Why (and What) You Need to Know About the FTC’s Endorsement Guides and FAQs

Endorsements are an important tool in the marketing and promotional toolbox used by both companies and individuals. A slightly paraphrased version of the FTC’s definition of an endorsement is a message, such as a statement, demonstration, or other communication, by a party not the manufacturer, provider or advertiser of a product or service which contains that third party’s opinions, beliefs, findings, or experiences regarding that product or service (which may be the same as those of the product/service manufacturer/provider or its advertiser).

LinkedIn profiles are chock full of professional endorsements and recommendations by colleagues, peers and others. Companies rely on endorsements to increase brand awareness, promote marketing communications, and drive sales. Traditionally, a company’s brand awareness or marketing message was spread through “word of mouth” by individuals who had a satisfying experience with that company’s products or services. Think back to the old 80’s Faberge Shampoo commercial with a person saying you’ll love the product and that “you’ll tell two friends, and they’ll tell two friends, and so on, and so on, and so on….” If a family member, good friend, or other trusted individual shares a positive review of or experience with a product or service, the logic is that you’ll be more inclined to learn more about it and/or give it a try based on an endorsement from a “trusted source.” Companies and their advertisers use paid celebrities as another form of trusted source to promote their products and services. More recently, a new category of trusted sources has arisen – bloggers and other online personalities, or “influencers,” who regularly provide their followers with their thoughts and opinions (often positive), including on products and services they use. Additionally, companies may seek to leverage their employees as trusted sources by asking them to re-tweet marketing messages and posts.

An unbiased endorsement based solely on a trusted source’s positive experience with the product or service is the best source of information for potential customers. But would a potential customer put the same stock in an endorsement if they knew that the trusted source providing the endorsement works for, received some tangible or intangible compensation or benefit from, or has some other material connection to the company or its advertiser whose products or services they are endorsing? For the last few years, the FTC has been paying more and more attention to online endorsers and influencers. In April 2017, the FTC sent over 90 letters to various influencers and the marketers of brands endorsed by those influencers, highlighting the requirement to clearly and conspicuously disclose any material connection between the endorser and advertiser. The FTC has also recently added to its guidance regarding online influencers, and in early September 2017 announced their first enforcement action against two individual online influencers for failing to properly disclosure their material connection with the company whose product they were endorsing. This may be just the start of more aggressive enforcement by the FTC against influencers, trusted sources, and others who do not “follow the rules” regarding endorsements.

How can companies/marketers and endorsers/influencers avoid trouble when making endorsements? As with many areas of compliance, consider a “center of the herd” approach. The animals in the center of the herd are not the ones that typically get picked off – it’s the ones out in front (e.g., those most desperate for water or who have another need to be first) and those in the rear (e.g., those not paying attention, who can’t keep up, or just don’t care). The same applies in business – the companies more likely to be fined or penalized are those who are willing to take aggressive risks to be in front of the pack, or the ones bringing up the rear due to a lack of focus on, or disregard for, compliance. The FTC has released a set of guides and FAQs to provide guidance to all parties involved with endorsements. Being familiar with these guides and FAQs, and following best practices such as the ones described at the end of this article, can help ensure both you and your company are in the “center of the herd” when it comes to endorsements.

The FTC Guides Concerning Use of Endorsements and Testimonials in Advertising

The FTC has offered guidance for decades on the issue of biased endorsements in marketing: the FTC’s Guides Concerning Use of Endorsements and Testimonials in Advertising (16 CFR Part 255) (the “Endorsement Guides“), which apply to endorsements by consumers, celebrities, experts, and organizations. The Endorsement Guides were updated in 2009 to remove the “results not typical” safe harbor disclosure in endorsements and testimonials, to address connections between endorsers and companies/marketers, and to address celebrity endorsers. While contained in the Code of Federal Regulations, they are administrative interpretations only; deceptive advertising is governed by the Federal Trade Commission Act and state deceptive trade statutes, as well as other truth-in-advertising laws.

There are four principles at the heart of the Endorsement Guides:

  1. Endorsers should only endorse products they have tried, and should only say they use a product if they were a bona fide user at the time the endorsement was given.
  2. Endorsements must be truthful and not misleading (either expressly or by implication).
  3. Endorsers and companies/marketers should only make claims about a product if they have proof substantiating those claims.
  4. Endorsers and companies/marketers must disclose a material connection between an advertiser and an endorser if the connection may result in a perceived bias in the endorsement. A “material connection” is a connection between the person endorsing the product and the company which is producing or marketing the product which might materially affect the weight or the credibility given to the endorsement by its audience, such as but not limited to a business/family relationship, receipt of a payment, or receipt of a free product.

The guides include dozens of examples of real-world situations and how each situation should be treated under the Endorsement Guides. They are worth a careful read. If you find examples that align with your own current or planned marketing strategies and activities, read them carefully to ensure you understand what behavior the FTC expects in that situation.

The FTC’s FAQ on the Endorsement Guides

Released in 2010 and updated in 2015, the FTC supplemented the Endorsement Guides with a set of frequently-asked-questions titled The FTC’s Endorsement Guides: What People Are Asking (the “Endorsement FAQs“). The Endorsement FAQs collect frequently asked questions from companies, marketers, bloggers and others and provide answers from the FTC to supplement the guidance and examples provided in the Endorsement Guides. The FTC’s answers are extremely important as they provide important insight on how the FTC would likely come down on a particular position.

In September 2017, the FTC updated and modernized the Endorsement FAQs. Some of the key changes were:

  • The FTC made clear that if an individual endorser continues to fail to make required disclosures despite warnings, it may take action against that individual endorser.
  • New FAQs were added regarding donations to charity in return for a product review; family and friends eating for free at a new restaurant; YouTubers receiving free gifts in the hopes of a review; bloggers receiving free travel to a new product launch event; Instagram posts with a tag of the brand of clothing being worn; aspirational endorsements; reciprocal endorsements (“I’ll endorse your product if you endorse mine”); bloggers located outside the US targeting a US audience; where to place disclosures in Instagram posts; whether endorsers can rely on a social media platform’s built-in disclosure functionality; where the disclosure can be placed; disclosures for summary ratings including reviewers who have a material connection; and whether an employee’s like or share of a company’s post requires an endorsement disclosure.

