Ready or Not, New Proposition 65 Warnings and Lawsuits Are Coming – Are Your Products, Businesses, and Websites Ready?

If you’ve seen a “WARNING: This product contains a chemical known to the State of California to cause cancer” label on a product, or a similar sign in a business, you’ve seen a warning mandated by California’s Proposition 65 law.  Those warnings are about to get more specific and even more prevalent, and are about to go digital. Most companies doing business in California are working hard to be prepared for the changes to Prop 65 that will apply as of August 30, 2018.  Some companies still may not be aware of the changes and what they mean for their supply chain, as well as for their potential exposure to class action lawsuits and other legal trouble if they are not ready in time.

Here’s the background on what’s happening with Proposition 65, and why companies affected by it should move quickly to finish (or start) implementing processes and steps to ensure compliance.

 

What is Proposition 65?

Proposition 65, also known as the California Safe Drinking Water and Toxic Enforcement Act or “Prop 65,” is a “right to know” statute enacted by California voters in 1986.  Under Prop 65, businesses with 10 or more employees must in most cases provide “clear and reasonable” warnings before “knowingly and intentionally” exposing Californians to certain chemicals that cause cancer, birth defects, or other reproductive harm.  The warnings apply to exposure in products they purchase, whether used in their homes or in workplaces, as well as to environmental and occupational exposure.  Prop 65 is administered by the Office of Environmental Health Hazard Assessment (OEHHA), part of the California Environmental Protection Agency (CalEPA).

There are over 900 chemicals for which Prop 65 warnings are required, maintained on a list administered by the State of California (the “Prop 65 list”) which is updated annually. If a product contains or is made using, or an environment or occupation could expose Californians to, one or more chemicals on the Prop 65 list, and the exposure is not low enough that it does not pose a significant risk of cancer, birth defects, or other reproductive harm, a Prop 65 warning is required for that product, environment, or workplace.

While any “clear and reasonable” warning can satisfy the Prop 65 requirements, a business creating its own warnings runs a risk that they are determined to not be “clear” and/or “reasonable” and therefore deficient under Prop 65.  Fortunately, the State of California has promulgated “safe harbor” warnings that most companies use to satisfy their Prop 65 compliance requirements instead of developing their own warnings.

 

So what’s changed in Prop 65?

Under the current law, “clear and reasonable” Proposition 65 warnings are required for consumer products and environmental/occupational exposure to listed chemicals, and certain “safe harbor” warnings have been made available for use. The revisions to the law becoming effective August 30, 2018 (and applicable to products manufactured or refurbished on or after August 30, 2018) make a number of important changes and updates, including:

  • New and more detailed content and format requirements which replace the somewhat generic current Proposition 65 safe harbor warnings.
  • While the existing law tries to minimize the impact of the law to retailers, the changes clarify that manufacturers, producers, packagers, importers, suppliers, and distributors can either provide the required warning on the product via a label, or annually notify the downstream retailer of the warning requirements and provide all necessary warning materials and language to that retailer, shifting the burden to provide the warning to the seller and giving the upstream supply chain partner an affirmative defense if the retailer fails to provide the warning.
  • The new law contains more explicit transmission and placement requirements for consumer product, environmental, and occupational warnings.
  • As the existing law was written in the 1980s, it does not contain specific requirements for online sales.  The new law imposes specific Internet and catalog disclosure requirements.  For internet sales, the warning must be displayed in-line (or via specific hyperlink) on the product display page or otherwise prominently displayed prior to completing the purchase.  For catalog purchases, the warning must be included in a manner that clearly associates it with the item being purchased.  This is likely the most significant change, and the one that exposes online sellers to the most legal risk under Prop 65.

 

What are the new content and format warning requirements?

The revised regulations require different warnings based on the types of listed chemicals, number of listed chemicals, and method of transmission and placement. These include specialized safe harbor warnings for certain exposures, products, and places (from alcoholic beverages, to furniture, to amusement parks, to designated smoking areas, to restaurants, to hotels).

All new warnings require the word “WARNING” in bold capital letters, as well as a specific exclamation symbol (except for food labels) which is at least as big as the font used for the “WARNING” text.  Here is an example of a generic Prop 65 safe harbor warning for consumer products:

 

Do I have to provide warnings in languages other than English?

Only if the consumer information on the product label or packaging is also provided in languages other than English.  The Prop 65 warnings must be provided in each language in which consumer information is provided on the product label or packaging. If you use multiple languages on your product packaging, your Prop 65 warning labels must similarly be in multiple languages.

 

Why is compliance important?

Manufacturers, distributors, and retailers in the entire supply chain are potentially liable for failure to comply with the compliance requirements under Proposition 65. Prop 65 is enforceable not just by the California Attorney General, but by private parties such as consumer advocacy groups and “bounty hunters,” which has given rise to a cottage industry of parties suing companies for Prop 65 compliance violations. Penalties for violations can be as high as $2,500 per violation per day. Any time there is a change in regulatory requirements such as this, it opens the door for private party bounty hunters to file class action suits against companies slow to comply with the new requirements.

 

Do Prop 65 warnings apply just to electronics?

No. It applies to any products which contain a chemical on the Prop 65 list or which use such chemicals in the manufacturing process, and to environments and workplaces which may expose people to such chemicals.  Most plasticizers are on the Prop 65 list, meaning that if your product contains plastic or is manufactured using plasticizers, there’s a good chance your company needs to comply with Prop 65 warning requirements in connection with that product.  This includes plastic parts, enclosures, connectors, etc.

 

My company only sells B2B.  Does it still have to comply with the warning requirements?

Yes.  Prop 65 is designed to protect Californians from exposure to products both at home and in the workplace.  The Prop 65 warning requirements apply regardless of whether a product is sold through a B2C or B2B transaction, and regardless of whether a person is exposed at home or at work.

 

Do the warning requirements apply to new products only, or both new and refurbished products?

It covers both.  Refurbishment is a manufacturing process, and so the warning requirements also apply to refurbished products.  For example, if your business uses refurbished products to fulfill its warranty obligations, it must comply with Prop 65 requirements for those refurbished products.

 

What does my company need to do?

Update your Prop 65 warning signs and labels. Each company that sells products in California containing chemicals on the Proposition 65 list or manufactured using such chemicals, or which exposes Prop 65 chemicals environmentally or occupationally, must implement new Prop 65 warnings satisfying the new content and format requirements. This means working upstream in the supply chain to ensure manufacturers have properly determined if any chemicals on the Prop 65 list are used in the manufacture of products, that they are implementing the appropriate new safe harbor warnings, and that they are providing copies of warning materials for use downstream in the supply chain by online and catalog retailers.

Update your supply chain contracts.  The new law is the perfect opportunity to update your contracts with your suppliers, manufacturers, packagers, importers, and/or distributors.  Ensure they are contractually obligated to comply with Prop 65 labeling requirements (and that they agree not to push the burden downstream), and that they will indemnify your company if they do not. If your contracts have a “compliance with laws” representation, warranty, or obligation, you can point to that language if they push back on compliance.

Ensure you are considering all sales channels.  Take time to think through all of your sales channels.  Does your company use resellers, distributors, or other sales channels?  If your company is in one of the “upstream from retailer” supply chain roles, ensure you are complying with any obligations your company has under the changes to Prop 65 to provide information to downstream retailers.

Implement Prop 65 warnings on your B2C and B2B sales websites. For products sold online, the new Prop 65 warning must be clearly and prominently displayed by the seller prior to product purchase, e.g., above the fold and easy to see and not something that someone has to search for.  There are two main ways to do this:

  • The static way: Display a clear and prominent image of the Prop 65 warning on the product detail page. This requires the least work but means everyone using the online store, Californian or not, will receive the warning.  My guess is that most online retailers will opt for the static way.
  • The dynamic way: Display the Prop 65 warning during the checkout process if the purchaser enters a ship-to ZIP code in California.  This limits the user experience impact to Californians, but requires coding work to dynamically display warnings based both on the ZIP code and the SKUs in the cart (the SKU will need to trigger the specific warning associated with that product or product bundle).

For product catalogs, the warning label must be clearly and conspicuously displayed on the catalog product page.  For products sold via phone order, if the product is being shipped to California or the purchaser resides in California, the order-taker should read the Prop 65 warning while taking the order and ensure the consumer agrees to proceed with the transaction.

Don’t forget about phone orders and warranty replacements.  The changes to the law do not specifically address phone orders or warranty replacements.  With respect to phone orders, consider how to address this, e.g., consider whether to read the warning to a phone purchaser and require them to confirm that they wish to proceed with the transaction.  With respect to warranty replacements, consider sending the Prop 65 warning for the replacement product (if manufactured or refurbished on or after August 30, 2018) with the RMA information.

 

Where can I learn more about Proposition 65?

There are some excellent online resources to help you understand your company’s requirements under Prop 65, including:

 

Eric Lambert is counsel for the Transportation division of Trimble Inc., a geospatial solutions provider focused on transforming how work is done across multiple professions throughout the world’s largest industries. He supports the Trimble Transportation Mobility and Trimble Transportation Enterprise business units, leading providers of software and SaaS fleet mobility, communications, and data management solutions for transportation and logistics companies. He is a corporate generalist and proactive problem-solver who specializes in transactional agreements, technology/software/cloud, privacy, marketing and practical risk management. Eric is also a life-long techie, Internet junkie and avid reader of science fiction, and dabbles in a little voice-over work. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice.

 

Can Ad Targeting Equal Discrimination? What Companies Need to Know About Targeted Ad Discrimination and the Facebook Targeted Ads Lawsuit

Federal and state laws have long prohibited discrimination in employment, housing and credit-related marketing and advertising. Title VII of the Civil Rights Act prohibits employment discrimination based on ethnicity, national origin, and other protected characteristics, which includes prohibiting discriminatory practices in the marketing and advertising of employment opportunities based on their content or target audience. The Age Discrimination in Employment Act prohibits discriminatory employment practices related to people who are 40 or older. Title VIII of the Civil Rights Act (the Fair Housing Act) prohibits housing discrimination, including discriminatory practices in the marketing and advertising of housing opportunities. The Equal Credit Opportunity Act prohibits discrimination in credit transactions, including discriminatory practices in the marketing and advertising of credit opportunities. There are many state laws which provide similar protections to their citizens, such as the Minnesota Human Rights Act and the California Fair Employment and Housing Act.

Targeted advertising is an advertising method which allows online advertisers to target their advertising to a specific audience of potential purchasers/consumers based on certain audience traits or other criteria. This allows companies to realize a higher return on ad spend (ROAS) by ensuring advertising dollars spent through pay-per-click (PPC) or cost-per-impression (CPI) models are directed towards the most relevant, and presumably receptive, audience for the company’s ads. For example, if the target audience for your product or service is millennials, there is little value to having online advertising delivered to Generation X or Baby Boomers, as the number of purchases/leads you generate from that audience will not justify the ad spend on them.  If you use an online, untargeted banner advertisement, it will be displayed to every website visitor whether or not in your target demographic. Targeting your ad spend to millennials will increase the return on your advertising dollars by ensuring it’s seen by the audience most likely to be interested in your advertisement, generating sales, leads, or applicants for your company in a cost-effective manner.

Targeted Ad Discrimination

Social media platforms such as Facebook offer targeted advertising to advertisers on their platform. Facebook allows you to target your advertising audience based on a number of different characteristics, such as age, location (e.g., ZIP code), gender, ethnicity, education level, and interests. For most products and services, this is extremely valuable. But for advertisers of employment, housing and credit opportunities, using targeted advertising to limit or restrict the target audience in a protected class or group can create unintended liability under federal and state laws, which I call “targeted ad discrimination.” This is a new, and real, risk for the significant numbers of employers, housing providers, and credit companies that use online targeted advertising to market their opportunities, goods, and services.

The potential for targeted ad discrimination has not gone unnoticed by the Federal Trade Commission.  In its January 2016 report “Big Data: A Tool For Inclusion or Exclusion?”, the FTC noted that “[i]n some cases, the Department of Justice has cited a creditor’s advertising choices as evidence of discrimination” and that “whether a practice is unlawful under equal opportunity laws is a case-specific inquiry, and as such, companies should proceed with caution when their practices could result in disparate treatment or have a demonstrable disparate impact based on protected characteristics.”

The Facebook Lawsuit

In November 2016, a class action lawsuit was brought in the Northern District of California against Facebook alleging targeted ad discrimination, following a ProPublica article that highlighted the ability to use Facebook’s targeted advertising to exclude users by “ethnic affinity.” The plaintiffs in Mobley et al. v. Facebook, Inc., Case No. 5:16-cv-06440 (N.D.Cal.) allege that Facebook’s targeted advertising tools, which leverage the consumer profiles of its users created by Facebook, create a “pattern or practice” of facilitating discrimination against protected classes by employers and by providers of housing and credit by enabling them to target advertisements only to specific Facebook user groups or to exclude specific user groups from an advertisement’s audience, which has the result of targeting advertisements based on protected characteristics such as age, gender, ethnic background, or national origin.

Facebook has countered that targeted advertising allows brands to direct relevant advertising to audiences and that its advertising policies prohibit use of its targeted advertising tool for illegal purposes, and announced shortly after the lawsuit was filed that it would make changes intended to prevent the use of “ethnic affinity” marketing for housing, employment, and credit-related ads. It argues that it is shielded from liability under the Communications Decency Act, which protects online service providers from liability for third party content on their service. Facebook’s motion to dismiss is pending but on hold at the moment while the parties engage in mediation. ProPublica reported in November 2017 that it was still able to post rental housing ads on Facebook that they claim discriminated against ethnic groups. It remains to be seen whether Facebook will bear any liability for providing a targeted advertising solution that has the ability to be misused by its customers in violation of state and federal laws.

Advertisers Themselves May Face Liability, Too

In response to the uproar over potential interference with the 2016 US election, Facebook recently introduced new ad transparency features.  One aspect of these transparency features allows anyone to see information about the groups to which a Facebook ad is targeted. For example, by clicking on “Why am I seeing this?” on an advertisement in my Facebook feed for a Shark IONFlex™ vacuum, I was able to see the ad is targeted to “Member(s) of a family based household” who are “ages 18 to 64 who live in the United States.”  While this may be OK for an ad for a vacuum, it could cause problems for a housing, employment, or credit-related ad.

According to Joel O’Malley (a shareholder at Nilan Johnson Lewis, a Minneapolis firm specializing in defense-side employment law), the plaintiffs’ firm that filed suit against Facebook has begun leveraging Facebook’s ad transparency features to examine the targeting criteria for employment, housing and credit-related Facebook ads, and sending letters to companies advertising on Facebook threatening class action lawsuits for discrimination in employment, housing, or credit advertising due to exclusions or limitations in their targeted advertising based on age, ethnicity, gender, or other protected characteristics. It is very likely that other class action firms may “smell blood in the water” and start sending similar letters or filing actions against companies for targeted ad discrimination through Facebook. It is also likely that other targeted advertising platforms and tools may face similar scrutiny, and the users of those tools may face similar letters or actions alleging targeted ad discrimination. It is also possible the FTC will take an increased interest in targeted ad discrimination.

What Companies Should Do

  • Don’t wait to receive a letter or claim. Companies that use online advertising for employment, housing, or credit-related purposes should review their use of targeted advertising and the content of their targeted ads, and ensure targeted ads are composed and posted in a manner that does not give rise to a targeted ad discrimination claim. For example, ensure there are no age or ethnicity restrictions on job postings.
  • Educate relevant internal stakeholders about targeted ad discrimination and the importance of being careful when using targeted advertising with certain types of advertisements, and what they should do if they receive a communication from a law firm regarding targeted ad discrimination.
  • Consider engaging an employment law defense firm, or reach out to your existing employment law defense firm, to assist with a review of your company’s job postings to determine whether you are at risk and what steps can be taken to mitigate any discovered risk. For example, Nilan Johnson Lewis has developed an audit tool for its corporate clients to assess each employer’s unique level of risk.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He is a corporate generalist who specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

Why (and What) You Need to Know About the FTC’s Endorsement Guides and FAQs

Endorsements are an important tool in the marketing and promotional toolbox used by both companies and individuals. A slightly paraphrased version of the FTC’s definition of an endorsement is a message, such as a statement, demonstration, or other communication, by a party not the manufacturer, provider or advertiser of a product or service which contains that third party’s opinions, beliefs, findings, or experiences regarding that product or service (which may be the same as those of the product/service manufacturer/provider or its advertiser).

LinkedIn profiles are chock full of professional endorsements and recommendations by colleagues, peers and others. Companies rely on endorsements to increase brand awareness, promote marketing communications, and drive sales. Traditionally, a company’s brand awareness or marketing message was spread through “word of mouth” by individuals who had a satisfying experience with that company’s products or services. Think back to the old 80’s Faberge Shampoo commercial with a person saying you’ll love the product and that “you’ll tell two friends, and they’ll tell two friends, and so on, and so on, and so on….” If a family member, good friend, or other trusted individual shares a positive review of or experience with a product or service, the logic is that you’ll be more inclined to learn more about it and/or give it a try based on an endorsement from a “trusted source.” Companies and their advertisers use paid celebrities as another form of trusted source to promote their products and services. More recently, a new category of trusted sources has arisen – bloggers and other online personalities, or “influencers,” who regularly provide their followers with their thoughts and opinions (often positive), including on products and services they use. Additionally, companies may seek to leverage their employees as trusted sources by asking them to re-tweet marketing messages and posts.

An unbiased endorsement based solely on a trusted source’s positive experience with the product or service is the best source of information for potential customers. But would a potential customer put the same stock in an endorsement if they knew that the trusted source providing the endorsement works for, received some tangible or intangible compensation or benefit from, or has some other material connection to the company or its advertiser whose products or services they are endorsing? For the last few years, the FTC has been paying more and more attention to online endorsers and influencers. In April 2017, the FTC sent over 90 letters to various influencers and the marketers of brands endorsed by those influencers, highlighting the requirement to clearly and conspicuously disclose any material connection between the endorser and advertiser. The FTC has also recently added to its guidance regarding online influencers, and in early September 2017 announced their first enforcement action against two individual online influencers for failing to properly disclose their material connection with the company whose product they were endorsing. This may be just the start of more aggressive enforcement by the FTC against influencers, trusted sources, and others who do not “follow the rules” regarding endorsements.

How can companies/marketers and endorsers/influencers avoid trouble when making endorsements? As with many areas of compliance, consider a “center of the herd” approach. The animals in the center of the herd are not the ones that typically get picked off – it’s the ones out in front (e.g., those most desperate for water or who have another need to be first) and those in the rear (e.g., those not paying attention, who can’t keep up, or just don’t care). The same applies in business – the companies more likely to be fined or penalized are those who are willing to take aggressive risks to be in front of the pack, or the ones bringing up the rear due to a lack of focus on, or disregard for, compliance. The FTC has released a set of guides and FAQs to provide guidance to all parties involved with endorsements. Being familiar with these guides and FAQs, and following best practices such as the ones described at the end of this article, can help ensure both you and your company are in the “center of the herd” when it comes to endorsements.

The FTC Guides Concerning Use of Endorsements and Testimonials in Advertising

The FTC has offered guidance for decades on the issue of biased endorsements in marketing: the FTC’s Guides Concerning Use of Endorsements and Testimonials in Advertising (16 CFR Part 255) (the “Endorsement Guides”), which apply to endorsements by consumers, celebrities, experts, and organizations. The Endorsement Guides were updated in 2009 to remove the “results not typical” safe harbor disclosure in endorsements and testimonials, to address connections between endorsers and companies/marketers, and to address celebrity endorsers. While contained in the Code of Federal Regulations, they are administrative interpretations only; deceptive advertising is governed by the Federal Trade Commission Act and state deceptive trade statutes, as well as other truth-in-advertising laws.

There are four principles at the heart of the Endorsement Guides:

  1. Endorsers should only endorse products they have tried, and should only say they use a product if they were a bona fide user at the time the endorsement was given.
  2. Endorsements must be truthful and not misleading (either expressly or by implication).
  3. Endorsers and companies/marketers should only make claims about a product if they have proof substantiating those claims.
  4. Endorsers and companies/marketers must disclose a material connection between an advertiser and an endorser if the connection may result in a perceived bias in the endorsement. A “material connection” is a connection between the person endorsing the product and the company which is producing or marketing the product which might materially affect the weight or the credibility given to the endorsement by its audience, such as but not limited to a business/family relationship, receipt of a payment, or receipt of a free product.

The guides include dozens of examples of real-world situations and how each situation should be treated under the Endorsement Guides. They are worth a careful read. If you find examples that align with your own current or planned marketing strategies and activities, read them carefully to ensure you understand what behavior the FTC expects in that situation.

The FTC’s FAQ on the Endorsement Guides

Released in 2010 and updated in 2015, the FTC supplemented the Endorsement Guides with a set of frequently-asked-questions titled The FTC’s Endorsement Guides: What People Are Asking (the “Endorsement FAQs”). The Endorsement FAQs collect frequently asked questions from companies, marketers, bloggers and others and provide answers from the FTC to supplement the guidance and examples provided in the Endorsement Guides. The FTC’s answers are extremely important as they provide important insight on how the FTC would likely come down on a particular position.

In September 2017, the FTC updated and modernized the Endorsement FAQs. Some of the key changes were:

  • The FTC made clear that if an individual endorser continues to fail to make required disclosures despite warnings, it may take action against that individual endorser.
  • New FAQs were added regarding donations to charity in return for a product review; family and friends eating for free at a new restaurant; YouTubers receiving free gifts in the hopes of a review; bloggers receiving free travel to a new product launch event; Instagram posts with a tag of the brand of clothing being worn; aspirational endorsements; reciprocal endorsements (“I’ll endorse your product if you endorse mine”); bloggers located outside the US targeting a US audience; where to place disclosures in Instagram posts; whether endorsers can rely on a social media platform’s built-in disclosure functionality; where the disclosure can be placed; disclosures for summary ratings including reviewers who have a material connection; and whether an employee’s like or share of a company’s post requires an endorsement disclosure.

These recent updates, and the FTC’s “shots across the bow” of online influencers in April and September 2017, likely signal the FTC’s intention to more aggressively crack down on online influencers and others in the endorsement ecosystem (especially in the social media space) for endorsements that run afoul of the Endorsement Guides and the Endorsement FAQs or otherwise constitute deceptive advertising or trade practices.

Suggested Best Practices and Closing Thoughts

Here are some key takeaways from the Endorsement Guides and the Endorsement FAQs to keep in mind as you move forward with requesting or providing endorsements:

  • If there’s an actual, potential or perceived material connection, disclose it. If there’s a material connection between an online influencer, trusted source, or other endorser and the owner or marketer of the product/service being endorsed, e.g., an influencer is paid or receives a free product, free service, or other material benefit which may be perceived by a potential customer as biasing the endorsement, the endorsers must ensure the connection is disclosed (unless the connection is clear from the context of the endorsement). If you’re on the fence as to whether a connection is material or not, disclose that too. Remember to look at it from the correct perspective — it’s not whether the endorser thinks the received consideration affects his or her endorsement of the product or service, but whether knowing about the consideration could affect how the audience views the endorsement and/or create a perception of bias.
  • Make disclosures easy to understand (e.g., unambiguous). Disclosures such as “#partner” or “thanks to [company/advertiser]” are not sufficient as while they may disclose there’s some relationship between the endorser and the company/advertiser, they do not specify the nature of that relationship. While an endorser does not need to specify the details of the compensation received, he/she needs to disclose that the post, review or other endorsement is sponsored (as long as you’re not misleading your audience on how much compensation you received), and ensure the identity of the sponsor is clear. The Endorsement FAQs disclosures reference “#ad” or “#sponsored” as hashtags that denote that an ad, post, review, etc. is an advertisement or sponsored by the company/advertiser (don’t use “#sp” as it’s not sufficiently unambiguous). For an influencer who receives free products, saying “Thanks to [company/advertiser] for the free [product received]” may be sufficient. If you are an employee of or consultant to a company whose products or services you are endorsing, “#employee” or “#consultant” is not sufficiently unambiguous – “#ABC-Employee,” “#ABC-Ambassador,” or “#ABC-Consultant” is less ambiguous, where “ABC” is the company or brand name of the product/service you are endorsing. If you’re running an online contest, ensure the disclosure clearly states it is part of a sweepstakes or contest, e.g., “#ABC_contest” or “#ABC_sweepstakes” (but not “sweeps”). Think about the hashtag from a consumer’s perspective — could they figure out the connection between the endorser and the company/advertiser within the context of the ad within no more than a second or two?
  • Make disclosures hard to miss (clear and conspicuous). Disclosures must appear clearly and conspicuously so they are hard to miss. Ensure the disclosure appears before the “more” link or button in digital marketing, and “above the fold” in printed marketing – consumers should not have to click anything or take any additional action to see the disclosure, i.e., they should not have to look for it. Make sure the disclosure stands out. Don’t put it in a string of tags/hashtags, as it’s more likely to be missed (i.e., it’s not conspicuous) – ensure it’s separated out, such as at the start of the advertisement, or in bold and separated with a divider (“|”) before the other hashtags at the end. In an image, superimpose the disclosure in a way that’s easy to notice and easy to read in the time a viewer is looking at the image. In videos, ensure the disclosure is on screen long enough to be seen, read, and understood by the viewer; for longer videos, consider repeating the disclosure at appropriate intervals. Don’t combine your name with “ad” in a hashtag as it makes the fact that the post is an advertisement easier to miss. If a social media platform offers a disclosure tool, it’s up to the endorser and the company/advertiser to ensure that the tool provides a clear and conspicuous disclosure of the material connection, otherwise they should use a different disclosure.
  • Companies/advertisers must educate and monitor their influencers, trusted sources, and other endorsers. The FTC has specifically noted that companies and their advertisers have a responsibility to educate their influencers, trusted sources, and other endorsers on the rules and requirements for making endorsements (including disclosing material connections), and for monitoring what those parties are doing from an endorsement perspective. Ensure you have a well-documented enforcement process and that it is being followed. Companies should ensure their social media/brand ambassador policies address posts and other communications by influencers and other endorsers, and provide the policies to their endorsers. Companies that do not currently have such policies should strongly consider putting them in place.
  • Remember the bigger picture – deceptive and unfair trade practices. All parties in the endorsement ecosystem should remember that the Endorsement Guides and the Endorsement FAQs are built on the foundation of the FTC Act and the FTC’s authority to regulate advertising practices, and are designed to help businesses and endorsers avoid endorsement activities that constitute deceptive or unfair advertising prohibited by the FTC Act. The concept of clear, conspicuous, and unambiguous disclosures applies to, but goes far beyond the ecosystem of, endorsements.

Finally, remember that changes to the Endorsement Guides and Endorsement FAQs are far outpaced by change in the world of online marketing. Pay attention to the release date of all FTC documents and guidance, and remember that the FTC’s answers were based on the world as of that date. If an assumption or a fact cited by the FTC in its answer is inaccurate or otherwise out of date, talk with marketing counsel as to the impact on the FTC’s stated position. If you’re looking for guidance on how to apply new technologies or marketing approaches to endorsements in a compliant fashion, think of the Endorsement Guides and Endorsement FAQs as tea leaves which can be read to help you take the temperature of how the FTC is likely to view that new technology or approach. The best thing parties in the endorsement ecosystem can do is to be familiar with the Endorsement Guides and Endorsement FAQs and use them to guide their endorsement strategy and approach to keep them in the middle of the herd from a compliance perspective.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

5 Proactive Steps For Employers and Businesses in a Post-Equifax World

Companies should proactively prepare for changes in consumer behavior and corporate responsibility.

By now, most people have heard about the massive data breach at Equifax, one of the four US credit bureaus along with Experian, TransUnion and Innovis, affecting 143 million people. Credit bureaus (also known as consumer reporting agencies) compile and keep a file containing a person’s credit history, including things like the types of credit, how long credit accounts have been open, how much available credit is utilized/available, whether bills are paid on time, late payments/collection notices/foreclosure notices, and public records such as liens and bankruptcies, as well as personal information such as Social Security Number (SSN), date of birth (DOB), and current and previous addresses. Credit bureaus make a report of a person’s credit history (their “credit report”) available to that person, and to employers and other businesses.

Employers and businesses often want to base decisions on whether to offer a person their products or services such as a loan/mortgage/credit offer, the interest rate to charge on that offer, a cell phone plan, an insurance policy, etc., or extend that person an offer of employment or a lease, on as much available relevant information as possible.  This often includes a review of that person’s credit history. Credit reporting agencies monetize accumulated credit history and associated personal information by making credit reports available to employers, insurers, service providers and other businesses for a fee, as permitted by applicable law. If an employer or business wants to obtain your credit report, they obtain your permission to access your report as required by law and ask you to provide certain sensitive personal information about you which they will use to request your report, and they pay a fee to one or more of the credit bureaus to receive a copy of your credit report.

Many employers and businesses rely on easy access to credit reports.  However, this may be one of the more likely casualties of the Equifax breach. As noted earlier, 143 million Americans may now be at risk for identity theft using their sensitive personal information from this one breach event alone. Unlike a credit card number, which can be changed in the event the data is compromised, SSNs and DOBs (which were compromised in the Equifax breach) can’t be changed. This is why the Equifax breach is so significant – unlike most previous breaches, the scale of this breach and the nature of information compromised mean that consumers will be at risk for, and must remain vigilant for, identity theft for the rest of their lives, which will likely drive changes in the way people monitor and manage their credit reports and sensitive personal information.

Most of the advice and guidance regarding the Equifax breach to date has been consumer-focused – what consumers can and should do to protect themselves in the post-Equifax world. This includes recommendations for more robust use of credit freezes currently offered by the credit bureaus and use of third party monitoring services which alert consumers to (or require the consumer’s approval for) changes in their credit report, representing a shift in the spectrum towards consumer identity protection and away from access to easy credit such as point-of-sale, “save 20% if you open an account today”-type offers requiring an instant check of your credit. It is also likely the earthquake caused by the Equifax breach will result in additional security and legal requirements not just for credit bureaus, but for all companies possessing sensitive personal information such as SSNs and DOBs, as well as industry-driven or legislatively-mandated enhanced best practices and/or new ways for consumers to help them control access to their credit reports in an effort to minimize identity theft, such as a tool to manage security freezes at all three credit bureaus simultaneously and make it easier to impose, and temporarily lift, such freezes. The Equifax breach is also likely to increase consumer acceptance of more complex login processes, such as multi-factor authentication.

Employers and businesses should start thinking about how they can and should adapt to the coming post-Equifax changes in consumer and credit bureau behavior, and increases in corporate responsibility with respect to security and collection/use of sensitive personal information. By taking proactive steps, companies can demonstrate to their employees and customers that they are sensitive to the importance of identity protection and security. Here are 5 proactive steps companies may want to consider:

1. Address consumer credit freeze/release approval in the new employee hiring process and other processes requiring a consumer credit check (such as point-of-sale credit offers).

While implementing a credit freeze will help protect a person from identity theft, it’s not without its drawbacks. As of today, these drawbacks include the need to separately implement or lift freezes on a per-credit bureau basis, and the fact that the freeze must be lifted (temporarily or permanently) before an employer or business can perform a credit check. Despite this drawback, more people will likely implement credit freezes in the post-Equifax world, which will impact companies’ ability to easily complete background checks or receive point-of-sale credit offers.

  • Employers and other businesses performing a consumer credit check should anticipate this and consider proactively modifying their credit check process by adding a question to their credit report authorization form asking whether a person has a credit freeze, or whether that person’s approval is required for the release of their credit report. If that person answers “yes,” the employer or business should have a standard exception process to work with that person to ensure the freeze is temporarily lifted, or approval for the credit check is given, so the employer or business can perform the credit check.
  • Retailers offering point-of-sale credit offers should consider ensuring their offer disclosures include a statement that people with credit freezes may not be eligible for the offer due to the inability to verify their credit history. For those businesses which use sales associates to offer point-of-sale promotions, consider requiring them to ask whether the consumer has a credit freeze in place, and if so notify them if the freeze renders them ineligible for the offer.

Employers and businesses should also know which credit bureau(s) they use for background checks, and be prepared to provide this information to make it as easy as possible for a prospective employee or customer to implement a temporary lift of the credit freeze. It may be worth having a short URL handy which can be provided to a prospective employee or customer who wants to temporarily lift their credit freeze to enable them to take advantage of the offer on the spot or at a later time.

2. Enable multi-factor authentication for access to online services and consumer portals.

Most businesses use a username and password as access credentials. Some, but not all, have moved to a more secure authentication mechanism known as multi-factor authentication. Multi-factor authentication requires a user to provide not only a username, but two or more of the following “authentication elements” to validate the user’s identity: (1) something you know (e.g., a password, the answer to a challenge question), (2) something you have (e.g., a one-time PIN or password or a code delivered specifically through the user’s mobile device), and/or (3) something you are (e.g., facial recognition or fingerprint). Each factor must be independent of the others so that knowing one factor does not reveal another. Other data, such as geolocation information or time-based access requirements, can be used as well. The most commonly-known type of multi-factor authentication is two-factor authentication, where two authentication elements (of which one is typically a password) are required. Multi-factor authentication helps reduce the chance a bad actor could successfully exploit a username and password obtained through a security breach, through phishing, or through other social engineering attack vectors. Companies can use multi-factor authentication to demonstrate to their users (and potential users) that they place a high value on security.

Some companies argue that the burden of providing additional verification does not outweigh the simplicity of a username/password, especially where the company is not collecting any sensitive personal information. However, multi-factor authentication is an industry standard in certain areas, such as under the current Payment Control Industry Data Security Standard (PCI-DSS) for companies that are required to be PCI compliant, and will likely continue to gain traction as an industry standard, or customer expectation, in other areas. The National Institute of Standards and Technology (NIST) recommends using multi-factor authentication wherever possible. For companies where multi-factor authentication is not an industry standard or legal requirement, consider offering multi-factor authentication anyway, or offering it as an enhanced security option to customers concerned about protecting access to their accounts.

3. Evaluate whether there is a true need to collect SSNs and DOBs from consumers, and/or whether there are other creative ways to validate SSN and DOB information.

Companies which collect Social Security Numbers or dates of birth from their users should consider whether the collection of this information is truly required. One of the core tenets of data privacy is the Collection Limitation principle, which advocates for limits on companies’ collection of personal data. HIPAA takes this a step further and applies a “minimum necessary standard” – companies should limit the use and disclosure of collected personal information to the minimum necessary to accomplish the intended purpose. Companies should consider following HIPAA’s “minimum necessary standard” even if they are not subject to HIPAA. With respect to sensitive personal information such as SSN and DOB, companies should look carefully at whether they truly need to collect this information, and for what purpose. If there is another way to accomplish the same goal without collecting the information, consider implementing that alternative approach. Here are two examples:

  • With respect to SSNs, instead of asking for a user’s SSN for validation purposes, consider asking for the sum of the digits in their SSN, or the sum of the digits in their SSN plus the digits in their home street address. This provides a strong identity validation mechanism without the need to capture and store SSNs.
  • With respect to DOBs, if validating a user’s age (e.g., for COPPA purposes), consider whether the month and year is sufficient, and keep a flag indicating that the age information was verified instead of the month/year information itself.
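To size the digit-sum check described above, this added example (not part of the original post) counts how many SSN-length numbers share each digit sum and derives the false-accept rate and information content of the answer. It assumes every nine-digit string is equally likely and, for the street-address variant, a four-digit house number; both are simplifying assumptions.

```python
"""Added example: how much a digit-sum answer can distinguish one person from another."""
from math import log2

SSN_DIGITS = 9          # length of a Social Security Number
HOUSE_NO_DIGITS = 4     # assumed length of a street number (illustrative only)


def digit_sum_counts(n_digits: int) -> list[int]:
    """counts[s] = number of n-digit strings (leading zeros allowed) whose digits sum to s."""
    counts = [1]  # zero digits: only the empty string, with sum 0
    for _ in range(n_digits):
        nxt = [0] * (len(counts) + 9)
        for s, c in enumerate(counts):
            for d in range(10):
                nxt[s + d] += c
        counts = nxt
    return counts


def false_accept_rate(n_digits: int, attempts: int = 1) -> float:
    """Probability that a submitter who does not know the number is accepted
    within `attempts` tries, when the most common sums are tried first."""
    counts = sorted(digit_sum_counts(n_digits), reverse=True)
    return sum(counts[:attempts]) / 10 ** n_digits


def answer_entropy_bits(n_digits: int) -> float:
    """Shannon entropy of the digit-sum answer, in bits."""
    total = 10 ** n_digits
    return -sum((c / total) * log2(c / total)
                for c in digit_sum_counts(n_digits) if c)


def summarize(n_digits: int, attempts: int = 3) -> dict:
    """Collect the figures a reviewer would want when sizing the check."""
    counts = digit_sum_counts(n_digits)
    return {
        "distinct_answers": len(counts),
        "numbers_sharing_most_common_sum": max(counts),
        "false_accept_1_try": false_accept_rate(n_digits, 1),
        f"false_accept_{attempts}_tries": false_accept_rate(n_digits, attempts),
        "answer_bits": answer_entropy_bits(n_digits),
        "full_number_bits": n_digits * log2(10),
    }


if __name__ == "__main__":
    for label, n in (("SSN digits only", SSN_DIGITS),
                     ("SSN + house number", SSN_DIGITS + HOUSE_NO_DIGITS)):
        print(label)
        for key, value in summarize(n).items():
            print(f"  {key}: {value:,.4f}" if isinstance(value, float)
                  else f"  {key}: {value:,}")
```

Under these assumptions the nine-digit sum has 82 possible answers and carries about 5 bits, against roughly 30 bits for the full number, and adding the house-number digits changes that only slightly. Those figures are the ones to use when setting attempt limits and deciding what else the check should be paired with.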

4. Review and freshen (or implement) your incident response and incident communications plan(s).

To many, Equifax’s response has been a lesson in how not to manage communications regarding a security breach. Companies should take the opportunity to learn from Equifax’s missteps and review and freshen up their incident response and incident communication plan(s). For companies still without an incident response/incident communications plan, now is the time to ensure one is in place. A few things to consider:

  • According to press reports, the Equifax breach allegedly stemmed from the failure to timely implement a security update to the Apache Struts Web Framework. As part of incident response preparedness, work with IT to ensure that your company is actively monitoring for hardware/software security patches, and is applying them as quickly as possible following release.
  • There have been numerous reports regarding sales of Equifax stock valued at $1.8 million by three senior Equifax executives within days of Equifax’s discovery of the breach. While Equifax has stated that the executives were not aware of the breach, whether or not the executives (including the CFO and President of US Information Systems) had knowledge doesn’t really matter – the perception and optics of it are awful in the eyes of the public, the SEC, and state attorneys general. Consider ensuring that the entire senior team is notified immediately in the event of a security breach, and have your General Counsel or external breach counsel discuss with them the risks of continuing with any automated stock sale programs in light of the breach.

5. Consider offering credit monitoring as an employee benefit.

Finally, employers may want to consider adding credit monitoring as an employee benefit, by offering subsidized or free credit monitoring services to their employees through a partnership with a credit bureau or a third-party provider such as AllClear ID. While there are some questions as to the value of credit monitoring in protecting against identity theft, services that notify you and/or require your approval before a new account is opened can be very valuable in fighting identity theft. As the possibility of identity theft is becoming a fact of life in the 21st century, companies may find it beneficial to help their employees guard their identity. Among other benefits to companies, minimizing identity theft reduces the time employees need to take away from work, whether as PTO or lost productivity, to deal with the repercussions of having their identity stolen, and provides employees with increased peace of mind with respect to identity protection.

The New Revenue Recognition Standards Are Coming – Will You Be Ready?

Most companies measure their financial performance by the revenues and other compensation they earn through their business operations, which in many cases means the sale of goods or provision of services. Knowing when to recognize the proceeds from a sale of goods or provision of services as revenue is therefore critical to financial reporting. For many years, two different rules by two different standards organizations governed revenue recognition:

  1. The Financial Accounting Standards Board (“FASB”)’s Accounting Standards Codification (“ASC”) provides US generally accepted accounting principles (“GAAP”), including those governing revenue recognition. Under the current GAAP revenue recognition rule in ASC 605, revenue recognition varies by industry and in some cases by transaction, which makes revenue recognition a complex and difficult exercise in many situations.
  2. The International Accounting Standards Board (“IASB”)’s International Accounting Standards (“IAS”) provide an international standard for financial statements and accounting. Under the current international revenue recognition rule known as IAS 18, revenue recognition also varies by industry and transaction type, but IAS 18 provides less guidance than ASC 605, making it harder for companies to recognize revenue in a consistent fashion. The IASB is the successor to the International Accounting Standards Council (“IASC”) which originally promulgated the IAS.

In 2001, the IASB began replacing the IAS with new International Financial Reporting Standards (“IFRS”). In 2002, the FASB and IASB began collaborating on developing an improved, stronger, more robust, more useful, more consistent revenue recognition standard to make revenue recognition simpler and easier to consistently apply. This collaboration bore fruit 12 years later in May 2014, when the FASB and IASB released a converged revenue recognition standard titled Revenue from Contracts with Customers, codified as ASC 606 by FASB and IFRS 15 by IASB. Since 2014, there have been a few amendments (and implementation delays) by the FASB and IASB, and there have been a few small areas where the standards have diverged (e.g., the definition of what “probable” means). Despite this, for the most part the goal of a unified revenue recognition standard remains intact. These new standards will go into effect in December 2017 (for ASC 606) and January 2018 (for IFRS 15). All this background can be summarized in the following table:

[Table: a tabular representation of the history behind the ASC 606 / IFRS 15 revenue recognition standard.]

Here’s what you need to know about the new twin revenue recognition standards (for simplicity, this analysis is based on ASC 606):

How Revenue Recognition Works Under ASC 606/IFRS 15

To recognize revenue under the new standard, companies must do 5 things: (1) identify a customer contract, (2) identify the distinct performance obligations under that contract, (3) determine the transaction price (expected revenue), (4) allocate the expected revenue to the performance obligations, and (5) recognize allocated revenue when (or as) each performance obligation is satisfied. As stated in ASC 606, “an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.” As we go through each step, keep this visual representation in mind:

[Figure: ASC 606 Revenue Recognition Diagram]

Step 1 – Identify the contract(s) with a customer. The first step of the revenue recognition process is to identify a contract, i.e., an agreement creating enforceable rights and obligations among two (or more) parties. A contract must be signed or otherwise approved by the parties, must have identifiable rights and payment terms, have commercial substance, and it must be probable that one party will receive the revenue or other consideration expected from the performance of its obligations (e.g., provision of goods or services). Remember that a contract does not have to be in writing to be considered a contract for revenue recognition purposes – oral or implied contracts may satisfy these requirements.

Step 2 – Identify the contract’s distinct performance obligations. For goods and services contracts, a “performance obligation” is a promise to transfer a good or provide a service to another party. A “distinct” performance obligation is one that benefits the recipient alone or with other readily available resources (e.g., delivery of a computer that is usable with power and Internet access obtained separately) and can be identified separately from other obligations under the contract (e.g., a company is delivering 5 computers, delivery of all 5 computers should be combined into a single performance obligation). A series of distinct performance obligations that are substantially similar can still be treated as individual performance obligations (e.g., delivery of a new computer at the start of each quarter during a calendar year, 4 new computers total). In a services agreement such as a SaaS contract, implementation obligations and the provision of services may be separate obligations. A SaaS company may look at its distinct performance obligation as providing a service each day during the term of the Agreement, so each day would be a distinct performance obligation.

Step 3 – Determine the transaction price. The “transaction price” is the expected payment and other consideration to be paid/provided in return for satisfaction of the performance obligations. Financial consideration can usually be grouped into fixed (stated in the contract) vs. variable (contingent on the occurrence or non-occurrence of a future event). For variable consideration, companies should look at the expected value taking into account the potential for changes in the variable payment component. If compensation for a performance obligation will be deferred, and not paid contemporaneously with the satisfaction of the performance obligation, the present value of the deferred compensation should be considered. Non-cash compensation (e.g., bartered goods or services) should be measured at fair value, or if not available the standalone selling price. Other consideration such as coupons or vouchers may need to be deducted from the transaction price. For SaaS companies that use a tiered pricing structure and monthly or annual minimums, calculating the expected revenue can be tricky (e.g., by using a probability-weighted methodology).

Step 4 – Allocate the transaction price to the performance obligations. If your contract has one performance obligation, you’re already done with this step. If not, the next step is to allocate the transaction price among each distinct performance obligation, i.e., to separate the transaction price into each discrete “piece” of consideration a party expects to receive from satisfying the associated performance obligation. This can be done by allocating the standalone selling price (i.e., the price at which the good would be sold separately) to the performance obligation, or where that standalone price is not available, the selling entity should estimate it by utilizing as many observable data points as possible to come up with the best estimate possible. ASC 606 includes examples of estimation methods. If a company provides a discount, the discount should be allocated proportionally among the expected revenue for the performance obligations to which the discount applies.

Step 5 – Recognize allocated revenue when (or as) the performance obligations are satisfied. The final step is to recognize each allocation of the transaction price as each distinct performance obligation is satisfied (i.e., the promised good or service is transferred to the recipient). For physical assets, transfer occurs when the recipient obtains control of the asset. For services, a performance obligation is satisfied when the benefits from the provider’s performance are received and utilized, the provider’s performance creates and/or enhances an asset in the recipient’s control, or the provider’s performance creates a payment right without creating an asset with an alternative use to the recipient (e.g., a company is contractually restricted from using a provided service for other purposes). Performance obligations may be satisfied on a specific date (e.g., for delivery of goods) or over a specific time period (e.g., for delivery of services). If satisfied over a time period, revenue may be recognized based on the progress towards satisfying the performance obligation.

Get Prepared Now

While it may seem like there is plenty of time to prepare for the implementation of the new revenue recognition standard, there’s a lot of work that needs to be done to be ready, including the following:

  • Learn the details. It’s important to note that this article represents a very high-level summary of the new revenue recognition standard. Having a more in-depth understanding of the new standard and how it applies to your company and its costing models/contracts is critical. There is an abundance of articles, seminars, and other publicly-available materials available on ASC 606 and IFRS 15. Also, talk with your accounting firm on what they have done as a firm to prepare, and their recommended action plan for your business – they may have some great materials they can provide to get you and your company up to speed.
  • A lot of work can be done proactively. Conduct a proactive review of existing contracts, contractual obligations, and other revenue sources that may be classified as a “contract” subject to the new revenue recognition standard. Analyze each to determine the distinct performance obligations, and determine the transaction price. Work with your accountants to allocate the transaction price among the performance obligations.
  • Review (and update if necessary) contract templates. Accounting should partner with Legal and Sales to review sales proposal templates and contract templates describing or creating performance obligations. Review all standard variations of pricing offered to clients to identify any issues under the new revenue recognition standards. Consider whether warranties, returns language, or other contractual terms create distinct performance obligations and how they can be satisfied. Make any updates as necessary to ensure your templates align with the new standards going forward.
  • Create a plan. Assign a resource to manage the process of preparing for the new standard. Consider creating a cross-departmental group to meet regularly to discuss progress and assign tasks. Consider what internal education will need to be done to prepare employees and groups for the new standard, what changes to internal or third party systems may be required, what additional disclosure requirements may be required, whether internal policies will need to be updated or created, and what changes may be needed to internal processes. Secure the support of executive sponsors, such as the CFO and CEO. If you have personnel who were involved in rolling out SOX compliance in the early 2000s, talk to them about lessons learned to avoid repeating the mistakes of the past.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers through supply solutions to expand product assortment, demand solutions to promote and sell products on the channels that perform, and delivery solutions to enable rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles in voice-over work and implementing and integrating connected home technologies.

7 Tips for Implementing a Records Retention Policy Employees Will Follow

How long to hang on to corporate information and records (records retention) is a common source of conflict within companies. Those in the “keep it” camp believe companies should keep any business records that are needed to conduct business operations effectively, records that serve as a company’s “corporate memory,” records that must be kept for legal, accounting or other regulatory compliance purposes, or have other value to the company (such as protecting the company’s interests). Those in the “destroy it” camp believe companies must promptly destroy records when there is no longer a legitimate business need to retain them, in order (a) to ensure they are minimizing the amount of information that could potentially be exposed in the event of a security breach, inadvertent disclosure, legal disclosure requirement such as a subpoena, or during the discovery phase of litigation, (b) to comply with legal, accounting and other regulatory requirements to destroy information after a certain time, and (c) to reduce the costs of discovery and of storing corporate information. Which side is right?

The answer, of course, is that they’re both right. All of the reasons to keep corporate records, and all the reasons to destroy them, are legitimate. This is the “double-edged sword” of records retention. For every argument that “we might need that piece of information somewhere down the line,” there’s a counterargument that “we could get in trouble someday if we still have that piece of information around.” The way to ensure your company is striking the right balance between these two extremes is to have a written records retention policy that balances the reasons to retain information against the reasons to destroy it, by setting appropriate “retention periods” for various categories of corporate records and requiring employees to destroy data once the retention period is ended in most cases. It is an essential component of a company’s incident response planning process for reducing the amount of information potentially exposable in the event of a security incident or breach. The policy must cover corporate records wherever located, including physical and electronic data wherever stored (in employee workstations, on intranets and network drives, in third party data centers, in cloud-based service providers’ systems, etc.). It should list the categories of business records governed by the policy (I prefer a table format), and the records retention period for each category. It should clearly explain to employees what they need to do to comply with the policy, including how to ensure records are properly destroyed when the retention period ends.

It’s easy to argue why companies need a records retention policy. It’s much harder to actually draft and successfully implement one. Here are 7 drafting and implementation tips to help drive the success of your records retention policy.

1. Success is directly proportional to simplicity and communication.

The simpler you can make a records retention policy, the easier it will be for employees to follow it and the greater the likelihood that employees will take time to follow it. Policies that add significant process requirements into the life of rank-and-file employees who already feel like they are “doing more with less” and may be resistant to new ways of doing things are often met with skepticism at best, and outright rebellion at worst. It can be very difficult to successfully implement and administer a records retention policy if employees feel it is onerous and unnecessarily impeding their ability to do their job. If that happens, employees may simply ignore the policy in favor of their day-to-day business duties, or worse, use the records retention policy as a scapegoat if they fail to deliver on their projects and goals.

To solve this problem, ensure your policy is written as simply as possible, take into account the employee’s perspective, and have a communication plan to roll it out. Ensure your policy overview answers questions such as “Why is having a records retention policy important to me?”, “How hard will it be to follow the policy?”, and “What do I have to do under the policy?” Consider using a “frequently asked questions” format for the policy overview. Have a few employees whose opinion you value give you feedback on the policy. Develop a communication plan to roll out the policy to all employees, and leverage HR and Marketing for their input to make it as effective as possible. Ensure your senior leadership team endorses the policy so employees understand it has top-level visibility.

2. Set a “once per year” date for retention periods to expire.

One way to write a records retention policy is to have a fixed retention period for each business record run from the date the record was created. Under that approach, retention periods will be expiring throughout the year. If the records retention policy requires employees to destroy records immediately upon expiration of the retention period, the policy may require employees to be managing document destruction on a daily or near-daily basis. This may make compliance seem like a daunting task to employees, even if your policy allows employees to destroy expired business records once per month or once per quarter.

As an alternative, consider having all retention periods expire on the same day during each calendar year by measuring your retention periods in full “retention years,” defined as a full calendar year or other 12-month measurement period. For example, if you set December 31 as your annual date for expiration of records retention periods, a presentation created on May 15, 2016 which must be kept for 3 “retention years” would be kept from May 15, 2016 through December 31, 2019 (3 full calendar years from the date of creation). While this approach does extend the retention period for some documents by a bit, that may be an acceptable trade-off for a simple, once-per-year obligation to destroy records under the records retention policy. Consider tying your annual records retention period expiration date into an “office clean-up days” event in partnership with HR where everyone pitches in to tidy up the office, clean up their workspaces, and destroy any documents for which retention periods have expired under the records retention policy.

3. Right-size the departments and categories of corporate records listed in the policy.

In an effort to be as comprehensive as possible, some records retention policies include a significant number of categories of information subject to retention requirements. This can result from using an “all purpose” template such as a template obtained from a law firm, from a colleague, or from online searches. In other cases, a company may want to ensure they are not missing anything by including everything employees have today or could have in the future. One size does not fit all with respect to records retention categories. Consider having a “general” or “common business records” category as the first section of business records in your policy, covering items like business presentations, contracts and agreements (both current and expired); general and customer/vendor correspondence; material of historic value; software source code; etc. Then determine which departments have additional, specialized categories of business records (e.g., HR, IT, Finance, Marketing, Legal, etc.) that should be listed specifically in the policy. For each such department, learn which business records they have and use to create a first draft of your categories list and retention periods. Using a general/departments grouping of categories allows employees to find the information on records retention applicable to them in a targeted and streamlined fashion. There will likely still be a significant number of categories of corporate records, but taking the time to think through the right categories for your company’s records retention policy will help ensure it is as easy as possible for employees to read, follow and use.

4. Use a limited number of retention periods, with “permanent” used as sparingly as possible.

Another common issue with records retention policies is the use of a large number of retention periods. Different departments may have different periods under which they currently retain documents, and they may apply pressure to keep their own retention periods in an enterprise-wide policy. A policy with a large number of retention periods will be harder for employees to follow, and harder for IT and others to operationalize. Remember, simplicity where possible is key to success. Consider using a limited number of retention periods (e.g., 1 year, 3 years, 5 years, 7 years, Permanent) which will simplify administration of, and compliance with, the policy. For departments with different existing retention periods, determine which of the next closest periods (longer or shorter) will work, and be prepared to explain to the head of that department why a limited number of periods is essential to the successful implementation of an enterprise-wide policy.

It can be tempting to put many things into a “permanent” bucket (those in the “keep it” camp are likely candidates to ask for this category). However, overuse of the “perpetual” category cuts against the reason for implementing the policy in the first place. While some documents may need to be kept perpetually, for example, information subject to a document preservation notice due to litigation, document categories should be assigned a “permanent” retention period very sparingly. Use it where it is legally necessary to preserve a category of documents (e.g., it’s required for regulatory purposes), or where there is a compelling business interest in keeping it forever (e.g., prior art that may have value in defending against a future patent infringement claim). One way to find a “happy medium” with those in the “keep it” camp is to include in your policy a mechanism by which Legal and the CISO/CIO can approve an exception to the retention period on a case-by-case basis, but make clear that exceptions will be granted very sparingly and only where legally necessary or where there is a compelling business interest.

5. Partner with department heads to solicit and incorporate their feedback, and to turn them into champions of an enterprise-wide policy.

One of the keys to the successful roll-out of a records retention policy is to have the support of senior management and department heads. Compliance with a records retention policy should be driven from the top down, not bottom up. It’s also important to consider that just because a company has not implemented an enterprise-wide records retention policy does not mean that some departments have not “gone it alone” and implemented their own limited retention and destruction schedule. Partnering with department heads to gain their support for an enterprise policy, and ensure their own efforts are leveraged as part of the broader policy, is essential.

Once a draft policy is prepared, set up one-on-one meetings with the leader of each department to let them know that you want the enterprise policy to be a collaborative effort with his/her department (and not one imposed on it). If they have department-specific document categories or retention periods, leverage them to the greatest extent possible to minimize the impact the enterprise policy will have on that department. If they do not, walk them through the reasons why having a well-followed enterprise records retention policy will benefit the company as a whole. Walk the department head through the draft policy, and ensure they agree with the categories and retention periods applicable to their business unit. Try to incorporate their feedback wherever possible, and talk them through where you cannot (e.g., they ask for a non-standard retention period). Finally, ask for their help in rolling the policy out to their department, e.g., by sending a note to the department as a follow-up to the enterprise-wide policy announcement. By meeting with department heads, you will not only ensure the policy hews as closely as possible to the operational and compliance needs and practices of each department, but also establish a contact for future revisions/enhancements to the policy, and hopefully foster an internal champion to help drive the success of the policy.

6. Ensure the policy accounts for document preservation notices.

One critical element of any records retention policy is a very important exception — information subject to a litigation hold or other document preservation notice (such as in the event of litigation or anticipation of future litigation, where the company receives a subpoena, etc.) If employees follow the records retention policy and destroy business records that are relevant to a legal proceeding or subpoena, the company could face very significant fines and penalties. Ensure that the records retention policy makes it very clear that a document preservation notice supersedes the records retention periods, and that any documents and business records subject to a litigation hold or other document preservation notice must be kept for as long as the preservation notice is in effect regardless of the expiration of the retention period. It’s also important to communicate that once an employee is notified that a document preservation notice has been canceled, any documents subject to the notice should be destroyed at the next anniversary date. Ensure that any systems and processes used by the company to operationalize the records retention policy (e.g., automatic deletion of emails after a certain amount of time) account for the preservation of documents and business records subject to a preservation notice irrespective of the retention periods.

7. Partner with IT to implement technical safeguards to minimize policy “workarounds.”

Finally, partnering with IT will be critical to the success of the policy. In many cases, some document destruction processes can be automated (for example, emails can be deleted after a certain period, files older than a certain date can be automatically deleted from network shares, etc.) Work with your IT group to determine what technological solutions can be put in place to help operationalize the records retention policy. At the same time, some employees may believe that their needs trump the records preservation policy, and will try to work around it (e.g., by saving emails to a PST, printing them to a PDF and saving them on a network drive, “backdating” them by changing the system date before saving files, etc.) Partner with your IT team to put as many appropriate technical safeguards in place as possible to minimize employee workarounds to the records retention policy.
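As an added illustration (not part of the original article), here is how an IT team might compute destruction dates under the “retention year” approach from tip 2 while honoring document preservation notices as described in tip 6. The class names, the December 31 annual date, and the set of allowed periods are assumptions taken from the article's examples, and treating a record as due on the expiry date itself is also an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy parameters; the article's own example uses December 31.
ANNUAL_EXPIRY = (12, 31)          # (month, day); avoid February 29
ALLOWED_YEARS = {1, 3, 5, 7}      # the limited set of periods suggested in tip 4


@dataclass
class Hold:
    """A document preservation notice (hypothetical structure)."""
    issued: date
    released: Optional[date] = None   # None: the notice is still in effect


@dataclass
class Record:
    name: str
    created: date                     # from the system of record, not file metadata
    retention_years: Optional[int]    # None: "permanent" category
    hold: Optional[Hold] = None


def next_annual_date(on_or_after: date) -> date:
    """First annual expiry date falling on or after the given day."""
    month, day = ANNUAL_EXPIRY
    candidate = date(on_or_after.year, month, day)
    if candidate < on_or_after:
        candidate = date(on_or_after.year + 1, month, day)
    return candidate


def scheduled_expiry(record: Record) -> Optional[date]:
    """Expiry under the policy alone, ignoring any preservation notice."""
    if record.retention_years is None:
        return None
    if record.retention_years not in ALLOWED_YEARS:
        raise ValueError(
            f"{record.name}: {record.retention_years} is not an approved period")
    first = next_annual_date(record.created)
    return date(first.year + record.retention_years, first.month, first.day)


def destroy_on(record: Record, today: date) -> Optional[date]:
    """Date the record is due for destruction as of `today`, or None if kept."""
    expiry = scheduled_expiry(record)
    if expiry is None:
        return None
    hold = record.hold
    if hold is not None:
        if hold.released is None or hold.released > today:
            return None           # notice in effect: it supersedes the schedule
        # Notice canceled: destroy at the next annual date, never before schedule.
        return max(expiry, next_annual_date(hold.released))
    return expiry


def due_for_destruction(records, today: date):
    """Names of records to destroy on the annual clean-up run dated `today`."""
    due = []
    for record in records:
        when = destroy_on(record, today)
        if when is not None and when <= today:
            due.append(record.name)
    return due


# Constructed sample records; the first one is the article's presentation example.
SAMPLE = [
    Record("sales-deck.pptx", date(2016, 5, 15), 3),
    Record("vendor-contract.pdf", date(2014, 3, 1), 5, Hold(date(2018, 6, 1))),
    Record("old-claim-emails.pst", date(2015, 9, 9), 3,
           Hold(date(2017, 1, 10), released=date(2020, 3, 10))),
    Record("patent-prior-art.zip", date(2010, 1, 1), None),
]

if __name__ == "__main__":
    for run_date in (date(2019, 12, 31), date(2020, 12, 31)):
        print(run_date, due_for_destruction(SAMPLE, run_date))
```

Any automated deletion job (email purges, network share clean-up) should consult the same hold check before deleting, so that a preservation notice always wins over the schedule.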

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers by expanding product assortment, promoting and selling products on the channels that perform, and enabling rapid, on-time customer delivery. He works primarily from his home office outside of Minneapolis, Minnesota. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

Practical Tips for Managing Risks in Vendor, Supplier, and other Partner/Provider Relationships

The best place to stop a snowball from rolling the wrong way is the top of the hill.

When it comes to managing risk in business, there are two fundamental principles:

  1. You can’t disarm all of the land mines. A risk is like a land mine – it will detonate sooner or later once the right factors occur. Part of risk management is having enough information to know (or make an educated guess) at which risk “land mines” are more likely to go off than others, so you can stack rank and disarm the land mines in the right order. That way, hopefully you’ll disarm each one in time, and if one does go off before you can disarm it, it will cause minimal damage.
  2. You don’t have to stop every factor from occurring; you have to stop at least one factor from occurring. If a risk “land mine” detonates, a number of things all went wrong at the same time. Think of it as the lock on Pandora’s Box – for the lock to open (the land mine going off), the pins in the cylinder (the environmental factors) must align perfectly with the key (the catalyst). As long as one of the pins is misaligned, the lock won’t open. If you don’t have the resources or ability to ensure all pins are misaligned, try to ensure at least one pin is misaligned so the land mine can’t go off. (If more than one is misaligned, that’s even better.)

To manage a risk, a business must first mitigate and shift the risk to reduce the chance of the land mine detonating to the greatest extent possible, and then accept or reject the residual risk to the business. (For more on this, please see my earlier LinkedIn article on Revisiting Risk Management).

When it comes to your relationships with your key vendors, suppliers and other partners/providers, risk management principles should be applied to existing partners/providers, prospective partners/providers, and “inherited” partners/providers (e.g., through acquisition). There are a number of ways to mitigate and shift risk in these relationships:

Mitigating the Risks

  • Do due diligence on your partners and providers. Perform research to see if the partner/provider has had security or privacy problems in the past. If they are public, look at the risk factors in their securities filings. Look at the partner/provider’s privacy policy to see if they make any claims they likely cannot live up to, or are overly broad in what they can do with your company’s data. Watch out for unrealistic marketing statements regarding privacy, security or their ability to perform the obligations you are contracting for. Use RFPs to gather information on prospective partners/providers up front (and keep it in case you need to refer to it later on if something they told you in the RFP proves not to be true).
  • Don’t automatically disqualify companies that have had past problems. If an RFP reveals that a partner/provider has had a past issue, focus on what steps they have taken to remediate the issue and protect against a recurrence. The result may be that they have a more robust security and risk management program than their peers.
  • Ask them what they do. Consider adding privacy and security questions to your RFP to gather information on current practices and past problems/remediation efforts (and to make them put it in writing). Watch out for answers that are too generic or just point you to their privacy policy.
  • Set online alerts, such as Google Alerts, to stay up-to-date on the news relating to your prospective or current partner/provider during the course of your negotiations and relationship, and escalate any alerts appropriately. If the partner/provider is public, set an alert for any spikes (up or down) in stock price.
  • Plan for the inevitable. Inevitably, your business relationship will end at some point. It could end when you’re ready for and expecting it, but you can’t count on that. If your partner/provider is mission-critical, develop an “expected” and “unexpected” transition plan and confirm that the partner/provider can locate and provide you the data you need to execute on that plan. For example, ensure you have all information and data you may need if the partner/provider ceases operations (for example, routinely download reports and data sets from their portal, or set up an automated feed). Alternatively, consider ways to ensure that if a partner/provider creates and stores mission-critical information (e.g., order or personal information, critical reports or data, etc.), it’s mirrored securely to a location in your control on a regular basis so that if there’s a problem, you have a secure and current data set to work from. This may be required or important under your company’s business continuity plan, and your contractual commitments to your clients.
  • Know your alternatives. Keep abreast of alternative partners/providers, do initial vetting from a security perspective, and maintain relationships with them. If a problem occurs, the company may have to switch partners/providers quickly. If you have taken the time to cultivate a “rainy day” relationship, that partner/provider may be happy to go out of their way to help you onboard quickly should a problem with your existing partner/provider occur (in the hopes that your company may reward their help with a long-term relationship).
  • Know what you have to do to avoid a problem. Once negotiated, contracts often go in the drawer, and the parties just “go about their business.” Make sure you know what your and your partner/provider’s contractual obligations are, and follow them. If they have “outs” under the contract, ensure you know what you need to do in order to ensure they cannot exercise them. If terms of use or an Acceptable Use Policy (AUP) or other partner/provider policies apply, make sure the right groups at your company are familiar with your obligations, and ensure they are being checked regularly in case they are updated or changed. If possible, minimize the number of “outs” during the negotiation. For existing or inherited partners/providers, consider preparing a list of the provisions you want to try to remove from their agreements so you can try to address them when the opportunity arises in the future (e.g., in connection with a renewal negotiation).
  • Put contractual provisions in place. Sales and Procurement should partner with IT and Legal to ensure that the right risk mitigation provisions are included in partner/provider agreements on an as-needed basis. Consider adding a standard privacy and security addendum to your agreements, whether on their paper or yours. Common provisions to consider include a security safeguards requirement; obligation to protect your network credentials in their possession; obligation to provide security awareness training (including anti-phishing) to their employees (consider asking for the right to test their employees with manufactured phishing emails, or getting an obligation that they will do so); requiring partners/providers to maintain industry standard certifications such as ISO 27001 certification, PCI certification, SOC 2 Type 2 obligations, etc.; obligation to encrypt sensitive personal information in their possession; obligations to carry insurance covering certain types of risks (ensure your company is named as an additional insured, and try to obtain a waiver of the right of subrogation); rights to perform penetration testing (or an obligation for them to do so); an obligation to comply with all applicable laws, rules and regulations; an obligation to complete an information security questionnaire and participate in an audit; language addressing what happens in the event of a security breach; and termination rights in the event the partner is not living up to their obligations. Not all of these provisions make sense for every partner/provider. Another approach to consider is to add appropriate provisions to a supplier/vendor code of conduct incorporated by reference into your partner/provider agreements (ensure conflicts are resolved in favor of the code of conduct).

Shifting the Risks

  • Use contractual indemnities. An indemnity is a contractual risk-shifting term through which one party agrees to bear the costs and expenses arising from, resulting from or related to certain claims or losses suffered by another party. Consider whether to include in your partner/provider agreement an indemnity obligation for breaches of representations/warranties/covenants, breach of material obligations, breach of confidentiality/security, etc. Consider whether to ask for a first party indemnity (essentially insurance, much harder to get) vs. a third party indemnity (insulation from third party lawsuits). Remember that an indemnity is only as good as the company standing behind it. Also, pay close attention to the limitation of liability and disclaimer of warranties/damages clauses in the agreement to ensure they are broad enough for your company.
  • Request a Parental Guaranty. If the contracting party isn’t fully capitalized, or is the subsidiary of a larger “deep pocketed” organization, consider requesting a performance and payment/indemnification guaranty to ensure you can pursue the parent if the subsidiary you are contracting with fails to comply with its contractual obligations.
  • Acquire insurance. Finally, consider whether your existing or other available insurance coverage would protect you against certain risks arising from your partner/provider relationships. Review the biggest risks faced by your company (including risks impacting your partner/provider agreements) on a regular basis to determine if changes to your insurance coverage profile are warranted; your coverage should evolve as your business evolves. Understand what exclusions apply to your insurance, and consider asking your broker to walk you through your coverage on an annual basis.

Are IP and MAC Addresses Personal Information?

To many, “personally identifiable information” (also “PII” or “personal information”) means information that can be used to identify an individual, such as a person’s name, address, email address, social security number/drivers’ license number, etc. However, in the US, there is no uniform definition of personal information. This is because the US takes a “sectoral” approach to data privacy. In the US, data privacy is governed by laws, rules and regulations specific to market sectors such as banking, healthcare, payment processing, and the like, as well as state laws (such as breach notification statutes). Companies, such as Google, often include their own definition of personal information in their privacy policy. Even though there is no uniform definition, however, it’s clear that more and more information is falling under the PII/personal information umbrella.

One category of data with potentially significant implications for US businesses if classified as PII is Internet Protocol (IP) and Media Access Control (MAC) addresses.

  • An IP address is a unique numerical or hexadecimal identifier used by computing devices such as computers, smartphones and tablets to identify themselves on a local network or the Internet, and to communicate with other devices. IP addresses can be dynamic (a temporary IP address is assigned each time a device connects to a network), or static (a permanent IP address is assigned to a network device which does not change if it disconnects and reconnects). There are two types of IP addresses – the original IPv4 (e.g., “210.43.92.4”), and the newer IPv6 (e.g., “2001:0db8:85a3:0000:0000:8a2e:0370:7334”).
  • A MAC address is a unique identifier used to identify a networkable device, such as a computer/phone/tablet/smartwatch, as well as other connected devices such as smart home technologies, printers, TVs, game consoles, etc. A MAC address is a 12-character hexadecimal (base 16) identifier, e.g., “30:0C:AA:2D:FB:22”. The first half of the address identifies the device manufacturer, and the second half is a unique identifier for a specific device. If a device needs to talk to other devices, it likely has a MAC address.
  • Why do devices need both? There are incredibly technical reasons for this, but at a very high level, MAC addresses are used to identify devices on a local wired or wireless network (e.g., your home network) to transmit data packets between devices on that local network, and IP addresses are used to identify devices on the worldwide Internet to transmit data packets between devices connected directly to the Internet. Your router has an IP address assigned by your ISP, as well as a MAC address which identifies it to other devices on the local network. Your router assigns a local IP address (e.g., 192.168.1.2-192.168.1.50) to connected devices by MAC address. Network traffic comes to your router via IP address, and the router determines which device on the network, identified by its MAC address, should receive the traffic.
  • Think of a letter mailed to your attention at your corporate office address of 1234 Anyplace Street, Suite 1500, Anytown, US 12345. The mailing address will tell the mail carrier what address to deliver it to, but the carrier won’t deliver it right to you personally. Suppose you are in Cube 324. Your mail room will look up your cube number, and deliver the letter to you. The letter is like an online data packet, the mailing address is like an IP address, the cube number is like a MAC address, and the mail room is like a router — the router takes the inbound packet delivered by IP address and uses the local device’s MAC address to route the packet to the right device on the network.

Canada’s approach. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines “personal information” as “information about an identifiable individual.” The Office of the Privacy Commissioner of Canada (OPCC) has released an interpretation making clear that this definition must be given a “broad and expansive interpretation,” and that it includes information that “relates to or concerns” a data subject. With respect to IP addresses, according to the OPCC an Internet Protocol (IP) address is personal information if it can be associated with an identifiable individual. (Note that in Canada, business contact information is not considered personal information, which implies that an IP or MAC address of a work computing device associated with an employee’s work contact information is not personal information.)

The European approach. In Europe, the current Data Protection Directive and the proposed Data Protection Regulation both define personal data as “any information relating to an identified or identifiable natural person.” Individual EU member states differ on whether an IP address should be considered personal data. The European Court of Justice (ECJ) has held that IP addresses are protected personal information “because they allow … users to be precisely identified,” and is considering whether to adopt an even stronger position that dynamic IP addresses collected by a website operator are personal information even though the Internet service provider, and not the website operator, has the data needed to identify the data subject. The same rules should apply to MAC addresses. The new Data Protection Regulation, which will override member state implementations of the Directive, states in its findings that “[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

In the US, the sectoral and state-by-state approach to data privacy does not paint a clear picture as to whether an IP address or MAC address should be considered personal information.

  • Specific laws. The one US statute that clearly states that IP and MAC addresses are personal information is the Children’s Online Privacy Protection Act (COPPA). In 2013, the FTC revised the COPPA Rule, which defines “personal information” as “individually identifiable information about an individual collected online,” as specifically including IP addresses, MAC addresses, and other unique device identifiers. The Health Insurance Portability and Accessibility Act (HIPAA) includes device identifiers (such as MAC addresses) and IP addresses as “identifiers” that must be removed in order to de-identify protected health information. State security breach notification laws define personal information, but those laws do not include IP address, MAC address, or other device identifier as PII.
  • The FTC’s view. In April, Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, wrote on the FTC’s business blog about cross-device tracking. In her remarks, she restated the FTC’s long-held position that data is personally identifiable, “and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.” She then specifically cited the FTC’s 2013 amendments to the COPPA Rule as an example of this in practice. Director Rich’s comments signal that the FTC views IP and MAC addresses, and other unique device identifiers, in a similar manner as the Office of the Privacy Commissioner of Canada — if it can be associated with an identifiable individual, it should be considered personal information.
  • Google’s View. It is also worth looking at Google’s definition from its privacy policy, given Google’s prominence as a collector and user of consumer personal information. Google defines personal information to include both information that personally identifies a person, as well as “other data which can be reasonably linked to such information by Google, such as information we associate with your Google account.” This is essentially the FTC’s view, with a reasonableness standard.

Given all this, what should US businesses do?

  • Consider using a term to define IP addresses, MAC addresses, and other user device identifiers which identify a thing, not a person, but can be linked to an individual depending on what information is collected or obtained about that individual. I call this information linkable information.
    If linkable information is, or reasonably can be, associated or linked with an identifiable individual in your records, it becomes personal information.
  • Think of your driver’s license and your license plate as things. Your driver’s license has your name, photo, and other information, so it identifies you. Therefore, a copy of your license would be personal information. On the other hand, your license plate by itself identifies a thing (your vehicle), and therefore by itself is linkable information, but not personal information. However, if your license plate is contained in a list of names and associated license plates maintained by a company, the license plate is associated with you, and therefore the company should handle it as personal information. Similarly, your phone number identifies a thing (your phone, not you, as you can let anyone use your phone) and therefore is linkable information; if your number is linked with an identifiable individual (e.g., the number is associated with a recording of an individual’s voice on a phone call), the phone number becomes personal information.
  • An IP address in a server log, by itself, is linkable information not linked or associated with an individual, and therefore not personal information. However, an IP address as part of an electronic signature record, where the IP address is collected and stored with a person’s name and time/date stamp of acceptance, would be personal information.
  • If your company’s privacy policy defines personal information to include device identifiers such as IP addresses and MAC addresses, or defines when device identifiers would be considered personal information, ensure you are doing what your privacy policy says you will do. Failing to comply with a stated privacy policy can give rise to an FTC investigation and/or complaint under §5 of the FTC Act, as well as state AG investigations/actions and private litigation.
  • If you collect information from European consumers, given the extra-territorial reach of the upcoming Regulation, US companies should carefully watch how IP and MAC addresses fall into the EU’s definition of personal data, and determine whether they need to comply with Europe’s approach.
  • If you collect IP address information from a child under 13 through a website or app governed by COPPA, by law it’s personal information.
  • Talk to your IT group about whether you collect any device information, such as IP or MAC addresses, that could be linkable information, and analyze whether that data is linked or associated with personal information in your systems.

Are Your Website and App Legal Disclosures Saying Enough (Or Too Much)?

Almost every business has an online presence of some form. Many have a website which serves as anything from an online company brochure to a fully-featured online store or customer/vendor/user portal. Some have apps available through Google Play Store, the Apple App Store, or other app stores. A number of companies spend significant sums on their websites and apps to design robust features and content delivered through a compelling user experience. But if there’s one place website and app operators miss the mark, it’s ensuring the right legal disclosures are in place, and that the ones that are in place are saying the right things.

When most people think of a website or app disclosure, they think of a privacy policy and terms of use. These are definitely important. However, there are a number of other disclosures required or recommended under federal and state law that companies should consider to manage risk and avoid potentially distracting and costly litigation.  At the same time, saying too much in disclosures such as your privacy policy can expose your company to unnecessary risk.

There are four core rules that should apply to all website disclosures:

  1. Write them in plain English.
  2. Avoid using undefined technical jargon and using marketing bluster.
  3. Make them easy to understand and use.
  4. Make them 100% accurate and truthful.

Consider having your company’s User Experience group review your disclosures and policies to ensure they are as easy to read and navigate as possible. Consider using design elements such as progressive reduction and progressive disclosure (you can see my earlier blog post on this topic by clicking here.) The goal is to ensure consumers easily understand your disclosures. If you ever have an issue with a term or provision in your disclosures, being able to argue that the content and design were optimized for easy reading and navigation can pay dividends.

Here are some website and app disclosures to consider:

  • The Privacy Policy. States such as California have laws requiring companies to have an online privacy policy. Since almost every website is accessed by users in California, it’s safe to say you are legally required by state law to have a privacy policy. Companies in certain industries or sectors such as in the healthcare sector (HIPAA) and financial sector (Gramm-Leach-Bliley) have specific requirements for their privacy policies. A privacy policy is also required by law in some states on an information category basis, such as Connecticut’s requirement that anyone collecting Social Security Numbers have a publicly displayed privacy policy with certain required disclosures. Certain laws also mandate that you cover certain topics in your privacy policy (e.g., California’s requirement to disclose how you handle “do-not-track” headers, and California’s requirement to provide information on how minors who are your registered website users can request that you remove their personal information). Don’t forget that your privacy policy needs to apply to, and be displayed on, your company’s apps as well.

    A company’s privacy policy obligations can be summarized simply: say what you do, and do what you say. “Say what you do” means ensure your privacy policy fully describes how you collect, use, and share information (both personally identifiable information, such as your name and address, and non-personally identifiable information such as behavioral data) collected from or about your customers. “Do what you say” means ensuring your day-to-day business activities with respect to information collected from consumers fall within the boundaries of what you say you do in your privacy policy. Two important rules to follow are, (1) if you want to change how you collect, use or share information from consumers, make sure your privacy policy allows it first, and give prior notice to website users that your privacy policy is changing; and (2) if you want to change how you use information you’ve already collected from consumers, you’ll need permission from the consumers first. Always include an effective date on your privacy policy (again, a state law requirement).

    Look for a more detailed post on privacy policies coming soon.

  • Terms of Use/Terms of Service. Your terms of use (sometimes also referred to as “terms of service”) should describe the rights and obligations applicable to both your company’s website/app/online service users and to your company itself with respect to the operation and/or use of an online website, app, and/or online service. It should cover topics such as ownership of the website and company-provided content on it (including your copyrights, trademarks and licensed trademarks), and associated restrictions (e.g., no screen scraping website content); disclaimers of third party content, such as third party ad networks on your site, and language to prevent use of your company’s trademarks or other content to create the appearance of sponsorship by or affiliation with a third party; whether or not you collect information from children under 13 (if you do, ensure you are complying with the Children’s Online Privacy Protection Act or “COPPA”); an obligation to report lost or stolen passwords and change passwords regularly; what you can do with user-generated content uploaded or shared to the website (e.g., a broad right and license to use it), and related terms (e.g., it’s provided royalty-free and with no license costs, that it doesn’t infringe anyone else’s rights, etc.); a feedback provision if users may provide feedback or comments; links to third party content; and important legal terms such as jurisdiction, choice of law, indemnification, and the like. Many website operators include an acceptable use policy as part of their Terms of Use/Terms of Service; some have a separate policy on their website.
  • DMCA Notice. If your website collects, displays, or otherwise uses or shares user-generated content, consider a copyright notice (also called a “DMCA notice”). The Digital Millennium Copyright Act creates a “safe harbor” from copyright infringement for website operators who honor takedown requests and display on their website information for their designated “copyright agent” to which takedown requests can be sent. There’s more to the statute than that, so if you need a DMCA notice please review one of the multitude of articles out there on crafting a proper DMCA notice. Don’t forget that you need to register your designated copyright agent with the US Copyright Office by filing a “Designation of Copyright Agent” form.
  • California “Shine the Light” Notice. In 2005, California enacted the “Shine the Light” law as part of its Consumer Records Act. The law requires businesses to provide disclosures to California consumers of the types of customer information they share with third parties for the third party’s direct marketing purposes during the immediately preceding calendar year. If your business shares collected personal information with third parties for the third party’s direct marketing purposes and does business in California, with a few exceptions this law applies to you. Businesses are required to let customers know how to submit requests for this information. While there are a few options, the simplest for most businesses is to include a link on the company’s homepage to “Your California Privacy Rights” or “Your Privacy Rights” to a page describing customers’ rights under the “Shine the Light” law and the email/physical address to which requests should be sent. There has been an uptick in class action litigation recently against companies which do not have a “Shine the Light” disclosure on their website.
  • Terms of Sale. If you sell products through your website, consider using a Terms of Sale to govern the sales transaction. Terms of Sale typically include provisions such as placing an order; when it is accepted by the company; delivery and fulfillment terms; the return/cancellation policy; information on prices (e.g., subject to change without notice, not required to honor incorrect pricing); license rights to software; etc.
  • Warranties. One policy you may want to consider adding to your website is product warranties. Last year Congress passed, and President Obama signed, the E-Warranty Act of 2015. This law amended the 1975 Magnuson-Moss Warranty Act to allow companies to put their warranties online instead of including them on or in product packaging. The product documentation or packaging would need to include a link to the online warranty, instead of the warranty terms themselves. Companies that sell products that come with warranties should consider reviewing and taking advantage of the E-Warranty Act.
  • Supply Chains Notice. In 2010, California enacted the Transparency in Supply Chains Act. The law requires large retailers doing business in California (over $100 million in annual revenue identifying itself as a retail seller or manufacturer on their CA tax return) to post disclosures on their websites on their “efforts to eradicate slavery and human trafficking from their [direct] supply chain for tangible goods offered for sale” in five specific areas: verification, audits, certification, internal accountability, and training. It requires the disclosures be accessible through the company’s homepage via a “conspicuous and easily understood” link.
  • Be careful your disclosures aren’t saying too much. While having the right disclosures for your websites and apps is important, avoid saying too much. Remember, when it comes to disclosures, what you say can hurt you. Website disclosures are not the place for marketing puffery. If you make a statement such as “100% guaranteed,” “we encrypt all data,” or “we use best-in-the-industry [whatever],” and it turns out to be false or inaccurate, you can expect state AGs and the FTC (and class action counsel) may come knocking. Generally, one of the roles of the Federal Trade Commission is to ensure that companies are not engaging in unfair or deceptive trade practices. This extends to ensuring that companies are making accurate and truthful disclosures on their websites. Some states, such as Pennsylvania, have expressly included false and misleading privacy policy statements as a deceptive or fraudulent business practice.
  • At the extreme end of this, consider what has been happening in New Jersey. Class action counsel have been using an extremely broad interpretation of NJ’s largely-ignored-until-recently Truth in Consumer Contract, Warranty and Notice Act to go after companies operating business-to-consumer (B2C) websites. The law prohibits sellers from providing notices, terms, or contracts with provisions that violate “any clearly established legal right of a consumer or responsibility of a seller” under federal or state law (whether or not the consumer is happy with the purchase). Class action counsel are bringing suit under this statute stating that just displaying a website notice with a general limitation of liability, broad disclaimers of warranty, statements that certain terms such as warranty disclaimers may not apply to particular consumers without specifying whether NJ consumers are affected, or other limitations on a consumer’s rights is a violation of the statute. Most of these cases are settling before trial, but like other nuisance lawsuits they can end up costing your business considerable time and lost productivity if you end up facing one.

Most companies place their website disclosures at the bottom of the page in a footer. Do not bury them or make them hard to find.  Your policies should be accessible through no more than 2-3 clicks via a logical navigation path. While putting your disclosures in the footer makes sense and is very common, consumers may argue that they simply never saw the disclosures because they never scrolled down to the bottom. Consider also making website disclosures “contextual,” i.e., place policy and disclosure links in close proximity to the related usage. For example, on pages where you are actively collecting information, consider putting a link to the privacy policy right next to the “submit” button, or before a consumer places an order on your e-commerce website, add language verifying they have read and agree to your terms of sale and privacy policy. Consider providing a welcome message, with notice of your privacy policy and terms of use, to consumers visiting your website as a disappearing pop-up, e.g., one that appears for 3-4 seconds at the top of the webpage then fades out, similar to “cookie disclosures” on many EU-based websites.

Finally, consider working with IT to create simple shortcuts for your most common policies (e.g., “privacy.company.com” or “www.company.com/privacy” for your privacy policy) so you have a short and simple URL you can use where you need to direct consumers to your online disclosures.

Why Accessible Websites and Mobile Applications Matter

The Internet is an essential part of life in the 21st century. A 2015 Nielsen study found that people spend an average of 2.5 hours a day using smartphones and PCs to access the Internet.

Look at any website or app and think of how different the experience would be if you couldn’t see it or hear it like everyone else.  The Americans with Disabilities Act (“ADA”) was enacted in 1990 to ensure Americans with disabilities had equal access to places and things such as government facilities and places of public accommodation.  Soon after the ADA was enacted, a new communications medium arose – the World Wide Web, marking the start of the Second Age of the Internet.  The question soon arose as to what extent websites were “places of public accommodation” requiring reasonable accommodations to allow use by disabled Americans under the ADA.  The Department of Justice has repeatedly delayed its rulemaking on website accessibility guidelines, most recently postponing it to at least 2017.  This may be due to the explosion of apps on the Internet and the corresponding decrease in website usage – a recognition that the landscape of what would be regulated is changing too rapidly at this point.

However, don’t think you’re safe to just wait for the DOJ’s guidance. Even without rules, the DOJ has gone on record stating that the ADA applies to web services. The DOJ has instituted a number of lawsuits against companies which they believe are not meeting accessibility standards, including their websites and apps.  For example, in 2015 the DOJ settled with Carnival Cruise Lines requiring not only improvements in accessibility of its ships, but of its website and mobile application.  Many US companies are unaware that under Section 508 of the United States Workforce Rehabilitation Act of 1973, websites and apps developed by companies receiving federal funds or under contract with a federal agency must meet certain accessibility standards.  Private and government litigants continue to bring actions against companies under federal and state law for inaccessible websites – over 45 in 2015 alone, according to BNA.  There have reportedly been many more demand letters sent to companies concerning digital properties allegedly inaccessible by persons with disabilities.

Despite the uncertain landscape, there is a path forward to minimize the risk that your company’s digital properties will come under scrutiny or attack. All companies, and especially those currently or prospectively doing business with the government, should make accessibility part of the calculus when designing, building, and refreshing websites and mobile applications. Here are some important considerations for companies.

(1) Ensure your web and app developers are familiar with WCAG 2.0 standards and Section 508 requirements. Although the DOJ has not yet released its own rules, they continue to use Version 2.0 of the Web Content Accessibility Guidelines (WCAG 2.0) as a de facto standard.  WCAG 2.0 was released in 2008 and became an ISO standard in 2012. There are 4 core principles for web content under the guidelines:  content must be Perceivable (e.g., alternatives for non-text content, alternative content presentation, separate foreground and background content, etc.); Operable (e.g., make all functionality keyboard-accessible, allow sufficient time to read content, ensure navigation and search are easily usable, etc.); Understandable (e.g., clear text content, predictable operation of web pages, etc.); and Robust (e.g., use standardized and proper tagging; ensure content can be interpreted reliably by varied user agents such as assistive technologies).  While there are 3 levels of conformance with WCAG – A, AA, and AAA – AA is the most common and the one referenced in most litigation and DOJ actions.  Additionally, Section 508 imposes specific obligations on software applications and operating systems and intranet and Internet websites.

It’s very likely a future version of WCAG will form a foundation of the DOJ’s guidance; the DOJ has referred to the WCAG as a recognized international industry web accessibility standard. If the DOJ’s advice aligns with this standard, it will likely mean only minor accessibility adjustments will be required by companies that are already WCAG compliant. If you have international users of your digital properties and/or an international presence, consider whether international standards such as Canada’s Standard on Web Accessibility, the UK’s Disability Discrimination Act, and France’s AccessiWeb impose any obligations above and beyond WCAG 2.0 AA.

(2) Ensure your app developers are also familiar with OS assistive capabilities such as Google Talkback and VoiceOver for iOS.  Google and iOS both have assistive software.  Apple offers VoiceOver, a gesture-based screen reader integrated with iOS.  Google Talkback similarly enhances Android with spoken, audible and vibration feedback to better enable use of Android devices by visually impaired persons.  Your app developers should understand these and other assistive technologies available for app operating systems so they can utilize them to the fullest extent possible.

(3) Perform an accessibility audit of your digital properties. An accessibility audit will help you understand what accessibility improvements are needed to ensure WCAG 2.0 AA and Section 508 compliance, as well as the cost and resources that will be required for your company to achieve compliance.  Being able to demonstrate the costs of compliance vs. some of the settlements forced by litigants and the DOJ can help add a quantifiable metric to the risk analysis. An internal audit can be helpful to ensure your internal team understands the accessibility requirements, but also consider using third party tools and partners such as SiteImprove, IBM’s Rational Policy Tester Accessibility Edition, ACCVerify, or ComplianceSherriff.

(4) Make “accessibility by design” part of your creative development process. Many of the visual design elements we take for granted, such as layouts, have a very different meaning (if any) to a visually disabled person. Audiovisual content is very different to a hearing-impaired individual – it can be very difficult for a captioned video to deliver the nuances of inflection that often go into a vocal performance.  Consider the user experience of someone hearing your copy (not just reading it), or reading your video or narration (not just hearing it).  Consider having your marketing and design teams use screen readers and watch captioned videos for a better understanding of that experience with their content. Include audio captions in videos or narrated presentations to assist hearing-impaired individuals. Look at what features and functionality are available to assist you with enabling accessible creative content.

(5) Make it part of your coding and testing DNA, too. Ensure your web design techniques promote accessibility. Make the WCAG 2.0 AA guidelines, Section 508 requirements, and OS assistive capability support part of your development requirements for any new coding project or project refresh.  When contracting with web and app developers and with web and commerce platform vendors, ask them for examples of projects they’ve done which were assistive technology and guideline compliant, and require them to follow accessibility guidelines. Use web design tools that support and enable accessibility.  When you develop customer profiles for testing, consider adding profiles for visually-impaired and hearing-impaired users.

Website and app accessibility compliance can seem daunting, but it doesn’t have to be. Knowing accessibility requirements and guidelines, and your company’s current implementation of them in its digital properties, is an important first step.  Making a plan to build accessibility into your company’s design and development DNA, and implementing accessibility support and features in your digital properties, can help keep you ahead of both accessibility litigation and future government regulations.