In This Issue:

• Connected Toy Maker Settles With FTC Over Alleged COPPA Violations
• Professors Stick Up for Game Producers Against Lindsay Lohan Swipe
• FTC Takes a Crack at Get-Rich-Quick “Code”
• Public Gets Two-Year Refresher on Do-Not-Call Registry
• Ink Is Dry on Final Lenovo/FTC Settlement

Connected Toy Maker Settles With FTC Over Alleged COPPA Violations

Investigation of VTech marks 'commission’s' first-ever foray into world of connected toys

Rising Tide

The internet of things – the holy grail of tech enthusiasts and bane of dystopian prophets – has established yet another beachhead in its presumably inevitable march toward whatever future awaits us: toys.

Take, for example, Hong Kong-based VTech’s line of attractive, kid-oriented electronic devices. The company manufactures watches, tablets and even stuffed animals that leverage an online platform (dubbed the “Learning Lodge”), similar to the Apple App Store, from which books, apps and other kid-friendly content can be downloaded through the toys.

As a communications overlay for its myriad devices, the company created “Kid Connect” – a messaging platform for children that allows kids to chat with peers on a personalized contact list. Kid Connect apps share text, audio messages and personal photos, and even create chat rooms built around the user’s contact list.

Insecurity

The Kid Connect user’s contact list and other settings are controlled by their parents through a separate app available from the Apple and Android App stores. In order to monitor usage, parents would register with Learning Lodge, providing their names and addresses (physical and email) along with the names of their children, their dates of birth and gender.

The case came to the attention of the Federal Trade Commission (FTC or Commission) after a hacker stole personal information about the kids and parents who used the company’s products. This is the FTC’s first connected toys case.

The FTC aimed a barrage of Children’s Online Privacy Protection Act (COPPA) violations at VTech in a complaint filed Jan. 8, 2018, in the Northern District of Illinois, Eastern Division.

The Commission alleged that privacy policy links for both the kids’ and parents’ apps were not prominently displayed or clearly labeled and that the policy failed to provide required information about VTech itself: the company’s addresses, for starters, and an account of exactly what information the company would be collecting from children – and how it would be used.

The Commission also alleged serious security breaches under COPPA, including a complete lack of a security plan and a failure to train its own employees to help them safeguard the sensitive information.

Breached

There were real-world consequences for these failures, according to the FTC.

A hacker breached the VTech network in the fall of 2015, making off with the names and personal account information of parents of Kid Connect users, which were not encrypted even though the privacy policy stated they would be. Moreover, although the company had encrypted the children’s photos and audio files, the encryption keys for those files were allegedly left in plain sight in a separate database that the hacker also violated. The hacker, the FTC maintained, simply exploited commonly known network vulnerabilities – weaknesses that should have been addressed by VTech. The allegations also claimed that VTech did not have a COPPA-compliant mechanism in place to verify that the people who were registering an account were parents and not children. VTech, the FTC says, was unaware of the breach until a journalist informed it after the fact.

The Takeaway

The FTC charged VTech with unfair or deceptive practices and false and misleading statements under COPPA, seeking a permanent injunction against future violations and civil penalties.

VTech settled on the same day. The company will pay a $650,000 civil penalty, is prohibited from future COPPA missteps and is required to build a “comprehensive data security” plan that will be audited every other year for the next 20 years.

For a detailed analysis of the implications of this case, see our blog post here.

Professors Stick Up for Game Producers Against Lindsay Lohan Swipe

Amicus brief says in-game likeness of Lohan is no privacy violation

Mean Girl?

Yes, Lindsay Lohan’s bad behavior has earned her a certain notoriety. That much is a given. But her infamy cuts both ways: She’s lodged firmly in the public’s consciousness, but like many celebrities that came before, her notoriety has turned into a cottage industry.

If we believe the complaint Ms. Lohan lodged back in 2014, Take-Two Entertainment and Rockstar Games, producers of the juggernaut Grand Theft Auto video game franchise, did their best to leverage her public profile to boost sales of the latest installment in their series, GTA V.

Three months prior to the game’s September 2013 release, the complaint alleges, the producers announced her name in reference to a “look-alike” mission within the game, in which a character modeled on Lohan, Lacey Jonas, asks the player to take her home – away from lurking paparazzi.

