On January 21, 2020, the Oakland City Council unanimously passed the Fair Chance Housing Ordinance (“FCHO”), which will restrict landlords in their ability to reject a potential tenant because of prior criminal history. It also impacts background check companies that offer a tenant screening product (“consumer reporting agencies”) because they will have to modify their processes and procedures to ensure that information that is “off limits” to landlords and property managers is not included in a tenant screening report (“consumer report”). The Council will take a final vote on February 4, 2020. Given that Oakland is not the first jurisdiction to enact such an ordinance, and there are other similar laws pending across the country, background check companies need to monitor this evolving area of the law and take affirmative steps to avoid a class action.

Seattle Paved the Way for Laws Restricting Reporting and Consideration of Criminal History for Rental Housing Purposes

In the context of tenant screening, restrictions on consideration of criminal history appear to be gaining traction. The first such law was passed in 2017, when the City of Seattle enacted its own “Fair Chance Housing Ordinance.” In Seattle, it now is an unfair practice for any “person” (broadly defined to include landlords/property managers and their agents) to, among other things, “[r]equire disclosure, inquire about, or take an adverse action against a prospective occupant, a tenant or a member of their household, based on any arrest record, conviction record, or criminal history.” The exceptions are quite narrow, however, Seattle allows landlords and property managers to consider a tenant applicant’s status as a registered sex offender (but an applicant only can be denied on this basis if there is a “legitimate business reason” to do so).

While at first blush it appears the Seattle ordinance only restricts the information that landlords and property managers may request and consider, Seattle’s FAQ expressly states that “[u]nless there is an exclusion, neither landlords nor any person may run criminal background checks,” adding that “any person” includes, but is not limited to “property managers, owners, screening companies, etc.” As a result, we previously have recommended that background check companies consider modifying their processes to ensure that criminal history information is not reported to Seattle landlords and property managers, absent clear proof that an exception applies (e.g., sex offender registry status).

Oakland Follows the Trend With a More Comprehensive Ordinance

Citing a need “to give previously incarcerated persons or other persons with a criminal history a fair opportunity to compete for rental housing and to be able to reside with family members and others,” and also to reduce the incidence of homelessness for persons with a criminal history, the FCHO will make it unlawful for a housing provider (e.g., landlord, property manager, etc.) to, “at any time or by any means, whether direct or indirect,” inquire about a rental or leasing applicant’s criminal history, require an applicant to disclose or authorize the release of their criminal history or, if such information is received, base an adverse action in whole or in part on an applicant’s criminal history. Retaliation against any individual for exercising or attempting in good faith to exercise any protected rights under the FCHO is expressly prohibited.

“Criminal history” is broadly defined to include virtually any type of criminal record, regardless of how it is transmitted or obtained, and from whom, including one or more convictions or arrests, convictions that have been sealed, dismissed, vacated, expunged, sealed, voided, invalidated, or otherwise rendered inoperative by judicial action or by statute, juvenile records, or records reflecting participation in or completion of a diversion or a deferral of judgment program.

There are limited exceptions. First, it is not unlawful for a housing provider to comply with federal or state laws that require the housing provider to automatically exclude tenants based on certain types of criminal history, including, but not limited to:

  • Ineligibility of Dangerous Sex Offenders for Admission to Public Housing (42 U.S.C. § 13663(a).
  • Ineligibility of Individuals Convicted for Manufacturing Methamphetamine on Premises of Federally Assisted Housing for Admission to Public Housing and Housing Choice Voucher Programs (24 C.F.R. § 982.553).

If such a requirement applies, however, the FCHO states that the housing provider may not inquire about, require disclosure of, or, if such information is received, review an applicant’s criminal history until after the housing provider does the following: (1) informs the applicant in advance that the housing provider will check for certain types of criminal history; and (2) requests written consent, or if the applicant objects, provides the applicant the opportunity to withdraw the rental application.

Next, a housing provider may review California’s sex offender registry, provided that it (1) has stated the lifetime sex offender screening requirement in writing in the rental application, and (2) does not inquire about, require disclosure of, or, if such information is received, review an applicant’s criminal history until after the housing provider:

  • determines whether the applicant is qualified for the rental under all of the housing provider’s criteria for assessing applicants (except for any criteria related to criminal history);
  • provides to the applicant a conditional rental agreement that commits to providing the rental to the applicant as long as the applicant meets the housing provider’s criminal history criteria with respect to the registry of lifetime sex offenders; and
  • informs the applicant in advance that the housing provider will be checking the sex offender registry and requests written consent or, if the applicant objects, provides the opportunity to withdraw the rental application.

If a housing provider takes adverse action against an applicant based in whole or in part on their criminal history, it must provide a written notice to the applicant regarding the decision that includes, at a minimum:

  • the reason(s) for the adverse action;
  • instructions regarding how to file a complaint about the decision with the City;
  • a list of local legal services providers, including contact information;
  • a copy of any criminal history, background check report, or other information related to the applicant’s criminal history that served as a basis for the decision; and
  • an opportunity to respond with rebutting or mitigating information prior to the denial of the application.