These recent updates, and the FTC’s “shots across the bow” of online influencers in April and September 2017, likely signal the FTC’s intention to more aggressively crack down on online influencers and others in the endorsement ecosystem (especially in the social media space) for endorsements that run afoul of the Endorsement Guides and the Endorsement FAQs or otherwise constitute deceptive advertising or trade practices.

Suggested Best Practices and Closing Thoughts

Here are some key takeaways from the Endorsement Guides and the Endorsement FAQs to keep in mind as you move forward with requesting or providing endorsements:

  • If there’s an actual, potential or perceived material connection, disclose it. If there’s a material connection between an online influencer, trusted source, or other endorser and the owner or marketer of the product/service being endorsed, e.g., an influencer is paid or receives a free product, free service, or other material benefit which may be perceived by a potential customer as biasing the endorsement, the endorsers must ensure the connection is disclosed (unless the connection is clear from the context of the endorsement). If you’re on the fence as to whether a connection is material or not, disclose that too. Remember to look at it from the correct perspective — it’s not whether the endorser thinks the received consideration affects his or her endorsement of the product or service, but whether knowing about the consideration could affect how the audience views the endorsement and/or create a perception of bias.
  • Make disclosures easy to understand (e.g., unambiguous). Disclosures such as “#partner” or “thanks to [company/advertiser]” are not sufficient as while they may disclose there’s some relationship between the endorser and the company/advertiser, they do not specify the nature of that relationship. While an endorser does not need to specify the details of the compensation received, he/she needs to disclose that the post, review or other endorsement is sponsored (as long as you’re not misleading your audience on how much compensation you received), and ensure the identity of the sponsor is clear. The Endorsement FAQs disclosures reference “#ad” or “#sponsored” as hashtags that denote that an ad, post, review, etc. is an advertisement or sponsored by the company/advertiser (don’t use “#sp” as it’s not sufficiently unambiguous). For an influencer who receives free products, saying “Thanks to [company/advertiser] for the free [product received]” may be sufficient. If you are an employee of or consultant to a company whose products or services you are endorsing, “#employee” or “#consultant” is not sufficiently unambiguous – “#ABC-Employee,” “#ABC-Ambassador,” or “#ABC-Consultant” is less ambiguous, where “ABC” is the company or brand name of the product/service you are endorsing. If you’re running an online context, ensure the disclosure clearly states it is part of a sweepstakes or contest, e.g., “#ABC_contest” or “#ABC_sweepstakes” (but not “sweeps”). Think about the hashtag from a consumer’s perspective — could they figure out the connection between the endorser and the company/advertiser within the context of the ad within no more than a second or two?
  • Make disclosures hard to miss (clear and conspicuous). Disclosures must appear clearly and conspicuously so they are hard to miss. Ensure the disclosure appears before the “more” link or button in digital marketing, and “above the fold” in printed marketing – consumers should not have to click anything or take any additional action to see the disclosure, i.e., they should not have to look for it. Make sure the disclosure stands out. Don’t put it in a string of tags/hashtags, as it’s more likely to be missed (i.e., it’s not conspicuous) – ensure it’s separated out, such as at the start of the advertisement, or in bold and separated with a divider (“|”) before the other hashtags at the end. In an image, superimpose the disclosure in a way that’s easy to notice and easy to read in the time a viewer is looking at the image. In videos, ensure the disclosure is on screen long enough to be seen, read, and understood by the viewer; for longer videos, consider repeating the disclosure at appropriate intervals. Don’t combine your name with “ad” in a hashtag as it makes the fact that the post is an advertisement easier to miss. If a social media platform offers a disclosure tool, it’s up to the endorser and the company/advertiser to ensure that the tool provides a clear and conspicuous disclosure of the material connection, otherwise they should use a different disclosure.
  • Companies/advertisers must educate and monitor their influencers, trusted sources, and other endorsers. The FTC has specifically noted that companies and their advertisers have a responsibility to educate their influencers, trusted sources, and other endorsers on the rules and requirements for making endorsements (including disclosing material connections), and for monitoring what those parties are doing from an endorsement perspective. Ensure you have a well-documented enforcement process and that it is being followed. Companies should ensure their social media/brand ambassador policies address posts and other communications by influencers and other endorsers, and provide the policies to their endorsers. Companies that do not currently have such policies should strongly consider putting them in place.
  • Remember the bigger picture – deceptive and unfair trade practices. All parties in the endorsement ecosystem should remember that the Endorsement Guides and the Endorsement FAQs are built on the foundation of the FTC Act and the FTC’s authority to regulate advertising practices, and are designed to help businesses and endorsers avoid endorsement activities that constitute deceptive or unfair advertising prohibited by the FTC Act. The concept of clear, conspicuous, and unambiguous disclosures applies to, but goes far beyond the ecosystem of, endorsements.

Finally, remember that changes to the Endorsement Guides and Endorsement FAQs are far outpaced by change in the world of online marketing. Pay attention to the release date of all FTC documents and guidance, and remember that the FTC’s answers were based on the world as of that date. If an assumption or a fact cited by the FTC in its answer is inaccurate or otherwise out of date, talk with marketing counsel as to the impact on the FTC’s stated position. If you’re looking for guidance on how to apply new technologies or marketing approaches to endorsements in a compliant fashion, think of the Endorsement Guides and Endorsement FAQs as tea leaves which can be read to help you take the temperature of how the FTC is likely to view that new technology or approach. The best thing parties in the endorsement ecosystem can do is to be familiar with the Endorsement Guides and Endorsement FAQs and use them to guide their endorsement strategy and approach to keep them in the middle of the herd from a compliance perspective.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

5 Proactive Steps For Employers and Businesses in a Post-Equifax World

Companies should proactively prepare for changes in consumer behavior and corporate responsibility.