Lohan alleged that Take-Two and Rockstar used various aspects of her likeness without her consent, including a character model draped in clothes inspired by Lohan’s fashion sensibility, the signature “peace” sign she used in photos – even recordings of her actual voice. To round it out, the Jonas character was involved in situations seemingly inspired by Lohan’s life; for example, the look-alike was shown on the cover of one of the game discs in an “arrest pose.” The likenesses were used in the game itself and in advertisements for it.

Intervention

Lohan sued for violations of right of privacy under New York civil rights law, seeking punitive damages and restraint of use of her likeness. The case survived a motion to dismiss in New York Supreme Court, but Take-Two and Rockstar appealed the denial and won in September 2016, effectively ending the case for Lohan. She immediately filed her own appeal.

In support of the game producers, a number of First Amendment and intellectual property law professors filed an amicus brief in late December 2017, taking on specific arguments advanced by Lohan in her case. They also analyzed arguments made in another similar case against the game producers by Karen Gravano, who alleged nonconsensual use of her likeness in the same game. (Gravano, daughter of former mob informant Sammy “The Bull” Gravano, is a reality TV star.)

Two Tests

The amici curiae took special exception to the central arguments of Gravano’s and Lohan’s separate cases. Gravano’s case, the brief states, asked the court to analyze the actions of the defendants under the “predominate purpose test.” Under this test, the right of privacy is violated when the work in question is predominately commercial rather than expressive in nature. The professors argue that this test is fundamentally unsound, as it separates motives on the part of the defendants that often coincide – there’s no reason, they argue, that art cannot be a commercial enterprise. Additionally, it forces judges to become, in effect, art critics, deciding on their own subjective criteria the expressiveness of any given work.

Lohan’s case, in their interpretation, implied a different test – the “transformative use” test favored by California circuit courts. In this case, right of privacy is not violated if the work transforms the likeness in some way – through parody, caricature or ironic commentary, for example. Again, the professors maintain the test is too subjective, pointing to Ninth Circuit right-to-privacy cases that seem to arbitrarily embrace or reject the test based on subjective artistic assessments made by the courts.

The Takeaway

The professors display an Empire State of mind throughout the brief, which notes repeatedly the wisdom of the New York statute governing both cases. By narrowly restricting the right of privacy to the nonconsensual use of a likeness in commercial activity (for advertising or trade purposes, for example), New York “dodged a bullet.” In their interpretation, the statute’s strict boundary frees the court from making aesthetic judgments and creates an objective test for right of privacy violations, leaving First Amendment protections of creative work intact.

The amici also noted that advertisements for creative works that use likenesses deployed in the original work – in this case, billboard ads for GTA V and the game’s packaging, which featured Lohan’s double – were not, under New York law, violations of the right to privacy, offering another argument on behalf of Rockstar and Take-Two.

This case has implications for creative content productions and the advertising of those productions. However, the arguments of Rockstar and Take-Two, and of the law professors supporting them, would NOT apply to the use of a celebrity likeness (or other right-of-publicity usage) in an ad for a noncreative product, absent another potential fair use defense, such as a true parody. The case law on parodies in ads is mixed. For more information on the different applications of the First Amendment as it relates to rights of publicity and editorial versus advertising content, read this article.

FTC Takes a Crack at Get-Rich-Quick “Code”

Commish: Multiprong effort misrepresented … well, everything

Behind the Curtain

Is there a better get-rich-quick scheme than offering to help other people get rich quick?

The Federal Trade Commission (FTC or Commission) recently lodged a complaint in the Middle District of Florida against three men who it alleged have perfected the art.

Ronnie Montano, Hyong Su “Jimmy” Kim and Martin Schranz are accused of using a fleet of affiliate marketers to push money-making products to consumers – consumers who soon discovered that there wasn’t much there.

Decoder Ring

The product names themselves seem almost disarmingly forthright: Mobile Money Code, Easy Cash Code, Full Money System and Secret Money System, to name a few. Product marketing promised consumers access to a “secret code” or “money-making machine” that could generate income without effort. The trio charged $49 to $149 for the privilege of earning stunning sums of money.

