In This Issue:

Clean Food Company Dodges NAD Inspection

Once Upon a Farm withdraws tags before the white gloves are donned

Bright Patterns

Once Upon a Farm (OFarm) is an exemplary specimen of a now-familiar type of company—a self-proclaimed provider of "clean" baby food and snacks for older kids. OFarm's packaging is what you'd expect: vivid, colorful graphics sporting cartoon tykes, anthropomorphized fruit, and chunky kiddie fonts. It's advertising to which we've all become accustomed during the past two decades, since organic and other "clean" foods became staples of the American pantry. But certain of OFarm's product claims recently caught the eye of the National Advertising Division (NAD) as part of its routine monitoring program, including the following:

Have you tried our NEW Advanced Nutrition Baby Fruit & Veggies Blend for babies yet? Veggie forward with hints of fruit, all three blends are formulated with prebiotics, probiotics, iron, vitamin B12, zinc and DHA – so you can feel comfortable your little ones are getting the nutrition they need for development.

An Emoji is Worth...

On its own, this statement might seem innocuous. After all, "development" is such a broad term that it might be hard for one to take offense. But the text of the post was followed by "a brain emoji and a flexed strong-arm emoji."

Can you see the trouble coming into focus?

According to the NAD Case Report, NAD was "concerned that the Instagram post created a link between OFarm's product ingredients and children's brain and strength development that requires competent and reliable scientific data as support."

Here's where things took a turn. Although OFarm provided NAD with evidence in support of its claims—including scientific articles and the credentials of the pediatric dietician who functions as an advisor to the company regarding combinations of natural foods to include in its products—during the proceeding, it informed NAD that it had elected to permanently discontinue the challenged express claim "for reasons other than the NAD inquiry." Accordingly, and in reliance on OFarm's representation that the claims had been permanently discontinued, NAD declined to pursue the inquiry and dropped the case without reviewing the claim on its merits.

The Takeaway

This is not the first time NAD has considered emojis as claims or as adding to claim interpretation, although this is a recent development. NAD looked at the use of a nauseated face emoji and a tears of joy emoji appearing on screen after participants in a taste test spit out Gatorade. Arguably, NAD would have found the ad falsely disparaging without the addition of the emojis. Similarly, NAD found the use of a claim that a supplement was "nature's aphrodisiac" accompanied by a fire and a heart emoji not to be puffery but to be a claim that the product would increase desire. Again, probably something NAD would have concluded even without the emojis.

While we don't have a full NAD decision analyzing whether the use of emojis adds meaning to written claims, we certainly have a hint that NAD found the brain and flexed strong-arm emojis to convey a more specific claim that the food enhanced brain and muscle development. Use of emojis in advertising will be looked at by NAD as potential claims or enhancements to claims and not simply as a way to convey a mood or to look with it with the texting generation.

For advertisers using emojis:

1247764a.jpg

Direct Seller Ignores DSSRC, Cites BBB in Press Release

Root Wellness makes wild claims, then pokes the bear in the bear's den

Root (and Branches)

When we started looking into the latest Direct Selling Self-Regulatory Council (DSSRC) ruling that caught our eye, we performed—as we always do—the stringent research demanded of us by our vigilant and, frankly, sometimes overbearing editorial board. Thus, we went out onto the interwebs to find the company that the DSSRC was manhandling and checked out their web presence, their advertising tags, and their social media, just to make sure we knew what was what. [There is no editorial board—Ed.]

But this posed a problem. The company name—"Root Wellness"—is incredibly popular. In one search alone, we counted half a dozen enterprises and individuals operating under the same or similar names. Perhaps someone failed to secure stellar trademark representation?

Luckily the DSSRC case record on the root in question is extensive; listed in the watchdog's first July 2021 inquiry into the company is the following URL: https://therootbrands.com/reviews.

So, now we had the right company, but the link just dropped us onto Root Wellness' home page where (as of this writing) nary a customer review is to be found. What gives?

Well, apparently, the DSSRC has been hounding Root Wellness since that first inquiry was launched as part of the watchdog's regular monitoring program.

Dead Endorser Office

Here's the basic history:

In its 2021 inquiry, the DSSRC zeroed in on performance claims made by Root Wellness sales force members on social media and website endorsements regarding the company's products. There are many examples, but here are a few doozies:

Our Autism Journey - Non-verbal no longer! Hi! My son Michael turned 14 in January 2021. He had been completely non verbal since he was about 15 months old...We are about 3 months in with Clean Slate now, his skin is clear (he had some recurring patches), he is calm and confident and is gaining new words.

My 79 year old husband was showing signs of dementia and had given up playing the trumpet, his difficulty in speaking clearly and finding the right words had become more pronounced. He started both products in March and is back to daily trumpet practice. His speech is slowly improving...

Morning fog has been lifted, Belly bloat has been blasted, AND long time stubborn nail fungus? Dissolving, as if by magic!

We must admit we've never seen a question ending with "stubborn nail fungus" before.

DSSRC determined that the social media posts communicated that the Root Wellness products could "treat serious health-related conditions including...psoriasis, attention-deficit/hyperactivity disorder, chronic fatigue, fatty liver disease...fibromyalgia, and rheumatoid arthritis."