Notably, the FCHO requires that the adverse action notice go above and beyond what the Fair Credit Reporting Act (“FCRA”) and the California Investigative Consumer Reporting Agencies Act (“ICRAA”) require. While both statutes require a notice that simply advises of the adverse decision, the right to submit a dispute, the right to request a copy of the report, and the contact information for the consumer reporting agency that furnished the report, the FCHO adds to these by requiring a copy of the report, an explanation for the decision, and an opportunity for rebuttal (in addition to the other information described above).

The FCHO also makes it unlawful for a housing provider to require reimbursement or payment from the applicant for providing any criminal history or criminal background check report.

The FCHO requires housing providers to follow additional requirements, such as posting a notice advising of applicants’ rights (in a form to be published by the City), including a copy of that same notice with any rental or leasing application, and maintaining a record of any criminal history obtained for any applicant for a period of three years.

Aggrieved applicants can file a complaint with the City, who, upon the finding of a violation, may issue a civil penalty of up to $1,000 for each violation, recover the costs of any investigation or issuance of civil penalties, and/or issue a warning letter and assess costs in lieu of issuing a civil penalty for a violation. Alternatively, aggrieved applicants (as well as the City Attorney or a tax exempt organization whose mission is to protect the rights of tenants or incarcerated persons in Oakland or Alameda County) may file a civil lawsuit against the housing provider. Aside from equitable relief, damages may include liquidated damages (e.g., three times the greater of either actual damages (including damages for mental or emotional distress), one month’s rent that the housing provider charges for the rental unit in question, or the fair market value of such rental unit); punitive damages; and attorney’s fees and costs. The City Attorney also may include requests for civil penalties of up to $1,000 per violation.

Violations of the FCHO also are subject to criminal liability: an infraction for a violation, and a misdemeanor for a violation that is knowing and willful. Especially important for background check companies, the criminal penalties section of the FCHO recognizes an aiding and abetting theory of liability by stating that any person who “aids” a housing provider can be criminally responsible. Thus, like Seattle, background check companies should consider modifying their processes to ensure that criminal history information is not reported to housing providers in Oakland unless an exception applies and any request for such information comports with the procedural requirements set out above.

Increased Risk of Consumer Class Actions

Given the growing trend of reporting and restrictions on consideration of criminal history, there is an equivalent growing risk of consumer class actions against landlords, property managers, and/or background companies for non-compliance. Alternatively, an enterprising plaintiffs’ bar may look to create a new basis to bring class action claims against these parties. Both providers and recipients of criminal history information for any purpose should evaluate state and local laws that regulate use of such of information, modify their policies and practices, and take steps to stay abreast of this evolving area of law.

Seyfarth Synopsis: On January 29, 2020, Facebook announced that it had reached a settlement with plaintiffs in a class action brought under the Illinois Biometric Information Privacy Act (the “BIPA”) in the U.S. District Court for the Northern District of California. The settlement represents one of the largest payouts in a case brought under the BIPA since the law was passed in 2008. However, as the case against Facebook was not reflective of typical litigation brought under the BIPA, companies and their counsel should not be used it as a yardstick to value the majority of BIPA settlements moving forward.

Wednesday’s settlement puts an end to the largest BIPA case filed to date. Though the settlement included a hefty price tag, the Facebook litigation was an unusual case filed under the BIPA in both class size and subject matter and should not necessarily serve a guidepost for BIPA settlements in the future.

Case Background

In In Re Facebook, plaintiffs alleged that Facebook violated the BIPA when it unlawfully collected and stored biometric data on Facebook users without prior notice or consent. Plaintiffs’ claims arose out of Facebook’s “Tag Suggestions” function, which identifies other Facebook users through scanning uploaded photographs. Plaintiffs alleged that Facebook created and stored digital representations of people’s faces based on the geometric relationship of facial features unique to each individual.

The case was originally filed as three separate lawsuits in the U.S. District Court for the Northern District of Illinois. After the parties stipulated to transfer the cases to the Northern District of California, the Court consolidated the three suits into one class action complaint and Facebook moved to dismiss, asserting that the plaintiffs lacked standing under Article III to bring the suit because the collection of biometric information without notice or consent did not result in “real-world harms,” “such as adverse employment or even just anxiety.” Facebook’s motion to dismiss was denied. The District Court held that the plaintiffs had standing because they were never offered the opportunity to withhold consent from the storage of biometric data. The District Court also certified a class of “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011.” Patel v. Facebook, Inc., 932 F.3d 1264, 1269 (9th Cir. 2019).

Facebook subsequently appealed the denial of the motion to dismiss and the class certification order to the U.S. Court of Appeals for the Ninth Circuit. In Patel v. Facebook, Inc., 932 F.3d at 1277, the Ninth Circuit affirmed the District Court’s decision in August 2019, holding that plaintiffs had alleged a harm sufficient to confer standing and that the class had been appropriately certified. Facebook then appealed the decision up to the U.S. Supreme Court, which denied certiorari last week on January 22, 2020. See Facebook, Inc. v. Patel, No. 19-706, 2020 WL 283288 (Jan. 21, 2020).

The Settlement

Facebook disclosed the settlement of the In Re Facebook case in conjunction with its quarterly financial results on January 29, 2020. Facebook’s disclosure indicated that, under the settlement agreement, Facebook will pay $550 million to eligible class members and plaintiffs’ attorneys. The parties have not yet released any additional information about the settlement, which follows closely on the heels of the Supreme Court’s decision last week not to hear Facebook’s appeal.

