Stay ADvised: 2024, Issue 22
In This Issue:
- California's Got False Advertising on Its Mind With Bill Regulating Claims You're "Buying" Digital Goods
- Marriott Settles Data Breach Kerfuffle in Separate but Related FTC and Multistate AG Actions
- PepsiCo Scores Win on Plastic Pollution, But Lawsuits Keep Bubbling Up
- Class Action Claims Popular Fertility Company's Embryo Genetic Test Is False Advertising
California's Got False Advertising on Its Mind With Bill Regulating Claims You're "Buying" Digital Goods
Among a spate of consumer protection laws recently signed into law by California Gov. Gavin Newsom is a bill expanding California's false advertising laws to add certain requirements relating to the advertising of digital goods such as games, movies, music, and e-books.
Prior to the amendment, California's false advertising statute prohibited untrue or misleading statements in connection with the sale of services, physical goods, or real property. The amendment, AB 2426, adds a new requirement that companies selling digital goods make clear when a purchase provides the consumer only with a revocable license to access the good, rather than permanent unrestricted ownership.
To which types of digital media does AB 2426 apply?
The law covers digital audiovisual works (such as motion pictures, musicals, videos, news and entertainment programs, and live events), digital apps or games, digital audio works (such as songs, music, audiobooks, ringtones), digital books and digital codes (i.e., a code that provides the user with access to another digital good). The law expressly excludes "a cable television service, satellite relay television service, or any other distribution of television, video, or radio service."
What does the law require?
The law prohibits a seller of digital goods from advertising the product using terms such as "buy" or "purchase," or any other term that a reasonable person would understand to mean unrestricted ownership interest in the digital good, unless the seller either:
(1) receives affirmative acknowledgment from the consumer, at the time of the transaction, that the consumer understands they are receiving licensed access and the restrictions and conditions of the license, or
(2) provides the consumer before finalizing the transaction a "clear and conspicuous" statement that the buyer is simply obtaining a license to access the digital good, accompanied by a link, QR code, or other means of accessing that license.
An acknowledgment under part (1) must be "distinct and separate" from any other terms applicable to the transaction.
What are the exclusions?
AB 2426 does not apply to subscription services that provide access only during the subscription term, free digital goods, and digital goods offered when the seller can't revoke access after the transaction, including by making the digital good available for permanent offline download.
Key Takeaways
Signed into law on September 24, 2024, AB 2426 goes into effect July 2025. Providers of digital goods who wish to continue to use terms such as "buy" and "purchase" in their advertising for digital goods should make sure they modify their sales transaction processes to include either (1) a process to receive acknowledgment from consumers that they are receiving a license that can be revoked at any time or (2) a process to provide, prior to completion of the transaction, clear and conspicuous notice that the buyer is obtaining a license and means to access that license.
Marriott Settles Data Breach Kerfuffle in Separate but Related FTC and Multistate AG Actions
In a pair of concurrent settlements stemming from parallel investigations, hotel juggernaut Marriott has agreed to pay $52 million and implement a complementary information security program to settle allegations that, despite representing that it had robust data privacy and security protections in place, it failed to protect customer data in three separate data breaches that occurred between 2014 and 2020.
In 2015, shortly after Marriott's acquisition of Starwood, Starwood notified consumers that it had experienced a 14-month data breach that compromised credit card information. Then in 2018, "despite having responsibility for Starwood's information security practices and network following the acquisition," Marriott discovered a data breach that had been ongoing from 2014 to 2018, compromising the personal information of 339 million consumers. Last but not least, Marriott announced in March 2020 that malicious actors had been accessing personal consumer information undetected since September 2018. The records impacted included names, mailing addresses, birth dates, account information, payment card data, passport numbers, and more.
Per the FTC's complaint, Marriott failed to provide "reasonable and appropriate security for the personal information" it collected from its customers. In particular, the complaint alleges that Marriott failed to implement such basic data security controls as password controls, or to update outdated software in a timely manner. Marriott also allegedly didn't monitor and log network environments, which left its data vulnerable to malicious actors. It failed to put in place appropriate access and firewall controls and to apply multifactor authentication.
As part of the terms of the FTC settlement, Marriott must cease misrepresenting its data collection and storage practices. Additionally, it must implement the following:
- A data minimization policy must ensure that the company retains personal information for the least necessary amount of time.
- A comprehensive information security program must be put in place and the companies need to certify compliance with the FTC over the course of 20 years, as well as submit to a third-party assessment every two years.
- Loyalty rewards program account review must restore loyalty points stolen by bad actors.
- Marriott and Starwood must provide customers with a link to request deletion of their personal information.
The state AG settlement requires similar protections but also includes a $52 million payment to the states and implementation of specific consumer protections such as data deletion, strengthening data security practices through adoption of a "risk-based" cybersecurity program. The state AG settlement also requires Marriott to implement a comprehensive information security program.
Key Takeaways
This settlement is a reminder to remain vigilant against data breach risks through regular risk assessments as well as through robust privacy practices such as two-factor authentication and data minimization. Advertisers can and should look to the settlement terms for guidance into the types of data privacy practices they might do well to consider as part of their own privacy programs.
PepsiCo Scores Win on Plastic Pollution, But Lawsuits Keep Bubbling Up
In a glaring rebuke to certain legal theories New York Attorney General Letitia James had previously called "groundbreaking," a New York State Supreme Court judge has dismissed a lawsuit brought by James alleging that the impact of PepsiCo's plastic packaging on the environment is a public nuisance and that PepsiCo misled the public about just how effective the recycling of its plastic bottles is. But even as the judge's scathing review of AG James' arguments disposed of that suit, Los Angeles County has filed a similar lawsuit alleging that PepsiCo and Coca-Cola Co. lied about the effectiveness of recycling their plastic bottles and other packaging.
