Recent legal developments in the advertising and marketing industry signal heightened regulatory and consumer concerns in various areas, most particularly, the health, environmental, and privacy sectors. At the forefront of these actions is the Federal Trade Commission, which has brought several cases against companies alleged to have made unsubstantiated health claims and violated their stated privacy policies. Underscoring the FTC's concerns in these areas are settlements that include strong injunctive provisions.
In addition, consumer class actions and cases initiated by competitors and self-regulatory bodies have also played a large part in shaping the legal landscape for industry members. As discussed in greater detail below, these cases have involved social media, cosmetic advertising, and "natural" claims. However, consumer class actions based on allegedly false or misleading advertising claims and failure to honor privacy policies, each of which have proliferated in the past year, faced significant hurdles, as courts have declined to hear such cases in the absence of actual harm to consumers.
The following is a brief summary of various developments in the past year that have had a significant impact in the advertising and marketing industries.
PRIVACY AND DATA SECURITY
Google. In March 2011 the FTC conducted an investigation of Google's networking feature, Buzz. When Buzz launched, Google claimed that if the personal information collected during a user's registration was to be used "in a manner different than the purpose for which it was collected" they would ask for permission prior to the usage. Nevertheless, private information of roughly 31.2 million users was shared without permission, the FTC alleged. As is typical in most FTC consent orders, Google agreed to cease making future misrepresentations about its privacy or confidentiality policies. However, the settlement also included a novel provision requiring Google to create and implement a comprehensive privacy program and to regularly audit its privacy and data protection practices for the next 20 years.[FOOTNOTE 1]
Earlier this year, Google was charged with violating the provisions of the above consent order when the FTC alleged that it had placed tracking cookies on consumer computers without consent. Google agreed to pay a $22.5 million fine to settle the charges, the largest penalty ever for a violation of a FTC order.
Facebook. In a similar case, in November 2011 the FTC alleged that Facebook deceived consumers by telling them they could keep their information on Facebook private, while repeatedly sharing this information. Further, the FTC complaint listed numerous instances in which Facebook allegedly failed to protect information designed as private, including changing its website to make this information public without warning users. Facebook's settlement banned the company from making misrepresentations about the privacy or security of consumers' personal information, and requires it to give clear and prominent notice and obtain a consumer's express consent before sharing information beyond their privacy settings.[FOOTNOTE 2] The consent order also contains similar auditing and privacy program requirements as those in the Google order.
Class Actions. In contrast, consumer class actions claiming violations of the Electronic Communications Privacy Act by companies following security breaches and unauthorized access to private information have been generally unsuccessful. For example, a class action filed against Facebook, which claimed that it intercepted personal information in violation of the ECPA when consumers clicked on an advertisement, was dismissed. The court noted that whatever the consumer's intent, the advertisers were the intended recipients, so Facebook did not unlawfully intercept the messages.
Other class actions concerning allegations of data breaches have been dismissed due to a failure to state harm. In July 2012, a U.S. District Court in Kentucky dismissed a data breach lawsuit against various Countrywide Financial Corporation entities.[FOOTNOTE 3] The plaintiffs alleged injury from a data theft because they were forced to take measures to protect themselves from identity theft. The court ruled that although plaintiffs had standing, they did not state a clear financial injury resulting from the breach.