chevron-down Created with Sketch Beta.

The Business Lawyer

Winter 2021-2022 | Volume 77, Issue 1

Developments in Advertising and Consumer Protection

Richik Sarkar


  • This survey begins with several cases involving the Telephone Consumer Protection Act (“TCPA”).
  • It continues with cases concerning account ownership and publicity rights in the context of social media (Part III).
  • The U.S. Supreme Court and lower courts reviewed the scope of the Computer Fraud and Abuse Act (“CFAA”) (Part IV).
  • The survey concludes with cases involving deceptive business practices (Part V) and cybersecurity (Part VI).
Developments in Advertising and Consumer Protection
iStock/©Shannon Fagan

Jump to:

I. Introduction

This survey begins with several cases involving the Telephone Consumer Protection Act (“TCPA”): the impact of the U.S. Supreme Court’s decision last year in Barr v. American Association of Political Consultants and a new U.S. Supreme Court decision determining what constitutes an “automatic telephone dialing system” under the same statute (Part II). It continues with cases concerning account ownership and publicity rights in the context of social media (Part III). The U.S. Supreme Court and lower courts reviewed the scope of the Computer Fraud and Abuse Act (“CFAA”) (Part IV). The survey concludes with cases involving deceptive business practices (Part V) and cybersecurity (Part VI).

II. TCPA Litigation

A. Fallout from Barr

Before 2015, the TCPA prohibited almost all robocalls to cell phones in the United States. In 2015, as part of the Bipartisan Budget Act, Congress lifted the robocall restriction for calls “made solely to collect a debt owed to or guaranteed by the United States.” In 2020, the American Association of Political Consultants filed a lawsuit challenging the government-debt exception and seeking to invalidate the TCPA as a whole. As reported in last year’s survey, in Barr v. American Association of Political Consultants, Inc., the U.S. Supreme Court held that the government-debt exception was unconstitutional but that the provision was severable, thus leaving the rest of the statute in place. Ironically, the U.S. Supreme Court’s resolution of this issue led to a new split among federal courts, focusing on the question: can courts consider claims that arose between the nascence of the 2015 exception and its severance in Barr?

In Creasy v. Charter Communications, Inc., the U.S. District Court for the Eastern District of Louisiana found that it did not have jurisdiction to adjudicate TCPA claims based on robocalls made between the passage of the 2015 exception and the 2020 Barr decision. The court based its decision on “the timeless principle that ‘[a]n unconstitutional law is void, and is as no law.’” The Northern District of Ohio found similarly in Lindenbaum v. Realgy, LLC, saying that it “cannot wave a magic wand and make that constitutional violation disappear. Because the statute at issue was unconstitutional at the time of the alleged violations, this Court lacks jurisdiction over this matter.” However, the U.S. Court of Appeals for the Sixth Circuit reversed in Lindenbaum v. Realgy, LLC because severance is not a remedy, and prospective application could only happen through a legislative act, the Barr decision could not impact the plaintiff ’s already pending claim as the U.S. Supreme Court determined that the government-debt-collector exception was automatically displaced from the start and then interpreted what the statute has always meant in its absence.

This Sixth Circuit decision was in line with other district courts. In LaGuardia v. Designer Brands, Inc., the Southern District of Ohio held that the TCPA, with the exception of the invalidated provision, remained effective between 2015 and 2020. The court concluded that the effect of the U.S. Supreme Court’s decision “is as if the amendment had never happened and the pre-2015 statute’s enforceability is unaffected by the amendment.” District courts in the Eighth, Ninth, and Eleventh Circuits have also held that they may enforce violations of the constitutional provisions of the TCPA that occurred between 2015 and 2020.