As we covered in Stay ADvised back in December 2023, James' suit alleged that PepsiCo's advertising misleads consumers about the extent to which its single-use plastic bottles can be recycled and how well PepsiCo's recycling program works to counterbalance the impact of consumers' use of plastic bottles on the environment. James' suit also argued that the impact of the company's plastic bottles and packaging constitutes a public nuisance that contributed to pollution in New York.
New York Supreme Court Judge Emilio Colaiacovo did not buy James' arguments. According to the order dismissing the suit, permitting the AG to pursue her public nuisance action against PepsiCo would open the door to more baseless lawsuits against companies going after any perceived harm that the plaintiff could dream up without having a specific statutory basis for the claims. The court found that the suit was a misguided attempt to impose civil liability on the manufacturer for the conduct of its consumers, who are the ones responsible for purchasing and failing to properly or responsibly dispose of the plastic bottles.
"Absent evidence showing that these products are deceptive or unlawful, it is hard to ascertain any duty that Defendants owed. If courts refused to impose a duty of care on firearm manufacturers, it is difficult to see how imposing such a restriction on those who produce bottles and wrappers is viable," said the court.
The court also took umbrage with what it characterized as an attempt to pin the plastic pollution problem on one company "despite thousands of other producers of the same materials who have seemingly escaped such scrutiny."
Similarly, the court rejected the Attorney General's General Business Law Section 349 argument, finding that she failed to allege how PepsiCo engaged in deceptive conduct, instead only offering conclusory allegations that PepsiCo made "false representations." According to the judge's order, PepsiCo has no affirmative obligation to provide a warning that its products might cause plastic pollution, nor do its aspirational claims that it would reduce its plastics use constitute deception.
Possibly having anticipated this result, just one day before the decision came down, Los Angeles County filed a lawsuit alleging that PepsiCo and Coca-Cola have spread deceptive information about the impact of their plastic bottles and their recyclability, based on—you guessed it— legal theories of public nuisance and false advertising claims.
The California complaint alleges that the companies have created "theater" to make consumers feel good about their purchasing choice of single-use plastic while continuing to be among the top plastic producers (and polluters) in the world. The companies' marketing deceives consumers and worsens the "plastic pollution crisis," says Los Angeles. The complaint further alleges that the companies' claims that their policies are "sustainable" constitute greenwashing, and are merely an attempt to "push false solutions while maintaining profits." Finally, the Los Angeles complaint argues that the beverage companies also fail to disclose the presence of microplastics in their products.
Key Takeaways
As we await updated Green Guides from the FTC, states continue to be active in the greenwashing world—even as different outcomes ensue. Clearly, PepsiCo's woes, and those of other large plastic producers, are not over.
Class Action Claims Popular Fertility Company's Embryo Genetic Test Is False Advertising
Claims made by a preimplantation fertility testing company that its product can improve pregnancy rates and decrease chances of miscarriage are false advertising, according to the plaintiff in a newly filed putative class action lawsuit.
The suit accuses Reproductive Genetic Innovations (RGI), which markets a genetic test for improved early pregnancy and implantation outcomes, of specifically targeting its misleading marketing to a vulnerable and unsuspecting consumer population.
RGI markets and sells the "PGT-A" genetic test. It is advertised as a genetic test that checks for embryo abnormalities prior to implantation. The company claims that its users can increase the chances of a viable pregnancy by not using embryos that the test indicates have certain chromosomal abnormalities.
PGT-A is marketed as an "add-on" to the IVF procedure. According to the complaint, IVF clinics send an embryo cell sample to RGI for testing to determine whether the sample exhibits certain chromosomal abnormalities that may affect the embryo's ability to implant. The results determine which embryos are "best suited for implantation" and which are not.
The plaintiff alleges that RGI markets the PGT-A test as a highly accurate way of predicting whether a viable pregnancy will occur, touting accuracy rates of 98%. The company markets the test as "improving pregnancy rates, reducing the risk of miscarriage, increasing the success of IVF, and increasing the chances of a healthy baby," according to the complaint.
According to the plaintiff, however, these advertising claims are false and misleading. The complaint alleges that, contrary to RGI's representations, PGT-A is "unproven, lacking in validation, and unable to provide reliably accurate results." Further, the complaint asserts that there have been no "randomized, properly structured, non-commercial trials" to support RGI's representations and the marketing claims.
The complaint also alleges that in addition to affirmatively misleading users about the effectiveness of the PGT-A test, RGI has "concealed and omitted [from consumers] material information," such as by failing to disclose that the test is "experimental" or to tell consumers that the test in fact has a "substantial degree of inaccuracy [and] unreliability."
According to the complaint, the company's advertising for these tests has contributed to a recent increase in the use of the PGT-A testing by IVF clinics and patients despite insufficient evidence that it actually works, with about 40% of IVF cycles in the United States utilizing the test.
These tests can cost around $5,000 per round of IVF and have netted the company handsome profits in the hundreds of millions of dollars, the complaint alleges. Meanwhile, potential class members have experienced ascertainable economic losses in the thousands of dollars, says plaintiff.
Key Takeaways
This lawsuit against RGI is one of several pursuing similar claims against other fertility companies making what plaintiff alleges are untested and unsubstantiated claims about preimplantation genetic testing. Given arguably heightened public and political interest in IVF, it will be particularly interesting to see how these cases progress.