Implications For Illinois Companies

While the size of this settlement should certainly be noteworthy to companies doing business in Illinois, it is not reflective of the typical value of settlements for BIPA cases. The class certified in In Re Facebook included all Facebook users located in Illinois for whom Facebook created or stored a face template after June 2011. Extrapolating from the Plaintiffs’ allegations, the class could have presumably included millions of members, each of whom may have been awarded statutory damages ranging from $1,000 to $5,000 under the BIPA had Facebook proceeded to trial. Further, Facebook’s alleged use of the biometric information was much different than the typical BIPA case, which usually involves fingerprint or retina scans for payroll or security purposes.

However, despite the unique posture of the Facebook lawsuit, this significant settlement amount may exacerbate an already growing trend in privacy lawsuits being filed across the nation, with Illinois serving as a hotbed for such litigation under the BIPA (we have previously discussed the rise in BIPA lawsuits and the onset of other biometric privacy legislation here). Companies conducting business in Illinois and utilizing biometric information (such as fingerprint scans, retina scans, or, like Facebook, facial mapping or imaging, among other types) should be mindful that they are aware of and compliant with the requirements of the BIPA.

Synopsis: On January 6, 2020, Andrew Smith, director of the Federal Trade Commission’s Bureau of Consumer Protection, outlined in a blog post the agency’s new approach to data security orders. The agency implemented this approach in 2019 following a December 2018 hearing it held on the topic and an 11th Circuit decision that struck down a data security order as unenforceably vague. Elevating data security considerations to the C-Suite and Board level and increasing third-party assessor accountability are key features of its new approach, which Smith described as resulting in “significant improvements.”

The FTC’s “improvements” fall into the following three categories:

Elevated data security considerations to the C-Suite and board level. Companies must now present their boards with a written information security program annually. Senior officers then must provide annual certifications of compliance to the FTC with an order’s provisions. As support for the FTC’s efforts to improve corporate governance on data security, the FTC cited a number of studies, including one that “found a 35% decrease in the probability of information security breaches when companies include the Chief Information Security Officer (or equivalent) in the top management team and the CISO has access to the board.”

More specificity. The orders continue to require that a comprehensive information security program is implemented, but now provide more specificity on how that is to be accomplished. As previously mentioned, this change was prompted in part by a 2018 case in which the Eleventh Circuit vacated an FTC order as unenforceably vague. The FTC had ordered LabMD to implement a comprehensive information security program that included: 1) designated employees accountable for the program; 2) identification of material internal and external risks to the security, confidentiality and integrity of personal information; 3) reasonable safeguards to control identified risks; 4) reasonable steps to select service providers capable of safeguarding personal information and requiring them to do so; and 5) ongoing evaluation and adjustment of the program. The court concluded that the order “mandate[d] a complete overhaul of LabMD’s data-security program and [said] precious little about how this [was] to be accomplished.”

The orders now require companies to implement specific safeguards targeted at addressing problems alleged in the complaint. Smith gave a number of examples of such safeguards, including yearly employee training, encryption, monitoring systems for data security incidents, patch management systems, and access controls.

Increased third-party assessor accountability. A third improvement focuses on increasing the rigor of third-party assessors. The FTC continues to rely on outside assessors to review the implementation of the comprehensive data security programs required by the orders. For each biennial assessment, the FTC now has the authority to approve or reject the selected assessor. The orders also require assessors to identify specific evidence to support their conclusions, including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted. Documents related to the assessment must be maintained, and the assessor cannot refuse to provide such documents on the basis of certain privileges.

On December 16, 2019, the United States Supreme Court declined to review Krakauer v. Dish Network LLC, thus leaving unresolved a circuit split regarding Article III standing under the Telephone Consumer Protection Act (“TCPA”). As you may recall, on June 3, 2019, we reported on the Fourth Circuit’s opinion in Krakauer v. Dish Network, an opinion upholding a historic, $61 million TCPA jury award in the face of an Article III standing challenge.

Dish Network’s Petition for Certiorari

Following the Fourth Circuit’s ruling, Dish Network petitioned for a writ of certiorari to the Supreme Court.  In the petition, Dish Network stated the question presented as “whether a call placed in violation of the [TCPA], without any allegation or showing of injury—even that plaintiffs heard the phone ring—suffices to establish concrete injury for purposes of Article III.”  Dish Network argued that there was no evidence that any of the 18,000 class members were even aware they received a telemarketing call.  Notably, Dish Network cited the post-Spokeo circuit split between the Eleventh Circuit and the Second, Third, Fourth, and Ninth Circuits as to the Article III concrete injury standing requirement.

Implications for Business

Business groups had hoped that the Supreme Court would take up these cases and issue a decision that would resolve the circuit split. As it stands now, consumers in the Second, Third, Fourth and Ninth Circuits can bring claims under the TCPA without showing a concrete injury beyond the mere receipt of a text message. We will continue to monitor the landscape of TCPA litigation and report on any developments. Stay Tuned.

