FTC

March 2017

New Toolbar, Same Old Problems

In 2012, Upromise allegedly: (i) failed to disclose the extent of data collected by its ‘TurboSaver’ toolbar, (ii) failed to limit the data collected by its toolbar, and (iii) failed to ensure data was collected and protected consistent with its privacy policies and contractual agreements. The FTC alleged that, despite its representations, the tool collected financial account numbers, security codes, and Social Security numbers from secure web pages, and transmitted this information over the Internet in clear text. To resolve the matter, Upromise entered into a 20-year consent decree requiring it to:

  • Get express affirmative consent prior to download/install
    • clearly and prominently disclose privacy notices or other agreements
    • disclose all data collected, how used, with whom shared
  • Notify consumers who could have been impacted by the (unauthorized) disclosures
    • re-obtain consent from existing users
  • Destroy all previously collected data
  • Implement an ‘information security program’ (designed to protect the security, privacy, confidentiality, and integrity of personal information)
    • verify the effectiveness of the ‘information security program’ biennially through third-party audits
  • Maintain records associated with compliance with the order for five years after creation/dissemination

No monetary penalty was assessed.

In 2017, the FTC reviewed Upromise’s ‘RewardU’ toolbar, and alleged that under the new toolbar implementation, Upromise failed to clearly and conspicuously disclose the extent of data collected by the ‘RewardU’ toolbar (the collection was disclosed only in small, footnote-style text in a barely visible font color), and at enrollment presented a different privacy policy & EULA that incorporated two other privacy policies by reference. Additionally, the FTC alleged that the second and third assessments performed under the existing order did not sufficiently address the specific administrative, technical, and physical safeguards that should have been implemented in ‘RewardU.’

This time, the (20-year) agreement requires Upromise to:

  • Pay a $500,000 civil penalty
  • Assess the validity of consent previously obtained
    • performed by a qualified, objective, independent third party specializing in website design and user experience
    • designed to certify adherence to the FTC Order’s ‘clearly and prominently’ disclosure requirement and ‘express, affirmative’ consent requirement
    • approved in advance by the FTC
  • Delete all cookies/trackers associated with the ‘RewardU’ toolbar
    • notify consumers to delete their cookies, and instruct them how to do this
  • Submit compliance reports on demand
  • Maintain records associated with compliance with the order for five years after creation/dissemination, for the next 20 years

Upromise (and any corporation, subsidiary, division, or other device) is also enjoined from violating any provision of this new (or any other) FTC order.
https://www.ftc.gov/news-events/press-releases/2017/03/membership-reward-service-upromise-penalized-violating-ftc-order
jbho: I guess the FTC didn’t really tell Upromise how to get consent in 2012. However, the dotcom disclosure guidance has been out there since 2013. Let’s use this example as an opportunity to freshen up on those guidelines.
https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-staff-revises-online-advertising-disclosure-guidelines/130312dotcomdisclosures.pdf

Note: Both the TurboSaver & RewardU toolbars identified and reminded consumers of cash-back opportunities when shopping online. It appears the RewardU toolbar has been pulled. https://lty.s.upromise.com/member/faq/rewardu

 

$3.6 Million For Alleged Deceptive Advertising Practices

A group of auto dealerships allegedly engaged in deceptive and unfair advertising related to the purchase, finance, and lease of vehicles. Specifically, the FTC alleged that ads stated low ‘money-down’ amounts that did not reflect the actual ‘due-at-signing’ amount. Additional costs and fees were disclosed only in small print, and the advertised prices were not linked to those disclosures. For example, a 2012 Nissan Versa was allegedly advertised as “$38 Down” & “$38 A Month.”

[Image: the “$38 Down / $38 A Month” Versa advertisement]

But the small print allegedly stated:

2012 Versa Hatchback 4 Door Automatic – Selling Price $16,910 doc fee 80.00 Acquisition Fee $595 License $210 gross Cap cost $17,505. $2695 Due at signing. MSRP $17,755. Residual $10,118.10. Mileage per year 12,000. Term of lease 36 months. Advanced payment $195.34. Upfront charge $508.94. Initial Payment $2695.00. $38 payment for the first 6 months. Payment goes to $179.62 for the balance of the lease term. One at this price. Model #11412 VIN#285174.