Claims included “… beginners and normal people just like you, making $4,000 a Day using their cell phones;” “This weekend, you can start your journey to generating 60k a month on 100% autopilot” and “You can make 1,000 to 5,000 a day just by having this app running in the background ...”

Unfortunately, the FTC alleges, the products turned out to be nothing remarkable at all – merely generic apps that helped users build microniche and mobile-friendly websites.

Soup to Nuts

This alleged empty payoff was supported by a complex, comprehensive marketing blitz. The defendants, the FTC claims, lured in consumers with spam emails, pop-up ads and search engine results targeting people who were looking for work-at-home opportunities. They were offered no chance to opt out of future communications.

When consumers arrived at the Money Code sites, the false claims intensified, and consumers who tried to head for the hills were blocked from leaving the site by a stream of pop-up windows promising discounts and further earnings. Disclosure statements containing more realistic information about the promised income were tucked away on remote areas of the webpage, far from the outlandish claims.

Finally, once paying customers entered the site’s exclusive members’ area, the upsell began; extra features and add-on products were touted as the ways to truly succeed with the system. The upsells could build up to hundreds of dollars in charges, but in the end, these extras offered only more generic or useless information.

Moreover, the FTC alleges, the trio misrepresented their refund policy. Those who could even reach a customer service representative were routinely upsold yet again.

Regarding the emails that were sent to potential customers, the Commission also claimed that misleading subject headings were used and that the emails failed to include a clear means to opt out of future messages.

“In all phases of their scheme,” the complaint states, “defendants used a variety of misleading and deceptive tactics that violated the Federal Trade Commission Act, the CAN-SPAM Act, or both.”

The Takeaway

The FTC accused Schranz of making millions off the sale of lists of information that Montano gathered on customers who fell for the scheme; Montano was reimbursed by being allowed to hawk the lists as well. Kim was paid handsomely for creating the generic products that customers received.

In response, the FTC is accusing the trio of violations of the Federal Trade Commission Act – misrepresentation of earnings, misrepresentation of the nature of the offered product and misrepresentation of their refund policy – and the CAN-SPAM Act – misleading subject headings, failure to provide an opt-out and failure to provide a physical address.

The Commission seeks a permanent injunction of the above violations, restitution or refund of monies paid, and court costs.

While reputable companies are not involved in fraudulent, get-rich-quick schemes, there are lessons here for all merchants. Namely, be sure to have an accurate refund policy that is followed, and ensure email marketing meets all of the technical requirements of CAN-SPAM.

Public Gets Two-Year Refresher on Do-Not-Call Registry

Registry a shield against unprecedented flood of illegal calls

New Edition

Ever since Congress passed the widely popular Do-Not-Call Registry Fee Extension Act of 2007 back in early 2008 (did anyone tell them to get the dates to match?), the Federal Trade Commission (FTC or Commission) has been required to provide the public with a “state of the registry” of sorts every two years. The reports offer a glimpse into the Registry’s operations, information regarding the impact of new technology on the Registry, and other issues pertaining to the Act and its implementation.

The 2017 edition was recently released, and it contains some worthwhile information.

Call Virus

Illegal telemarketing calls are proliferating. According to the latest report, technological advances like voice over internet protocol have enabled scammers to make an unprecedented number of calls at little expense. Other technical advances have made spoofing calls – hiding the true identity of the originating caller through fake caller ID – easier than ever.

The result? Scammers are running wild, and consumer complaints to the FTC and the Federal Communications Commission (FCC) have skyrocketed over the past few years; in the final quarter of 2017, the FTC received 375,000 complaints per month, up from 63,000 during the same period in 2009 and the FCC received nearly 185,000 complaints since Aug. 1, 2016.

In response, the FTC held a series of contests challenging technologists to create technical solutions to the increasing call volume. From 2012 to 2015, the Commission awarded tens of thousands of dollars to individuals and small teams who created apps, honeypots and algorithms designed to thwart illegal callers – although it’s curious that the report does not mention a follow-up competition taking place after 2015. The competitions have led to various technology innovations, and telecommunication and technology companies have several programs in place designed to counter the uptick in illegal calls.

Worst Action Movie Ever

The Commission’s call-blocking efforts are addressed by the report as well. The FTC has recently teamed up with the dashingly named Robocall Strike Force, an organization that includes “providers of traditional landline, mobile, and VoIP services, handset manufacturers, operating system developers, and VoIP gateway providers.”

