<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Baer Business Law - Greater Philadelphia Area - Intellectual Property Law - Business Law - E Commerce - Contracts - Trademarks - Copyrights &#187; advertising law</title>
	<atom:link href="http://www.baerbizlaw.com/category/blog/tag/advertising-law/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.baerbizlaw.com/category/blog</link>
	<description></description>
	<lastBuildDate>Tue, 07 Sep 2010 20:32:00 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>National Online Privacy and Data Security Bill Coming?</title>
		<link>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/</link>
		<comments>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 17:04:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[behavioral advertising]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=971</guid>
		<description><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses collecting information online have to worry about a kaleidoscope of legislative and regulatory requirements on both the state and federal levels.  </p>
<p>You&#8217;ve met the <em>dramatis personae</em> on this blog over the past year or so:  the Federal Trade Commission, which issued a <a href="http://www.baerbizlaw.com/ftc-privacy-050409/">staff report in February 2009 containing &#8220;self-regulatory&#8221; guidelines for online behavioral advertising</a> and now is panting to go further; the State of California, one of several that requires the posting of a website privacy policy and use of data security safeguards, including vendor oversight; the State of Nevada, which requires the <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law/">encryption of personal information</a>; and the Commonwealth of Massachusetts, source of <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/">the most comprehensive information security regulation in the nation</a> (201 CMR 17.00, which went into effect on March 1, 2010).</p>
<p>The patchwork is so befuddling that a reporter once barked at me in frustration:  &#8220;You mean a business has to hire someone like <em>you</em> to keep track of all of this?&#8221;  No offense meant, of course.  None taken, I replied, but the answer was yes.  In an indirect way, the FTC funds my Philly Beer Week expenditures.</p>
<p>Now the federal bear is beginning to growl.  After reading the draft legislation unveiled by U.S. Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL) on May 4 &#8212; which has attracted <a href="http://www.the-dma.org/cgi/dispannouncements?article=1448">strong comments by the Direct Marketing Association</a>, along with <a href="http://techliberation.com/2010/05/04/statement-on-house-privacy-discussion-draft">criticism from the Technology Liberation Front</a> and others &#8212; I&#8217;m trying to decide whether things just got better or worse for my clients.  Actually, scratch that.  This bill needs to be rewritten, since it takes a top-down, process-heavy Gramm-Leach-Bliley type of approach and tries to plaster it onto the vast domain of cyberspace.  (The Gramm-Leach-Bliley Act is the seminal 1999 financial privacy bill that requires financial institutions to provide initial and annual privacy notices to their customers and a way for them to opt out of having their personal information shared with unaffiliated marketers.  No doubt you read every line of the GLBA privacy notice your bank sends you every year.  Anyway, there is a real strong musty whiff of GLBA in the Boucher-Stearns draft.)<br />
<div id="attachment_1018" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2010/06/Dan-Baird-300x205.jpg" alt="Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.   (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). " title="Dan Baird" width="300" height="205" class="size-medium wp-image-1018" /><p class="wp-caption-text">Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.    (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). </p></div><br />
<strong>Preemption</strong></p>
<p>On the plus side, the draft legislation would set a single national online privacy and data security standard that preempts (supersedes) state privacy and data security laws &#8212; one-stop shopping, unless you&#8217;re unfortunate enough to also be covered by GLBA, HIPAA, the CAN-SPAM Act or the Children&#8217;s Online Privacy Protection Act, in which case it&#8217;s unclear how the inconsistencies with the draft legislation would be resolved.  </p>
<p><strong>Data Security</strong></p>
<p>The data security requirements generally follow those in the FTC Safeguards Rule promulgated under GLBA and are flexible and risk-based (appropriate administrative, technical and physical safeguards, as determined by the FTC, for protecting the security, confidentiality and integrity of covered information and preventing unauthorized loss, destruction, disclosure or misuse) as opposed to the one-size-fits-all prescriptive approach used by the encryption-happy legislature in Nevada.  There is no notification requirement in the event of a data breach, although the safeguards must be sufficient to determine the scope of the breach and remediate its effects.  The data security provision of the draft bill also contains a rather bizarre clause that, without any further explanation, requires a covered entity to establish reasonable measures to &#8220;assure the accuracy&#8221; of the information it collects.  </p>
<p>Here&#8217;s the kicker, though: the Boucher-Stearns draft <strong><em>does not track state data security laws like Massachusetts&#8217; in limiting its coverage to first and last name (or first initial and last name) combined with financial account number or government-issued identification number (e.g., Social Security number or driver&#8217;s license number)</em></strong>.  <strong><em>In fact, &#8220;covered information&#8221; as defined in the bill includes name, address or contact information.</em></strong>  Practically speaking, then, this represents a potentially onerous expansion of existing data security regulation, even though the security requirements themselves resemble existing rules.<br />
