Recent Regulatory Actions on Advertisement Disclosures

Reed Smith attorneys Kevin Madagan and Keri Bruce were recently quoted in the January 21st edition of Compliance Week in an article titled “FTC, FDA Take Closer Look at Disclosures,” which discusses recent actions by the Federal Trade Commission (FTC) and Food and Drug Administration (FDA) concerning advertisement disclosures. The FTC launched Operation Full Disclosure in fall 2014, involving the distribution of warning letters to more than 60 companies across “a wide range of industries” for allegedly failing to properly disclose information in their advertisements. In the article, Kevin and Keri note that the letters are a reminder to all companies, even those that did not receive letters, to review their disclosures.

The FDA also recently announced that its “fair balance” doctrine may be amended to only require companies to recite or print a product’s most prominent and common side effects during television commercials. While such changes would undoubtedly be welcomed by pharmaceutical manufacturers, they could actually result in the FDA paying more attention to drug disclosures to ensure their continued effectiveness. Kevin also comments that there is precedent of the FDA following the FTC’s lead in such matters, and the crackdown on advertisement disclosures could end up involving both agencies.

To read the article, click here.

False Advertising Claims & The First Amendment

Over on Reed Smith’s AdLaw by Request blog, attorney Caroline Klocko discusses the U.S. Court of Appeals for the District of Columbia Circuit’s January 30th ruling that the Federal Trade Commission (FTC) can prohibit POM Wonderful LLC from advertising that its products are effective in combating illnesses and conditions such as heart disease, prostate cancer and erectile dysfunction. In making the decision, the appeals court rejected POM Wonderful’s stance that under the First Amendment, the company’s advertisements and claims are protected. The court also ruled that the support of one clinical trial is necessary before POM Wonderful can make any subsequent claims of disease-fighting effectiveness – a number that deviates from both the initial amount imposed on POM Wonderful by the FTC (two) and the amount requested by POM Wonderful in its appeal (zero).

To read the full post, click here.

Federal Trade Commission Fines Manufacturers of Weight Loss Supplement $9 Million for Alleged Deceptive Advertising

By a vote of 3-2, the Federal Trade Commission (FTC) decided to fine Genesis Today, Inc. and Pure Health, LLC, manufacturers of a green coffee bean extract (GCBE), in the amount of $9 million for making claims that using GCBE could allow consumers to lose body weight and fat. As detailed by Reed Smith attorneys Sulina Gabale and Matthew Kane in a post on our AdLaw by Request blog, the FTC alleges that the companies’ advertised claims of potential weight loss benefits from using GCBE were deceptive and resulted from a flawed research study. However, the two dissenting FTC commissioners wrote that the amount of the fine was unjustified, namely because it incorporated sales attributed to televised statements by the companies’ founder Lindsey Duncan as well as Dr. Mehmet Oz that were constitutionally protected and non-commercial in nature.

To read the full post, click here.

FTC Offers Privacy and Security Guidance for Medical Devices in 'Internet of Things' Report

This post was written by Frederick Lah and Sulina Gabale.

On January 27, the FTC issued a 71-page Staff Report on the privacy and security issues with the Internet of Things. As we’ve noted in our previous blog posts, the Internet of Things (“IoT”) refers to the growing ability of everyday devices to monitor and communicate information through the Internet. This is especially relevant in the life sciences industry, to which the IoT may bring potentially revolutionary advances. For example, insulin pumps and blood-pressure cuffs that connect to a mobile application may enable people to monitor their own vitals, without having to visit a doctor’s office. The recent FTC Staff Report follows up on the FTC’s public workshop over concerns with the IoT, as well as the FTC’s first enforcement action brought in September 2013.

In the Staff Report, the FTC referenced the various potential risks that IoT products present. Such connected devices could, if exploited, lead to consumer harm by enabling the unauthorized access and misuse of personal information and medical records; facilitating attacks on other systems; and creating risks to personal health and physical safety with regard to medical devices manipulated by unauthorized third parties. For example, the Staff Report mentions the possibility of an unauthorized third party hacking remotely into connected insulin pumps and changing their settings so that they no longer delivered medicine to the users. In addition, potential privacy risks could flow from the collection of personal and medical information, habits, locations, and physical conditions over time. To address these risks, the FTC recommended that companies developing IoT products take the following concrete measures in the areas of security, data minimization, and notice and choice:

  • Security. The FTC recommended that companies: (1) build security in their IoT devices at the outset; (2) train all employees about good security; (3) retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these providers; (4) implement a “defense-in-depth approach” by considering security measures at several levels; (5) implement reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or network; and (6) monitor products throughout the life cycle and, if feasible, patch known vulnerabilities.
  • Data Minimization. The Staff Report also encouraged companies to examine their business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. The FTC noted, though, that this recommendation is flexible and intended to give companies options. Per the FTC, companies can decide not to collect data at all; collect only the fields of data necessary to the product or service; collect data that is less sensitive; or de-identify the data collected. If none of these options is consistent with the companies’ business needs, they can seek consumer consent for collecting additional, unexpected categories of data.
  • Notice and Choice. The FTC incorporated certain elements from a use-based approach. In other words, if a use of the data by the company is consistent with the context of the interaction with the consumer (i.e., an expected use), then a choice need not be offered to the consumer. For uses that would be inconsistent with the context of the interaction (i.e., unexpected), the FTC recommended that companies offer clear and conspicuous choices. In addition, if consumer data collected is immediately and effectively de-identified, then the FTC stated that a choice need not be offered to the consumer. The FTC encouraged legislators and multistakeholder frameworks to help guide companies on what types of uses of certain consumer data are permissible or impermissible, and to address other concerns.

Finally, the FTC acknowledged that IoT-specific legislation at this stage would be premature. However, it did reiterate previous recommendations for Congress to enact broader, general data security legislation. Commissioner Joshua Wright dissented, citing the lack of empirical evidence, and questioning whether the recommendations in the Staff Report would even improve consumer welfare. Said Commissioner Wright, the FTC should “at a minimum, undertake the necessary work not only to identify the potential costs and benefits of implementing such best practices and recommendations, but also to perform analysis sufficient to establish with reasonable confidence that such benefits are not outweighed by their costs at the margin of policy intervention.”

From smart medical devices to fitness and health monitoring apps, the IoT has been a hot topic lately, garnering a lot of attention from the FTC and life sciences industry alike. With the Staff Report finally released, companies now have a loose playbook on how to develop such products while keeping privacy and security in mind. With the FTC promising more enforcement in this area, we will be watching closely to see how the FTC translates its Staff Report into practice.

U.S. Senator Schumer Calls for Increased Regulation of Wearable Electronic Devices to Avoid Data Privacy Issues

Reed Smith’s Global Regulatory Enforcement Law Blog features a post on the recent phenomenon of wearable electronic devices and the legal issues that may arise from these gadgets. "Wearable Device Privacy - A Legislative Priority?," written by Reed Smith attorneys Frederick Lah and Khurram Gore, discusses a recent press release issued by U.S. Senator Chuck Schumer of New York expressing concern that personal health data collected by wearable devices and fitness apps, including medical conditions, sleep patterns, calories burned, GPS locations, blood pressure, weight, and more, will be provided to third parties without the user knowing it. Schumer, citing this as a threat to personal privacy, has urged the Federal Trade Commission to mandate that device and app companies provide users with an explicit “opt-out,” allowing them to block the distribution of this information to any third parties.

As the authors note, with the rising popularity of these types of devices, we expect regulators, legislators, and companies to start paying closer attention to the data security and privacy risks associated with their use.

Do You Know Where Your Pharmaceuticals Are From? Navigating the "Country of Origin" Question for Pharmaceutical Products

Drug and medical device manufacturers are often faced with difficult — and sometimes unexpected — challenges in sorting out the country of origin for their products, which are often sourced, processed and manufactured in multiple countries.

One would think it would be easy to answer the question, “What is a pharmaceutical product’s ‘country of origin’?” Unfortunately, as Jeffrey Orenstein and Lorraine Campos point out in “Origin of the Pieces: How to Determine a Pharmaceutical Product’s ‘Country of Origin,’” the answer to this question is not as simple as many would think – and the correct answer can depend on who is asking. Jeff and Lorraine’s article is published in the Spring 2014 edition of the Public Contract Law Journal.

Supreme Court Decision on Reverse Payments has Significant Implications for Pharmaceutical Manufacturers

Reed Smith’s Global Regulatory Enforcement Law Blog recently featured a detailed analysis of the Supreme Court’s decision in FTC v. Actavis, where the court ruled five-to-three that reverse payments, also called pay-for-delay settlements, can violate antitrust laws and are subject to antitrust review under the rule-of-reason. As reverse payments are commonly used by branded drug manufacturers to settle patent litigation related to generic drug manufacturers’ market entry, this decision will change the approaches courts, drug company litigants, and lawmakers take to the issue of generic entry into a patented brand drug’s market. To learn more about the implications for both branded and generic drug manufacturers, particularly in their approach to resolving patent litigation, read the full alert.