B. Definition of ATDS—U.S. Supreme Court’s Decision in Facebook, Inc. v. Duguid

The U.S. Supreme Court resolved a circuit split by deciding Facebook, Inc. v. Duguid, clarifying what kinds of automatic telephone dialing systems are subject to the TCPA. The TCPA restricts the use of an automatic telephone dialing system (“ATDS”), defined in the statute as a piece of equipment that has the ability “to store or produce telephone numbers to be called, using a random or sequential number generator,” and “to dial such numbers.” Duguid sued Facebook over text messages notifying him that someone was attempting to access his Facebook account from a different device. Duguid never had a Facebook account, and he sued Facebook as part of a putative class under the TCPA, alleging that Facebook stored users’ phone numbers and automatically messaged them without their consent. The U.S. District Court for the Northern District of California dismissed the suit, finding that Duguid had failed to allege that Facebook sent randomly or sequentially generated text messages. The Ninth Circuit reversed, holding that to qualify as an ATDS a system only needed the capacity to store and dial numbers automatically.

The U.S. Supreme Court granted certiorari to resolve a circuit split on this issue. It reversed the Ninth Circuit, holding that to be an ATDS a system had to use a random or sequential number generator. Applying various canons of statutory construction, the Court concluded that the definition in the TCPA excluded any equipment that did not have this feature. It proceeded to reject Duguid’s non-textual arguments that Congress had a goal of broad privacy protection when it enacted the TCPA and that this decision would result in a “torrent of robocalls.”

III. Social Media Litigation

JLM Couture, Inc. v. Gutman was brought by JLM Couture, a clothing design firm, against Hayley Paige Gutman, the lead designer for JLM’s bridal collection before her resignation. The dispute was over the control of Gutman’s social media accounts. In Gutman’s contract with JLM, she signed over rights to the intellectual property in her name and designs. The history of her accounts showed high levels of cooperation between herself and JLM, promoting products, lines, and JLM itself. JLM moved for a preliminary injunction to prevent Gutman from making any changes to social media or using any of the intellectual property associated with her name or designs, on the grounds that she had breached her contract. The U.S. District Court for the Southern District of New York granted JLM a preliminary injunction prohibiting Gutman from changing or using the social media accounts. However, the court refused to enjoin Gutman from publicly disparaging JLM, inasmuch as she had not contractually waived her right to speak about JLM, and given the First Amendment rule against prior restraints.

In Takeguma v. Freedom of Expression LLC, plaintiffs were models whose images were used, without their permission, in social media advertising for a strip club owned and operated by the defendant. Plaintiffs asserted claims for misappropriation of likeness, violations of the Lanham Act, and false light invasion of privacy.

In deciding the cross-motions for summary judgment, the court first found that the false light tort was time-barred because the statute of limitations began to run with the initial publication of the social media advertisements. Not time-barred, however, were plaintiffs’ common law right of publicity claims. The court began by finding a common law right of publicity in Arizona based on a combination of state decisional and statutory law. The court then found that the right of publicity in Arizona was a property claim, not a libel or slander claim, and thus was subject to a two-year, not a one-year, statute of limitations. Lastly, the court found that triable issues remained in deciding plaintiffs’ false association claims under the Lanham Act. On the other hand, the court granted summary judgment to defendant on the false advertising claims, finding that plaintiffs’ claimed injuries were not within the “zone of interests” protected by the Lanham Act and that the alleged wrong was not the proximate cause of plaintiffs’ injuries.

IV. Computer Fraud and Abuse Act Cases

The Computer Fraud and Abuse Act of 1986 imposes criminal penalties against one who “intentionally accesses a computer without authorization or exceeds authorized access.” How to determine when someone “exceeds authorized access” has been problematic for courts because the intricacies of computer programs have expanded with time and the lines of authority and permitted access have blurred. In Van Buren v. United States, the U.S. Supreme Court shed some light on the meaning of that term.