Requests made by the Strike Force have led directly to official Commission guidance on how providers can block illegal calls without running afoul of regulation. For instance, in response to a Strike Force query, the FTC clarified that providers may block spoofed calls if the original subscriber to the number asks for them to do so.

The report indicates that the Commission is currently working on rules that will allow providers to block illegal calls directly and methods by which originating phone numbers can be authenticated, thereby defeating call spoofers.

Developments in the Established Business Relationship Carve-out

The report also discussed the Telemarketing Sales Rule (TSR) and the FCC’s rules contain exemptions that permit a seller or telemarketer to call a person who has listed his or her telephone numbers on the Registry if the call is to a person with whom the seller has an “established business relationship" (EBR). This exception allows telemarketers to call customers who have recently made purchases or have made inquiries, even if their telephone numbers are on the Registry. In 2015, the Commission amended the TSR to make clear that sellers and telemarketers have the burden of proof to demonstrate the existence of an established business relationship, as they had found that many telemarketers were abusing the exception. 

The Takeaway

Finally, there are some hard numbers on the ongoing success of the Registry. According to the Commission, by the end of September 2017, the Registry had 229,816,164 active registrations.

In a nation of 325 million people, often riven by hyperpartisan conflict, is not the Registry the definition of a successful government program?

Companies involved in telemarketing need to not only understand how to access and honor the Registry and obtain consent or fall within the TSR’s EBR exception, but they must also comply with complex operational requirements of the TSR and the Telephone Consumer Protection Act (TCPA). The repercussions for noncompliance are significant. Do not assume your call center vendor knows what they are doing. We regularly advise merchants on compliance and call center vendor engagements.

Ink Is Dry on Final Lenovo/FTC Settlement

Computer maker

Man in the Middle

On Jan. 2, 2018, the Federal Trade Commission (FTC or Commission) finalized its settlement with Lenovo Inc. regarding charges that the computer giant engaged in some risky business with its customers’ information.

The original complaint, which was filed back in September 2017, alleged that Lenovo’s VisualDiscovery software, which was preinstalled on some of the company’s laptop models between 2014 and 2015, set itself up as a local proxy on each machine. When a laptop user browsed the internet, VisualDiscovery would sit in the middle, routing and observing IP traffic flowing between the laptop and the sites the user visited. The software could monitor any piece of sensitive data..

Good Intentions?

Ostensibly, VisualDiscovery monitored user traffic to serve pop-up ads related to the user’s current browsing decisions, which might have been enough to raise certain users’ hackles. However, in order to allow the pop-up ads to work over encrypted connections, VisualDiscovery triggered third-party software that replaced the security certificate of visited encrypted sites with its own unencrypted certificate. Users might have thought they were communicating over an encrypted connection, but their information was hardly secure.

The FTC alleged that Lenovo deceptively failed to disclose the unfair preinstallation of VisualDiscovery and the faulty security that the software engendered. The Commission also claimed that Lenovo did not adequately disclose the third-party software through a pop-up window that appeared upon the initial opening of a web browser. This pop-up failed to disclose adequately that VisualDiscovery would act as a man in the middle between consumers and all websites with which they communicated and did not have an opt-out mechanism that customers could easily use.

The Takeaway

The final settlement prohibits Lenovo from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ internet browsing sessions or transmit sensitive consumer information to third parties. The settlement also requires Lenovo to get consumers’ affirmative consent before any such software runs on their laptops. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The implementation will be assessed by a third party every two years, in addition to the usual FTC audits. In an interesting side note, the two commissioners issued additional, conflicting statements regarding what should be considered a deceptive omission. Commissioner McSweeny held that the complaint could have gone further. He found that Lenovo’s failure to disclose the pop-up ad feature and its effect on the browsing experience was deceptive.

Acting Chairman Ohlhausen disagreed. She held that the Commission generally took a more limited approach to determining deceptive omission. Since the disclosure admitted that advertising would become part of the browsing experience, further disclosure of its effects was unnecessary; disclosing every piece of information about every product would actually cause more harm than it spared.

For a more detailed analysis of the implications of the case, see our blog post here.