By now, most people have heard about the massive data breach at Equifax, one of the four US credit bureaus along with Experian, TransUnion and Innovis, affecting 143 million people. Credit bureaus (also known as consumer reporting agencies) compile and keep a file containing a person’s credit history, including things like the types of credit, how long credit accounts have been open, how much available credit is utilized/available, whether bills are paid on time, late payments/collection notices/foreclosure notices, and public records such as liens and bankruptcies, as well as personal information such as Social Security Number (SSN), date of birth (DOB), and current and previous addresses. Credit bureaus make a report of a person’s credit history (their “credit report”) available to that person, and to employers and other businesses.

Employers and businesses often want to base decisions on whether to offer a person their products or services such as a loan/mortgage/credit offer, the interest rate to charge on that offer, a cell phone plan, an insurance policy, etc., or extend that person an offer of employment or a lease, on as much available relevant information as possible.  This often includes a review of that person’s credit history. Credit reporting agencies monetize accumulated credit history and associated personal information by making credit reports available to employers, insurers, service providers and other businesses for a fee, as permitted by applicable law. If an employer or business wants to obtain your credit report, they obtain your permission to access your report as required by law and ask you to provide certain sensitive personal information about you which they will use to request your report, and they pay a fee to one or more of the credit bureaus to receive a copy of your credit report.

Many employers and businesses rely on easy access to credit reports.  However, this may be one of the more likely casualties of the Equifax breach. As noted earlier, 143 million Americans may now be at risk for identity theft using their sensitive personal information from this one breach event alone. Unlike a credit card number, which can be changed in the event the data is compromised, SSNs and DOBs (which were compromised in the Equifax breach) can’t be changed. This is why the Equifax breach is so significant – unlike most previous breaches, the scale of this breach and the nature of information compromised mean that consumers will be at risk for, and must remain vigilant for, identity theft for the rest of their lives, which will likely drive changes in the way people monitor and manage their credit reports and sensitive personal information.

Most of the advice and guidance regarding the Equifax breach to date has been consumer-focused – what consumers can and should do to protect themselves in the post-Equifax world. This includes recommendations for more robust use of credit freezes currently offered by the credit bureaus and use of third party monitoring services which alert consumers to (or require the consumer’s approval for) changes in their credit report, representing a shift in the spectrum towards consumer identity protection and away from access to easy credit such as point-of-sale, “save 20% if you open an account today”-type offers requiring an instant check of your credit. It is also likely the earthquake caused by the Equifax breach will result in additional security and legal requirements not just for credit bureaus, but for all companies possessing sensitive personal information such as SSNs and DOBs, as well as industry-driven or legislatively-mandated enhanced best practices and/or new ways for consumers to help them control access to their credit reports in an effort to minimize identity theft, such as a tool to manage security freezes at all three credit bureaus simultaneously and make it easier to impose, and temporarily lift, such freezes. The Equifax breach is also likely to increase consumer acceptance of more complex login processes, such as multi-factor authentication.

Employers and businesses should start thinking about how they can and should adapt to the coming post-Equifax changes in consumer and credit bureau behavior, and increases in corporate responsibility with respect to security and collection/use of sensitive personal information. By taking proactive steps, companies can demonstrate to their employees and customers that they are sensitive to the importance of identity protection and security. Here are 5 proactive steps companies may want to consider:

1. Address consumer credit freeze/release approval in the new employee hiring process and other processes requiring a consumer credit check (such as point-of-sale credit offers).

While implementing a credit freeze will help protect a person from identity theft, it’s not without its drawbacks. As of today, these drawbacks include the need to separately implement or lift freezes on a per-credit bureau basis, and the fact that the freeze must be lifted (temporarily or permanently) before an employer or business can perform a credit check. Despite this drawback, more people will likely implement credit freezes in the post-Equifax world, which will impact companies’ ability to easily complete background checks or receive point-of-sale credit offers.

  • Employers and other businesses performing a consumer credit check should anticipate this and consider proactively modifying their credit check process by adding a question to their credit report authorization form asking whether a person has a credit freeze, or whether that person’s approval is required for the release of their credit report. If that person answers “yes,” the employer or business should have a standard exception process to work with that person to ensure the freeze is temporarily lifted, or approval for the credit check is given, so the employer or business can perform the credit check.
  • Retailers offering point-of-sale credit offers should consider ensuring their offer disclosures include a statement that people with credit freezes may not be eligible for the offer due to the inability to verify their credit history. For those businesses which use sales associates to offer point-of-sale promotions, consider requiring them to ask whether the consumer has a credit freeze in place, and if so notify them if the freeze renders them ineligible for the offer.

Employers and businesses should also know which credit bureau(s) they use for background checks, and be prepared to provide this information to make it as easy as possible for a prospective employee or customer to implement a temporary lift of the credit freeze. It may be worth having a short URL handy which can be provided to a prospective employee or customer who wants to temporarily lift their credit freeze to enable them to take advantage of the offer on the spot or at a later time.

2. Enable multi-factor authentication for access to online services and consumer portals.

Most businesses use a username and password as access credentials. Some, but not all, have moved to a more secure authentication mechanism known as multi-factor authentication. Multi-factor authentication requires a user to provide not only a username, but two or more of the following “authentication elements” to validate the user’s identity: (1) something you know (e.g., a password, the answer to a challenge question), (2) something you have (e.g., a one-time PIN or password or a code delivered specifically through the user’s mobile device), and/or (3) something you are (e.g., facial recognition or fingerprint). Each factor must be independent of the other so that knowing one factor does not reveal another. Other data, such as geolocation information or time-based access requirements, can be used as well. The most commonly-known type of multi-factor authentication is two-factor authentication, where two authentication elements (of which one is typically a password) are required. Multi-factor authentication helps reduce the chance a bad actor could successfully exploit a username and password obtained through a security breach, through phishing, or through other social engineering attack vectors. Companies can use multi-factor authentication to demonstrate to its users (and potential users) that it places a high value on security.

