Why (and What) You Need to Know About the FTC’s Endorsement Guides and FAQs

Endorsements are an important tool in the marketing and promotional toolbox used by both companies and individuals. A slightly paraphrased version of the FTC’s definition of an endorsement is a message, such as a statement, demonstration, or other communication, by a party not the manufacturer, provider or advertiser of a product or service which contains that third party’s opinions, beliefs, findings, or experiences regarding that product or service (which may be the same as those of the product/service manufacturer/provider or its advertiser).

LinkedIn profiles are chock full of professional endorsements and recommendations by colleagues, peers and others. Companies rely on endorsements to increase brand awareness, promote marketing communications, and drive sales. Traditionally, a company’s brand awareness or marketing message was spread through “word of mouth” by individuals who had a satisfying experience with that company’s products or services. Think back to the old 80’s Faberge Shampoo commercial with a person saying you’ll love the product and that “you’ll tell two friends, and they’ll tell two friends, and so on, and so on, and so on….” If a family member, good friend, or other trusted individual shares a positive review of or experience with a product or service, the logic is that you’ll be more inclined to learn more about it and/or give it a try based on an endorsement from a “trusted source.” Companies and their advertisers use paid celebrities as another form of trusted source to promote their products and services. More recently, a new category of trusted sources has arisen – bloggers and other online personalities, or “influencers,” who regularly provide their followers with their thoughts and opinions (often positive), including on products and services they use. Additionally, companies may seek to leverage their employees as trusted sources by asking them to re-tweet marketing messages and posts.

An unbiased endorsement based solely on a trusted source’s positive experience with the product or service is the best source of information for potential customers. But would a potential customer put the same stock in an endorsement if they knew that the trusted source providing the endorsement works for, received some tangible or intangible compensation or benefit from, or has some other material connection to the company or its advertiser whose products or services they are endorsing? For the last few years, the FTC has been paying more and more attention to online endorsers and influencers. In April 2017, the FTC sent over 90 letters to various influencers and the marketers of brands endorsed by those influencers, highlighting the requirement to clearly and conspicuously disclose any material connection between the endorser and advertiser. The FTC has also recently added to its guidance regarding online influencers, and in early September 2017 announced their first enforcement action against two individual online influencers for failing to properly disclosure their material connection with the company whose product they were endorsing. This may be just the start of more aggressive enforcement by the FTC against influencers, trusted sources, and others who do not “follow the rules” regarding endorsements.

How can companies/marketers and endorsers/influencers avoid trouble when making endorsements? As with many areas of compliance, consider a “center of the herd” approach. The animals in the center of the herd are not the ones that typically get picked off – it’s the ones out in front (e.g., those most desperate for water or who have another need to be first) and those in the rear (e.g., those not paying attention, who can’t keep up, or just don’t care). The same applies in business – the companies more likely to be fined or penalized are those who are willing to take aggressive risks to be in front of the pack, or the ones bringing up the rear due to a lack of focus on, or disregard for, compliance. The FTC has released a set of guides and FAQs to provide guidance to all parties involved with endorsements. Being familiar with these guides and FAQs, and following best practices such as the ones described at the end of this article, can help ensure both you and your company are in the “center of the herd” when it comes to endorsements.

The FTC Guides Concerning Use of Endorsements and Testimonials in Advertising

The FTC has offered guidance for decades on the issue of biased endorsements in marketing: the FTC’s Guides Concerning Use of Endorsements and Testimonials in Advertising (16 CFR Part 255) (the “Endorsement Guides“), which apply to endorsements by consumers, celebrities, experts, and organizations. The Endorsement Guides were updated in 2009 to remove the “results not typical” safe harbor disclosure in endorsements and testimonials, to address connections between endorsers and companies/marketers, and to address celebrity endorsers. While contained in the Code of Federal Regulations, they are administrative interpretations only; deceptive advertising is governed by the Federal Trade Commission Act and state deceptive trade statutes, as well as other truth-in-advertising laws.