Synopsis: On December 6, 2019, the Federal Trade Commission issued a unanimous ruling against political data firm Cambridge Analytica for violating Section 5 of the FTC Act by misrepresenting that it would not download personally identifiable information when it in fact harvested this information from over 50 million Facebook users. Specifically, Cambridge Analytica represented that it would not download Facebook users’ name or any other identifiable information. To the contrary, its app collected a bevy of personally identifiable information, notably including Facebook User IDs, in creating voter profiles and targeted advertising leading up to the 2016 US Presidential election. The FTC also found that Cambridge Analytica made false or misleading representations that it still participated in the EU-US Privacy Shield Framework, an agreement designed to protect personal data transferred from the EU to the United States. The FTC imposed a 20-year injunction which, among other things, required that Cambridge Analytica delete or destroy the Facebook data it deceptively obtained and any information or work product, including any resultant algorithms or equations. While Cambridge Analytica is now in bankruptcy, this injunction also restrains its successors, assigns, officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, from disclosing, using, selling or receiving any benefit from the information collected about the individual consumers. The FTC further ordered, among other things, that none of these affiliates of Cambridge Analytica shall possess or control personal information from an EU resident without complying with the EU-US Privacy Shield framework principles.

Background

Cambridge Analytica obtained Facebook data in 2014, which it used to develop methods that allegedly could identify personality traits of American voters and influence their behavior through targeted advertising. Cambridge Analytica obtained this data by paying Facebook users small sums to take a survey and download an app, which harvested private information from their profiles and their Facebook friends’ profiles. An outside researcher then used the survey responses and public Facebook page “likes” harvested from users and their friends to populate and train an algorithm that predicted users’ personality traits.

To gain access to the users’ data, Cambridge Analytica misrepresented to users the collection of data as follows: “In this part, we would like to download some of your Facebook data using our Facebook app. We want you to know that we will NOT download your name or any other identifiable information—we are interested in your demographics and likes.” Cambridge Analytica only included this representation after finding that half of the survey participants initially refused to grant the app permission to collect their profile data. Contrary to this representation, the app collected the Facebook User ID of these users, which is a unique identifier that connects individuals to their profiles. The app also harvested additional profile data, such as users’ gender, birthdate, location, friends list, and Facebook page “likes.” Cambridge Analytica ultimately harvested profile data from approximately 250,000 to 270,000 app users located in the United States and approximately 50 to 65 million friends of these users, without the users’ knowledge or informed consent.

In the wake of this scandal, the FTC imposed a $5 billion penalty on Facebook on July 24, 2019, and required it to, among other things, submit to new compliance restrictions and greater accountability at the board of directors level by establishing an independent privacy committee. That same day, the FTC filed a Complaint against Cambridge Analytica and simultaneously filed proposed settlements with its former chief executive Alexander Nix and app developer Aleksandr Kogan, which have since then been approved. Those settlements included restricting how Nix and Kogan conduct business in the future and requiring them to delete or destroy any personal information they collected. Cambridge Analytica filed for bankruptcy prior to the issuance of the Complaint. The Complaint alleged that Cambridge Analytica, Nix and Kogan deceived consumers by falsely claiming they did not collect personally identifiable information from Facebook users and by falsely claiming the Company still participated in the EU-US Privacy Shield Framework and that it adhered to Privacy Shield principles.

Takeaways

The FTC Act’s prohibition on deceptive acts or practices includes misrepresentations with respect to how companies handle consumers’ personal information. The FTC in its Opinion explained that an act or practice will be found to be deceptive if “(1) there is a representation, omission or practice, (2) that is likely to mislead consumers acting reasonably under the circumstances, and (3) the representation, omission, or practice is material.” Through a three-step inquiry, the FTC determines “(1) what claims are conveyed [to consumers]; (2) whether those claims are false, misleading or unsubstantiated; and (3) whether the claims are material.” Claims are considered material if they involve “information that is important to consumers and, hence, likely to affect their choice of, or conduct regarding a product.” Express claims, including both explicit statements made in a claim and necessary implications derived from the statements, are presumptively material.

Here, the FTC pointed to the express claims that personally identifiable information would not be downloaded and the EU-US Privacy Shield framework principles would be followed. The FTC also pointed to other evidence of materiality, including that Cambridge Analytica only included the statement regarding not downloading identifiable information in its request to collect data from survey participants after half of the participants had refused to grant access to data absent that assurance. The FTC, therefore, inferred that the assurance provided by that statement likely affected the choices and changed the decisions of a substantial number of users.

With respect to the Privacy Shield misrepresentation, this case is one of several that the FTC has brought or settled in recent months against companies for deceiving consumers over their participation in the Privacy Shield. This case is yet another reminder that companies must ensure that any representations they make to consumers about participation in the Privacy Shield or any other privacy regimen are accurate and up-to-date.

The FTC took a broad view of what is personally identifiable information in finding that Cambridge Analytica’s statement that it would not download names or other identifiable information was false and misleading. In addition to users’ Facebook ID, the FTC viewed the covered information to include any persistent identifier, such as a customer’s number held in a “cookie,” a mobile device ID, or processor serial number or information collected from data fields through Facebook about users’ “likes,” “hometowns,” “birthdates,” “photos,” “gender,” “educational information,” “religious or political views,” or “marital” or other “relationship” status and any data regarding a consumer’s activities online (e.g., searches conducted, web pages visited, or content viewed).

While the Opinion itself focused principally on the express deceptive claim that Cambridge Analytica would not download users’ names or other identifiable information, it also noted that Cambridge Analytica then went on to use the data it surreptitiously collected. Perhaps because the non-use of that data would flow as a necessary implication of the claim that no users’ identifiable information would be downloaded, the FTC did not address the undisclosed use of the data as a separate deceptive act, even though the use of that data in voter targeting is what seemed to have stoked public ire when news of the scandal broke in 2018.