So the quoted prices were not really available to consumers. The FTC cited almost a dozen other examples of similar advertisements.

The FTC further alleged that quoted prices were further out-of-reach, as add-on products were often added to sales without consumers’ knowledge or consent. Finally, the FTC alleged that defendants engaged in yo-yo practices related to financing of vehicles, and posted false customer satisfaction reviews online.

The final settlement has yet to be filed. However, under a Stipulated Preliminary Injunction Order filed 25 October 2016, Sage Group companies would be enjoined from misrepresenting:
• Any cost (or the full cost) associated with the purchase or lease of a vehicle
• Any discount, rebate, or incentive
• A consumer’s ability to obtain a discount, rebate, or incentive
• The vehicles for which a discount, rebate, or incentive is offered
• Any trade-in allowance
• Any restriction, limitation, or condition
• Any refund, cancellation, exchange, or repurchase policy
• Any opinion, belief, finding, or experience related to customer satisfaction

They would also be enjoined from stating a rate of finance charge without stating the rate as an ‘annual percentage rate’ or using the abbreviation ‘APR.’

Furthermore, any advertisements must clearly and conspicuously disclose all of the following terms (in compliance with TILA & Reg Z):
• The amount or percentage of the down payment
• The terms of repayment
• The annual percentage rate, using the term “annual percentage rate” or the abbreviation ‘APR’
• If the annual percentage rate may be increased after consummation of the credit transaction, that fact must also be disclosed

For leases, any advertisements must clearly and conspicuously disclose (in compliance with Reg M):
• The transaction advertised is a lease
• The total amount due at lease signing or delivery
• Any security deposit required
• The number, amounts, and timing of scheduled payments
• Any extra charges at lease end (based on the anticipated residual value of the vehicle)

Finally, Sage Group must pull all “Deceptive Reviews” from circulation.
https://www.ftc.gov/news-events/press-releases/2017/03/los-angeles-based-sage-auto-group-will-pay-36-million-settle-ftc
[C.D. CA; 2:16-cv-07329]
jbho: another reminder that additional fees and charges must be clearly and conspicuously disclosed. And disclaimers cannot contradict the claim. Particularly important when you are disclosing financing terms.

Also a reminder of the inherent risk in certain types of remuneration.

 

February 2017

$2.5 Million Settlement To Resolve Smart TV Tracking Allegations

Vizio allegedly recorded and shared viewing behavior (“on a second-by-second basis”) without consumer knowledge or consent. It also allegedly tied viewing behavior to a specific device by collecting other information about televisions, such as IP addresses, MAC addresses, WiFi information, as well as nearby WiFi access points. Over time, the data collected was allegedly used for more and more purposes, including:

  • Audience measurement (2014)
  • Advertising effectiveness (2015), including behavior across devices:
    • whether a consumer visited a particular website following an advertisement
    • whether a consumer viewed a particular television program following an advertisement
  • Target advertising on other devices (2016)

The data was provided in an ‘anonymous’ format, and Vizio’s contracts prohibited re-identification, but did allow sex, age, income, marital status, household size, education, home ownership, and household value to be appended to the data it provided.

Vizio allegedly performed the above with no on-screen notice of collection until March 2016. Afterwards, an on-screen pop-up notification referenced collection, but timed out after 30 seconds without consumer input, and without easy access to the settings menu.
[Image: the Vizio on-screen pop-up notification]
The setting to turn off collection was allegedly unintuitively named “Smart Interactivity,” and was described as “enabl(ing) program offers and suggestions,” with no mention of data collection.