Some companies argue that the burden of providing additional verification does not outweigh the simplicity of a username/password, especially where the company is not collecting any sensitive personal information. However, multi-factor authentication is an industry standard in certain areas, such as under the current Payment Control Industry Data Security Standard (PCI-DSS) for companies that are required to be PCI compliant, and will likely continue to gain traction as an industry standard, or customer expectation, in other areas. The National Institute of Standards and Technology (NIST) recommends using multi-factor authentication wherever possible. For companies where multi-factor authentication is not an industry standard or legal requirement, consider offering multi-factor authentication anyway, or offering it as an enhanced security option to customers concerned about protecting access to their accounts.

3. Evaluate whether there is a true need to collect SSNs and DOBs from consumers, and/or other creative ways to validate SSN and DOB information.

Companies which collect Social Security Numbers or dates of birth from their users should consider whether the collection of this information is truly required. One of the core tenets of data privacy is the Collection Limitation principle, which advocates for limits on companies’ collection of personal data. HIPAA takes this a step further and applies a “minimum necessary standard” – companies should limit the use and disclosure of collected personal information to the minimum necessary to accomplish the intended purpose. Companies should consider following HIPAA’s “minimum necessary standard” even if they are not subject to HIPAA. With respect to sensitive personal information such as SSN and DOB, companies should look carefully at whether they truly need to collect this information, and for what purpose. If there is another way to accomplish the same goal without collecting the information, consider implementing that alternative approach. Here are two examples:

  • With respect to SSNs, instead of asking for a user’s SSN for validation purposes considering asking for the sum of the digits in their SSN, or the sum of the digits in their SSN plus the digits in their home street address. This provides a strong identity validation mechanism without the need to capture and store SSNs.
  • With respect to DOBs, if validating a user’s age (e.g., for COPPA purposes), consider whether the month and year is sufficient, and keep a flag indicating that the age information was verified instead of the month/year information itself.

4. Review and freshen (or implement) their incident response and incident communications plan(s).

To many, Equifax’s response has been a lesson in how not to manage communications regarding a security breach. Companies should take the opportunity to learn from Equifax’s missteps and review and freshen up their incident response and incident communication plan(s). For companies still without an incident response/incident communications plan, now is the time to ensure one is in place. A few things to consider:

  • According to press reports, the Equifax breach allegedly stemmed from the failure to timely implement a security update to the Apache Struts Web Framework. As part of incident response preparedness, work with IT to ensure that your company is actively monitoring for hardware/software security patches, and is applying them as quickly as possible following release.
  • There have been numerous reports regarding sales of Equifax stock valued at $1.8 million by three senior Equifax executives within days of Equifax’s discovery of the breach. While Equifax has stated that the executives were not aware of the breach, whether or not the executives (including the CFO and President of US Information Systems) had knowledge doesn’t really matter – the perception and optics of it are awful in the eyes of the public, the SEC, and state attorneys general. Consider ensuring that the entire senior team is notified immediately in the event of a security breach, and have your General Counsel or external breach counsel discuss with them the risks of continuing with any automated stock sale programs in light of the breach.

5. Consider offering credit monitoring as an employee benefit.

Finally, employers may want to consider adding credit monitoring as an employee benefit, by offering subsidized or free credit monitoring services to their employees through a partnership with a credit bureau or a third-party provider such as AllClear ID. While there are some questions as to the value of credit monitoring in protecting against identity theft, services that notify you and/or require your approval before a new account is opened can be very valuable in fighting identity theft. As the possibility of identity theft is becoming a fact of life in the 21st century, companies may find it beneficial to help their employees guard their identity. Among other benefits to companies, minimizing identity theft reduces the time employees need to take away from work, whether as PTO or lost productivity, to deal with the repercussions of having their identity stolen, and provides employees with increased peace of mind with respect to identity protection.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

The What, Why and How of SLAs, aka Service Level Agreements (part 2)

Every company uses technology vendors, such as Software-as-a-Service providers, to provide critical components of their business operations. One pervasive issue in technology vendor agreements is the vendor’s commitment to the levels of service the customer will receive.  A representation to use commercially reasonable efforts to correct product defects or nonconformity with product documentation may not be sufficient for a customer relying on a technology vendor’s service for a mission-critical portion of its business. In this situation, the vendor may offer (and/or a customer may require) a contractual commitment as to the vendor’s levels of service and performance, typically called a “Service Level Agreement” or “SLA.” Service Level Agreements (SLAs) ensure there is a meeting of the minds between a vendor and its customer on the minimum service levels to be provided by that vendor.

In Part 1 of this post, I walked through uptime and issue resolution SLAs.  In this second part, I cover other types of technology SLA commitments, SLA remedies, and other things to watch for.

Other Types of Commitments in SLAs

Other common types of SLAs in technology agreements include latency SLAs and customer service SLAs.

Latency SLAs. “Latency” is the time it takes for a server to receive a server request, process it, and send a response. For example, when you load a webpage, a server request is sent to a web server to deliver the webpage, the server processes the request, and sends a response with the code to render the page in the user’s web browser. Latency can be affected by a number of factors, including the geographic location of servers, network/Internet capacity, and server optimization. For companies using a vendor to provide services as part of its client-facing systems (e.g., an address verification service), minimizing latency to ensure a high level of performance is critical. A latency SLA is a commitment to a maximum roundtrip response time for a vendor server request. Latency SLAs typically exclude the time it takes to get from the customer’s server to the boundary of the vendor’s network, and vice versa (as this is outside of the vendor’s control).

