chevron-down Created with Sketch Beta.

The Business Lawyer

Winter 2022-2023 | Volume 78, Issue 1

Developments in Advertising and Consumer Protection

Richik Sarkar


  • This survey begins with developments at the FTC concerning consumer protection for digital consumers and reviews the FTC’s updates of its Disclosures and Endorsement Guides and recent TCPA and CFAA developments.
Developments in Advertising and Consumer Protection
Photo by Samuel Schroth on Unsplash

Jump to:

I. Introduction

This survey begins with developments at the Federal Trade Commission (“FTC”) concerning consumer protection for digital consumers (Part II). It continues with a review of the FTC’s updating of its .com Disclosures and Endorsement Guides (Part III). With respect to Telephone Consumer Protection Act (“TCPA”) and telemarketing developments, focus is given to recent actions by the Federal Communications Commission (“FCC”) and FTC (Part IV.A and B). Lower courts have continued to piece through the elements of a TCPA claim since the Supreme Court’s Facebook decision (Part IV.C). The survey concludes with updated guidance regarding the Computer Fraud and Abuse Act and the Ninth Circuit’s decision in hiQ Labs, Inc. v. LinkedIn, Inc. (Part V).

II. FTC Consumer Protection Decisions

A. In-Game Advertising: Tapjoy, Inc.

In early 2021, the FTC issued a complaint against Tapjoy, Inc., an advertising platform operating within mobile gaming applications, alleging that Tapjoy engaged in deceptive acts and practices in violation of Section 5(a) of the Federal Trade Commission Act. Tapjoy would offer “currency” used in-game, such as jewels or diamonds, to the games’ users in exchange for the user performing various tasks, including watching a video, completing a survey, or downloading another application. Third parties paid Tapjoy to have their products, the subject of the tasks, promoted in-game.

The FTC’s complaint alleged that Tapjoy often failed to deliver the currency to consumers following the consumers’ successful completion of the task. Without telling its consumers, Tapjoy required users to wait twenty-four hours following the completion of a task before allowing complaints about non-receipt of currency. Consumers would be asked to provide evidence of the completed task, with Tapjoy closing complaints when consumers went over seventy-two hours without responding to Tapjoy’s request for evidence. Consumers who complained to Tapjoy reported little success in resolving their complaints. Despite telling consumers with closed complaints that another email would reopen the complaint, many consumers were unable to reopen a complaint following Tapjoy’s instructions. Other consumers who responded within seventy-two hours reported that Tapjoy closed their complaints. Finally, an internal presentation in 2017 acknowledged “poor customer experience” and “inconsistent user rewarding,” while other internal emails acknowledged a widespread understanding that Tapjoy’s consumers were unhappy with its offers requesting personal information.

Tapjoy settled with the FTC. As a condition of settlement, Tapjoy was required to change the interface of its service by clearly and conspicuously, and “in close proximity” to each currency offer, disclosing (i) that the advertiser determines whether a reward will issue and (ii) when customers are likely to receive the reward. Further, Tapjoy is to provide a “prominently disclosed and easy-to-use method” for consumers to send complaints, promptly investigate consumer complaints about not receiving currency, and follow recordkeeping and other compliance provisions sought by the FTC.

B. Online Product Reviews: Fashion Nova

Fast-fashion retailer Fashion Nova and the FTC reached a settlement following allegations Fashion Nova misled customers. The FTC’s complaint alleged that Fashion Nova’s third-party online product review interface excluded reviews with less than four stars, hiding hundreds of thousands of negative reviews from the public. This was despite its website inviting customers to “WRITE A REVIEW,” with the option to “POST” the review for each of its products. Indeed, the complaint alleged that if no reviews were available for a product, the customer was invited to “BE THE FIRST TO WRITE A REVIEW.”

The FTC finalized its settlement order with Fashion Nova in March 2022. The order prohibits Fashion Nova from misrepresenting its product reviews, requires all relevant reviews previously censored to be released, and orders Fashion Nova to pay the Federal Trade Commission $4.2 million.

III. FTC Revisions to .com Disclosures and Endorsement Guides

In 2013, the FTC published a guidance titled .com Disclosures: How to Make Effective Disclosures in Digital Advertising. The guidance, which updated a previous similarly named FTC publication, advises businesses on how to advertise and market online without running afoul of consumer protection laws. In June 2022, the FTC issued a press release asking for public input to help strengthen the agency’s .com Disclosures in light of evolving tactics. In its release, the FTC signaled that some practices, such as placing FTC disclosures behind a hyperlink, “wrongly cite[d] the guides to justify practices that mislead consumers online.” Further, the FTC sought comments on various issues, including disclosures accessed through hyperlinks and multiple web pages, advertising on social media and mobile devices, and “manipulative user interface designs used on websites and mobile apps.” The public comment period closed on August 2, 2022.

