- Posts by Alexander J. Franchilli, Senior Counsel
Attorney Alexander Franchilli helps clients comply with the evolving landscape of laws and regulations related to consumer protection, privacy, cybersecurity, and employment. He is an experienced litigator in state and federal ...
The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect with the naked eye (or ear). These deepfakes pose substantial new risks for commercial organizations. For example, deepfakes can threaten an organization’s brand, impersonate leaders and financial officers, and enable access to networks, communications, and sensitive information.
In 2023, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (the “Joint CSI”) entitled “Contextualizing Deepfake Threats to Organizations,” which outlines the risks to organizations posed by deepfakes and recommends steps that organizations, including national critical infrastructure companies (such as financial services, energy, healthcare and manufacturing organizations), can take to protect themselves. Loosely defining deepfakes as “multimedia that have either been created (fully synthetic) or edited (partially synthetic) using some form of machine/deep learning (artificial intelligence),” the Joint CSI cautioned that the “market is now flooded with free, easily accessible tools” such that “fakes can be produced in a fraction of the time with limited or no technical expertise.” Thus, deepfake perpetrators could be mere amateur mischief makers or savvy, experienced cybercriminals.
On August 14, 2024, the Federal Trade Commission (“FTC”) announced a new final rule aimed at regulating fake consumer reviews, testimonials, insider reviews, company-controlled websites, and fake indicators of social media influence (e.g., “likes”) (the “Final Rule”). The Final Rule was promulgated pursuant to Section 18 of the FTC Act, which authorizes the FTC to issue rules that define acts or practices that are unfair or deceptive within the meaning of Section 5(a)(1) of the FTC Act, and it enables the FTC to seek civil monetary penalties for violations.
While it covers ground similar to the FTC’s recently updated endorsement guides (the “Guides”), which we wrote about last year, the Guides regulate the conduct of individuals who are paid or incentivized to endorse products, whereas the Final Rule applies directly to companies advertising through consumer reviews, testimonials, and social media.
The Final Rule has six primary subsections: (1) Fake or False Consumer Reviews, Consumer Testimonials, or Celebrity Testimonials (§ 465.2); (2) Buying Positive or Negative Consumer Reviews (§ 465.4); (3) Insider Consumer Reviews and Consumer Testimonials (§ 465.5); (4) Company-Controlled Review Websites or Entities (§ 465.6); (5) Review Suppression (§ 465.7); and (6) Misuse of Fake Indicators of Social Media Influence (§ 465.8).
On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”). New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.
Scope and Exemptions
SB 332 imposes obligations on “controllers” – entities or individuals that determine the purpose and means of processing personal data – that ...
In a previous blog, we discussed the Federal Trade Commission’s (“FTC”) proposed changes to its Guides Concerning the Use of Endorsements and Testimonials in Advertising (the “Endorsement Guides”). The Endorsement Guides are intended to help businesses ensure that their endorsement and testimonial advertising conforms with Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” including false advertising. We specifically highlighted the FTC’s proposed changes related to social media platforms and their users, deceptive endorsements by online “influencers,” businesses’ use of consumer reviews, and the impact of advertising on children. Now, approximately one year later, and after receiving and considering public comments on its proposed changes, the FTC has issued its final rule adopting revisions to the Endorsement Guides. See Guides Concerning the Use of Endorsements and Testimonials in Advertising, 88 Fed. Reg. 48092 (July 26, 2023) (to be codified at 16 C.F.R. pt. 255). In issuing its final revised Endorsement Guides, the FTC stated that the changes are intended to “reflect the ways advertisers now reach consumers to promote products and services, including through social media and reviews.” We summarize below the FTC’s final revisions to the same sections of the Endorsement Guides covered in our earlier blog.
On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and, in some cases, to foreign private issuers. As quoted in the SEC’s press release, SEC Commissioner Gary Gensler noted that many public companies already make cybersecurity disclosures to investors, and the Final Rule provides uniformity and structure for these future disclosures. The Final Rule also imposes a tight timeline for cybersecurity incident reporting and may include disclosure of an ongoing cybersecurity incident, as well as requiring periodic disclosures concerning organizational cybersecurity risk management processes and governance.
On July 7, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion entitled “Fair Credit Reporting: Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports.”[1] The advisory opinion clarifies that “permissible purposes” under the Fair Credit Reporting Act (the “FCRA”) are “consumer specific” and highlights that a person who uses or obtains a “consumer report” is “strictly prohibit[ed]” from doing so without a permissible purpose under the FCRA. In the midst of ongoing Congressional efforts to pass a comprehensive federal data privacy law, the CFPB’s advisory opinion is a reminder of the existing rules that protect consumer privacy.
On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.
Recent decisions from the European Union (EU) have placed renewed focus on the cookies commonly used on ecommerce and other websites visited by consumers and employees, and on transfers of personal data collected through cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely used website technologies (i.e., cookies and JavaScript) to automatically collect identifiers from the users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it in order for the data to be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.