Customer Service SLAs. In some vendor relationships, ensuring the prompt provision of customer support is a critical component of the relationship. For example, if a vendor is providing support to a customer’s clients or employees, or is providing level 2 escalation support, customer support SLA commitments may be important to the customer to ensure a high level of service.  Customer support commitments often include commitments on time to first response (the time from the submission of a request to the time an agent opens the support ticket to begin working on it); time to resolution (total time needed to resolve the issue); average speed to answer (the percent of calls answered within a maximum time, e.g., 85% of calls within 30 minutes, or percent of emails answered within a maximum time, e.g., 90% of emails within 4 business hours); and/or abandonment rate (the maximum number of calls being abandoned in queue before a support agent picks up the call).

SLA Remedies

In order to ensure the service level commitments made by a vendor have teeth, the SLA should have remedies available to the customer in the event of a failure to meet one or more SLA commitments. The remedies are often the most heavily negotiated section of the SLA. There are a variety of remedies that can be applied in the event of a SLA failure.

Service Credits. One of the more common forms of remedy is a service credit, often a percentage of fees paid by the customer for the period in which the SLA failure occurred.  For example, if a vendor fails to meet a 99.9% monthly SLA, a service credit equal to a percentage of the monthly fees paid by the customer would be applied to the next monthly invoice.  A credit is often provided on a tiered basis, up to 100% of the fees for the relevant period based on the size of the SLA miss. Vendors may want to include language ensuring that if multiple credits are available for the same reporting period (e.g., a credit for failure to meet the uptime SLA as well as the issue resolution SLA), only the greater credit will apply.  The credit is usually applied to the next invoice, or if there will be no additional invoice, paid directly to the customer.  For a service credit related to an uptime SLA commitment, instead of a percentage of fees some vendors will offer a credit equal to the fees earned by the vendor during the period of time during which the Service was unavailable during the previous measurement period (or an average of the amount during previous measurement periods), under the theory that the credit is an accurate reflection of the actual fees that would have been earned by the vendor had the service been available in compliance with the SLA.  Customers should carefully consider what fees are used to calculate the credit – customers will want this to be as inclusive as possible.

Termination. In the event of a SLA failure, another remedy commonly offered by vendors is a right to terminate. Vendors typically put restrictions around the exercise of this right, e.g., termination is the sole and exclusive remedy available; termination is limited to the service subject to the SLA failure, not the entire service agreement; it is offered on a “use it or lose it” right which can only be exercised for a period of time following the measurement period in which the SLA failure giving rise to the termination right arose; or the right to terminate is only triggered by multiple failures, such as failure to meet its SLA commitments in three (3) consecutive months or any two (2) out of three (3) consecutive calendar quarters. Customers should carefully consider whether the limits on these rights are appropriate (e.g., ensure that “sole and exclusive remedy” applies only to a SLA failure, and would not preclude the customer enforcing its rights and remedies for any other breaches of the vendor agreement; ensure a right to terminate extends to the entire service agreement if the affected service component is a significant portion of the value of the relationship to the customer; etc.)

Other creative remedies. Vendors and customers should consider whether other creative remedies for a breach of the SLA, such as waiver of fee minimums, waiver or imposition of other contractual obligations, or provision of additional services (e.g., a certain number of free hours of professional services), may be an appropriate remedy for the customer and an appropriate motivator for the vendor to meet its SLA commitments.

Closing Thoughts – Things to Watch For

  • Remember that most vendors are trying to provide as close to 100% uptime as possible, and the best possible service they can to their clients. A SLA is intended to be a floor on performance, not a ceiling.
  • Some vendors do not include a SLA in their standard service agreement, instead letting customers ask for one. In my experience, less customers will ask for a SLA than you’d think.  It’s always a good idea to ask a vendor to ensure they include their SLA with the service agreement at the outset of the contract negotiation process.
  • If the vendor will not agree to include a SLA, ask them why.
    • In some cases, vendors will not provide a SLA with credits to all but their largest clients, relying on the fact that as a multi-tenant platform all clients receive the benefit of the SLAs provided to their largest clients. In this event, customers should consider whether to fight for a direct SLA or rely on their commitments to larger clients (which commitments may change over time).
    • If you can’t get a SLA from a vendor, customers should consider whether to push for a termination for convenience right (and refund of prepaid but unaccrued fees) in the event they are dissatisfied with the service levels they are receiving from the vendor.
    • Customers should also ask whether the service is truly a mission-critical service. If not, it may be worth considering how hard to fight for the SLA, or if the customer can offer to concede the SLA to win on another open negotiation point of greater importance.
  • Customers should watch for language in the vendor agreement that gives the vendor the right to unilaterally change terms of the agreement, instead of having changes mutually agreed upon. This unilateral right is often broad enough to allow a vendor to change the terms of the SLA as well. If so, customers may seek to limit the scope to exclude the SLA, or ensure that the agreement includes a termination right as described above.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

The What, Why and How of SLAs, aka Service Level Agreements (part 1)

Every company uses technology vendors, such as Software-as-a-Service providers, to provide critical components of their business operations. One pervasive issue in technology vendor agreements is the vendor’s commitment to the levels of service the customer will receive.  A representation to use commercially reasonable efforts to correct product defects or nonconformity with product documentation may not be sufficient for a customer relying on a technology vendor’s service for a mission-critical portion of its business. In this situation, the vendor may offer (and/or a customer may require) a contractual commitment as to the vendor’s levels of service and performance, typically called a “Service Level Agreement” or “SLA.” Service Level Agreements (SLAs) ensure there is a meeting of the minds between a vendor and its customer on the minimum service levels to be provided by that vendor.