In May 2022, the FTC released proposed revisions to its Endorsement Guides following a comment period that began in February 2020. The FTC proposed changes in recognition of the increased use of social media to advertise, particularly to children. The proposals include a new Section 255.6, titled Endorsements Directed to Children, which emphasizes that practices acceptable in advertising to adults may be questioned if in an advertisement directed to children. The proposals also include more examples demonstrating the application of the existing law to modern, digital endorsement practices, such as when an individual’s product review must contain a disclosure of endorsement. Finally, the notice warns social media platforms that they may create liability for their influencers or the platforms themselves, depending on the adequacy of the platform’s disclosure tools and representations.

IV. TCPA and Telemarketing Developments

A. FCC Order Targeting International Robocalls

In May 2022, the FCC adopted new rules designed to limit the scope of foreign robocalls. The new regulations include (1) a requirement that gateway providers submit traffic mitigation plans to the Robocall Mitigation Database, (2) a requirement that gateway providers apply STIR/SHAKEN caller ID authentication protocols and validate the identity of the providers whose traffic they are routing to help weed out robocalls, and (3) requirements that gateway providers respond to traceback requests—which are trigged by belief that phone traffic is coming from a prohibited source or is otherwise improper—within twenty-four hours, block calls that are conduits for illegal traffic, and take steps to ensure their immediate upstream foreign providers are not trafficking a “high volume” of illegal robocalls into the United States. Previously, the FCC required providers to respond to traceback requests merely “fully and in a timely manner.” Providers within the Robocall Mitigation Database—a certification database maintained by the FCC to monitor efforts to fight illegal robocalls—may not accept calls from providers not listed within the database. Additionally, gateway providers failing to meet these compliance standards can be subject to removal from the Robocall Mitigation Database.

Additionally, the FCC announced it would seek additional public comment on proposed rules applying to U.S.-based intermediate providers to strengthen robocall mitigation efforts. Currently, these providers are not required to file a certification and mitigation plan in the Robocall Mitigation Database. Under the proposed rules, all U.S. intermediate providers would need to authenticate caller ID consistently with STIR/SHAKEN and file a mitigation plan in the Robocall Mitigation Database.

B. FTC Proposed Rule on Maintaining Records

The FTC announced in April 2022 proposed rules increasing the recordkeeping obligations of sellers and telemarketers. Since 1995, the FTC has regulated telemarketing through the Telemarketing Sales Rule (“TSR”). Currently, sellers and telemarketers are required to keep records such as telemarketing scripts and transactions with customers for twenty-four months, but there is no requirement to keep a record of each call’s details. State and federal law enforcement agencies, as well as numerous consumer advocacy groups, previously pushed for an expansion of recordkeeping requirements in public comments.

The proposed amendments include a requirement in Section 310.5(a)(1) that telemarketers and sellers keep a record of each unique, prerecorded message used, including those made using soundboard technology, requirements in Sections 310.5(a)(5) and (6), respectively, that records are kept demonstrating an established business relationship and that a consumer was a previous donor, and a requirement in Section 310.5(a)(9) that records are kept “of all service providers the telemarketer uses to deliver outbound calls in each telemarketing campaign.”

Finally, a proposed new Section 310.5(a)(2) requires detailed records of each call by the seller or telemarketer. These must include the calling number, the called number, the exact time and duration of the call, and an indication of the call’s outcome, such as “answered, dropped, transferred, or connected,” including details of the phone number, IP address, or company name to which calls were transferred. Additionally, the proposed amendments to Section 310.5(a)(2) would require records of the identity of each telemarketer in the call, the seller or charitable organization for which the call is made, the subject of the call, whether the recipient was a consumer or business, whether robocalls or outbound calls were used, and the telemarketing script and robocall used in the call.

C. Post Facebook TCPA ATDS Cases

1. Meier v. Allied Insurance

The plaintiff, Meier, brought suit against Allied Interstate, LLC, alleging violation of the TCPA. Allied Interstate called Meier seventy-seven times to reach a different individual who owed money to the client of Allied Interstate. The calls were placed using the LiveVox Human Call Initiator, a dialing system that shows phone numbers from outside dialers to “clicker agents,” or human workers, who manually click a phone number to initiate a call. If a person answers the call, it is rerouted to a “closer agent,” or individual authorized by LiveVox’s client to answer the phone. Holding that the manual work of the “clicker agent” in placing each call constituted human intervention, the district court granted summary judgment for Allied Interstate. The Ninth Circuit stayed Meier’s appeal pending the Supreme Court’s decision in Facebook, Inc. v. Duguid.

