Caveat Employer: Let the Employer Beware of Employee Endorsements on Social Media Websites

Posted on January 5, 2010 by Employment Litigation Practice Group

Employers already face concerns about how to handle employees trash-talking about them on blogs, Facebook and other social media. Now, employers must be cautious of the converse — employee endorsements of their employers’ products and services on social media websites. The Federal Trade Commission (FTC) recently issued updated guidelines aimed at protecting consumers from misleading endorsements and advertising. As these guidelines make clear, employers whose employees use social media like blogs or Facebook to comment on their employer’s products or services face potential liability, even where the employer has not authorized or ratified the employee’s remarks.

The FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising, published in the Federal Register at 16 C.F.R. Part 255 (the “guidelines”), address the application of Section 5 of the FTC Act (the “Act”) – which prohibits unfair or deceptive acts or practices and unfair competition in or affecting commerce -- to the use of endorsements and testimonials in advertising.

In the guidelines, the FTC identifies the general principles it will apply when evaluating whether endorsements and testimonials, including those given by employees about their employers’ products and services, are deceptive. The guidelines provide specific examples, and suggest that employees endorsing their employer’s products or services have a duty to disclose to their audience their relationship to an employer at the time they give the endorsement or testimonial. To be an endorsement or testimonial subject to these guidelines, the posting must be a message “that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser. The party whose opinions, beliefs, findings, or experience the message appears to reflect will be called the endorser...” 16 C.F.R. Part 255.01(b).

The duty of disclosure applies even when the employee’s endorsement appears on a site that is not maintained by the employer or employee (such as a popular “bulletin board”) and the statement itself is not misleading. See 16 C.F.R. Part 255.5 (entitled “Disclosure of material connections”), Example 8. Failure to make such disclosure may expose the employer to liability under the Act.

If employees make misleading statements about the employer’s products and services that result in injury to consumers, the FTC may bring an enforcement action against the employer. The FTC reports that it has brought enforcement actions against employers “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury, but the FTC suggested in comments on the guidelines that it would be unlikely to take action against an employer for the conduct of a single “rogue” employee whose conduct violated an adequate company policy.

Additionally, because postings on blogs and Facebook pages can reach wide audiences, employers may be vulnerable to large-scale liability like class-action lawsuits by consumers and/or legal action by state attorneys general.

In view of this latest possible exposure to employers from employees’ use of blogs and social websites, employers should consider reviewing their electronic communications or social media policies to ensure: (1) that they have policies addressing the use of the company’s name, trademarks, and other proprietary information in blogs and other social media; and (2) that these policies include either prohibitions or appropriate guidance regarding references to company products or services. Such prohibitions and/or guidance should no longer be limited to criticisms of the employer and its products and/or services. Endorsements, if permitted at all, should be limited to truthful and verifiable statements, or should be subject to prior approval by management. And in either event, such statements must be accompanied by an employee’s written disclosure of the employment relationship so that consumers can fairly weigh the testimonial.

This entry was written by Lisa Brauner.

Tags: , , , , , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Multinationals Certified to the U.S.-E.U. Safe Harbor Agreement Beware: The Federal Trade Commission Has Bared Its Enforcement Teeth

Posted on October 13, 2009 by Privacy and Data Protection Practice Group

European FlagSince its inception in the year 2000, the U.S.-E.U. Safe Harbor Agreement has attracted nearly 2,000 multinationals seeking to establish a lawful basis to transfer to the U.S. the personal data of their consumers and employees who reside in the European Union (E.U.). To obtain the benefits of the Safe Harbor, these organizations are required to (a) certify to the U.S. Department of Commerce that they have implemented the seven Safe Harbor principles, (b) post for their employees and/or customers (depending upon the type of personal data being imported from the E.U.) a Safe Harbor privacy policy that embodies those principles, and (c) implement policies and procedures to ensure that the organization processes personal data received from the E.U. in compliance with the privacy policy. The Safe Harbor certification must be updated annually.

Until just a few weeks ago, the Federal Trade Commission (FTC), which enforces the Safe Harbor, had not commenced a single enforcement action in the nine years that the Safe Harbor has been in effect. Last week, the FTC requested public comment on six separate settlements of complaints alleging that multinationals had violated the Safe Harbor by representing to the public that they were current members of the Safe Harbor even though their certification was not up-to-date. Notably, the settlements do not include any monetary penalties, but instead would enjoin the targets from future misrepresentations about their Safe Harbor status.

The lessons learned include the following:
 

  • Multinationals must take compliance with all of the Safe Harbor’s requirements seriously; there is now some enforcement risk.
  • The nature of the enforcement risk is uncertain. The FTC’s charges required virtually no enforcement resources. The agency had to do nothing more than compare the target’s statements in their publicly posted Safe Harbor privacy policy against the certification records maintained by the Commerce Department. These settlements do not (at least yet) reflect the agency’s intention to perform on-site audits to determine whether the multinational’s internal process for handling personal data actually conforms to the seven Safe Harbor principles embodied in the organization’s Safe Harbor privacy policy.
  • The next, most likely enforcement step would be the FTC’s request to review the mandatory, annual self-assessment or third-party assessment of Safe Harbor compliance. The FTC would not have to expend any resources to “look behind” the assessment to find a violation. The failure to conduct the required annual assessment itself would be a violation.
  • Given the above, multinationals certified to the Safe Harbor should promptly confirm that their certification is current and conduct an assessment of their compliance with the Safe Harbor if they have not performed one during the preceding year. To the extent the assessment reveals any gaps in compliance, the gaps should be closed.

This entry was written by Philip L. Gordon.

Photo Credit: S. Solberg J.
Tags: , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link