Data Security, Commercial Email and Employee Reviews Walk into a Bar …

Sorry folks, there is no punchline here, but there are bottom lines from a settlement the Federal Trade Commission (FTC) announced last week. We discuss three today: (1) the FTC continues to mount broad investigations and enter into settlements that include advertising, marketing and data security/privacy; (2) the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) is back, and not just for "scammy" emails; and (3) a focus on employee and agent reviews is coming.

FTC Investigations Are Consistently Multipronged: Just when we were shutting down and thinking about some BBQ and family time on the Friday evening of Labor Day weekend, the FTC announced its settlement with Verkada, a company that sells video surveillance equipment to businesses. According to the complaint allegations, the company promised best-in-class data security that the FTC found wanting after the company experienced several breaches. The crux of the complaint and settlement relates to these allegations. (We'll have more to say on the data security piece in particular in our Data Counsel Blog.) But the complaint also includes counts for violations of CAN-SPAM and for encouraging employee reviews of the service without disclosing material connections. And the company agreed to pay $2.95 million to settle the case, all related to the alleged email marketing violations of CAN-SPAM. In the old days, most of the data security cases were limited to, well, data security. Clearly this investigation did a deeper dive into not only privacy promises in privacy policies but also into how the services were marketed in emails and on review websites. Companies need to be aware that today's FTC investigations are very broad. We are not prepared to say they are fishing expeditions, but what the staff deems relevant to an investigation is far from limited to a single topic. Bottom line: if one event initially brings your company into the FTC's purview, you could end up mounting defenses on a broad range of issues.

CAN-SPAM Enforcement Could Be Heating Up: Email marketing in the U.S. is far more permissive than in many other countries. While marketers continue to live in fear of a text marketing class action, given the Telephone Consumer Protection Act has statutory penalties and a private right of action, email marketing compliance has been fairly chill by comparison. CAN-SPAM provides for penalties but limited private rights of action - enforcement was placed into the hands of the FTC and state attorneys general, with the only private enforcement coming from Internet service providers. Congress charged the FTC with writing a rule to support the act. The FTC has given additional good guidance for businesses. CAN-SPAM sets up an opt-out, not opt-in, requirement regime, including some fairly ministerial requirements. In a nutshell, commercial emails need to include a nondeceptive header line, a physical postal address of the sender and a simple means to unsubscribe from future marketing emails. On the back end, of course, companies must implement a means to comply with any opt-out requests and scrub future emails against a current opt-out list. Enforcement of this rule has been relatively sparce. The FTC updated the CAN-SPAM rule in early 2019, and Verkada is only the fourth case since that time involving allegations of the act. Most of the enforcement regarding CAN-SPAM has been over emails that were fraudulent or deceptive. But with Verkada, we are seeing the commission bring CAN-SPAM cases involving marketing for legitimate products and services. And while the issues appear to be focused on the lack of an ability to unsubscribe, there is also a count for Verkada failing to include its physical address, meaning even technical violations may be actionable. Of course, the FTC could also be using CAN-SPAM as its hook to get a monetary award, since the FTC has fewer avenues to consumer redress post-AMG.

Employee Reviews Are a Key Concern: We wrote and recently talked about the FTC's final rule on the Use of Consumer Reviews and Testimonials, which will allow the commission to seek penalties for violations. There is a lot in the new rule about disclosing material connections - including for reviews left by employees, investors and others connected to a company. With so much focus on influencers, this category of reviewers had not gotten as much attention until the final rule. And even though the Verkada settlement came out before the final rule's effective date, that did not stop the FTC from challenging as deceptive online reviews allegedly written by the company's engineers and IT specialists and that the company was aware of this. You can be sure the next case containing similar allegations will involve civil penalties, so we renew our strong suggestion to take a look at your social media policies and practices related to employee reviews.