Under the Order, Vizio must not misrepresent its data collection and use practices, and:

  • Prominently (& unavoidably) disclose – separate from any privacy policy, terms of use, or similar document –
    • the types of viewing data it collects & uses
    • the types of viewing data shared
    • categories of recipients
    • all purposes for sharing
  • Obtain affirmative express consent at the above disclosure
  • Provide instructions for revoking consent when consent is sought
  • Obtain affirmative express consent to any material changes in collection, use, or sharing
  • Destroy all data collected before 1 March 2016
  • Implement a privacy program
    • program to be assessed by an independent third party initially, and biennially thereafter
  • Maintain records associated with compliance with the order for five years after creation/dissemination
  • Pay $2.5 Million in civil penalties and fines
    • $1,500,000 to the FTC
    • $1,000,000 to the New Jersey Division of Consumer Affairs ($300,000 of which is suspended, and will be vacated after 5 years if Vizio complies with the Order)

The Order remains in effect for 20 years.
https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it
[D. N.J.; 2:17-cv-00758]
jbho: a reminder that you need to know:
• what your devices are doing
• what data you’re getting
• what data you’re sharing
• and what everybody’s doing with that data

Then consider:
• do your consumers know what you’re doing? (e.g., update your privacy policy)
• are your consumers ok with that? (e.g., get consent)
• if they’re not ok, can they fix it? (e.g., offer an opt-out, or a way to close an account)

Interesting here is that the FTC classified television viewing as ‘sensitive’ data. I suppose it could depend on what you’re watching. However, Acting Chairman Ohlhausen indicated in a concurring statement that she felt the ‘sensitive’ designation may not have been the best choice, and that she will be more rigorously examining what constitutes ‘substantial injury’ in the context of personal information. Nevertheless, failing to provide clear, complete, and conspicuous disclosures of data collection and use practices will likely continue to be enforced under the Section 5 ‘deceptive’ prong.

Also worth noting, the FTC here explicitly required Vizio to offer an opt-out of data collection. Something the Commission stopped short of in the recent Cross-Device recommendation.

Finally, the Order includes IP address and User IDs in the definition of ‘Covered Information.’ While not explicitly called ‘personal,’ it will be interesting to see if this order has any influence on VPPA cases.

 

December 2016

FTC Proposal To Turn The Page On Surreptitious Tracking

DSP/DMP Turn allegedly misrepresented consumers’ ability to opt out of targeted advertising. Turn allegedly continued to target consumers after opt-out using the persistent Verizon X-UIDH header (the subject of a separate enforcement action). Users had no means to prevent the transmission of the Verizon X-UIDH header, and Turn allegedly used the X-UIDH value to re-identify users and continue to serve targeted ads, irrespective of any settings on a mobile browser, mobile device, or in a mobile app.

The proposed Order requires Turn to:

  • Not misrepresent the information it collects, or how it uses, discloses, shares, or retains that information
  • Not misrepresent a user’s ability to limit collection, use, sharing, or retention of information
  • Create a “Consumer Opt Out of Targeted Advertising” page that Clearly and Conspicuously discloses the types of information it collects and uses, as well as the technologies and methods it uses for Targeted Advertising
  • Honor and not override any browser/app/device setting indicating a consumer’s desire to opt-out
  • Submit a report on compliance with the Order in one year
  • Create the following records for the next 10 years (and maintain each for 5 years after creation):
    • accounting records showing revenues from all goods or services sold
    • personnel records on each person providing services in relation to any aspect of the Order
    • consumer complaints or inquiries relating to collection, use, and sharing of information, as well as opt-out practices
    • public statements (e.g., privacy policies) covering collection, use, sharing, and retention of information
      • including any changes in practices
    • other records required to demonstrate full compliance with the Order
  • Submit additional compliance reports or other requested information on demand
    • response within 10 days

The Order would remain in effect for 20 years. No fines have been assessed.

The proposed Order is subject to a 30-day public comment period (through 19 Jan 2017). The Commission will then decide whether to make the proposed consent order final.