<strong><br />
What information is &#8220;covered&#8221; by the bill?</strong></p>
<p>Covered information includes <strong>any</strong> of the following:  first name or initial together with last name; postal address; phone or fax number; e-mail address; unique biometric data; government-issued identification number; financial account number and any code or password necessary to permit access to the account; unique identifier (such as an IP address or customer number) if used to collect, store, or identify information about a specific individual or a computer, device or software application owned or used by a particular user or that is otherwise associated with a particular user; and &#8220;preference profile&#8221; (defined as &#8220;a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity&#8221;).</p>
<p>The draft bill therefore abandons the current regulatory focus on &#8220;personal&#8221; or &#8220;personally identifiable&#8221; information in favor of the FTC position that any data that is linkable to a specific web user or device requires protection.  </p>
<p><strong>Privacy:  And Now for Something Completely Different</strong></p>
<p>The privacy requirements of the draft legislation would drastically reshape the state of the world.  Here&#8217;s a high-level overview:</p>
<p>The bill would generally preserve the current practice of providing notice of a site&#8217;s privacy practices and an ability to opt out prior to any collection, use or sharing of information online BUT would require affirmative express consent (that is, an opt-in) before covered information could be shared with unaffiliated third parties.  These requirements would not apply to information collection, use and sharing for transactional or operational purposes (i.e., as necessary to effectuate a transaction between the site and an individual).  Sharing of information with a service provider which assists the site to effectuate a &#8220;first-party transaction&#8221; with the individual is also permitted, subject to an opt-out consent requirement.  Finally, the bill includes a behavioral advertising exception whereby information could be shared with online advertising networks without opt-in consent, but subject to certain notice and opt-out requirements, such as the prominent display of a notice or seal on the covered entity&#8217;s website and on or near targeted advertisements, along with a link to information about behavioral advertising and how consumers can opt out. </p>
<p>For the required &#8220;notice,&#8221; every site that collects covered information would need to post clearly and conspicuously (and make accessible via a link on its home page) a privacy policy containing the mandatory disclosures.  (The draft bill also contains privacy notice requirements for covered information collected offline, so if it is passed, businesses should consider adopting an integrated, holistic privacy policy covering all aspects of their operations.)  Some of these disclosures are already standard practice, such as a description of the information collected, purposes for collecting and using the information, how the information is collected, categories of third parties with which the information may be shared, and how individuals may obtain access to their information.  Other disclosure requirements break new ground, such as:</p>
<p>◊ how information may be merged, linked or combined with other information from unaffiliated sources<br />
◊ how information is stored by the entity<br />
◊ how long the information is retained in identifiable form<br />
◊ how the entity disposes of (or renders anonymous) covered information after the end of the retention period<br />
◊ a means to contact the entity with any inquiries or complaints about the handling of covered information<br />
◊ consent mechanism as required by the bill</p>
<p>Notably the draft legislation would codify the FTC&#8217;s <em>diktat</em> that material changes in privacy practices cannot be applied retroactively (i.e., to information collected prior to their posting), and information cannot be shared for purposes previously undisclosed that an individual would not reasonably expect, unless the entity gets the individual&#8217;s opt-in.</p>
<p>Finally, in its February 2009 staff report on behavioral advertising, the FTC posited that certain information might warrant special protection due to the increased risk of harm or embarrassment to the individual.  Sure enough, the draft legislation would also create a special category of &#8220;sensitive information&#8221; for which an opt-in is required prior to collection.   &#8220;Sensitive information&#8221; includes, when associated with covered information of an individual, information about medical history or condition; information about financial accounts; information about sexual orientation, race, ethnicity or religious beliefs; and &#8212; interestingly &#8212; &#8220;precise geolocation information.&#8221;   </p>
<p><strong>Am I Gonna Get Hit by This?</strong></p>
<p>If it passes, and if you collect covered information (which you probably do) either online or offline, then yes, unless you have a very small customer or user base or are a government agency.  Excluded from the draft legislation&#8217;s reach are government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period.  However, if you collect any sensitive information at all, you are covered even if your customer or user base is under 5,000.   </p>
<p><strong>Who Is Going to Come After Me If I Don&#8217;t Comply</strong>?</p>
<p>The primary enforcer would be the FTC, the big 900-pound gorilla in this draft legislation, since it would have the power to prosecute violations as unfair or deceptive acts or practices and would also acquire broad rulemaking authority to regulate online privacy and data security (although the draft bill prohibits the FTC from requiring specific technologies or software).  Based on the FTC&#8217;s activity to date in these areas, the agency would not be shy about using this power.  State attorneys general and consumer protection agencies could also enforce the law.  Private actors, however, have no right of action.  </p>