There are four principles at the heart of the Endorsement Guides:

  1. Endorsers should only endorse products they have tried, and should only say they use a product if they were a bona fide user at the time the endorsement was given.
  2. Endorsements must be truthful and not misleading (either expressly or by implication).
  3. Endorsers and companies/marketers should only make claims about a product if they have proof substantiating those claims.
  4. Endorsers and companies/marketers must disclose a material connection between an advertiser and an endorser if the connection may result in a perceived bias in the endorsement. A “material connection” is a connection between the person endorsing the product and the company which is producing or marketing the product which might materially affect the weight or the credibility given to the endorsement by its audience, such as but not limited to a business/family relationship, receipt of a payment, or receipt of a free product.

The guides include dozens of examples of real-world situations and how each situation should be treated under the Endorsement Guides. They are worth a careful read. If you find examples that align with your own current or planned marketing strategies and activities, read them carefully to ensure you understand what behavior the FTC expects in that situation.

The FTC’s FAQ on the Endorsement Guides

Released in 2010 and updated in 2015, the FTC supplemented the Endorsement Guides with a set of frequently-asked-questions titled The FTC’s Endorsement Guides: What People Are Asking (the “Endorsement FAQs“). The Endorsement FAQs collect frequently asked questions from companies, marketers, bloggers and others and provide answers from the FTC to supplement the guidance and examples provided in the Endorsement Guides. The FTC’s answers are extremely important as they provide important insight on how the FTC would likely come down on a particular position.

In September 2017, the FTC updated and modernized the Endorsement FAQs. Some of the key changes were:

  • The FTC made clear that if an individual endorser continues to fail to make required disclosures despite warnings, it may take action against that individual endorser.
  • New FAQs were added regarding donations to charity in return for a product review; family and friends eating for free at a new restaurant; YouTubers receiving free gifts in the hopes of a review; bloggers receiving free travel to a new product launch event; Instagram posts with a tag of the brand of clothing being worn; aspirational endorsements; reciprocal endorsements (“I’ll endorse your product if you endorse mine”); bloggers located outside the US targeting a US audience; where to place disclosures in Instagram posts; whether endorsers can rely on a social media platform’s built-in disclosure functionality; where the disclosure can be placed; disclosures for summary ratings including reviewers who have a material connection; and whether an employee’s like or share of a company’s post requires an endorsement disclosure.

These recent updates, and the FTC’s “shots across the bow” of online influencers in April and September 2017, likely signal the FTC’s intention to more aggressively crack down on online influencers and others in the endorsement ecosystem (especially in the social media space) for endorsements that run afoul of the Endorsement Guides and the Endorsement FAQs or otherwise constitute deceptive advertising or trade practices.

Suggested Best Practices and Closing Thoughts

Here are some key takeaways from the Endorsement Guides and the Endorsement FAQs to keep in mind as you move forward with requesting or providing endorsements:

  • If there’s an actual, potential or perceived material connection, disclose it. If there’s a material connection between an online influencer, trusted source, or other endorser and the owner or marketer of the product/service being endorsed, e.g., an influencer is paid or receives a free product, free service, or other material benefit which may be perceived by a potential customer as biasing the endorsement, the endorsers must ensure the connection is disclosed (unless the connection is clear from the context of the endorsement). If you’re on the fence as to whether a connection is material or not, disclose that too. Remember to look at it from the correct perspective — it’s not whether the endorser thinks the received consideration affects his or her endorsement of the product or service, but whether knowing about the consideration could affect how the audience views the endorsement and/or create a perception of bias.
  • Make disclosures easy to understand (e.g., unambiguous). Disclosures such as “#partner” or “thanks to [company/advertiser]” are not sufficient as while they may disclose there’s some relationship between the endorser and the company/advertiser, they do not specify the nature of that relationship. While an endorser does not need to specify the details of the compensation received, he/she needs to disclose that the post, review or other endorsement is sponsored (as long as you’re not misleading your audience on how much compensation you received), and ensure the identity of the sponsor is clear. The Endorsement FAQs disclosures reference “#ad” or “#sponsored” as hashtags that denote that an ad, post, review, etc. is an advertisement or sponsored by the company/advertiser (don’t use “#sp” as it’s not sufficiently unambiguous). For an influencer who receives free products, saying “Thanks to [company/advertiser] for the free [product received]” may be sufficient. If you are an employee of or consultant to a company whose products or services you are endorsing, “#employee” or “#consultant” is not sufficiently unambiguous – “#ABC-Employee,” “#ABC-Ambassador,” or “#ABC-Consultant” is less ambiguous, where “ABC” is the company or brand name of the product/service you are endorsing. If you’re running an online context, ensure the disclosure clearly states it is part of a sweepstakes or contest, e.g., “#ABC_contest” or “#ABC_sweepstakes” (but not “sweeps”). Think about the hashtag from a consumer’s perspective — could they figure out the connection between the endorser and the company/advertiser within the context of the ad within no more than a second or two?
  • Make disclosures hard to miss (clear and conspicuous). Disclosures must appear clearly and conspicuously so they are hard to miss. Ensure the disclosure appears before the “more” link or button in digital marketing, and “above the fold” in printed marketing – consumers should not have to click anything or take any additional action to see the disclosure, i.e., they should not have to look for it. Make sure the disclosure stands out. Don’t put it in a string of tags/hashtags, as it’s more likely to be missed (i.e., it’s not conspicuous) – ensure it’s separated out, such as at the start of the advertisement, or in bold and separated with a divider (“|”) before the other hashtags at the end. In an image, superimpose the disclosure in a way that’s easy to notice and easy to read in the time a viewer is looking at the image. In videos, ensure the disclosure is on screen long enough to be seen, read, and understood by the viewer; for longer videos, consider repeating the disclosure at appropriate intervals. Don’t combine your name with “ad” in a hashtag as it makes the fact that the post is an advertisement easier to miss. If a social media platform offers a disclosure tool, it’s up to the endorser and the company/advertiser to ensure that the tool provides a clear and conspicuous disclosure of the material connection, otherwise they should use a different disclosure.
  • Companies/advertisers must educate and monitor their influencers, trusted sources, and other endorsers. The FTC has specifically noted that companies and their advertisers have a responsibility to educate their influencers, trusted sources, and other endorsers on the rules and requirements for making endorsements (including disclosing material connections), and for monitoring what those parties are doing from an endorsement perspective. Ensure you have a well-documented enforcement process and that it is being followed. Companies should ensure their social media/brand ambassador policies address posts and other communications by influencers and other endorsers, and provide the policies to their endorsers. Companies that do not currently have such policies should strongly consider putting them in place.
  • Remember the bigger picture – deceptive and unfair trade practices. All parties in the endorsement ecosystem should remember that the Endorsement Guides and the Endorsement FAQs are built on the foundation of the FTC Act and the FTC’s authority to regulate advertising practices, and are designed to help businesses and endorsers avoid endorsement activities that constitute deceptive or unfair advertising prohibited by the FTC Act. The concept of clear, conspicuous, and unambiguous disclosures applies to, but goes far beyond the ecosystem of, endorsements.

Finally, remember that changes to the Endorsement Guides and Endorsement FAQs are far outpaced by change in the world of online marketing. Pay attention to the release date of all FTC documents and guidance, and remember that the FTC’s answers were based on the world as of that date. If an assumption or a fact cited by the FTC in its answer is inaccurate or otherwise out of date, talk with marketing counsel as to the impact on the FTC’s stated position. If you’re looking for guidance on how to apply new technologies or marketing approaches to endorsements in a compliant fashion, think of the Endorsement Guides and Endorsement FAQs as tea leaves which can be read to help you take the temperature of how the FTC is likely to view that new technology or approach. The best thing parties in the endorsement ecosystem can do is to be familiar with the Endorsement Guides and Endorsement FAQs and use them to guide their endorsement strategy and approach to keep them in the middle of the herd from a compliance perspective.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