UPDATE: 21 Apr 2017 – the Order was approved by a 2-0 vote.

https://www.ftc.gov/news-events/press-releases/2016/12/digital-advertising-company-settles-ftc-charges-it-deceptively

jbho: While likely more than most would need, the new TURN privacy policy – updated to comply with the Order – could provide some good examples of how to craft a PP for other DSPs, DMPs, SSPs, etc., as well as what to offer in terms of opt-outs.

The FTC also noted that despite statements on Turn’s website that blocking/removing cookies would prevent targeting, this would not prevent targeted ads from appearing in mobile apps. So you should make sure to distinguish between the two, and the actions that a user would need to take that are unique to one platform versus another. Since AdChoices relies on cookies, this may not be an effective opt-out for in-app ads. An alternate solution may need to be developed. For example, Turn has partnered with TRUSTe to provide an in-app opt-out (http://www.turn.com/trust/consumer-opt-out).

Note also, the press release summarizes that “Turn … must provide an effective opt-out for consumers who do not want their information used for targeted advertising …” (emphasis added). However, the press release, Aid to Public Comment, and the Order do not say that an opt-out means to stop collecting or linking data. So it should be enough to stop serving targeted ads? (Consider also that companies may need to track specific devices in order to honor device-level opt-outs.)

And finally, the order also contains a nice summary of what the FTC means by “Clear and Conspicuous,” as well as a list of what information it considers in-scope for the enforcement:

“Covered Information” means information from or about an individual consumer, Computer, or Device, including, but not limited to:

  • email address or other online contact information
  • user name
  • unique ID held in a cookie
  • IP address
  • Device Advertising Identifier (e.g., IDFA, Google Ad ID)
  • Device ID
  • MAC address
  • processor serial number
  • Verizon X-UIDH header
  • browsing history or other data about websites and applications that a device has accessed
  • precise geolocation data (person or device)
    • GPS-based
    • WiFi-based
    • cell-based
  • authentication credentials
    • login ID
    • password

The Commission stopped short of calling all of the above ‘personal.’

 

 

“All Natural” Claims More About “All” Than “Natural” – Part II

The FTC finalized an order with a fifth cosmetics manufacturer, who also allegedly deceptively marketed its products. In this case, California Naturel marketed its sunscreens as “All Natural” despite their containing Dimethicone.

The consent decree prohibits California Naturel from making any purity or health claims without reliable scientific evidence to prove the claims. Additionally, the company must maintain and make available upon FTC request all advertisements/promotional materials & any tests, reports, studies, surveys, demonstrations, or other evidence to support claims. The above must be maintained for five (5) years.

The FTC previously has entered into consent decrees with four other companies for similar alleged false advertising claims: Trans-India Products (Shikai), Erickson Marketing (Rocky Mountain Sunscreen), ABS Consumer Products (EDEN BodyWorks), Beyond Coastal. The products at issue contain one or more synthetic ingredients (e.g., Butyloctyl Salicylate, Caprylyl Glycol, Dimethicone, Ethylhexyl Glycerin, Phenoxyethanol, Polyethylene, etc.)

All Orders remain in effect for 20 years.
https://www.ftc.gov/news-events/press-releases/2016/12/ftc-rules-california-naturel-inc-misled-consumers-violated-ftc
jbho: a reminder to avoid absolutes in marketing copy. And disclaimers can’t contradict the claim.

Interesting here is that the FTC focused on the ‘100 percent’ and ‘all’ in the claims. In response to comments, the FTC stopped short of saying products should not be represented as ‘natural’ if they contain any amount of synthetic ingredients. The commission felt it lacked evidence that consumers would interpret the term ‘natural’ alone to mean there were no synthetic ingredients.

However, The Honest Company was recently denied a motion to dismiss on claims about its ‘natural’ products that also contained Cocamidopropyl Betaine, Methylisothiazolinone, and Phenoxyethanol (C.D. CA; 2:15-cv-07059; Doc75) – claims it voluntarily pulled in the wake of an NAD inquiry.

So, avoiding any terms that imply an absolute is probably still a good idea.

