Regulatory Issues with Social Media — Beyond the FDA

June 24, 2015

Lindsey Tonsager Covington & Burling

(415) 591-7061 ltonsager@cov.com

2

Agenda

Legal Framework

Application to Common Social Media Activities

3

Section 5 of the FTC Act

No comprehensive federal data privacy or security law

in the U.S.

Section 5 authorizes the FTC to address "deceptive" or

"unfair" acts or practices

Applies to consumer and B2B relationships

Deception

• Likely to mislead consumers

• Considered from the perspective of a reasonable consumer

• Material — i.e., likely to affect consumer’s choice or conduct regarding a product

Unfairness

• Likely to cause substantial consumer injury

• Not reasonably avoidable by consumers

• Not outweighed by countervailing benefits to consumers or competition

4

Section 5 Implementation

Limited rulemaking authority under Section 5

Guidance through reports, workshops, and

other informal materials

This informal guidance is NOT legally binding,

but good best practices

5

Section 5 Enforcement

Typically resolved through privately-negotiated

consent decrees – but not always

Implication of entering into a consent decree

Generally no statutory financial penalties under

Section 5, UNLESS there is a violation of a consent

decree

Consent agreements are NOT binding on

competitors

With few exceptions, tend to last a very long time

(e.g., 20 years)

6

State “Mini FTC Acts”

Many states have adopted unfair competition

laws that similarly prohibit deceptive or unfair

acts and practices

Key difference from FTC Act ― a number of

states allow for private rights of action

7

Other Federal and State Laws

Industries

Healthcare Providers (HIPAA)

42 U.S.C. § 300gg, 29 U.S.C § 1181 et seq. and 42 USC

1320d et seq.

Financial Institutions

(Gramm-Leach-Bliley)

15 U.S.C. § 6801, et seq.

Activities

Email Marketing (CAN-SPAM)

42 U.S.C. §§ 7101-7713

Telemarketing (TCPA)

47 U.S.C. § 227

Access to Communications

(ECPA)

18 U.S.C. § 2510 et seq.

Consumers

Children under 13 (COPPA)

15 U.S.C. §§ 6501-6506

California Minors’ Digital Privacy Law

Cal. Bus. & Prof. Code §§ 22580-22582

A variety of other federal and state laws govern

specific:

8

Self-Regulation

Voluntary Industry Guidelines and Best Practices

Privacy Policies

Terms of Use

Social Media Policies, BYOD, Network/Internet Use

Limited to authorized company spokesperson?

Company-branded or personal social media

accounts?

Using company-owned or personal equipment?

9

Agenda

Legal Framework

Application to Common Social Media Activities

10

What Is “Social Media”

11

Regulatory Issues: Social Media

Heightened regulatory attention on social media platforms

FTC consent decrees involving Twitter, Google Buzz, Facebook

Companies using social media also should be aware of potential legal risks:

Consumer notice (and choice)

Testimonials and endorsements

Native advertising

Ad substantiation

Compliance with platform policies

Children’s privacy

Copyright and reuse of user-generated content

Use of vendors and service providers

12

Consumer Notice

Advertisers are responsible for false or unsubstantiated

statements made through endorsements and testimonials,

or for failing to disclose material connections.

Case Study

• Drug Company commissions research on its product by an

outside organization. Drug Company determines subject of

the research and pays a substantial share of the expenses,

but the research organization determines the study’s

protocol and is responsible for conducting it.

• Drug Company pays HCP to write a blog mentioning the

research results as ‘‘findings’’ of that research organization.

• HCP promotes the blog post on Facebook, Twitter, and

LinkedIn.

13

Consumer Notice

14

User-Generated Social Media Endorsements

“We believe that participants' pins featuring Cole Haan products were endorsements of the Cole Haan products . . . [W]e were concerned that Cole Haan did not instruct contestants to label their pins and Pinterest boards to make it clear that they had pinned Cole Haan products as part of a contest. We do not believe that the "#WanderingSole" hashtag adequately communicated the financial incentive- a material connection- between contestants and Cole Haan.” – FTC Cole HaanClosing Letter

15

Third-Party Social Media Endorsements

Fellow Deutschers – The PlayStation Team has been working hard on a campaign to launch Sony’s all-new handheld gaming device, the PS Vita, and we want YOU to help us kick things off! . . . To generate buzz around the launch of the device, the PS Vita ad campaign will incorporate a #GAMECHANGER hashtag into nearly all creative executions. . . . The campaign starts on February 13th, and to get the conversation started, we’re asking YOU to Tweet about the PlayStation Vita using the #GAMECHANGER hashtag. Easy, right?