At a high level, a SLA does three things:

  1. Describes the types of minimum commitments the vendor will make with respect to levels of service provided by the vendor;
  2. Describes the metrics by which the service level commitments will be measured; and
  3. Describes the rights and remedies available to the customer if the vendor fails to meet their commitments.

In many cases, a SLA is presented as an exhibit or appendix to the vendor agreement (and not a separate agreement). In others, a SLA may be presented as a separate document available on a vendor’s website.  Think of the former as a customer-level SLA which is stated directly in (and quite often negotiated on a customer-by-customer basis as part of) the service agreement with that customer, and the latter as a service-level SLA which the vendor wants to apply equally to every user of its service.

In this two-part post, I’ll explain the contents of, reasons for, and important tips and tricks around technology SLAs.  Part 1 will cover uptime and issue resolution SLAs.  Part 2 will cover other types of technology SLA commitments, SLA remedies, and other things to watch for.

Common types of commitments in SLAs

The most common types of commitments found in technology SLAs are the uptime commitment and the issue resolution commitment.

Uptime SLA Commitment

An uptime commitment is generally provided in connection with online services, databases, and other systems or platforms (a “Service”). A technology vendor will commit to a minimum percentage of Service availability during specified measurement periods.  This percentage is typically made up of nines – e.g., 99% (“two nines”), 99.9% (“three nines”), 99.99% (“four nines”), 99.999% (“five nines”), etc.  Some SLAs will use “.5” instead of “.9”, for example, 99.5% or 99.95%”.   Uptime is typically calculated as follows:

(total minutes in the measurement period - minutes of Downtime in that period) / Total minutes in the measurement period

Definitions are key. The right definitions can make all the difference in the effectiveness of an uptime SLA commitment. Vendors may gravitate towards a narrower definition of “Downtime” (also called “Unavailability” in some SLAs) to ensure they are able to meet their uptime commitment, e.g., by excluding a slowdown that makes the Service hard (but not impossible) to use. Customers should look carefully at this definition to ensure it covers any situation in which they cannot receive substantially all of the value of the Service. For example, consider the difference between Unavailability/Downtime as a period of time during which the Service fails to respond or resolve, versus a period of time during which a material (or non-material) function of the service is unavailable. The SLA should define when the period of Unavailability/Downtime starts and ends, e.g., starting when the vendor first learns of the issue, and ending when the Service is substantially restored or a workaround is in place; customers should look at this carefully to ensure it can be objectively measured.

Mind the measurement period. Some vendors prefer a longer (e.g., quarterly) measurement period, as a longer measurement period reduces the chance a downtime event will cause a vendor to miss its uptime commitment. Customers generally want the period to be shorter, e.g., monthly.

Consider whether the uptime percentage makes sense in real numbers. Take the time to actually calculate how much downtime is allowed under the SLA – you may be surprised. For a month with 30 days:

  • 99% uptime = 432 minutes (7 hours, 12 minutes) of downtime that month
  • 99.5% uptime = 216 minutes (3 hours, 36 minutes) of downtime that month
  • 99.9% uptime = 43.2 minutes of downtime that month
  • 99.99% uptime = 4.32 minutes of downtime that month

One critical question customers should ask is whether a Service is mission-critical to its business.  If it’s not, a lower minimum uptime percentage may be acceptable for that service.

Some vendors may offer a lower uptime commitment outside of business hours, e.g., 99.9% from 6am to 10pm weekdays, and 99% all other times. Again, as long as this works for a customer’s business (e.g., the customer is not as concerned with downtime off-hours), this may be fine, but it can make it harder to calculate.

Ensure the Unavailability/Downtime exclusions are appropriate. Uptime SLAs generally exclude certain events from downtime even though the Service may not be available as a result of those events. These typically include unavailability due to a force majeure event or an event beyond the vendor’s reasonable control; unavailability due to the equipment, software, network or infrastructure of the customer or their end users; and scheduled maintenance.  Vendors will often seek to exclude a de minimis period of Unavailability/Downtime (e.g., less than 5/10/15 minutes), which is often tied to the internal monitoring tool used by the vendor to watch for Service unavailability/downtime. If a vendor wouldn’t know if a 4-minute outage between service pings even occurred, it would argue that the outage should not count towards the uptime commitment.

Customers should make sure there are appropriate limits to these exclusions (e.g., force majeure events are excluded provided the vendor has taken commercially reasonable steps to mitigate the effects of such events consistent with industry best practices; scheduled maintenance is excluded provided a reasonable amount of advance written notice is provided.  Customers should watch out for overbroad SLAs that try to exclude maintenance generally (including emergency maintenance).  Customers may also want to ensure uptime SLAs include a commitment to take reasonable industry-standard precautions to minimize the risk of downtime (e.g., use of no less than industry standard anti-virus and anti-malware software, firewalls, and backup power generation facilities; use of redundant infrastructure providers; etc.)

Don’t overlook SLA achievement reporting. One important thing customers should look for in a SLA is how the vendor reports on SLA achievement metrics, which can be critical to know when a remedy for a SLA failure may be available. Vendors may place the burden on the customer to provide notice of a suspected uptime SLA failure within a specified amount of time following the end of the measurement period, in which case the vendor will review uptime for that period and verify whether the failure occurred. However, without proactive metrics reporting, a customer may only have a suspicion of a SLA failure, not actual facts. Customers using a mission-critical system may want to consider asking for proactive reporting of SLA achievement within a certain amount of time following each calendar month.

Issue Resolution SLA Commitment

Of equal importance to an uptime commitment is ensuring that a Service issue (downtime or otherwise) will be resolved as quickly as possible.  Many technology SLAs include a service level commitment for resolution of Service issues, including the levels/classifications of issues that may occur, a commitment on acknowledging the issue, and a commitment on resolving the issue.  The intent of both parties should be to agree on a commitment gives customers assurances that the vendor is exerting reasonable and appropriate efforts to resolve Service issues.