Although the company provided articles to DSSRC to demonstrate a direct correlation between their product ingredients and the claims, DSSRC concluded that "the studies did not provide the necessary evidence" to substantiate the claims. Moreover, although certain testimonial claims were removed from the company's website, Root Wellness failed to demonstrate to DSSRC that it had taken good faith efforts to contact the salespeople who had posted the messages on which the inquiry was based.

The Takeaway

If you're ever tempted to ignore the DSSRC, we're here to tell you that it's not a good idea. Although they initially cooperated with the watchdog's inquiry, Root Wellness later ghosted the DSSRC staff, which may have had the inverse effect of keeping the company on the watchdog's radar.

The DSSRC followed up with Root Wellness again in July 2022, explaining how the company had failed to "substantively comply" with stipulations of the previous inquiry. To make matters worse, DSSRC found that Root Wellness had not only failed to comply with the inquiry but subsequently cited "BBB Programs News" and used the Direct Selling Association (DSA) logo in press releases, creating the perception that Root Wellness was an accredited business and/or had the backing of the industry groups.

"DSSRC became aware of four press releases made by the Company indicating that Root Wellness received high trust ratings from several independent trade organizations," the watchdog wrote. "DSSRC determined that references to both the BBB and the DSA could be construed by consumers as meaning that Root Wellness is a member company of both organizations and, as such, adheres to the business practice standards of both organizations."

Root Wellness, it turns out, is not a member of either organization. (What chutzpah!) And yet, the DSSRC is an affiliate of the BBB National Programs. Did Root Wellness assume the council would forget to check up on this fact?

Who knows? But regardless of their lapses in judgment, Root Wellness has earned the attention of the Federal Trade Commission (FTC). The DSSRC referred the entire case to the FTC in mid-October.

Another cautionary tale. Will Root Wellness claim to have FTC approval before their case is reviewed?

Growing E-Commerce Platform Flipped Data Security on Its Head

NYAG fines owner of Shein and Romwe brands $1.9 million

Antitheses

Bizarro World is one of those tropes that almost anyone of any age who's participated in American culture has access to. If you've somehow missed it, Bizarro World was a concept introduced by DC Comics in the early 1960s as a wrinkle in its Superman storylines. Also known as Htrae (spell it backwards...), Bizarro World was a cube-shaped planet where everything that happened on our world was restated as its "opposite." For the purposes of the DC franchise, this meant ineffectual and stupid superheroes ("stupor heroes") modeled on the opposite characteristics of Superman, Batman, and so forth.

The Bizarro concept was reintroduced to audiences in the 1990s through repeated references on Friends, Buffy the Vampire Slayer, and Saturday Night Live. Even Seinfeld dedicated an entire episode ("The Bizarro Jerry") to the notion.

So, we here at Ad-ttorneys@law—middle-aged shleps, the perfect bizarro demographic—are primed to notice when aspects of the Bizarro World leak into the topics we cover.

Us Hate Data Security!

New York Attorney General Leticia James recently issued an assurance of discontinuance signed by Zoetop, a clothing website operator that was hit by two related data breaches in 2018. The assurance document is a bizarro version of sound data policy—a perfect catalog of everything a company should not do when anticipating or responding to a data breach.

In 2018, Zoetop's e-commerce exporter, Shein, was hit by a cyberattack followed by a breach at its sister-site, Romwe. The Shein attack feasted on 39 million accounts, exfiltrating "names, city/province information, email addresses, and hashed account passwords." And so the bizarro litany begins.

If you want to expose your customers to identity theft and your own company to fines and legal jeopardy, follow these bizarro steps:

Ensure that the hash method you use to hide your customers' data is not secure (which is apparently what Zoetop did).

Fail to force a password reset for all the affected accounts when new logins occur (Zoetop failed to do so).

Instead, contact only a portion of those 39 million accounts—6.42 million accounts—and suggest a reset (which is how Zoetop approached its customers).

Oh, and don't forget to make misleading public statements regarding the breach in press releases and on your website, including statements that credit card information was not stolen when it was (which, again, is what Zoetop did).

Following the breach, make sure that a Payment Card Industry (PCI)-qualified forensic investigator cannot fully access your compromised systems and crucial information about your data security program (Zoetop failed to allow a PCI investigator sufficient access).

Moreover, before the breach even happens, fail to adhere to PCI data security standards (Zoetop failed to do so).

Finally, fail to adhere to network monitoring and testing standards such as file integrity monitoring, monitoring of log files, retention of audit trail histories and quarterly network vulnerability scans (Zoetop failed on this score, too.)

The Takeaway

There's so much in the assurance document that we can't write about all of it here, but it should serve as an excellent bizarro guide for companies hoping to enact the opposite of a sound data policy.

It's a shame because at least part of what was happening was avoidable. Tech news outlets claim that Zoetop got caught flatfooted by its own success and that its data security teams hadn't kept up with the growth of the company. Its subsequent skyrocketing sales resulting from the COVID-19 pandemic likely made matters more difficult, raising further questions about whether similar lapses could occur again.

But this isn't a question that anyone—let alone a popular company flush with success—should force itself to answer. Make sure that your data security efforts fail to be bizarro and ensure they scale up with your sales and web traffic, or you may suffer losses to both—and a $1.9 million fine as well.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.