<p>Undoubtedly the Boucher-Stearns draft legislation will be heavily changed before it is passed, if it is even passed.  Significant problem areas, as pointed out by the DMA and other commenters, are the expansive definition of covered information (which would lump mere name and contact information into the same protected category as Social Security numbers) and the requirement of an opt-in to share covered information with unaffiliated marketers.  This regime is even more restrictive than GLBA and is a huge departure from how business is currently conducted on the Internet.  If the bill passes in anything resembling its current form, expect to be bathed in disclosure and to paddle through a profusion of annoying click-throughs. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tiffany Ticked Off</title>
		<link>http://www.baerbizlaw.com/category/blog/tiffany-ticked-off/</link>
		<comments>http://www.baerbizlaw.com/category/blog/tiffany-ticked-off/#comments</comments>
		<pubDate>Fri, 09 Apr 2010 15:20:24 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[Tiffany v. eBay]]></category>
		<category><![CDATA[trademarks]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=836</guid>
		<description><![CDATA[<p>Just in time for Mother&#8217;s Day comes a new federal court ruling on the responsibility of online marketplaces for trademark infringement by seller[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/tiffany-ticked-off/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Just in time for Mother&#8217;s Day comes a new federal court ruling on the responsibility of online marketplaces for trademark infringement by sellers on these sites.  This was a clash of the titans, the antagonists being the premium jewelry manufacturer Tiffany and the world&#8217;s leading auction site, eBay.  In its ruling, <em>Tiffany (NJ), Inc. v. eBay, Inc.</em>, No. 08-3947-cv (2nd Cir. April 1, 2010) (<a href="http://www.eff.org/deeplinks/2010/04/tiffany-v-ebay-what-about-put-back">downloadable here</a>), the court upheld the lower court&#8217;s decision that generalized knowledge of numerous listings of counterfeit Tiffany sterling silver jewelry on the site did not render eBay liable for either direct or contributory trademark infringement or dilution.  </p>
<p>I consider this a significant, if qualified, victory for online marketplaces and forums as well as consumers.  Significant, because a contrary result would have imposed potentially crippling liability on these venues and forced them to adopt ever more draconian measures to filter user content and terminate users based on educated guesses and unproven allegations.  Qualified, because the irony of this case is that eBay actually used a broad range of costly preventive and remedial measures to protect Tiffany&#8217;s trademarks and prevent sales of counterfeit Tiffany products.  These measures included:  canceling sales and reimbursing buyers of counterfeit products, deploying a &#8220;fraud engine&#8221; to filter out illegal Tiffany listings, responding within 12-24 hours to Tiffany&#8217;s take-down requests submitted through eBay&#8217;s highly respected <a href="http://pages.ebay.com/help/tp/vero-rights-owner.html">Verified Rights Owner (VeRO) Program</a>, terminating repeat offenders and sellers of multiple counterfeit Tiffany products, and manually reviewing certain Tiffany listings.  In fact, during the relevant period covered by Tiffany&#8217;s complaint, eBay had <strong>over 200 employees</strong> dedicated exclusively to combatting trademark infringement.  </p>
<p>Both the district court and the appellate court were clearly impressed by the seriousness with which eBay took infringement and counterfeiting.  Obviously, this was not a case of a website looking the other way.  But eBay sets a very, very high standard for other online marketplaces.</p>
<p>Despite all these protections, a &#8220;significant portion&#8221; of Tiffany jewelry listed on eBay was counterfeit, a fact of which eBay was aware.  After determining that eBay&#8217;s use of sponsored-link advertisements on Google and Yahoo! touting the presence of Tiffany products on eBay was not direct trademark infringement (because the use of Tiffany&#8217;s mark was necessary to describe Tiffany products and did not falsely imply any affiliation with or endorsement by Tiffany), the court turned to the bigger issue:  to what extent was eBay responsible for the infringement of its sellers?  The court applied the Supreme Court&#8217;s rule in <em>Inwood Laboratories, Inc. v. Ives Laboratories, Inc.</em>, 456 U.S. 844 (1982) to hold that <strong><em>a service provider can be liable for contributory trademark infringement if it (1) intentionally induces someone else to commit trademark infringement, or (2) continues to supply services to someone it knows or has reason to know is engaging in trademark infringement</em></strong>.  </p>
<p>Of course, no one claimed that eBay was intentionally getting its sellers to infringe Tiffany&#8217;s marks.  However, Tiffany alleged that eBay&#8217;s knowledge of the existence of continued widespread counterfeiting and infringement, despite all of its protective measures, was enough to impose liability for contributory infringement.  The court disagreed &#8212; <em>generalized</em> knowledge of infringement cannot be used to penalize a service provider for continuing to provide service to a <em>particular individual</em> where the provider doesn&#8217;t have real information to suggest that <em>that individual</em> may be using the service to infringe someone else&#8217;s trademark.  In other words, suspecting that a person might conceivably be an infringer doesn&#8217;t make you, the service provider, an enabler in a legal sense.  At the same time, the court noted that websites can&#8217;t choose to remain willfully blind when there is evidence to suggest that particular users are infringers.  However, the response doesn&#8217;t have to be perfect, and eBay had clearly done at least as much as the law expects to detect and punish infringers.  </p>