Severity Levels. Issue resolution SLAs typically include from 3-5 “severity levels” of issues.  Consider the following issues:

Impact Example Classification
Critical The Service is Unavailable
High An issue causing one or more critical functions to be Unavailable or disrupting the Service, or an issue which is materially impacting performance or availability
Medium An issue causing some impact to the Service, but not materially impacting performance or availability
Low An issue causing minimal impact to the Service
Enhancement The Service is not designed to perform a desired function

Issue resolution SLAs typically use some combination of these to group issues into “severity levels.”  Some group critical and high impact issues into Severity Level 1; some do not include a severity level for enhancements, instead allowing them to be covered by a separate change order procedure (including it in the SLA may be the vendor’s way of referencing a change order procedure for enhancements). Vendors may include language giving them the right to reclassify an issue into a lower severity level with less stringent timeframes. Customers should consider ensuring whether they should have the ability to object to (and block) a reclassification if they disagree that the issue should be reclassified.

Acknowledgment Commitment. Issue resolution SLAs typically include a commitment to acknowledge the issue. As with the uptime SLA, the definition of the acknowledgment timeframe is important (when it starts and when it ends). A vendor will typically define this as the period from the time it is first notified of or becomes aware of the issue to the time the initial communication acknowledging the issue is provided to the customer.  Customers should look at the method of communication (e.g., a post to the vendor’s support page, tweet through their support Twitter account, an email, a phone call from the customer’s account representative required, etc.) and determine if a mass communication method versus a personal communication method is important.

For critical and high impact issues, vendors (especially those operating multi-tenant environments) will often not offer a specific acknowledgment commitment, instead offering something like “as soon as possible depending on the circumstances.”  The argument for this is that for a critical or high impact issue, a vendor wants all available internal resources triaging and working the problem, not reaching out to customers to tell them there is a problem. In many cases, this may be sufficient for a customer provided there is some general acknowledgment provided to a support page, support Twitter account, etc. to alert customers that there is an issue. In others, a customer may want to push for their account representative, or a vendor representative not involved in triaging the problem such as an account executive, to acknowledge the issue within a fixed amount of time, putting the burden on the vendor to ensure it has appropriate internal communication processes in place.

Resolution Commitment. Issue resolution SLAs also typically include a time commitment to resolve the issue. One important thing to focus on here is what “resolve” means.  Vendors may define it as the implementation of a permanent fix or a workaround that temporarily resolves the problem pending the permanent fix; in some cases, vendors may also define it as the commencement of a project to implement a fix.  Customers should ensure that a vendor promptly implement a permanent fix if a workaround is put in place, and that failure to do so is a failure under the SLA. Many vendors are reluctant to provide a firm issue resolution timeframe, as the time required to resolve or implement a workaround is dependent on the issue itself, and are often unwilling to negotiate the resolution commitment or commit to a fixed timeframe for resolution.  Customers should ensure the resolution commitment is reasonable and that the vendor is doing everything it can to correct issues.  For example, for critical and high impact issues, consider an issue resolution commitment of “as soon as possible using continuous diligent efforts” – as long as the vendor is working diligently and continuously to fix the issue, they’re in compliance with the SLA. For lower impact issues, consider a commitment to implement a fix or workaround in the ordinary course of business.

In part 2, I’ll cover other types of technology SLA commitments, SLA remedies, and other things to watch for.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

The New Revenue Recognition Standards Are Coming – Will You Be Ready?

Most companies measure their financial performance by the revenues and other compensation they earn through their business operations, which in many cases means the sale of goods or provision of services. Knowing when to recognize the proceeds from a sale of good or provision of services as revenue is therefore critical to financial reporting. For many years, two different rules by two different standards organizations governed revenue recognition:

  1. The Financial Accounting Standards Board (“FASB“)’s Accounting Standards Codification (“ASC“) provide US generally accepted accounting principles (“GAAP“), including those governing revenue recognition. Under the current GAAP revenue recognition rule in ASC 605, revenue recognition varies by industry and in some cases by transaction, which makes revenue recognition a complex and difficult exercise in many situations.
  2. The International Accounting Standards Board (“IASB“)’s International Accounting Standards (“IAS“) provide an international standard for financial statements and accounting. Under the current international revenue recognition rule known as IAS 18, revenue recognition also varies by industry and transaction type, but IAS 18 provides less guidance than ASC 605 making it harder for companies to recognize revenue in a consistent fashion. The IASB is the successor to the International Accounting Standards Council (“IASC“) which originally promulgated the IAS.

Beginning in 2001, the IASB began replacing the IAS with new International Financial Reporting Standards (“IFRS“). In 2002, the FASB and IASB began collaborating on developing an improved. stronger, more robust, more useful, more consistent revenue recognition standard to make revenue recognition simpler and easier to consistently apply. This collaboration bore fruit 12 years later in May 2014, when the FASB and IASB released a converged revenue recognition standard titled Revenue from Contracts with Customers, codified as ASC 606 by FASB and IFRS 15 by IASB. Since 2014, there have been a few amendments (and implementation delays) by the FASB and IASB, and there have been a few small areas where the standards have diverged (e.g., the definition of what “probable” means). Despite this, for the most part the goal of a unified revenue recognition standard remains intact. These new standards will go into effect in December 2017 (for ASC 606) and January 2018 (for IFRS 15). All this background can be summarized in the following table:

A tabular representation of the history behind the ASC 606 / IFRS 15 revenue recognition standard.Here’s what you need to know about the new twin revenue recognition standards (for simplicity, this analysis is based on ASC 606):

How Revenue Recognition Works Under ASC 606/IFRS 15

To recognize revenue under the new standard, companies must do 5 things: (1) identify a customer contract, (2) identify the distinct performance obligations under that contract, (3) determine the transaction price (expected revenue), (4) allocate the expected revenue to the performance obligations, and (5) recognize allocated revenue when (or as) each performance obligation is satisfied. As stated in ASC 606, “an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.” As we go through each step, keep this visual representation in mind:

ASC 606 Revenue Recognition DiagramStep 1 – Identify the contract(s) with a customer. The first step of the revenue recognition process is to identify a contract, i.e., an agreement creating enforceable rights and obligations among two (or more) parties. A contract must be signed or otherwise approved by the parties, must have identifiable rights and payment terms, have commercial substance, and it must be probable that one party will receive the revenue or other consideration expected from the performance of its obligations (e.g., provision of goods or services). Remember that a contract does not have to be in writing to be considered a contract for revenue recognition purposes – oral or implied contracts may satisfy these requirements.

