Regulatory Developments in Israel

Israeli Central District Court determines that Google's Remarketing Practice does not constitute SPAM according to the applicable Israeli Law

On 18 September 2014, the Israeli Central District Court rejected a request for a class action directed against Google, addressing the legality of Google's Remarketing practice under Amendment 40 to the Israeli Communications Law (the “Spam Law”).

According to the complaint, Google displayed advertising material to users who had previously visited a website (remarketing / retargeting), without obtaining the prior written consent of the recipients. The request for the class action sought damages under the Spam Law, which regulates the practice of sending unsolicited commercial marketing materials to recipients by way of e-mail, fax, automatic phone dialing systems or text messaging. The Spam Law establishes a general rule that an Israeli advertiser may not send commercial communications via such technologies, without obtaining the written permission of the recipient in advance.

In its decision, the court determined that the scope of the communication's technologies specified in the Spam Law, does not cover remarketing practice, as such practice does not meet the definition of dispatching an e-mail, as provided for in the Spam Law.

Regulatory Developments in the United States

U.S. Federal Court has ruled on consumer's actual notice of online terms of use agreement 

Last month, the U.S. Court of Appeals for the 9th Circuit, published a ruling discussing the required notice for a constructive consent on the part of the consumer, with regard to a contract formed on the internet.

The Court held that where a website makes its terms and conditions or terms of use agreement available via a conspicuous hyperlink on every page of the website, but otherwise provides no notice to users or prompts them to take any affirmative action to demonstrate assent, then even close proximity of the hyperlink to relevant buttons which users must click on – without more – is insufficient to substantiate constructive notice with regard to the Terms of Use Agreement. With respect to the matter before the Court, in the absence of an actual notice, the Court concluded that the parties had not entered  into a valid terms of use agreement.

This ruling illustrates the courts' traditional reluctance to enforce "browsewrap" agreements (in which a website’s terms and conditions are posted via a hyperlink, as opposed to "clickwrap" agreements, where the website users are required to click on an “I agree” box after being presented with a list of the applicable terms and conditions) against individual consumers, thereby applying a more rigorous standard while assessing the inquiry notice of the terms of use agreement. The ruling further emphasizes the importance of substantiating an actual notice of the terms of use to the user (i.e. by actively approving the terms of use agreement), in order to infer aconstructive assent on the user's part.

For your convenience, the full ruling is available here

Yelp and TinyCo settle FTC charges their Apps which improperly collected children’s Personal Information

The online review site Yelp, Inc. and mobile app developer TinyCo, Inc., agreed to settle separate Federal Trade Commission (“FTC”) charges that each of them improperly collected children’s information in violation of the Children’s Online Privacy Protection Act (COPPA).

Under the terms of the settlements, Yelp will pay a $450,000 civil penalty, while TinyCo will pay a $300,000 civil penalty.

According to the FTC complaint, Yelp failed to implement a functional age-screen in its apps, thereby allowing children under 13 to register for the service, despite having an age-screen mechanism on its website. 

With respect to TinyCo, the FTC complaint alleged that its apps, through their use of themes appealing to children, brightly colored animated characters and simple language, were directed at children under 13 and accordingly, TinyCo was subject to the COPPA Rule. Many of TinyCo’s apps included an optional feature that collected e-mail addresses from users, including children younger than aged 13.

Under both settlements, in addition to the civil penalties, the companies are required to comply with COPPA requirements in the future and submit a compliance report to the FTC within one year, outlining their COPPA compliance program.

These enforcement cases underscore the importance of undertaking reasonable measures to ensure compliance with COPPA, including that children's information will not be collected without their parent's consent. This applies particularly to app developers which potentially target a children’s audience.

The FTC targets more than 60 Advertisers

The FTC recently directed warning letters to advertisers, in a wide range of industries, which failed to make adequate disclosures in their ads. The enforcement operation, called “Full Disclosure”, focused on disclosures that were in fine print or were otherwise easy to miss or hard to read, yet contained important information which was needed in order to avoid misleading consumers.