FTC alleged Deutsch LA misled consumers because they did not disclose that they were

written by employees of Deutsch LA

“One thing can be said about

PlayStation Vita...it’s a #gamechanger”

“This is sick. . . .See the new PS Vita in

action. The gaming #GameChanger”

“Got the chance to get my hands on a PS Vita

and I'm amazed how great the graphics are.

It’s definitely a #gamechanger!”

16

Native Advertising

17

Key Takeaways

Make endorsement relationship clear

All claims must be complete, accurate, and not misleading

Determine appropriate level of control and monitoring

Consider all the possible platforms and devices

Try to incorporate disclosures into the content

18

Online Advertising

In addition to behavioral advertising using cookies and similar browser-based technologies, companies increasingly are trying to find and reach their existing or potential customers on social media

Example:

Advertiser has a list of existing or potential customers (e.g., email addresses, phone numbers, Apple IDFA, Google Ad ID) and wants to deliver an ad to those people.

The person also is a registered user of a social media service.

Data is hashed (de-identified), and hashed data of advertiser and social media service is compared.

If there is a match, the social media platform delivers the ad to the user.

The process can be supplemented by information from data brokers for more refined ad targeting.

19

How Hashing Protects Consumer Privacy

C242010385759788A

G739503820494675B

C242010385759788A

Advertiser Social Media Platform or Third-Party Ad Service

Match

No match

C242010385759788A

20

Platform Policies

Policies may address promotions, advertising, and privacy

Platform may offer plugins or embed tools to distribute third-party content consistent with copyright laws

May permit (or restrict) use of user-generated content for your own purposes

Once you post content, it may no longer be yours exclusively

21

Forward-To-A-Friend Campaigns

CAN-SPAM Act regulates sending of commercial email

Applies to commercial emails sent to consumers and B2B

communications

Accurate

Transmission Information

No Deceptive Subject Lines

Opt-Out Notice Functioning Electronic Opt-Out

“Ad” Disclosure, Unless Consent

Valid Physical Postal Address

Honor Opt-Out Within 10

Business Days

Onward Transfer Prohibitions

22

Forward-to-a-Friend Campaigns

Case Study: Drug Company encourages a HCP, consumer, or other third-

party to forward Drug Company’s e-mail messages to others.

Determine whether the “primary purpose” of the message is commercial

Confirm whether there is any payment or other consideration (e.g., coupon, discount) for forwarding the message

Consider level of control you’ll have over the message

Contracts with affiliate marketers should cover CAN-SPAM compliance

If applicable, implement list scrub and opt-out mechanisms

23

Telemarketing, Text Messaging, Pre-Recorded Calls

The Telephone Consumer Protection Act (TCPA)

Recent FCC Order interprets Act expansively, but some exceptions for

HCPs and drug companies

What Does it Cover?

Telemarketing (residential wireline and wireless phones)

Text Messaging

Autodialers / Prerecorded Calls (some rules are content agnostic)

Other Laws to Consider

Telephone Consumer Fraud and Abuse Prevention Act, 15 USC §

6101, and FTC implementing regulations, 16 CFR § 310

Section 14 of the CAN-SPAM Act, 14 USC § 7712

State Laws

24

Why Does The TCPA Matter?

Private Right of Action

Very actively enforced by plaintiffs’ bar

Statutory damages of up to $1500 per call or text

Regulatory Enforcement by FCC, FTC, State AGs

Regulatory fines of up to $16,000 per call or text

25

Service Providers

Play important role in analytics, conversion

tracking, measurement, optimization, etc.

Privacy and data security diligence critical to

mitigating legal and reputational risk

26

Questions

Lindsey Tonsager

One Front Street

San Francisco, CA 94111-5356

(415) 591-7061

LTonsager@cov.com

To keep current on developments in global privacy and data security matters,

visit www.InsidePrivacy.com