<p>Tiffany did score a lesser point when the appellate court remanded its false advertising claim under the Lanham Act for reconsideration by the lower court.  It held that while eBay&#8217;s advertisements indicating that consumers could find Tiffany jewelry on eBay were not literally false, they could be considered misleading in view of eBay&#8217;s awareness that many Tiffany-branded products sold on eBay were counterfeit.  Still, the elimination of the trademark claims significantly reduced eBay&#8217;s potential legal exposure.  </p>
<p>So, what does all this mean for you, dear web businesses?  As under the Digital Millennium Copyright Act (DMCA), you are partially protected from infringement liability flowing from the misdeeds of your site users.  But the protection is porous &#8212; if you are aware (or are in possession of information to tip you off) that particular site users are using your site or web service to infringe trademarks, you can&#8217;t blithely continue to provide service and keep out of their business.  You are NOT expected to have the knowledge of a trademark attorney and be able to judge authoritatively whether every use of a third-party trademark is infringing or not; there is room for error and miscalculation.  Mere suspicion won&#8217;t make you contributorily liable.  But you should investigate and respond expeditiously to any complaints by trademark owners.  Even better, if your site invites abundant third-party content, you should include in your website terms of use or as a separate intellectual property policy a notice and take-down procedure (like eBay does with its VeRO policy) for rights holders to follow if they wish to submit complaints of infringement.  Finally, if you are aware that certain trademarks are particularly susceptible to infringement on your site, and if economically feasible, you might consider adopting (again, as eBay did) a filtering mechanism to block or segregate for prior review postings that use the problematic trademarks.</p>
<p>For a slightly different take on a ticked-off Tiffany, please check out a <a href="http://www.eff.org/deeplinks/2010/04/tiffany-v-ebay-what-about-put-back">recent blog post on the Electronic Frontier Foundation&#8217;s (EFF) site</a>.  (The EFF, by the way, filed an amicus brief in the case on behalf of eBay.)  The EFF, like me, sees the decision as a qualified victory for web businesses and consumers.  Its main concern is that trademark law as yet does not provide a &#8220;put-back&#8221; procedure, as the DMCA does for content that is taken down by a web service provider in connection with a contested copyright infringement allegation.  </p>
<p>Guys &#8212; on a related note, if you&#8217;re thinking of buying Tiffany jewelry for that special somebody in your life, please don&#8217;t buy it on eBay.  If you&#8217;re in or near Center City, Philadelphia, go to the Tiffany store on Walnut Street between Broad and 15th.  Or use their catalog or website.  Otherwise, you may need a different type of lawyer.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/tiffany-ticked-off/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>What&#8217;s Next for Online Privacy?</title>
		<link>http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/</link>
		<comments>http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/#comments</comments>
		<pubDate>Thu, 01 Apr 2010 19:04:03 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=817</guid>
		<description><![CDATA[<p>On March 17 the Federal Trade Commission (FTC) concluded the last of its three roundtables on the state of online privacy.  A key area of scrutiny dur[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>On March 17 the Federal Trade Commission (FTC) concluded the last of its three roundtables on the state of online privacy.  A key area of scrutiny during the roundtables was the adequacy of privacy self-regulation by the online advertising industry with regard to the collection, use and sharing of information from consumers for behavioral advertising purposes (i.e., targeting customized ads to Internet users based on their activities online).  In February 2009, the FTC issued detailed self-regulatory guidelines for behavioral advertising which emphasized prominent disclosure of practices (e.g., not burying the relevant information in a website privacy policy) and providing Internet users with meaningful choice mechanisms, such as opt-outs from information sharing.  <a href="http://www.revenews.com/andrewbaer/ftc-sounds-off-on-online-behavioral-advertising-privacy-issues">For a complete description of those guidelines</a>, please check out my May 2009 article in <a href="http://www.revenews.com">ReveNews.com</a>.  </p>
<p>Two items emerged almost immediately from the roundtables and the FTC&#8217;s related comments:  (1) the FTC does not believe industry self-regulation in behavioral advertising is working, and (2) the category of &#8220;personally identifiable information&#8221; (PII) that has been used in privacy law up to this point to denote sensitive information warranting legal and regulatory protection is effectively obsolete.  </p>
<p><strong>RIP, PII</strong></p>
<p>To the latter point, studies have shown that non-personalized information like IP addresses or even browser and operating system specifications can be combined with other information gathered from online browsing to build detailed personal profiles and even identify individuals with a reasonable degree of certainty. The FTC&#8217;s 2009 behavioral guidelines anticipated a breakdown of the existing personal/non-personal information dichotomy by expanding the category of information covered by the guidelines to include information that can be used to identify a specific computer or device (not just a particular human being).  According to the FTC, such data include clickstream data that can be combined with a consumer’s website registration information; individual pieces of anonymous data combined into a detailed profile that is identifiable with a particular person; and behavioral profiles that are not associated with a particular consumer, but are stored and used to deliver personalized advertising and content to a particular device.</p>