Van Buren was a former police sergeant who ran a license-plate search in a state law enforcement database in exchange for $5,000, despite being aware that he was only allowed to use the database for law enforcement purposes. The government charged Van Buren with a felony violation for “exceed[ing] authorized access” of the computer system. The Eleventh Circuit found that Van Buren’s misuse of the computer was a violation of the CFAA because he had accessed the license plate database for an “inappropriate reason.” However, because other circuits had taken a narrower view of what it meant to exceed authorized access, the Court granted certiorari to settle the issue.

The Court reversed the Eleventh Circuit and held that Van Buren did not violate the CFAA. Even though he had an improper purpose for obtaining the data, he did not “exceed[] authorized access” because he had access to the database and was authorized to use it to retrieve license plate information. In dicta, the Court said that it would have been a violation if Van Buren had authorization to access the computer but then accessed folders, files, or databases that were off-limits to him. Commentators have said that the Court adopted a “gates up or down” approach to the CFAA, meaning that to violate the provision, a person must “bypass a gate that is down that the person isn’t supposed to bypass.”

In United States v. Eddings, the U.S. District Court for the Eastern District of Pennsylvania relied on the “gates up or down” approach to decide a case where an ex-employee who retained password access to her former employer’s computers accessed documents from the company’s e-mail server and sent them to donors and media members as part of an extortion plot. Her defense was simple: the gate was up, so she could not have violated the CFAA. The court, however, found that mere possession of a password was not enough to make access “authorized,” citing instances of password trafficking which are forbidden by the CFAA, and distinguishing Van Buren. The same court relied on Van Buren in deciding KBS Pharmacy, Inc. v. Patel. The facts more closely resembled those in Van Buren; pharmacy employees who had authorized access to the pharmacy’s database misused the information in starting their pharmacy nearby. The court found that the CFAA claim should be dismissed because, as in Van Buren, the defendants had access to the database at the time and only later misused the information.

In United Federation of Churches LLC v. Johnson, the plaintiff, perhaps better known as the Satanic Temple, brought claims against former members who hijacked two of its Facebook pages. Collectively, the two Facebook pages have over 17,500 followers. Access to the Facebook pages was controlled by the Church and limited to approved administrators who were subject to a code of conduct. The defendants in the case had been authorized administrators. After they renounced their membership in the Church, they took control of the Facebook pages and posted manifestos on the pages about what they claimed were abuses of the Church.

The Church brought several claims against the defendants, including claims under the CFAA, the Anti-Cybersquatting Consumer Protection Act (“ACPA”), and defamation. The court held that plaintiff failed to state a claim under the CFAA because it did not allege it had revoked the defendants’ authorization to access the Facebook pages. It also held that a post-domain path (i.e., “TheSatanicTempleWashington” in is not a “domain name” and therefore use of plaintiff ’s trademark in that path is not a violation of the ACPA. Lastly, it declined to rule on the defamation claim, invoking the doctrine of “ecclesiastical abstention” and finding it “may not resolve the defamation claim without delving into doctrinal matters.”

V. Deceptive Business Practices

MoviePass, a subscription service launched in 2011, allowed members to watch as many movies as they wanted at any theater they wanted. According to the complaint issued by the Federal Trade Commission (“FTC”) in 2018, MoviePass realized that it was facing a significant cash deficit and decided to implement fraudulent business practices. For the subscribers using MoviePass most frequently, MoviePass implemented “password disruption,” a practice that invalidated the passwords of 75,000 subscribers and forced them to reset their passwords. It also imposed ticket verification requirements on 20 percent of users, which obstructed the use of the product due to problems with the software. MoviePass also failed to protect its customer data from unauthorized access. These practices, the FTC alleged, violated the FTC Act, and the negative option subscription plan violated the Restore Online Shoppers’ Confidence Act. MoviePass settled the claims with the FTC in exchange for promises to refrain from misrepresentations and comply with mandated security programs and third-party monitoring. MoviePass was bankrupt at the time of the consent order and unable to pay any money judgment.