For a copy of the Opinion, click here. For a copy of the Final Order, click here.

Synopsis: FTC publishes a quick-resource guide for influencers to encourage advertising compliance on social media.

For the last several years the Federal Trade Commission has been addressing the misleading marketing of consumer goods through social media influencers. At the beginning of this month, the FTC reinforced its concern with social media influencers by publishing a short guide and a video directed at those that endorse products online. Misleading influencer conduct triggers Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits unfair or deceptive acts or practices in or affecting commerce. The focus on educating influencers is part of the FTC’s increasingly aggressive action against influencers and companies using online endorsements that do not properly disclose the connection between the influencer and the company.

On April 19, 2017, the FTC announced that it sent out more than 90 letters reminding influencers and marketers to clearly and conspicuously disclose their relationships to products and companies. Less than five months later, the FTC settled its first complaint against individual social media influencers. In that case, the respondents paid influencers $2,500 to $55,000 to promote their company on YouTube, Twitch, Twitter, and Facebook, but the influencers did not disclose this financial relationship in their promotions. At the time, the FTC insisted that the action “should send a message t

hat such connections must be clearly disclosed so consumers can make informed purchasing decisions.” The following year, a public relations firm and publisher settled similar claims with the FTC, where they had not only paid two gold medal Olympians to advertise a product but also asked their employees and “friends” to do the same, all without revealing these relationships to the public. In June 2019, the FTC, this time in conjunction with the Food and Drug Administration, sent warning letters to four sellers of e-liquids, in which it “urge[d] [the recipients] to review your marketing, including endorsements by your social media influencers, and ensure that necessary and appropriate disclosures are made.”

The new guide “lays out the agency’s rules of the road for when and how influencers must disclose sponsorships to their followers.” Titled, “Disclosures 101 for Social Media Influencers,” the guide contains tips from the FTC staff about when disclosures are required. This publication joins the other existing resources on topic, including the FTC’s 2009 Endorsement Guides and 2017 Informal FAQ Sheet. Importantly, the FTC’s press release accompanying the new guide underscores that the responsibility of disclosures “lies with the influencer.”

Key take-aways from the new guide include:

(1) Material Connection: Influencers are required to make it obvious to consumers when they have a “material connection” to the product or company he or she is endorsing. A “material connection” — “in other words, a connection that might affect the weight or credibility that consumers give the endorsement” — extends beyond a business relationship with the brand and incudes a personal, family or employee relationship.

(2) Financial Isn’t Limited to Money: Influencers who receive other benefits in exchange for promoting a product, including discounted products or services, free products or other perks, still have to disclose their relationship.

(3) Endorsements Beyond Pictures: Tags, pins, reposts, likes and other methods of supporting a brand on social media qualify as endorsements.

(4) Clear and Conspicuous Disclosure: Disclosures need to be made so that they are seen by consumers. The FTC advises that, “to be both ‘clear’ and ‘conspicuous,’ the disclosure should use unambiguous language and stand out.” The disclosure should not be hidden in text, covered with multiple hashtags, or buried in a video. For example, where text for a social media post requires a consumer to click “more,” the disclosure should appear above the “more” button.

(5) Be Honest: Influencers cannot attest to a product or experience that they have not tried and misrepresent their true results. Just the same, influencers cannot make up claims about the product.

The foregoing reminders from the FTC are consistent with the prior guidelines and warning letters but are presented in a more concise and current format. The new guide is also accompanied by a short video providing advice for social media influencers. These resources are intended to remind influencers that they need to take responsibility for their role in influencing consumers and not to assume that consumers understand their relationship to the product or services they are endorsing.

This latest guidance from the FTC also serves as a reminder to those involved in social media marketing, whether as a brand, a marketer, or an influencer, to ensure the FTC’s guidelines are followed. As the FTC states in its form enforcement letter: “If your company has a written social media policy that addresses the disclosure of material connections by endorsers, you may want to evaluate how it applies to” posts made by your endorsers. “If your company does not have such a policy, you may want to consider implementing one that provides appropriate guidance” and “ensure[s] that posts contain necessary disclosures and they are clear and conspicuous.”

Seyfarth’s False Advertising, Product Labeling & Warnings practice group is here to help you understand the implications of FTC’s latest guidelines and answer any questions.

Synopsis: Last month, the Ninth Circuit issued an opinion, affirming broad Article III standing and holding that, for permissible-purpose claims, a consumer-plaintiff need allege only that his/her credit report was obtained for a purpose not authorized by the statute to survive a motion to dismiss, regardless of whether the report is published or otherwise used by the third party.

Case Background

In June 2016, Plaintiff Freshta Nayab discovered that a banking institution (“the Bank”) had made several inquiries on her Experian credit report. She sued the Bank alleging that the unauthorized inquiries violated the Fair Credit Reporting Act (“FCRA”) because she never conducted any business with nor incurred any financial obligations to the Bank.

The Bank moved to dismiss the complaint for failure to state a claim. Instead of opposing the motion, Nayab filed an amended complaint where she cited various permissible purposes for obtaining a credit report under the FCRA, and alleged that the Bank did not have any of those permissible purposes to make inquiries on her credit report.