In Facebook, the Supreme Court held that “a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator” to qualify as an automatic telephone dialing system (“ATDS”). Following Facebook, Meier argued the LiveVox Platform constituted an ATDS because the telephone numbers stored in the LiveVox system via the uploaded file were produced to operators to be dialed “sequentially,” i.e., the same way they were ordered in the file. The Ninth Circuit rejected this argument, stating it would bring “virtually any system” storing pre-produced lists into the scope of an ATDS, so long as the system could automatically dial the numbers. Additionally, the Ninth Circuit held that only the Human Call Initiator, as opposed to the entire LiveVox Platform, should be considered equipment subject to the TCPA.

2. Beal v. Outfield Brewhouse

Plaintiffs, former and potential customers of the defendant bars, brought suit against the defendants claiming violations of the TCPA. Previously, the plaintiffs had given their cell phone numbers to the defendant bars. Because the defendants used the marketing software Txt Live, which is not capable of generating phone numbers, the bars’ employees manually entered the numbers, with demographic data, into the Txt Live database. From there, Txt Live allowed the defendants to filter the number of recipients of a text and the individual recipients based on demographic factors. When an employee hits “send,” the recipients were shuffled based on a random number generator, and when the number of potential recipients exceeded the number of intended recipients, those potential recipients who were the first sequentially in the randomly generated list received the messages. The U.S. District Court for the Western District of Missouri granted summary judgment for the defendants, finding the defendants’ use of Txt Live was permissible. Specifically, it held Txt Live was not an ATDS as the manually entered phone numbers were “merely stored” rather than “generate[d]” by the Txt Live system.

The Eighth Circuit affirmed the lower court’s textual approach, holding that the term “produce” within the TCPA should be read as akin to “generate” since the subject it modifies is a “random or sequential number generator.” The Eighth Circuit found this was in line with the Supreme Court’s decision in Facebook, stating that the Court in Facebook emphasized that Section 227 targets only telemarketing equipment that “risks dialing emergency lines randomly or tying up all the sequentially numbered lines at a single entity.” Because the customers gave the defendant their phone numbers, which were then manually entered into Txt Live’s list, the Eighth Circuit found that the numerically based randomizer did not transform Txt Live away from the “equipment that merely stores and dials telephone numbers” excluded by Facebook from section 227(a)(1). Finally, the Eighth Circuit joined other courts in rejecting the notion that footnote 7 of the Supreme Court’s Facebook opinion indicates that systems randomly selecting from pre-produced, non-random lists must be prohibited autodialers.

3. Shank v. Givesurance

In Shank v. Givesurance Insurance Services, Inc., the Southern District of Ohio joined a growing number of courts allowing a putative TCPA class action past the pleading stage. The plaintiff alleged he received a single telemarketing call and automated text message from SimpleTexting, a mass text messaging service, on behalf of defendant Givesurance, an insurance broker. The defendants moved for judgment on the pleadings, challenging the sufficiency of the plaintiff ’s complaint and his Article III standing. Finding that the common law “recognizes claims based on privacy and nuisance” and that Congress referred to “unrestricted telemarketing” as “an intrusive invasion of privacy” and “nuisance” in the TCPA, the court held that the receipt of a single text message is sufficient to establish injury in fact and, therefore, Article III standing. In so doing, the court followed the Second, Fifth, Seventh, and Ninth Circuits, and rejected the Eleventh Circuit’s holding that the receipt of a single text message is too minimal to warrant “injury in fact” capable of supporting standing.

Additionally, the court found the plaintiff ’s complaint adequate to survive the pleading stage. In Facebook, the Supreme Court held that Facebook’s automatic text messages to targeted subscribers or contacts did not fall within the meaning of the TCPA since its equipment did not store or produce numbers using a random or sequential number generator. The defendants in Shank argued that because SimpleTexting’s website stated users must “import any existing contacts,” and because the plaintiff ’s complaint alleged Givesurance used a service allowing it to reach “subscribers,” the defendants could not have used an ATDS prohibited by the TCPA. The court, however, found the following allegations of the plaintiff sufficient to support a plausible claim under the TCPA: 1) the call was made from an SMS code, 2) SMS codes are evidence of use of an ATDS, 3) SimpleTexting’s website advertised its “mass text messaging” ability, 4) the generic and non-personalized text message was “part of a ‘nationwide telemarketing campaign,’” and 5) the plaintiff did not consent to receive the text. Accordingly, the defendants must wait for summary judgment to argue they did not use a prohibited, automatic dialer.

D. Additional TCPA Cases of Note

1. Miholich v. Senior Life Insurance

The plaintiff, a licensed California insurance agent, filed a class action against the defendant, Senior Life Insurance Company, alleging violations of the TCPA. Though Miholich was on the National Do-Not-Call Registry, he received text messages allegedly sent by Senior Life Insurance advertising its services. Specifically, the parties disputed whether the text messages were sent to Miholich’s business telephone and thus excluded from the reach of the TCPA’s “do-not-call” provisions. Senior Life Insurance countered by primarily arguing that the court lacked subject matter jurisdiction because Miholich lacked Article III standing.