FTC Issues Guidance to Mobile App Developers

Reed Smith's AdLaw By Request blog features a post on the Federal Trade Commission's recently published "Marketing Your Mobile App: Get It Right from the Start," a set of guides addressing compliance with truth in lending and privacy principles for mobile app developers. Reed Smith partner Doug Wood notes that disclosures and privacy protection for mobile apps are a major issue and recommends that the guides be read carefully by anyone in the mobile app business. Developers and marketers operating in the health care and life sciences industry should take note.

FTC's Proposed Rule Changes Modify HSR Reporting Requirements for Pharmaceutical Exclusive Licensing Deals

Reed Smith's Global Regulatory Enforcement Law Blog recently featured a post regarding the Federal Trade Commission's proposed changes to the premerger notification rules to clarify when the transfer of exclusive marketing, sales and manufacturing rights to a patented pharmaceutical product requires notification to the agencies under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (15 U.S.C. § 18a). The proposed rule changes are applicable only to the pharmaceutical industry. The comment period closes October 25, 2012.

Red Flags Rule Enforcement Postponed Again

On May 28, 2010, just shy of the June 1st compliance deadline, the Federal Trade Commission announced that it would again be postponing enforcement of the Red Flags Identity Theft Prevention Rule through December 31, 2010. This delay comes at the request of Congress, which has been considering legislation (which has been referred to the Senate Committee on Banking, Housing, and Urban Affairs) that would affect the scope of entities covered by the Rule. The FTC "urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays." If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.
 

FCC Proposes Tougher Rules on Telemarketing

This post was written by Robert H. Jackson.

The Federal Communications Commission (“FCC”) has proposed changes to its Telephone Consumer Protection Act (“TCPA”) rules that would conform to the Federal Trade Commission’s Telemarketing Sales Rule (“TSR”). The primary change in the regulations would affect the sending of prerecorded messages (a/k/a “robocalls”) by barring them even to existing customers without first obtaining prior written consent. At first blush, this seems routine, but because of differences in the FCC’s and FTC’s statutory jurisdiction, there are complicated implementation issues that could trap unsuspecting companies. Another key issue for the health care industry is whether the FCC should create an exemption for prerecorded messages that are subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and, if so, how such exemption should be implemented. For more information about these changes, please read our client alert written by Robert Jackson.

FTC (Revised) Endorsement Guides Go Into Effect

As noted by our colleagues at Legal Bytes, on December 1, 2009, the revised "Guides Concerning the Use of Endorsements and Testimonials in Advertising" released by the Federal Trade Commission ("FTC") came into effect. Washington, D.C. partner John P. Feldman, an authority in advertising regulations and compliance, recently outlined some considerations every advertiser should take into account in his memo, "FTC Endorsement Guides (Revised) - Some Thoughts As They Become Effective." To read John's full analysis, click here.

Legal Bytes has been following new developments regarding the FTC's Guidelines since November 2008. In case you missed any earlier updates, you can refer back to them here: FTC Testimonial and Endorsement Guides Stimulate Industry Comment (March 2009); a presentation given at the University of Limerick on the subject entitled "Trust Me, I'm a Satisfied Customer: Testimonials & Endorsements in the United States," which you can download (If You Didn't Make It to Ireland ...); Ghostwriters: Medical Research or Paid Endorsers (and are they mutually exclusive?) and Rights of Publicity - Wake Up and Smell the Coffee! (both in August 2009); and FTC Releases Updated Endorsement & Testimonial Guidelines and Reed Smith Analysis of the New FTC Endorsement and Testimonial Guidelines (both in October 2009).

Another Postponement of FTC's Red Flags Rule

On October 30, 2009, the Federal Trade Commission (FTC) issued a News Release announcing that it is granting industries under the FTC's jurisdiction an additional 7 months (i.e., until June 1, 2010) to develop and implement their identity theft prevention programs as required under the FTC's Identity Theft Red Flags Rule. According to the FTC News Release, this additional extension has been provided at the request of members of Congress. In making this announcement, the FTC attempts to refocus the attention of creditors and financial institutions to the FTC's dedicated Red Flags Rule website, which contains various compliance guidance documents designed to assist affected industries with the development of Identity Theft Protection Programs.

Also on October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys. The FTC's News Release acknowledges this ruling, and further cautions that the FTC's additional postponement of Red Flags Rule enforcement remains distinct from whatever timeline may be associated with the aforementioned court proceeding and any possible appeals.

The announcement of the additional extension is available at www.ftc.gov, and our prior posts on the Red Flags Rule are available here.

FTC Issues Final Rule on Notifying Consumers About Breaches of Electronic Health Records

This post was written by Mark S. Melodia, Michael K. Brown, J. Ferd Convery, III, Steven J. Boranian, Brad M. Rostolsky, Shana R. Fried and Paul Bond.