The district court dismissed the case, finding that Nayab did not have standing to pursue her FCRA claim because, even if the Bank’s credit inquiries were impermissible under the FCRA, “absent disclosure to a third party or an identifiable harm from the statutory violation, there is no privacy violation.” Nayab, slip op. at 5. The district court also dismissed Nayab’s complaint for failure to state a claim, finding that “bare allegations that the defendant did not have a permissible purpose for obtaining a credit report, without more, are insufficient.” Id. at 5.

Nayab appealed.

The Ninth Circuit’s Opinion

In an opinion by Judge Rice, the Ninth Circuit considered two issues: (1) whether a consumer suffers a concrete Article III injury in fact when a third-party obtains her credit report for a purpose not authorized by the FCRA, and (2) whether the consumer-plaintiff must plead the third-party’s actual unauthorized purpose in obtaining the report to survive a motion to dismiss. Id. at 4.

The Ninth Circuit rejected the district court’s holding that Nayab lacked standing because she did not suffer concrete harm where the unauthorized inquiries were not disclosed or used by the Bank. Relying on Robins v. Spokeo, Inc. (Spokeo III), the Ninth Circuit reiterated that some statutory violations alone confer Article III standing. 867 F.3d 1108, 1113 (9th Cir. 2017), cert. denied, 138 S. Ct. 931 (2018). In Spokeo III, the Ninth Circuit held that a statutory violation can by itself manifest concrete injury where “the procedural right [was created] to protect a plaintiff’s concrete interests and where the procedural violation presents ‘a risk of real harm’ to that concrete interest.” Spokeo III, 867 F.3d at 1113.

Based on this reasoning, the Ninth Circuit held that Nayab had standing to pursue her FCRA claims because “obtaining a credit report for a purpose not authorized under the FCRA violates a substantive provision of the FCRA,” and thus “Plaintiff need not allege any further harm to have standing.” Nayab, slip op. at 11. The court disagreed with the district court’s finding that a user must disclose or otherwise use the credit report for the consumer to suffer an injury. Id. at 15.

Next, the Ninth Circuit found that the district court erred in holding that Nayab, as the plaintiff, had the burden of pleading the actual purpose behind the Bank’s procurement of her credit report. Id. at 16. The court instead found that the authorized purposes listed under the FCRA were exceptions that the defendant must plead as affirmative defenses. Id. at 20. The Ninth Circuit also determined that placing the burden on Nayab would be unfair because that would require her to plead a negative fact peculiarly within the knowledge of the defendant. Id.

Against this backdrop, the Ninth Circuit found that Nayab pleaded facts sufficient to give rise to a reasonable inference that the Bank obtained her credit report for an unauthorized purpose. Id. The Bank argued that Nayab’s allegations failed because there were numerous possible reasons that the Bank may have accessed her credit report that would be fully lawful under the FCRA. But the Ninth Circuit rejected this argument, noting that Nayab’s factual assertions negating each permissible purpose for which the Bank could have obtained her credit report, together with Nayab’s allegation that the Bank, in fact, obtained her report, stated a plausible claim for relief. Id.

A split Ninth Circuit reversed the district court’s dismissal of Nayab’s FCRA claim and remanded the case to the district court.

Judge Rawlinson partially dissented. Although agreeing that Nayab had standing to pursue her action under the FCRA, Judge Rawlinson took issue with the pleading standard set forth by the majority. Id. at 29. She strongly disagreed that Nayab had laid out a sufficiently plausible case. Id. at 35. Further, Judge Rawlinson found that the majority’s conclusion that Nayab had no obligation to plead the unauthorized purpose for which the credit report was obtained was inconsistent with Twombly and Iqbal.

Implications for Businesses

Businesses obtaining consumer reports, including credit reports or criminal background checks, should review their compliance practices to ensure that the business has procedures in place to ensure that reports are obtained only for permissible purposes only. Businesses may also want to consider having a process for documenting the permissible purpose for each report and for conducting periodic audits to ensure compliance with company policy. Having sound policies and procedures will ensure regular compliance and will limit liability for willful violations, which expose businesses to punitive damages.

Consumer reporting agencies (“CRAs”) furnishing consumer reports, particularly credit reports, should also review their procedures for confirming permissible purpose. All businesses obtaining reports (“users”) should be credentialed and should provide a permissible purpose before receiving any reports. Having procedures in place for periodic review of users will also reduce a CRA’s potential liability risk.

Synopsis: Unhappy with the FDA’s position on branding, Congressional representatives seek to define “natural” narrowly to limit its use in consumer advertising.

As the cosmetic industry moves on to new marketing lingo connoting healthier and safer cosmetics, including “clean beauty,” “sustainable,” “vegan,” and “pure,” New York Representative Sean Patrick Maloney introduced the Natural Cosmetics Act (the “Bill”) last week in the US House of Representatives. While the US Food and Drug Administration (FDA) has declined to define natural, through this legislation, Rep. Maloney seeks to define the terms “natural” and “naturally-derived ingredient” as used with personal care products. As Rep. Maloney pointed out in his announcement of the Bill, the FDA does not qualify false labeling of “natural” as misbranding, mainly because it is an unregulated and undefined term when used with cosmetics.