As evidence, Senior Life Insurance showed Miholich’s telephone number is listed as the “Business Phone” number for Miholich on his license with the California Department of Insurance. Miholich submitted a declaration stating the number was his “personal cellular telephone number” and that it was used for a variety of calls, including those with “family members and friends.” The court found it could not conclude as a matter of law that Miholich did not fall within the protection of the TCPA as the FCC previously recognized that the TCPA could protect a telephone used for business and personal use.

The court similarly rejected Senior Life Insurance’s request for dismissal for failure to state a claim. Senior Life Insurance pled that its text messages were attempts to recruit Miholich as an independent contractor rather than a prohibited telephone solicitation. Miholich alleged that the messages he received advertising “Financed Leads” and a link to a Senior Life Insurance webinar constituted “an attempt to promote or sell Defendant’s services.” Again, the court sided with Miholich, allowing his TCPA class action to pass the pleadings stage.

2. Barnes v. Allsup Employment Services LLC

In Barnes v. Allsup Employment Services LLC, the Southern District of Florida rejected class certification for a putative class of individuals who received a telemarketing call from the defendant and for whom the defendant’s call records indicate a voicemail message was left. The plaintiff brought suit against the defendant under the TCPA on behalf of herself and two putative classes. Though the Eleventh Circuit requires that an individual receive more than a single unwanted telemarketing call to suffer an injury-in-fact and thus have Article III standing, the plaintiff survived the defendant’s challenge on account of having received and listened to four telemarketing calls.

In addition, the defendant challenged class certification on the ground that determining the standing of the putative class members was a predominating individualized issue. The court agreed, finding that within the Eleventh Circuit, an individualized inquiry would be necessary into each class member to determine if she suffered injury-in-fact by receiving more than one voicemail. Further, even if that individual received only one voicemail, the court reasoned that the individual could still have standing under Eleventh Circuit law if she answered two or more calls separate from the voicemail. Accordingly, the Eleventh Circuit’s standing requirements under the TCPA may raise a barrier against class certification.

V. Computer Fraud and Abuse Act Developments

A. New Policy for Charging Cases Under the Computer Fraud and Abuse Act

In May 2022, the U.S. Department of Justice released an updated policy to guide its attorneys in charging violations of the Computer Fraud and Abuse Act (“CFAA”). The new charging policy clarifies the meaning of impermissible access “without authorization” and “exceeding authorized access” under Section 1030 of the CFAA. The updated policy describes when charges under both theories should be brought and explicitly recommends against prosecution “if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” Further, in response to some concerned courts and commentators, the updated policy clarifies that individuals will not be federally criminally charged for minor infractions where a user continues to use a service after access is withdrawn under terms of the contract or other writing. For example, even if the terms of a dating website only allow access to users who do not embellish their profiles, under the updated policy, an embellishing user cannot be charged with an offense under the CFAA unless expressly informed they are no longer permitted to use the website.

B. hiQ Labs, Inc. v. LinkedIn, Inc.

In April 2022, the Ninth Circuit affirmed for the second time a district court preliminary injunction preventing LinkedIn from denying hiQ Labs access to LinkedIn’s publicly available member profiles. Previously, the Ninth Circuit affirmed the district court’s preliminary injunction in September 2019. Then, however, the Supreme Court granted LinkedIn’s petition for writ of certiorari, vacated the Ninth Circuit’s judgment, and remanded the case to the Ninth Circuit for reconsideration in light of Van Buren v. United States. In this second consideration by the Ninth Circuit, at issue for the preliminary injunction was whether LinkedIn may invoke the CFAA to preempt hiQ’s likely meritorious tortious interference claim under California state law. If hiQ violated the CFAA in accessing LinkedIn’s publicly accessible profiles against LinkedIn’s terms of use, hiQ’s state law claims and, consequently, its motion for a preliminary injunction, would fail.

The appeal then turned on whether, after LinkedIn sent hiQ a cease-and-desist letter, hiQ’s continued scraping of LinkedIn’s profiles was “without authorization” under the CFAA. Relying on the “gates-up-or-down” inquiry from Van Buren, the Ninth Circuit held that hiQ did not improperly bypass any “gate” in scraping data from LinkedIn’s publicly available profiles. Instead, by leaving the data publicly accessible LinkedIn had failed to construct any gate. Accordingly, in the Ninth Circuit, a person must circumvent generally applicable rules for access permissions to violate the CFAA’s “without authorization” prohibition. It is yet to be seen how this rule will interact with the Department of Justice’s new charging policies and examples.

Richik thanks Nathan J. Hall, Washington University School of Law, J.D. candidate 2022, for his immense contribution to this survey.