individuals and entities—including app developers—understand when the Health Insurance Portability and Accountability Act (HIPAA) and its rules may apply.  The tool is also intended to help developers determine whether their app is subject to regulation as a medical device by the FDA, or subject to certain requirements under the Federal Trade Commission Act (FTC Act) or the FTC’s Health Breach Notification Rule. The Commission developed the tool in conjunction with HHS, FDA and the Office of the National Coordinator for Health Information Technology (ONC).

Based on the user’s response to ten questions, the tool helps developers determine if HIPAA, the Federal Food, Drug, and Cosmetic Act (FDCA), FTC Act and/or the FTC’s Health Breach Notification Rule apply to their app(s). Where appropriate based on the developer’s response to a particular question, the tool provides a short synopsis of the potentially applicable law and links to additional information from the appropriate federal government regulator.

The first four questions cover a developer’s potential obligations under HIPAA. The first question explores whether an app creates, receives, maintains or transmits individually identifiable health information, such as an IP address. Developers may use the tool’s second, third and fourth questions to assess whether they are a covered entity or a business associate under HIPAA. The tool’s fifth, sixth and seventh questions help developers establish whether their app may be a medical device that the FDA has chosen to regulate.  The final three questions are intended to help users assess the extent to which the developer is subject to regulation by the FTC.

Although the tool provides helpful, straightforward guidance, users will likely need a working knowledge of relevant regulatory principles to successfully use the tool.  For example, the tool asks the user to identify whether the app is “intended for use” for diagnosis, cure, mitigation, treatment or disease prevention, but does not provide any information regarding the types of evidence that the FDA would consider to identify a product’s intended use or the intended use of a mobile app (e.g., statements made by the developer in advertising or oral or written statements). In addition, how specifically an app will be offered to individuals to be used in coordination with their physicians can be dispositive of the HIPAA analysis in ways that are not necessarily intuitive.

The tool provides a starting point for developers to raise their awareness of potential compliance obligations. It also highlights the need to further explore the three federal laws, implementing rules and their exceptions. Developers must be aware of the tool’s limitations—it does not address state laws and is not intended to provide legal advice. In fact, the tool does not provide links to the actual text of the laws or regulations and is clearly aimed at non-lawyers.  Nor does the tool highlight all applicable guidance documents provided on the websites for each federal regulator, which shed additional light on what that regulator has determined is within or outside of its oversight.

Earlier this year, AmeriFreight, a Georgia-based auto shipment broker, settled with the Federal Trade Commission (FTC) over charges that the company posted customer reviews on its website while failing to disclose that it had given cash discounts to customers in exchange for the reviews.  According to the FTC complaint, AmeriFreight touted on its website homepage that it had “more highly ranked ratings and reviews than any other company in the automotive transportation business” and that a majority of the online reviews on  AmeriFreight’s website failed to disclose that the reviewers were compensated $50 for posting reviews and were also eligible to receive an additional $100 if selected for the “Best Monthly Review Award.”  The FTC charged that AmeriFreight, by failing to disclose the incentives it had given to reviewers, had misrepresented its customer reviews as those of unbiased consumers.  The FTC’s position can be summed up best by the following quotes from its Director of the Bureau of Consumer Protection: “Companies must make it clear when they have paid their customers to write online reviews” and if companies “fail to do that – as AmeriFreight did – then they’re deceiving consumers, plain and simple.”

The FTC’s Endorsement Guidelines

Guidelines issued in 2009 by the Federal Trade Commission (the “FTC Endorsement Guidelines”) make clear that an advertiser must fully disclose any connection between the advertiser and an endorser of the advertiser’s product or service that might materially affect the weight or credibility of the endorsement, such as the fact that the endorser received compensation or some other benefit or incentive from the advertiser in exchange for providing a favorable review.  An advertiser’s failure to disclose an endorser’s material connection with the advertiser constitutes an unfair and deceptive trade practice as well as false advertising, both in violation of Section 5(a) of the Federal Trade Commission Act.  The requirement of disclosure of material connections applies not only to celebrity, expert or professional endorsers, but also to ordinary consumer-endorsers.  Many companies today use consumer endorsements in promoting their products or services, including the so-called “word-of-mouth advertising” whereby satisfied customers tell other people how much they like a product or service.  A common example of this form of advertising is publishing consumer-submitted reviews on the internet.  Good word of mouth generated by favorable customer reviews can make a big difference in a company’s online ad campaign.  However, companies that are looking to incentivize customers to submit good reviews must be wary of not running afoul of the FTC Endorsement Guidelines.  In particular, where a company offers money or other benefits to customers in exchange for good reviews, it must disclose such fact when publishing reviews.

Key Takeaways for Businesses

The FTC’s complaint against AmeriFreight is the first time the agency has charged a company with misrepresenting online reviews by failing to disclose that it gave cash discounts to customers to post the reviews.  This has significant implications for businesses that use customer reviews as part of their advertising or marketing initiatives.  The AmeriFreight case makes clear that advertisements, regardless of form, must be transparent.  When a business touts its products or services, whether in endorsed advertisements or customer reviews, it must make clear that it has paid its customers and/or endorsers to review or endorse the product or service.  A business may not tout its “highly ranked ratings and reviews” or the like if it offered incentives to its reviewers without first disclosing the material connection between its endorsers and the business.  Hiding this fact may subject a business to the FTC Act and associated fines and penalties.