“Consumer Disclosure Icons” in Mobile and Social Marketing

The advent of mobile and social marketing has created a significant headache for attorneys and marketers alike.  The FTC has stated that consumer disclosure requirements to avoid deception (e.g., ensuring that disclosures are clear and conspicuous, are in close proximity to the statement requiring the disclosure, are sufficiently prominent, are in understandable language, are not hidden behind a non-descriptive hyperlink, etc.) apply to marketers regardless of the medium in which they are delivered.  Whether you’re delivering a marketing communication via email to a desktop computer, via social media, or to a mobile or wearable device, these rules apply.

The result is an understandable tension between attorneys trying to ensure that required disclosures are being made to control risk, and marketers seeking to deliver a compelling message and CTA (call to action) in a limited amount of space.  Attorneys need to partner with their marketing brethren to find creative solutions to achieve both goals.

One idea for common ground here from an industry perspective worth pitching is to develop a set of standard “consumer disclosure icons,” or CDIs, that use a single character to denote a standard marketing disclosure phrase, e.g., “additional purchase required,” “no purchase necessary,” “subscription required,” “terms and conditions apply,” “sponsored promotion,” “paid advertisement,” etc.  These could be something as simple as a set of initials in a box, such as the following for “no purchase necessary”:

NPN

Using these as a single character in a standard browser font would mean each CDI only takes up one character in a text-based communication, freeing up valuable real estate for the communication itself.  Each could be a hyperlink to a page with explanations of the meanings of standard CDIs.  Companies would want to use them consistently, e.g., at the end of each paragraph with claims triggering a disclosure.

CDIs would not work for non-standard disclosures, and companies would need to be careful not to improperly use CDIs where a custom disclosure is required.

Through efforts such as “Operation Full Disclosure” in September 2014, the FTC is looking to the industry to demonstrate their compliance with standard consumer marketing requirements even as the medium in which these messages are delivered continues to evolve (and shrink in size).  Devising a set of consumer disclosure icons for common disclosures in visual mobile and social marketing may be a solution embraceable by marketers, attorneys and regulators alike.

FTC opens their nationwide tour to promote Start with Security

It’s not the latest group on tour with a band name and album name that needed a lot more thought.  Earlier this year, the FTC announced that they would be releasing guidance for businesses on data security.  In June, they did just that, releasing a guide called Start with Security: A Guide for Business.  It’s subtitled “Lessons Learned From FTC Cases” for a reason — it uses the 50+ FTC enforcement actions on data security to provide ten lessons companies should learn when approaching to security to avoid others’ missteps that led to enforcement actions, and practical guidance on reducing risks.  The lessons are:

  1. Start with security.  The FTC has long advocated the concept of “privacy by design,” meaning companies should bake an understanding of and sensitivity to privacy into every part of the business, making it part of the design process for new products and processes.  The FTC is advocating a similar concept of “security by design.” Guidance:  don’t collect personal information you don’t need (the RockYou enforcement action); don’t use personal information when it’s not necessary (Accretive and foru International); don’t hold on to information longer than you have a legitimate business need for it (BJ’s Wholesale Club).
  1. Control access to data sensibly.  Keep data in your possession secure by controlling access to it – limit access to those with a need to know for a legitimate business purpose (e.g., no shared user accounts, lock up physical files). Guidance: don’t let employees access personal information unless they need to access it as part of their job (Goal Financial); don’t give administrative access to anyone other than employees tasked administrative duties (Twitter).
  1. Require secure passwords and authentication.  Use strong password authentication and sensible password hygiene (e.g., suspend password after x unsuccessful attempts; prohibit common dictionary words; require at least 8 characters; require at least one upper case character, one lower case character, 1 numerical character, and 1 special character; prohibit more than 2 repeating characters; etc.)  Guidance: require complex and unique passwords (Twitter); store passwords securely (Guidance SoftwareReed ElsevierTwitter); guard against brute force attacks (Lookout ServicesTwitter, Reed Elsevier); protect against authentication bypass such as predictable resource location (Lookout Services).
  1. Store sensitive personal information securely (“at rest”) and protect it during transmission (“in motion”). Use strong encryption when storing and transmitting data, and ensure the personnel implementing encryption understand how you use sensitive data and can determine the right approach on a situation-by-situation basis.  Guidance: Keep sensitive information secure throughout the data life-cycle (receipt, use, storage, transmission, disposal) (Superior Mortgage Corporation); use industry-tested and accepted methods (ValueClick); make sure encryption is properly configured (FandangoCredit Karma).
  1. Segment your network and monitor who’s trying to get in and out.  Be sure to use firewalls to segment your network to minimize what an attacker can access.  Use intrusion detection and prevention tools to monitor for malicious activity.  Guidance: segment your network (DSW); monitor activity on your network (Dave & Buster’sCardsystem Solutions).
  1. Secure remote access to your network. Make sure you develop and implement a remote access policy, implement strong security measures for remote access, and put appropriate limits on remote access such as by IP address and revoking remote access promptly when no longer needed.  (The compromise of a vendor’s system via phishing, leading to remote network access, is how the Target breach started.)  Guidance: ensure remote computers have appropriate security measures in place, e.g., “endpoint security” (Premier Capital LendingSettlement OneLifeLock); put sensible access limits in place (Dave & Buster’s).
  1. Apply sound security practices when developing new products. Use “security by design” to ensure data security is considered at all times during the product development life-cycle.  Guidance: Train engineers in secure coding (MTS, HTC America, TrendNet); follow platform guidelines for security (HTC AmericaFandangoCredit Karma); verify that privacy and security features work (TRENDnetSnapchat); test for common vulnerabilities (Guess?).
  1. Make sure your service providers implement reasonable security measures. Make sure you communicate your security expectations to your service providers and vendors, and put their feet to the fire through contractual commitments and auditing/penetration testing. Guidance: put it in writing (GMR Transcription); verify compliance (Upromise).
  1. Put procedures in place to keep your security current and address vulnerabilities that may arise.  Data security is a constant game of cat-and-mouse with hackers – make sure to keep your guard up.  Apply updates to your hardware and software as they are issued, and ensure you are spotting vulnerabilities in, and promptly patching, your own software. Have a mechanism to allow security warnings and issues to be reported to IT.  Guidance: update and patch third-party software (TJX Companies); heed credible security warnings and move quickly to fix them (HTC AmericaFandango).
  1. Secure paper, physical media, and devices.  Lastly, while the focus these days seems to be on cybersecurity, don’t forget about physical security of papers and physical media.  Guidance: securely store sensitive files (Gregory NavoneLifelock); protect devices that process personal information (Dollar Tree); keep safety standards in place when data is en route (AccretiveCBR Systems); dispose of sensitive data securely (Rite AidCVS CaremarkGoal Financial).

As this guidance is based on what companies did wrong or didn’t do that led to FTC enforcement actions, it will be interesting to see how the FTC treats a company that suffers a data breach but demonstrates that they used reasonable efforts to comply with the FTC’s guidance.  I suspect the FTC will take a company’s compliance with this guidance into consideration when determining penalties in an enforcement action. The guidance is very high-level, so companies must rely on their IT and Legal teams to determine what steps, processes and protocols need to be implemented in alignment with the FTC’s guidance.

In addition to publishing the guide, the FTC has embarked on a conference series aimed at SMBs (small and medium-sized businesses), start-up companies, and developers to provide information on “security by design,” common security vulnerabilities, secure development strategies, and vulnerability response.  The first conference took place September 9 in San Francisco, CA; the second will take place November 5 in Austin, TX.

The FTC also announced a new website at which they’ve gathered all of their data security guidance, publications, information and tools as a “one-stop shop”.  You can find it at http://www.ftc.gov/datasecurity.