Recognizing consumers’ concerns, Rep. Maloney advocated, “[w]e’re talking about safety and health of millions of Americans who use these products. My bill will set the standard for ‘natural’ personal care products and do right by American consumers by putting transparency first.” Joining Rep. Maloney’s bill is Representative Grace Meng (also from New York), who stated, “[i]ncreasing protections, transparency and oversight of personal care products is desperately needed, and this legislation would go a long way towards ensuring strict standards for items claiming to be ‘natural.’” A number of leading brands in the dubbed “clean beauty” space have also joined Representatives Maloney and Meng in supporting passage of this new Bill.

Meanwhile, the FDA remains mum about formally defining “natural” for cosmetics despite its solicitation of comments from the public over three years ago. The FDA has a longstanding policy concerning the use of “natural” in human food labeling. In regulating food products, FDA has considered the term “natural” to mean that “nothing artificial or synthetic (including all color additives regardless of source) has been included in, or has been added to, a food that would not normally be expected to be in that food.” Similarly, the Federal Trade Commission has not acted on the term “natural” since 2016, when it approved four final consent orders against companies that allegedly misrepresented their personal care products as “All-Natural” or “100% Natural,” despite the fact that they contain man-made ingredients. Additionally, the National Advertising Division (NAD) has not addressed “natural” and “naturally” claims in cosmetics since 2016 when it recommended that a company discontinue use of these terms because the company’s labeling implied that the products were formulated without aluminum when in fact they contained aluminum.

Last year, then-FDA Commissioner Scott Gottlieb delivered a speech at the National Food Policy Conference in which he indicated that, just like other claims made on products regulated by the FDA, the “natural” claim must be true and based in science. At the same time, he recognized that there are wide differences in beliefs regarding what criteria should apply for products termed “natural” and some of those criteria are not based on public health concerns. In a letter addressed to Rep. David Valadao, dated December 19, 2018, Dr. Gottlieb added that the “FDA is actively working on this issue, and in 2019, FDA plans to publically communicate next steps regarding Agency policies related to ‘natural.’” These statements generally relate to food regulation and have not yet been followed by any formal action by the FDA.

Despite the rather dormant federal regulatory activity over “natural” advertising with cosmetics, class actions regarding misuse of the term “natural” continue to populate the federal docket. See, e.g., Yolanda Turner v. Trans-India Products, Inc., Case No. 19-cv-03422, pending in the E.D.N.Y. Courts who have addressed the issue of defining “natural” have found it means “an affirmative claim about a product’s qualities and is, therefore, not ‘an exaggeration or overstatement expressed in broad, vague, and commendatory language’” (Suarez v. California Nat. Living, Inc., No. 17 CV 9847 (VB), 2019 WL 1046662, at *7 (S.D.N.Y. Mar. 5, 2019)), and it is indicative of “the absence of synthetic ingredients” (Petrosino v. Stearn’s Prod., Inc., No. 16-CV-7735 (NSR), 2018 WL 1614349, at *7 (S.D.N.Y. Mar. 30, 2018)). But, courts are split as to whether “all natural” claims “are more within the conventional expertise of judges or whether they involve technical or policy considerations within the FDA’s particular field of expertise.” See de Lacour v. Colgate-Palmolive Co., No. 16-CV-8364 (RA), 2017 WL 6550690, at *2 (S.D.N.Y. Dec. 22, 2017). This consideration has caused some courts to stay litigation pending regulatory guidance, leading parties to settle instead of waiting in vain.

This House activity is yet another instance in which Congressional leaders are trying to keep up with regulating industry trends while the FDA lags behind. See, e.g., Senator Schumer’s call to action. Like vaping and CBD, we may see “natural” and “clean” resurface in the FDA’s priorities because of the safety concerns these marketing terms hold.

Tonya Esposito and Renee Appel of Seyfarth’s Washington, D.C. office continue to monitor these developments and welcome any questions regarding this topic.

The Federal Trade Commission recently published a preliminary staff report on two studies it conducted to understand the effectiveness of class action settlement notices and develop information to help improve consumer settlement outcomes. While the report highlights its findings relating to low refund claim rates by class members, defense counsel may be more interested in the consumer research conducted to evaluate how email sender names, subject lines, and email formats can influence a consumer to successfully complete steps to file a claim.

The FTC’s Internet-based consumer research study found that recipients’ understanding of both the nature of the email itself and the next steps needed to receive their refund was low overall. About 38 percent of respondents understood the nature of the email when viewing it in their inbox and that number rose to slightly less than half when viewing the actual email. Only around 40 percent actually understood the steps required to receive a refund.

Interestingly, the FTC found that how an email subject line is phrased impacts consumer perceptions to a greater degree than the sender name does. For example, the inclusion of a $100 refund amount in the subject line made respondents 12 percent less likely to understand the nature of the email, with some mistakenly deeming such an email as an untrustworthy scam or spam. Unsurprisingly, respondents were correspondingly 4 percent less likely to even open the email if the refund amount was listed in the subject line.

In the other study covered by this report, the FTC found in analyzing data from 149 consumer class actions that the median refund claims rate in these cases, regardless of the form of notice, was low at 9 percent. For class action members who only received email notices of their refunds rather than traditional mailings, the median claims rate dropped to 2 percent. The FTC report comes on the heels of a 2018 amendment to Fed. R. Civ. P. 23, which now specifically notes that electronic notification is an appropriate means of providing notice to a class. The report’s insights can help parties craft more effective email notices to increase email claims rates.