Until now, the loss or theft of protected health information rarely resulted in notice to consumers. Very few state data security breach notification laws encompass medical information. The Health Insurance Portability and Accountability Act ("HIPAA") merely required an "accounting" of such events to a patient upon the patient's request.

All that has changed. Congress, in enacting the Health Information Technology for Economic and Clinical Health Act ("HITECH"), imposed breach notification obligations on many of the individuals and business entities that receive, create, or maintain patients' individually identifiable health information. Pursuant to HITECH, on Aug. 17, the Federal Trade Commission ("FTC") issued its Health Breach Notification Rule, governing the breach notification obligations of three new categories of entity: "vendors of personal health records," "PHR related entities" and "third party service providers."

To read the full alert, click here.

FTC Further Postpones Identity Theft Red Flags Rule

On July 29, 2009, the Federal Trade Commission (FTC) issued a News Release announcing that it is granting industries under the FTC's jurisdiction an additional 3 months to develop and implement their identity theft prevention programs as required under the FTC's Identity Theft Red Flags Rule. Additionally, the FTC staff will "redouble" its education efforts and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. By extending the enforcement date of the Rule until November 1, 2009, the FTC intends to give creditors and financial institutions more time to review the forthcoming guidance and to develop and implement written Identity Theft Prevention Programs. The announcement of the extension is also available at www.ftc.gov, and our prior posts on the Red Flags Rule are available here.

Identity Theft Red Flag Rule Further Postponed

This post was written by Carol Loepere.

On April 30, 2009, the Federal Trade Commission (FTC) issued a News Release announcing that it is granting industries under the FTC's jurisdiction an additional 3 months to develop and implement their identity theft prevention programs as required under the FTC's so-called Identity Theft Red Flag Rule. The FTC also stated that some entities, particularly those that are small, non-traditional creditors, would benefit from the availability of a template Red Flags program in developing their programs. The Commission staff intends to publish such a template for low-risk entities shortly. The FTC said that the extension, coupled with the release of the template, should be sufficient to enable low-risk entities to prepare their programs without undue burden. The announcement of the extension is also available at www.ftc.gov.

Testimonials and Endorsements: Complying with the FTC Guides in Light of Proposed Changes

This post was written by John P. Feldman and Anthony E. DiResta.

One of the most frequent strategies employed by advertisers is to let the consumer hear about the advertised product or service from a third party, someone other than the advertiser itself. At its root, an endorsement or testimonial when used in advertising is the advertiser’s way of saying, “Don’t just take my word for how wonderful my product or service is, listen to this unbiased person whose opinion you should rely upon to make a purchasing decision.” The Federal Trade Commission (FTC or Commission) originally published Guides Concerning the Use of Endorsement and Testimonials in Advertising (The Guides) in 1972. The Guides have not been updated since 1980. In January, 2007, the FTC sought comments on proposed modifications and updates to the Guides. In particular, the Commission sought comments on whether so-called “disclaimers of typicality,” statements like “Results not typical” or “Your results may vary,” should continue to be a valid way to communicate that a testimonial does not represent experiences consumers will generally achieve with the advertised product or service.

Click here to view the alert.

FTC Grants Six-Month Delay on Enforcement of the "Red Flag Rules"

This post was written by Carol C. Loepere.

Today, the Federal Trade Commission (FTC) issued a press release to announce that it will suspend enforcement of the new “Red Flag Rules” until May 1, 2009, to give "creditors" and financial institutions additional time in which to develop and implement written identity-theft prevention programs. Reed Smith has worked on behalf of the American Health Care Association (AHCA) to question the applicability of the rules to health care providers, and to request a delay in the effective date of the rule. For more on the possible application of the FTC's Red Flag Rules to health care providers, see our prior post.

FTC's Identity Theft Red Flag Regulations: Implications for Health Care Providers

This post was written by Debra L. Hutchings, Paul J. Bond, and Carol C. Loepere.


In November 2007, the Federal Trade Commission (“FTC”) issued sweeping regulations aimed at deterring, detecting and preventing identity theft. Under these rules, known as the Red Flag Regulations, 16 C.F.R. § 681.1 et seq. and Final Rule (“Red Flag Regulations”), financial institutions and creditors of covered accounts must establish a program to detect, prevent and mitigate identity theft. While somewhat unclear and perhaps counterintuitive, the breadth of the Red Flag Regulations and the FTC’s current interpretation indicate that these rules apply to many participants in the health care industry. The rules become effective November 1, 2008.

The Red Flag Regulations have three parts, two of which pertain to the health care industry. The first part applies to anyone who uses “consumer reports” for employment, insurance or credit purposes. The second part places obligations on “creditors and financial institutions” to detect, prevent and mitigate identity theft in relation to accounts covered under the Red Flag Regulations. This Client Alert addresses each part in turn.