 

DeVry University Settles On Unsubstantiated Advertising Claims

DeVry University (DVU) allegedly used deceptive representations about the benefits of obtaining a degree from DVU in its advertising campaigns. Ads cited statistics claiming students of DVU were highly likely to obtain a well-paying, career-oriented job in the student’s chosen field of study soon after graduating. Specifically, the cornerstone claim of DVU’s advertising across all channels was, “90% of DVU graduates who were actively seeking employment landed or obtained new jobs in their field of study within six months of graduation.” Another frequent claim was that DVU grads earned 15% more than all other bachelor’s degree candidates.

The FTC argued the 90% claim was deceptive, as the statistics included individuals employed at the time of enrollment who remained in the same job after graduation, and individuals who were NOT employed in their field of study (e.g., rural mail carrier, sales associate at Macy’s, unpaid volunteer, server at a Cheesecake Factory, car salesman, etc.). The statistics also excluded individuals whom DVU considered to not be “actively seeking employment” (i.e., those who could not find a job). Additionally, the FTC determined the 15% higher income claim was based on a flawed statistical study, and thus also deceptive.

In addition to the $100,000,000 penalty, the Order requires DeVry to:

  • Not misrepresent the success of students or graduates in a particular field, type of employment/employer, compensation, or timing of employment
  • Not use misleading statistical analyses of students or graduates success, and clearly and conspicuously disclose the relevant, correct statistics
  • Preserve all complaints and other relevant student data to determine appropriate reparations
  • Implement a training program to ensure compliance with the order
    • and maintain for 20 years
  • Maintain the following records for the next 15 years (and keep each for 5 years):
    • copies of all advertising/marketing materials
    • revenue accounting
    • personnel records
    • consumer complaints
    • requested refunds
    • all records necessary to demonstrate compliance with the order

Of the 100 Million, ~$49M goes to the commission (to be distributed through an FTC claims process), ~$30M is earmarked for forgiveness of student loans issued by DeVry, and ~$20M is reserved for forgiveness of other student expenses. The Order also prohibits DeVry from implementing non-disparagement clauses in any credit/refund agreements.
https://www.ftc.gov/news-events/press-releases/2016/01/ftc-brings-enforcement-action-against-devry-university
jbho: any performance claims must be substantiated based on impartial, empirical data.

Also, a couple of examples of how not to cite studies. For example, the substantiation DVU used for its 90% claim:

  • “Based on self-reported data from bachelor’s and associate degree graduates. Does not include graduates not actively seeking employment, as determined by DeVry University Career Services or graduates who did not report data on employment status to DeVry University Career Services.” (emphasis added)
  • It also included the disclaimer:
    • “Active job market includes those already employed prior to graduation.” (emphasis added)

And the full disclaimer used for the study that backed the 15% higher pay claim:

  • “Based on PayScale study commissioned by DeVry. Data collected in 2012 and compared median self-reported earnings for graduates at different stages in their careers. Self-reported information may not reflect actual earnings and may not be representative of earnings of individuals who don’t supply information. Results may not be statistically significant. For information on study methodology, visit devry.edu/sourceinfo.” (emphasis added)
    • imho, as a mathematician, the “Results may not be statistically significant” statement immediately shows the disclaimer contradicts the claim; breaking the first rule of qualifying disclosures.

 

2016 Do Not Call Data Book

The FTC has released its 2016 stats on DNC subscriptions and complaints. Highlights include:

  • 226,001,288 numbers on the registry
    • over 3 million more than last year, 100 million more than 2006
  • 5,340,234 complaints
    • almost 1.8 million (50%) more than last year, over 4 million (364%) more than 2006
    • 3.4 million (64%) involved robocalls
    • 2.4 million (45%) involved failure to honor opt-outs

The number of companies subscribing to the DNC registry continues to decline.
https://www.ftc.gov/system/files/documents/reports/national-do-not-call-registry-data-book-fiscal-year-2016/dnc_data_book_fy_2016_post.pdf
jbho: remember that each of these complaints is a potential TCPA lawsuit, since the TCPA does cover manually dialed telemarketing calls (47 USC §227(c)).