2014 was a busy year for the Federal Trade Commission (FTC) with the Children’s Online Privacy Protection Act (COPPA).  The FTC announced something new under COPPA nearly every month, including:

  • In January, the FTC issued an updated version of the free consumer guide, “Net Cetera:  Chatting with Kids About Being Online.”  Updates to the guide include advice on mobile apps, using public WiFi securely, and how to recognize text message spam, as well as details about recent changes to COPPA.
  • In February, the FTC approved the kidSAFE Safe Harbor Program.  The kidSAFE certification and seal of approval program helps children-friendly digital services comply with COPPA.  To qualify for a kidSAFE seal, digital operators must build safety protections and controls into any interactive community features; post rules and educational information about online safety; have procedures for handling safety issues and complaints; give parents basic safety controls over their child’s activities; and ensure all content, advertising and marketing is age-appropriate.
  • In March, the FTC filed an amicus brief in the 9th U.S. Circuit Court of Appeals, arguing that the ruling of U.S. District  Court for the Northern District of California in Batman v. Facebook that COPPA preempts state law protections for the online activities of teenagers children outside of COPPA’ coverage is “patently wrong.”
  • In April, the FTC updated its “Complying with COPPA:  Frequently Asked Questions” (aka the COPPA FAQs) to address how COPPA applies in the school setting.  In FAQ M.2, the FTC discussed whether a school can provide the COPPA-required consent on behalf of parents, stating that “Where a school has contracted with an operator to collect personal information from students for the use and benefit of the school, and for no other commercial purpose, the operator is not required to obtain consent directly from parents, and can presume that the school’s authorization for the collection of students’ personal information is based upon the school having obtained the parents’ consent.”  But, the FTC also recommends as “best practice” that schools provide parents with information about the operators to which it has consented on behalf of the parents.  The FTC requires that the school investigate the collection, use, sharing, retention, security and disposal practices with respect to personal information collected from its students.
  • In July, COPPA FAQ H.5, FAQ H.10, and FAQ H.16 about parental consent verification also were updated.  In FAQ H.5, the FTC indicates that “collecting a 16-digit credit or debit card number alone” is not sufficient as a parental consent mechanism, in some circumstances, “collection of the card number – in conjunction with implementing other safeguards – would suffice.”  Revised FAQ H.10 indicates that a developer of a child-directed app may use a third party for parental verification “as long as [developers] ensure that COPPA requirements are being met,” including the requirement to “provide parents with a direct notice outlining [the developer’s] information collection practices before the parent provides his or her consent.” In revised FAQ H.16, the FTC addresses whether an app store operator that offers a verifiable parental consent mechanism is exposed to liability under COPPA.  Since an app store operator does not qualify as an “operator” under COPPA, the app store is not liable under COPPA “for failing to investigate the privacy practices of the operators for whom [they] obtain consent,” but could be liable under the FTC Act for false or deceptive practices.
  • In August, the FTC approved the Internet Keep Safe Coalition (iKeepSafe) program as a safe harbor oversight program. The FTC also called for public comments on AgeCheq, Inc.’s parental verification method, which sought to verify parental identity via a financial transaction or a hand-signed declaration.  The FTC subsequently rejected the proposed method in November because these methods have already been recognized as valid means of obtaining verifiable parental consent under COPPA and emphasized that companies are free to develop common consent mechanisms without Commission approval.
  • In September, Yelp was fined $450,000 for failing to comply with COPPA.  (See our blog post here).  Also in September, TinyCo (the developer of Tiny Pets, Tiny Zoo, Tiny Village, Tiny Monsters and Mermaid Resort) was fined $300,000 for collecting children’s email addresses, in exchange for in-game bonuses, without parental consent in violation of COPPA.
  • In November, AgeCheq, Inc. proposed a second parental consent verification method to ensure COPPA compliance.  The second proposed method consisted of a device-signed parental consent form with a multi-step method requiring entry of a code sent by text message to a mobile device. The Center for Digital Democracy urged the FTC to reject AgeCheq’s method in comments filed on December 29, 2014.  On January 29, 2015, the FTC announced its rejection of AgeCheq’s second proposed parental verification method.
  • In December, the FTC warned BabyBus, a China-based children’s app developer, that its apparent collection of user geolocation information may violate COPPA if (i) user geolocation information is indeed being collected and (ii) if the company does not get parents’ consent before collection the information from children under age 13.  The FTC noted that “COPPA and its related rules apply to foreign-based Web sites and online services that are involved in commerce in the United States.”

Given California’s new student privacy law, Student Online Personal Information Protection Act (effective January 1, 2016), and the recent increased focus on student privacy resulting from President Obama’s announcement about the Student Privacy Act, we expect that 2015 also will be an active year for children’s privacy.  Stay tuned!

On January 27, 2015, U.S. Federal Trade Commission (FTC) staff released an extensive report on the “Internet of Things” (IoT). The report, based in part on input the FTC received at its November 2013 workshop on the subject, discusses the benefits and risks of IoT products to consumers and offers best practices for IoT manufacturers to integrate the principles of security, data minimization, notice and choice into the development of IoT devices. While the FTC staff’s report does not call for IoT specific legislation at this time, given the rapidly evolving nature of the technology, it reiterates the FTC’s earlier recommendation to Congress to enact strong federal data security and breach notification legislation.

The report also describes the tools the FTC will use to ensure that IoT manufacturers consider privacy and security issues as they develop new devices. These tools include:

  • Enforcement actions under such laws as the FTC Act, the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA), as applicable;
  • Developing consumer and business education materials in the IoT area;
  • Participation in multi-stakeholder groups considering guidelines related to IoT; and
  • Advocacy to other agencies, state legislatures and courts to promote protections in this area.

In furtherance of its initiative to provide educational materials on IoT for businesses, the FTC also announced the publication of “Careful Connections: Building Security in the Internet of Things”.  This site provides a wealth of advice and resources for businesses on how they can go about meeting the concept of “security by design” and consider issues of security at every stage of the product development lifecycle for internet-connected devices and things.   

This week’s report is one more sign pointing toward our prediction regarding the FTC’s increased activity in the IoT space in 2015.