Randon Morris, through a group of companies that he controlled, initiated millions of robocalls to households throughout the United States, promising work-from-home positions that would pay hundreds of dollars a day and falsely claiming to be associated with People who paid defendants to create a website that would purportedly allow them to earn commissions from Amazon were left with a useless and occasionally defunct website with no way to recover their money. The FTC alleged that they had violated the FTC Act and the Telemarketing Sales Rule. Defendants stipulated to an order banning them from using robocalls or offering work-from-home business schemes and requiring them to pay over $2 million to settle the claims.

Flo is a popular and accessible smartphone app that allows consumers to track their menstrual cycles and gives them predictive information about ovulation and general gynecological health. Given the nature of the app, women must input sensitive health data to use it. In its privacy policy, Flo assured users that information shared with third parties did not include data related to the user’s menstrual cycle, pregnancy, or symptoms. However, Flo allegedly did share some of this information with third parties, including Facebook and Google. The Wall Street Journal broke the story that Facebook could use snippets of code to intercept a user’s sensitive health information transmitted from apps like Flo. The FTC alleged that Flo made numerous misrepresentations about privacy of users’ data, in violation of section 5 of the FTC Act. Flo agreed to a consent order prohibiting it from making misrepresentations about privacy and requiring it to instruct third parties to delete its users’ personal data.

Everalbum is a photo storage company and app that used facial recognition technology as part of its service. It allowed users to tag faces that its software would then group with similar faces. The FTC alleged that the facial recognition service was turned on by default despite Everalbum’s representations that it required affirmative action to use. When users deactivated their accounts, the app informed them that Everalbum would delete their photos. However, Everalbum allegedly retained photos in deactivated accounts indefinitely. The FTC alleged that through these misrepresentations Everalbum had violated section 5 of the FTC Act. Everalbum entered into a consent decree with the FTC, which requires deletion of photos on deactivated accounts and prohibits misrepresentations.

VI. Cybersecurity

Drizly, an alcoholic beverage delivery company, faced a class-action lawsuit in Massachusetts that alleged that a data breach had occurred, leading to customer information (including e-mail addresses, dates of birth, phone numbers, and IP addresses) being leaked to third parties on the “dark web.” Drizly agreed to a settlement with the class, paying $7.1 million in total. Each member of the class is anticipated to get around $14. The settlement agreement benefitted both sides: Drizly could have faced massive exposure had the suit been allowed to continue, and the plaintiffs might have had difficulty overcoming hurdles such as standing and proving injury.

Skymed sells emergency travel and medical evacuation services. Skymed’s website displayed a very prominent “HIPAA compliance” seal. Skymed admitted that the seal should not have been on the website and removed it in April 2019. The company allegedly failed to secure customers’ data leading to a security incident in May 2019. The FTC alleged that Skymed violated the FTC Act by misrepresenting its compliance with HIPAA and failing to secure customers’ data. The company agreed to a consent order requiring it to adopt a comprehensive security plan to prevent future incidents.

Ascension is an analytics company that provides mortgage data to other companies. One of its vendors, OpticsML, received mortgage information that contained the personal information of tens of thousands of consumers. Ascension was required to vet the security measures of OpticsML but failed to do so. OpticsML allegedly allowed the information to sit on an insecure server, allowing approximately fifty-two unauthorized IP addresses to access the information, some tied to Russia and China. The FTC alleged that this was a violation of the Gramm-Leach-Bliley Act Safeguards Rule. Ascension agreed to settle the claims in exchange for a mandated data protection plan.

VII. Conclusion

The survey period has provided numerous decisions with far-reaching implications. Practitioners should monitor the continuing evolution of the TCPA and CFAA as case law continues to limit liability. Considering the dramatic increase in online commerce, the FTC will undoubtedly continue to police cyber business practices. Similarly, disputes involving social media accounts will continue to proliferate.

Richik thanks Nathan J. Hall, Washington University School of Law, J.D. candidate 2022, for his immense contribution to this survey.