Step 2 – Identify the contract’s distinct performance obligations. For goods and services contracts, a “performance obligation” is promise to transfer a good or provide a service to another party. A “distinct” performance obligation is one that benefits the recipient alone or with other readily available resources (e.g., delivery of a computer that is usable with power and Internet access obtained separately) and can be identified separately from other obligations under the contract (e.g., a company is delivering 5 computers, delivery of all 5 computers should be combined into a single performance obligation). A series of distinct performance obligations that are substantially similar can still be treated as individual performance obligations (e.g., delivery of a new computer at the start of each quarter during a calendar year, 4 new computers total). In a services agreement such as a SaaS contract, implementation obligations and the provision of services may be separate obligations. A SaaS company may look at its distinct performance obligation as providing a service each day during the term of the Agreement, so each day would be a distinct performance obligation.

Step 3 – Determine the transaction price. The “transaction price” is the expected payment and other consideration to be paid/provided in return for satisfaction of the performance obligations. Financial consideration can usually be grouped into fixed (stated in the contract) vs. variable (contingent on the occurrence or non-occurrence of a future event). For variable consideration, companies should look at the expected value taking into account the potential for changes in the variable payment component. If compensation for a performance obligation will be deferred, and not paid contemporaneously with the satisfaction of the performance obligation, the present value of the deferred compensation should be considered. Non-cash compensation (e.g., bartered goods or services) should be measured at fair value, or if not available the standalone selling price. Other consideration such as coupons or vouchers may need to be deducted from the transaction price. For SaaS companies that use a tiered pricing structure and monthly or annual minimums, calculating the expected revenue can be tricky (e.g., by using a probability-weighted methodology).

Step 4 – Allocate the transaction price to the performance obligations. If your contract has one performance obligation, you’re already done with this step. If not, the next step is to allocate the transaction price among each distinct performance obligation, i.e., to separate the transaction price into each discrete “piece” of consideration a party expects to receive from satisfying the associated performance obligation. This can be done by allocating the standalone selling price (i.e., the price at which the good would be sold separately) to the performance obligation, or where that standalone price is not available, the selling entity should estimate it by utilizing as many observable data points as possible to come up with the best estimate possible. ASC 606 includes examples of estimation methods. If a company provides a discount, the discount should be allocated proportionally among the expected revenue for the performance obligations to which the discount applies.

Step 5 – Recognize allocated revenue when (or as) the performance obligations are satisfied. The final step is to recognize each allocation of the transaction price as each distinct performance obligation is satisfied (i.e., the promised good or service is transferred to the recipient). For physical assets, transfer occurs when the recipient obtains control of the asset. For services, a performance obligation is satisfied when the benefits from the provider’s performance are received and utilized, the provider’s performance creates and/or enhances an asset in the recipient’s control, or the provider’s performance creates a payment right without creating an asset with an alternative use to the recipient (e.g., a company is contractually restricted from using a provided service for other purposes). Performance obligations may be satisfied on a specific date (e.g., for delivery of goods) or over a specific time period (e.g., for delivery of services). If satisfied over a time period, revenue may be recognized based on the progress towards satisfying the performance obligation.

Get Prepared Now

While it may seem like there is plenty of time to prepare for the implementation of the new revenue recognition standard, there’s a lot of work that needs to be done to be ready, including the following:

  • Learn the details. It’s important to note that this article represents a very high-level summary of the new revenue recognition standard. Having a more in-depth understanding of the new standard and how it applies to your company and its costing models/contracts is critical. There is an abundance of articles, seminars, and other publicly-available materials available on ASC 606 and IFRS 15. Also, talk with your accounting firm on what they have done as a firm to prepare, and their recommended action plan for your business – they may have some great materials they can provide to get you and your company up to speed.
  • A lot of work be done proactively. Conduct a proactive review of existing contracts, contractual obligations, and other revenue sources that may be classified as a “contract” subject to the new revenue recognition standard. Analyze each to determine the distinct performance obligations, and determine the transaction price. Work with your accountants to allocate the transaction price among the performance obligations.
  • Review (and update if necessary) contract templates. Accounting should partner with Legal and Sales to review sales proposal templates and contract templates describing or creating performance obligations. Review all standard variations of pricing offered to clients to identify any issues under the new revenue recognition standards. Consider whether warranties, returns language, or other contractual terms create distinct performance obligations and how they can be satisfied. Make any updates as necessary to ensure your templates align with the new standards going forward.
  • Create a plan. Assign a resource to manage the process of preparing for the new standard. Consider creating a cross-departmental group to meet regularly to discuss progress and assign tasks. Consider what internal education will need to be done to prepare employees and groups for the new standard, what changes to internal or third party systems may be required, what additional disclosure requirements may be required, whether internal policies will need to be updated or created, and what changes may be needed to internal processes. Secure the support of executive sponsors, such as the CFO and CEO. If you have personnel who were involved in rolling out SOX compliance in the early 2000s, talk to them about lessons learned to avoid repeating the mistakes of the past.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers through supply solutions to expand product assortment, demand solutions to promote and sell products on the channels that perform, and delivery solutions to enable rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles in voice-over work and implementing and integrating connected home technologies.