<p>In addition, the guidelines identified a special category of personal information, such as health information, financial information, precise geographic location information or information about children, that is so sensitive it warrants heightened privacy protection (for example, requiring consumers to opt in before such data can be collected for behavioral advertising, rather than providing the standard opt-out).   </p>
<p><strong>More Powers for the FTC?</strong></p>
<p>Greater privacy regulation in online behavioral advertising seems to be a given, therefore.  Some sites like Yahoo! have felt it prudent to get ahead of the curve by expanding their privacy disclosure preemptively (for example, <a href="http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html">Yahoo!&#8217;s Ad Interest Manager</a> allows you to see information about your browsing activities that Yahoo! collects for targeted advertising purposes and set your preferences accordingly).  The big question, though, is how sweeping the new rules will be.  One problem with a non-incremental approach is that the FTC is currently limited in its rule-making authority when it is using its power to combat unfair or deceptive practices under Section 5 of the FTC Act.  This is the main authority the FTC has used for a decade to make its views known with respect to online privacy (Congress has granted it broader powers to regulate in specific areas, such as under the Children&#8217;s Online Privacy Protection Act and the CAN-SPAM Act).  </p>
<p>However, a clause in Congressman Barney Frank&#8217;s (D-Mass.) financial reform bill H.R. 4173, otherwise known as the Wall Street Reform and Consumer Protection Act of 2009, would greatly expand the FTC&#8217;s power to regulate and litigate, and not just against financial services companies.  Specifically, the bill would allow the FTC to implement consumer protection regulations generally through the Administrative Procedure Act (APA) rule-making process, rather than through the more rigorous current process, which takes much longer and requires greater public participation and comment.  The FTC would also be able to file suit directly instead of having to act through the Department of Justice.   (NOTE:  this is <a href="http://www.baerbizlaw.com/category/blog/guarding-the-angels">the second time in a week I have blogged</a> about a little-known clause in Congressional financial reform legislation that drastically expands regulatory involvement in areas that have <strong>nothing to do with</strong> the 2008 financial collapse.)  FTC Chairman Jon Leibowitz argued for such powers in Senate testimony on the pending legislation, promising to use them sparingly.  It remains to be seen whether Congressman Frank&#8217;s creation of an &#8220;FTC on steroids&#8221; (as some libertarian/anarchist tech bloggers have called it) will appear in the final act after reconciliation with Senator Chris Dodd&#8217;s (D-Conn.) bill. </p>
<p>So, what&#8217;s next for online privacy?  More disclosure and more consumer choice, probably, as well as the possible creation of a sliding scale of privacy protection based on categories of totally de-identified data, data that can (either alone or in combination with other data available through the Internet) be associated with a unique individual, and sensitive personal data warranting strong safeguards.  Online advertisers and ad networks:  be aware that the FTC is watching you.  Of course, I am watching them, and you can find new developments on this blog as soon as they occur.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/whats-next-for-online-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Some Additional Thoughts on the New FTC Blogger Rules</title>
		<link>http://www.baerbizlaw.com/category/blog/some-additional-thoughts-on-the-new-ftc-blogger-rules/</link>
		<comments>http://www.baerbizlaw.com/category/blog/some-additional-thoughts-on-the-new-ftc-blogger-rules/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 20:13:25 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[affiliate]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[social networking media]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=533</guid>
		<description><![CDATA[<p>The blogosphere has been alight with concern and frustration over the FTC&#8217;s new guidelines on endorsements and testimonials, which, among other [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/some-additional-thoughts-on-the-new-ftc-blogger-rules/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The blogosphere has been alight with concern and frustration over the FTC&#8217;s new guidelines on endorsements and testimonials, which, among other things, require the disclosure of &#8220;material connections&#8221; between bloggers and other Web 2.0 commenters and advertisers who give them compensation or free products in the hope of generating favorable reviews.  I posted a <a href="http://www.baerbizlaw.com/category/blog/new-ftc-rules-target-blogger-relationships">detailed explanation of these rules and some compliance tips</a> on this blog about a month ago.  Since that time the Interactive Advertising Bureau (including the biggest players in the online advertising market, such as Google and Yahoo!) has fired off an open letter to the FTC declaring the new rules unconstitutional and demanding their retraction.  Worried bloggers and web marketers have also been contacting me with questions about what the rules mean for marketing affiliate sites (i.e., sites that provide real estate for online ads and are compensated for transactions or other actions by consumers linking over from those sites) and combined blog/affiliate sites, as well as how prominent the disclosure should be.  </p>