The 149 class action settlements examined by the FTC contained a wide variety of alleged consumer harm. The most common types of allegations included improper payment charges (30) and misrepresentation (29). Other types of consumer cases with strong showings included debt collection (15), mortgage-related (15) and privacy (14).

In slightly more than half of the cases in the sample, mailed notice packets were used to notify class members. The remainder of the cases were split between postcard and emailed notice campaigns. Less than half of the cases provided direct notice in conjunction with a more expensive publication notice. Claims rates for notice campaigns using mailed notice packets were the highest, with a median claims rate of 16% and a weighted mean rate of 10%. Postcards received a median and weighted mean of about 6 to 7 percent, while email received the lowest median and mean claim rates of 3% and 2%, respectively. The FTC noted that, surprisingly, notice by publication did not have a significant impact on the claims rate. Since publication can be expensive, potentially avoiding publication in the future could allow for a larger percentage of settlement funds returned to class members.

Of particular interest to defense counsel and the businesses they represent, a negligible number of those notified objected to the proposed settlement (0.0003%) and only 0.01% excluded themselves from the settlement.

The FTC’s preliminary finding of low claims rates reinforces previous findings from smaller scale studies, including a 2013 study conducted by Mayer Brown for the U.S. Chamber of Commerce that found few class members ever receive funds. Of the six cases in its data set for which Mayer Brown could locate claims data, five had claims rates ranging from less than 1 to only 12% of the class.

On October 29, 2019, the FTC held a public workshop on improving class action settlement notices, including examining the issues raised in the preliminary report. A video of that workshop is available here. Public comments on these or related topics can be submitted electronically at Regulations.gov through November 22, 2019, or mailed per the instructions provided here.

Seyfarth Synopsis: FTC publishes proposed consent order with cosmetic company that posted fake customer reviews but some FTC commissioners place doubt on its effectiveness because there is no financial penalty.

Earlier this year, we reported that fake news consumer reviews was on the federal regulators’ radar, especially with the passage of the Consumer Review Fairness Act in late 2017.  We identified a cosmetic company that faced negative media after a former employee leaked an internal, company email that insisted employees post positive reviews of a new product and even provided detailed instructions on what to say about the product as well as how to avoid tracing a review back to the company’s IP address.  As a result of that activity, on October 21, 2019, the FTC brought a complaint for two violations under the Federal Trade Commission Act: (1) making false or misleading claims that the fake review reflected the opinions of ordinary users of the products and (2) deceptively failing to disclose that the views were written by the company’s CEO and her employees.

In the press release announcing a proposed settlement of the complaint, Andrew Smith, Director of the FTC’s Bureau of Consumer Protection states: “Dishonesty in the online marketplace harms shoppers, as well as firms that play fair and square.”  Consistent with the press coverage last year, the FTC’s investigation revealed that the cosmetic company’s CEO, managers, and other employees posted reviews of their products under fake accounts on a third-party retailer’s website.  Pursuant to the proposed settlement agreement, the company consented to (i) not make any misrepresentations about the status of any endorser or person providing a review of the product, (ii) that any of the company’s officers, agents, employees, and attorneys and all other persons who participate with any of them who make a representation about a product must disclose their connection; and (iii) notify each employee, agent, and representative with clear disclosure responsibilities for endorsements.  In addition, the company is subject to compliance reporting and monitoring requirements.  Noticeable absent from the settlement agreement is any monetary fine or penalty, which Commissioner Rohit Chopra raised in a separate statement and Commissioner Rebecca Kelly Slaughter joined.

In dissenting the proposed order, Commissioner Chopra pointed out it “includes no redress, no disgorgement of ill-gotten gains, no notice to consumers, and no admission of wrongdoing.” Commissioner Chopra voices that because there is no financial penalty, the proposed settlement is unlikely to deter other potential wrongdoers.  To this point, she explains that for companies, the potential benefits of posting false reviews, including, “higher ratings, more buzz, better positioning relative to competitors, and higher sales,” can outweigh the potential cost of getting caught.  Review fraud, however, goes largely undetected, unless, as in this particular case, there is some whistleblower action. By the proposed resolution, Commissioner Chopra believes it suggests that even the narrow subset of wrongdoers who are caught will face minimal sanctions from law enforcement.  This, of course, sends the wrong message to the marketplace.  Commissioner Chopra insists that while monetary relief can be difficult to calculate, it should not deter form the FTC from seeking it.

This matter raises two critical take-aways:

(1) As Commissioner Chopra identifies, review fraud is permeating the online marketplace on popular websites, demanding FTC action, including analyzing the problem and determining whether e-commerce firms have the right incentives to police their platforms.

(2) Deterrence is a key factor in an enforcement action, but it is undermined when wrongdoers are merely asked to not break the law again.  This case was an instance in which the company and even its CEO were strategically involved with review fraud and are getting by with nothing more than a “stern talking to” not to do it again. This type of conduct goes beyond strict liability in that the parties were aware of the implications of their reviews, raising product rankings, and by imposter means, hiding their IP address and making multiple posts under different identities.

At this time, the proposed consent order has been placed on the public record for 30 days for receipt of comments by interested persons. After 30 days, the Commission will review the order again along with the comments received to decide whether it should withdraw the order or make it final.