 

July 2016

Ad Network Fined $4 Million For Geo-Tracking Consumers Without Permission

The InMobi SDK was allegedly configured by default to collect WiFi information to create a ‘geocoder database’ to infer consumer latitude and longitude. This was allegedly done independent of a specific app developer’s intent to collect and use location information, as well as independent of a consumer’s location settings on a mobile device. InMobi would then allegedly use this information to track consumer location and serve geo-targeted ads.

Furthermore, InMobi stated in its SDK documentation that location parameters were only passed to InMobi if the app user allowed it, and that InMobi used only opt-in location data. As a result, app developers could not provide accurate information in their app privacy policies.
Finally, InMobi represented that its SDK could be used in compliance with COPPA, and that it would not collect data on children under 13. Despite these representations, the FTC alleged InMobi neither implemented nor tested the COPPA functionality, and knowingly collected and used personal information – including unique device identifiers and location information (including inferred location) – through thousands of applications directed to children.

In addition to the $4 million civil penalty*, InMobi is prohibited from collecting information from children without adequately informing parents and obtaining verifiable parental consent. Any information previously collected from children must be destroyed.
InMobi is also prohibited from collecting or inferring location information without the affirmative consent of the consumer, and must discontinue collection/inference if consent has been revoked – whether directly, or through any other app, OS, device, or other system setting. Any information previously collected/inferred must be destroyed.

Lastly, InMobi must establish, implement, and maintain a comprehensive privacy program. The program is subject to an initial assessment, to be provided to the FTC, and biennial assessments thereafter (available to the FTC on demand). All assessments must be performed by an independent third party and maintained for 5 years. The order remains in effect for 20 years.
*adjusted to $950,000 based on the company’s financial condition
https://www.ftc.gov/news-events/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked
jbho: To the great relief of InMobi clients, the FTC went after the SDK maker, and not the apps using the SDK (since InMobi’s alleged ‘deceptive’ statements ultimately impacted consumers). It will be interesting to see how the FTC handles cases where it feels an app developer should have been “on notice” that an SDK was suspect (e.g., Silverpush https://www.ftc.gov/news-events/press-releases/2016/03/ftc-issues-warning-letters-app-developers-using-silverpush-code)

 

Health Co. Settles With FTC Over Public Release Of Survey Responses

Cloud-based Electronic Health Record (EHR) provider Practice Fusion allegedly publicly posted some 613,000 doctor reviews online without proper notice or consent. According to the complaint:

  • Review (survey) invitations were sent via email under the guise of “improv(ing) your service in the future.”
    • the privacy policy included in the email did not inform users that reviews would be publicly posted
  • To submit a review, users ticked a box to agree to the terms of a “Patient Authorization” which authorized public release of survey responses
    • users were not required to view the Patient Authorization
  • Survey responses typically included sensitive health information
  • Healthcare providers were unaware that survey responses about them were being publicly posted

The Order prohibits Practice Fusion from misrepresenting its privacy and security protections. It also requires:

  • Provision of a separate dedicated notice with opt-in consent before publicly posting (covered) personal information
  • Prohibition on public display of healthcare provider review information
  • Maintenance of the following records for five years:
    • accounting records
    • personnel records
    • consumer complaints concerning the subject matter of the Order
    • records necessary to demonstrate compliance with the Order (or any potential lack of compliance)
    • forms used to obtain information from consumers
    • representations regarding privacy and security protections

No fines were issued, but the Order is effective for 20 years.
https://www.ftc.gov/news-events/press-releases/2016/06/electronic-health-records-company-settles-ftc-charges-it-deceived
jbho: something to keep in mind w.r.t. surveys. Always provide notice and get appropriate consent based on information being collected & shared.

Also, keep in mind the FTC recently raised its fining authority from $16,000 to $40,000 per violation (to adjust for inflation)
https://www.ftc.gov/news-events/press-releases/2016/06/ftc-raises-civil-penalty-maximums-adjust-inflation