<p>In my view, the disclosure requirements don’t apply to a typical sponsored ad run by an affiliate site because someone looking at the ad is likely to understand it as advertising for which the site is (presumably) being compensated. The disclosure requirements apply to an “endorsement,” which the new rules define as an advertising message that consumers will likely believe reflects the opinions, beliefs, findings or experience of a party OTHER THAN THE SPONSORING ADVERTISER, whether the endorser’s statements are the same as or different from the sponsoring advertiser’s.  If a consumer perusing a site is likely to think it is the site owner or blogger speaking, not the seller of the product being written about, then there may be a disclosure obligation if the site owner or blogger is being comped or incentivized somehow for making the posts.</p>
<p>If disclosure is required, it must be “clear and conspicuous.” In FTC parlance, this requires, among other things, putting the disclosure somewhere near the post that constitutes the “endorsement” (i.e., the advertising).  I would NOT bury it in the site T&#038;C’s — the FTC has criticized this practice in other contexts (such as behavioral advertising) where it favors clear disclosures.  So if there are multiple posts that constitute endorsements, you may need to include a short disclosure at the end of each post (unless you can associate a single disclosure with multiple posts in a way that makes it clear the disclosure relates to all of them). </p>
<p>Having said that, I also don’t think it is necessary to include a paragraph of legalese in each case.  You might think about including a simple link entitled “Advertising Disclosure” after each post that causes a pop-up box to appear with a one-sentence disclosure (e.g., “The product reviewed here was provided by ____ free of charge.”). The bottom line is that I don’t believe the FTC is going to take a hard line on bloggers, particularly where there is some good-faith attempt to comply (as described above).  The FTC itself has signaled that its primary target for enforcement will be advertisers, not bloggers.  On the other hand, the product sellers may end up dictating what sort of disclosure they want, since they are also liable if bloggers don’t make the required disclosure.</p>
<p>Finally, with regard to affiliates who are also bloggers, a big question is what kind of incentive are they getting for writing favorable blog posts?  Is it merely the affiliate advertising revenue (i.e., they want to say good things about the product they are running affiliate ads for) or are they getting something else too?  </p>
<p>The latter case is easy — I would say include disclosure near the relevant blog posts, as discussed above.  In the former case, one could make the argument that the presence of the ad means consumers are likely to suspect that the site owner has a compensated relationship with the product seller and therefore that the blog posts are sponsored advertising; ergo, no additional disclosure is needed.  To be safe, I would probably still include some kind of short disclosure about the relationship, but the point is at least arguable.  I think an ordinary blogger/affiliate running a site out of his house who isn’t realizing a significant amount of revenue and hasn’t previously been warned by the FTC is not facing a huge risk. (That said, if the FTC reads this blog or <a href="http://www.revenews.com/andrewbaer/ftc-regulates-blogger-viral-marketing-relationships">my article and comments on ReveNews</a>, they may disagree with me!)</p>
<p>Now for my own disclosure:  <em>the foregoing is provided for informational purposes only and does not constitute legal advice on a specific matter.  You should consult with an attorney (hopefully me!) before taking any definite action on this or any other legal matter.</em> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/some-additional-thoughts-on-the-new-ftc-blogger-rules/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New FTC Rules Target Blogger Relationships</title>
		<link>http://www.baerbizlaw.com/category/blog/new-ftc-rules-target-blogger-relationships/</link>
		<comments>http://www.baerbizlaw.com/category/blog/new-ftc-rules-target-blogger-relationships/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 16:47:34 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[social networking media]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=480</guid>
		<description><![CDATA[<p>New rules from the Federal Trade Commission (FTC) that apply to the use of blogs and other consumer-generated new media content in marketing have rais[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/new-ftc-rules-target-blogger-relationships/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>New rules from the Federal Trade Commission (FTC) that apply to the use of blogs and other consumer-generated new media content in marketing have raised significant liability and compliance concerns for marketers and bloggers alike.  Companies that make payments or give free products to bloggers and other online commenters in order to generate positive buzz or favorable reviews for their products will now have to monitor closely the statements and claims made about the products and ensure that these relationships, if material, are clearly and conspicuously disclosed.  Otherwise, they will face liability for unfair or deceptive advertising practices under Section 5 of the FTC Act, even if they do not control what the bloggers say (or, indeed, whether they say anything).  The bloggers themselves will face similar liability for false or misleading statements and non-disclosure of material connections.  Marketers are also responsible for advising bloggers of their responsibilities.  </p>