The FTC letters advised advertisers that to meet the “clear and conspicuous” standard, their disclosures should use clear and unambiguous language and should stand out in the advertising - consumers should be able to notice disclosures easily; they should not have to look for them.  

The inadequate disclosures identified in the ads fell into many different categories:

  • Many ads quoted the price of a product or service, but did not adequately disclose the conditions for obtaining that price, while others did not adequately disclose an automatic billing feature.
  • Other ads claimed a product capability or that an accessory was included, butdid not adequately disclose the need to first own or buy an additional product or service.
  • In some ads, the advertiser claimed that a product was unique or superior in a product category, but did not adequately disclose how narrowly the advertiser defined the category, while other comparative ads did not adequately disclose the basis of their comparisons
  • Ads promoting a “risk-free” or “worry free” trial period did not adequately disclose that consumers would need to pay for initial or return shipping.
  • Numerous other ads made absolute or otherwise broad statements and had inadequate disclosures explaining exceptions or limitations.
  • Weight-loss ads featuring testimonials claiming outlier results did not adequately disclose the weight loss that consumers generally could expect to achieve.
  • Other ads did not adequately disclose issues related to the safety or legality of a product or service.
  • Some ads also made false claims that the advertisers attempted to cure with contradictory disclosures, which were not sufficient to prevent ads from being deceptive. 

While the operation focused on television and print advertisements, the FTC announced it follows a recent FTC effort to address online disclosures in new media.

FTC approves final orders settling charges against Fandango and Credit Karma

The FTC has approved final orders settling charges against two companies – Fandango, Inc. and Credit Karma, Inc – whose mobile apps left consumers’ sensitive personal information, including credit card information and Social Security numbers,vulnerable to interception by third parties.

The complaints against the Fandango and Credit Karma alleged that the companies disabled a process called SSL certificate verification that would have protected consumers’ information.

The settlements require the companies to establish comprehensive security programs designed to address security risks during the development of their applications and to undergo independent security assessments.

The settlements further illustrate the importance of implementing strict and adequate security measures with respect to securing sensitive personal information.

Regulatory Developments in the Europe

EU Privacy Regulators give Google guidelines to change privacy practices

Last week (23 September 2014) the advisory group of the European data privacy regulators (“Article 29 Working Party”) sent to Google a package of guidelines to help it in the way it collects and stores user data in line with EU law after six regulators had opened investigations into the company’s privacy practices.

According to the letter sent by the Article 29 Working Party to Google CEO, Larry Page:“at the beginning of 2012, EU data protection authorities launched an in-depth investigation to assess the compliance of Google’s privacy policy with European Data Protection legislation. This process unveiled several issues with the privacy policy and the combination of data across services. Following this investigation, national procedures were conducted in 2013 and 2014 in a number of EU Member States, some of which concluded that the current privacy policy did not meet the requirements laid down in the respective national laws”. Accordingly, “in order to guide Google in this compliance effort, the Article 29 Working Party has developed guidelines containing a common list of measures that your company could implement”.

The guidelines sent to Google are available here and we recommend reading these guidelines in order to ensure compliance with their key principles.

Facebook has to answer to Privacy complaints made in a Class Action Suit

In August 2014 the Vienna Regional Court ruled that Facebook must respond to a class action suit filed against the company’s Irish subsidiary.

The class action suit was filed by a privacy activist and lawyer, Max Schrems, together with tens of thousands other people. In response, the court ruled that the company must respond to the privacy complaints against it, otherwise the court will rule without its response.

The law suit covers a range of allegations over Facebook's data usage and privacy policy, including that its data use policy is invalid under EU law, absence of effective consent to many types of data use, tracking of internet users on external websites (e.g. through the “Like” button), monitoring and analysis of users through “big data” systems, unauthorized passing on of user data to external applications, and more.