<p>On October 5, the FTC issued its final revised Guides Concerning the Use of Endorsements and Testimonials in Advertising <a href="http://www.ftc.gov/opa/2009/10/endortest.shtm">(available for download here)</a>, the first rewrite of the Guides since 1980.  While their title is not particularly noteworthy, these new rules broadly extend the concept of endorsements and testimonials to include as sponsored advertising all sorts of loose new media relationships that are increasingly used by marketers in place of traditional radio and television advertising and paid endorsements.  (They also include changes in other areas, such as disclosures that must be made when advertising the results of using a product.)  The Guides do not purport to be binding law, but are rather administrative interpretations of the law, issued to provide guidance on what the FTC considers to be deceptive behavior.  However, violations are punishable by civil penalties of up to $11,000 per violation.  The revised Guides will become effective on December 1, 2009.  </p>
<p>For example, a marketer may provide unsolicited samples of its products to members of a blogger network who sign up for the network so that they can review the products on their sites.  Or a marketer may supply a product, such as a video game, to one particularly well-read blogger known as an expert or authority in his area in the hope of gaining a positive review.  Or the marketer may institute a word-of-mouth or viral marketing scheme where participants receive something of value (such as a payment or an entry in a sweepstakes) to e-mail their friends or send out tweets about the marketer’s product.  All of these relationships may now be characterized by the FTC as endorser-advertiser relationships, wherein both the “endorser” (i.e., the person generating the content about the product) and the “advertiser” (the marketer) must ensure the absence of false or misleading statements and the “clear and conspicuous” disclosure of connections that are not reasonably expected by the target audience and are likely to influence purchasers’ assessment of the credibility of the statements.  </p>
<p><strong>When is a Favorable Post an “Endorsement”?</strong></p>
<p>The threshold question is obviously what level of incentive turns blogger commentary about a marketer’s product into an “endorsement,” thereby rendering both the blogger and the marketer potentially liable for failure to disclose material connections and for deceptive statements.  The FTC notes:  </p>
<p><em>“[A] blogger could receive merchandise from a marketer with a request to review it, but with no compensation paid other than the value of the product itself. In this situation, whether or not any positive statement the blogger posts would be deemed an “endorsement” within the meaning of the Guides would depend on, among other things, the value of that product, and on whether the blogger routinely receives such requests. If that blogger frequently receives products from manufacturers because he or she is known to have wide readership within a particular demographic group that is the manufacturers’ target market, the blogger’s statements are likely to be deemed to be “endorsements,” as are postings by participants in network marketing programs. Similarly, consumers who join word of mouth marketing programs that periodically provide them products to review publicly (as opposed to simply giving feedback to the advertiser) will also likely be viewed as giving sponsored messages.”</em></p>
<p>As an example, the Guides posit a consumer who purchases a new brand of dog food and reviews it favorably on her personal blog.  If she purchases the dog food with her own money or gets it for free because the store routinely tracks her purchases and generates a coupon for a free trial bag of the new dog food, there is no endorsement.  However, if the consumer gets the dog food as a result of joining a network marketing program under which she periodically receives various products about which she can write reviews if she wants to, her positive review will be considered an endorsement.  As another example, a college student who has earned a reputation as a video game expert receives (as he has in the past) a copy of a newly released video gaming system along with a request from the manufacturer to write about it on his blog.   He tests it out and gives it a favorable review.  This is also an endorsement, and the FTC comments that because the review is disseminated via a form of consumer-generated media in which his relationship to the advertiser is not inherently obvious, and given the value of the gaming system, the blogger should clearly and conspicuously disclose that he received it free of charge.  Furthermore, “[t]he manufacturer should advise him at the time it provides the gaming system that this connection should be disclosed, and it should have procedures in place to try to monitor his postings for compliance.”  (Presumably, the Guides’ additional rules on the use of expert endorsements in advertising would also apply here.)</p>
<p> In yet another example given by the FTC, a skin care product manufacturer participates in a blog advertising service that matches up advertisers with reviewers.  The marketer requests that the blogger try out its new body lotion and write a review.  The blogger, totally on her own initiative and without any direction from the manufacturer, makes an unsubstantiated recommendation that the product cures eczema.  Both the manufacturer and the blogger will be liable for the unsubstantiated claim and any failure to disclose that the blogger is being paid.  </p>
<p>The FTC has explained that the purpose of the new rules is to treat new media in the same manner as traditional journalistic and advertising outlets.  However, as a practical matter, many businesses treat these channels differently and will have to scramble to implement the necessary monitoring and enforcement mechanisms.  For example, it is not uncommon for a business to buy a sponsorship from a non-profit organization where one of the benefits of the sponsorship is a favorable mention on the organization’s blog.  In many cases, the sponsorship agreement is spotty and does not include detailed restrictions on what the organization can and cannot say about the sponsor’s products, and it is doubtful that anyone at the sponsor is giving the non-profit organization’s Web 2.0 chatter a compliance review.  Indeed, the whole point of marketing to bloggers and through social media is to support a spontaneous and unforced style of commentary that has greater authenticity for cynical, tech-savvy consumers.   Of course, in response to such comments the FTC has countered that its rules are designed precisely to protect consumers’ ability to rely on this quality of the blogosphere in making purchasing decisions.   Liability depends, then, not on the existence of direct control over bloggers, but on whether “the advertiser initiated the process that led to [the] endorsements being made – e.g., by providing products to well-known bloggers or to endorsers enrolled in word of mouth marketing programs ….”</p>
<p><strong>Design a Compliance Program</strong></p>
<p>Unfortunately, corporate legal departments will now have to extend the long arm of compliance over a whole host of Web 2.0 marketing activities that until now may have been loosely policed, if at all.   “In employing this means of marketing,” the FTC dryly observes, “the advertiser has assumed the risk that an endorser may fail to disclose a material connection or misrepresent a product, and the potential liability that accompanies that risk.”  However, it also states that in the exercise of prosecutorial discretion it will consider “the advertiser’s efforts to advise these endorsers of their responsibilities and to monitor their online behavior ….”</p>
<p>The first step for companies, then, is to get a handle on what their marketing departments are doing to curry favor with bloggers and create buzz through viral online marketing.  It is especially important to get a firm handle on the activities of advertising and PR agencies, since the FTC will hold companies responsible for the actions of these third-party agents.  If compensation, free products or other valuable incentives (such as sponsorships) are being offered in the hope of stimulating positive reviews, then the company should institute and document a process of advising bloggers and other new media commenters about their duty to disclose material connections and the limits on the factual claims they can make about a product and its beneficial effects.   There should also be periodic monitoring of the resulting posts, with documented follow-up action if necessary, to make sure they comply with the FTC’s endorsement guidelines.  </p>
<p>If blogger relationships are managed through an advertising agency or other third party, the written contract with that third party should specifically address each party’s rights and obligations with respect to monitoring and compliance.  At the very least, a company should reserve the right to audit and pre-approve an advertising agency’s solicitation of bloggers so that the company knows which bloggers the agency is dealing with and whether the relationships are of a type that could lead to advertiser-endorser liability and can monitor the bloggers’ posts about the company’s products.  </p>
<p> If all this sounds like overkill (and no doubt it will meet with fierce resistance in some online marketing departments), it is critical to remember that incentivized blogger buzz is now treated the same as any paid endorsement:  according to the FTC, both are advertising subject to disclosure requirements and prohibitions on misleading or unsubstantiated claims.  The compliance burden may, in fact, prove too onerous for some companies.  In this case, their best bet is to implement policies that prohibit the payment of compensation or giving away of valuable products in the hope of generating positive online buzz.   Favorable reviews are not “endorsements” within the meaning of the Guides unless they have been incentivized in some way.  </p>
<p><strong>Implement a Social Media and Blogging Policy</strong></p>
<p>Promoting compliance within organizations also makes it essential, now more than ever, to have a social media and blogging policy that covers both references to the company and its products in employees’ personal posts as well as the use of social media and blogs for marketing and other business purposes.  Not only is it a best practice to treat company-initiated social media and blog posts as official corporate communications that require consideration of regulatory, securities, litigation and reputational risk issues, and possibly prior legal or regulatory review; the possibility that third-party posts may now be deemed company-initiated endorsements makes it vital to bring all Web 2.0 activities under one comprehensive policy.  Furthermore, according to the Guides, a company employee who posts messages on an online message board promoting the company’s product (a common practice) must clearly and conspicuously disclose his or her relationship to the company.  This requirement should be specifically spelled out in the company’s social media and blogging policy.  </p>
<p><strong>Tips for Bloggers</strong></p>
<p>As for bloggers and other online commenters, they should be sure to disclose any compensation or benefits they receive to comment on products and, if they do have such a connection to a marketer, should be very careful to follow the guidelines furnished by the marketer (which the marketer is required to provide) and not make general or sweeping factual claims about the product or any claim that can’t be easily substantiated.  If a blogger chafes at submitting to this degree of oversight and control, he always has the option of buying the product himself, for example, rather than receiving it as a freebie.  The FTC has indicated that advertisers and not bloggers will be its main enforcement target.  However, a blogger who runs a “substantial operation” that violates the rules and who receives a warning will still be at risk.  Moreover, the FTC can adopt a more aggressive enforcement stance at any time.</p>
<p>The FTC’s rulemaking will heavily influence the way marketers generate buzz on the Internet and warrants close scrutiny of participation in blogger and viral incentive programs by all parties involved.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/new-ftc-rules-target-blogger-relationships/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>
