Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On January 27, the FTC finalized an order with an education technology (ed tech) provider which claimed that the provider’s lax data security practices led to the exposure of millions of users and employees’ sensitive information, including Social Security numbers, email addresses, and passwords. As previously covered by InfoBytes, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Claiming violations of Section 5(a) of the FTC Act, the FTC alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.
Under the terms of the final decision and order, the company (who neither admitted nor denied any of the allegations) is required to take several measures to address the alleged conduct, including: (i) implementing a data retention and deletion process, which will allow users to request access to and deletion of their data; (ii) providing multi-factor authentication methods for users to secure their accounts; (iii) providing notice to affected individuals; (iv) implementing a comprehensive information security program; and (v) obtaining initial and biennial third-party information security assessments. The company must also submit covered incident reports to the FTC and is prohibited from making any misrepresentations relating to how it collects, maintains, uses, deletes, permits, or denies access to individuals’ covered information.
On January 13, the FTC announced an action against an investment advisor and its owners concerning allegations that the defendants made deceptive claims when selling their services to consumers. While the FTC has brought “several cases” concerning false money-making claims, the action marks the first time the FTC is collecting civil money penalties from cases relating to Notice of Penalty Offenses. As previously covered by InfoBytes, the FTC sent the notice to more than 1,100 companies (including the defendants) warning that they may incur significant civil penalties if they or their representatives make claims regarding money-making opportunities that run counter to FTC administrative cases. Under the Notice of Penalty Offenses, the FTC is permitted to seek civil penalties against a company that engages in conduct it knows is unlawful and has been determined to be unlawful in an FTC administrative order. This action is also the first time the FTC has imposed civil penalties for violations of the Restore Online Shoppers’ Confidence Act (ROSCA).
According to the complaint, the defendants made numerous misleading claims when selling their investment advising services, including that (i) recommendations about the services were based on a specific “system” or “strategy” created by so-called experts who claim to have made numerous successful trades; and (ii) consumers would make substantial profits if they followed the recommended trades (consumers actually lost large amounts of money, the FTC alleged). Moreover, the FTC claimed that company disclaimers “directly contradict the message conveyed by their marketing,” including that featured testimonials and example trade profits “represent extraordinary, not typical results,” “that ‘[n]o representation is being made that any account will or is likely to achieve profits or losses similar to those discussed,’ and that ‘[n]o representation or implication is being made that using the methodology or system will generate profits or ensure freedom from losses.’” By making these, as well as other, deceptive claims, the defendants were found to be in violation of the Notice of Penalty Offenses, ROSCA, and the FTC Act, the Commission said.
Under the terms of the proposed order, the defendants would be required to surrender more than $1.2 million as monetary relief and must pay a $500,000 civil money penalty. The defendants would also have to back up any earnings claims, provide notice to consumers about the litigation and the court order, and inform consumers about what they need to know before purchasing an investment-related service.
On January 5, the FTC announced a notice of proposed rulemaking (NPRM) regarding banning the use of noncompete clauses in employment contracts. Among other things, the NPRM, would make it illegal for employers to: (i) enter into, or attempt to enter into, a noncompete agreement with a worker; (ii) maintain a noncompete agreement with a worker; or (iii) represent to a worker that the worker is subject to a noncompete agreement. The NPRM also would require employers to rescind existing noncompete agreements and notify workers that those agreements are no longer in effect. The NPRM extends to both paid and unpaid workers as well as independent contractors. It also extends to non-disclosure agreements or agreements to repay training costs upon early termination of employment if such agreements amount de facto to a noncompete. Finally, the NPRM extends to noncompetes related to the sale of a business unless they involve a person who owns at least 25 percent of the sold business. The ban would be pursuant to Sections 5 and 6(g) of the FTC Act, which declare “unfair methods of competition in or affecting commerce” to be unlawful, and authorize the FTC to issue rules prohibiting such methods.
According to FTC Chair Lina M. Khan, noncompete clauses “block workers from freely switching jobs, depriving them of higher wages and better working conditions, and depriving businesses of a talent pool that they need to build and expand.” She noted that by ending noncompete clauses, “the FTC’s proposed rule would promote greater dynamism, innovation, and healthy competition.” According to Commissioner Christine S. Wilson’s dissent, the NPRM is a “radical departure from hundreds of years of legal precedent that employs a fact-specific inquiry into whether a noncompete clause is unreasonable in duration and scope, given the business justification for the restriction.”
Comments are due by March 10.
On December 30, the FDIC released a list of orders of administrative enforcement actions taken against banks and individuals in November. The FDIC made public nine orders consisting of “two consent orders; two orders terminating deposit insurance; three orders to pay civil money penalties; one order terminating consent order; and one Section 19 order.” Among the orders is a civil money penalty against a Wisconsin-based bank related to violations of the Flood Disaster Protection Act. The FDIC determined that the bank had engaged in a pattern or practice of violations that included the bank’s failure to: (i) obtain adequate flood insurance on the building securing a designated loan at the time of loan origination; (ii) obtain adequate flood insurance at the time of the origination; (iii) notify borrowers that the borrower should obtain flood insurance where a determination had been made that flood insurance had lapsed or a loan was not covered with the required amount of insurance; (iv) provide borrowers with a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance when making, increasing, extending or renewing a loan; and (v) provide borrowers with a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance within a reasonable time before the completion of the transaction. The order requires the payment of a $39,000 civil money penalty.
The FDIC also issued a civil money penalty against an Oregon-based bank for allegedly violating Section 8(a) of RESPA “by entering into mortgage lead generation arrangements with the operator of a real estate website and the operator of an online loan marketplace that were used to facilitate and disguise referral payments for mortgage business.” The FDIC also determined that the bank violated the FTC Act “by making deceptive and misleading representations in three of the bank’s prescreened offers of credit” and violated the FCRA “by obtaining the consumer reports of former loan clients with recent credit inquiries without a legally permissible purpose.” The order requires the payment of a $425,000 civil money penalty.
Additionally, the FDIC issued a consent order against a Tennessee-based bank alleging the bank engaged in “unsafe or unsound banking practices relating to weaknesses in capital, asset quality, liquidity, and earnings.” The bank neither admitted nor denied the allegations but agreed, among other things, that its board would “increase its participation in the affairs of the bank by assuming full responsibility for the approval of the bank’s policies and objectives and for the supervision of the bank’s management, including all the bank’s activities.” The bank also agreed to maintain a Tier 1 Leverage Capital ratio equal to or greater than 8.50 percent and a Total Capital ratio equal to or greater than 11.50 percent. The FDIC also issued a consent order against a New Jersey-based bank claiming the bank engaged in “unsafe or unsound banking practices relating to, among other things, management supervision, Board oversight, weaknesses in internal controls, interest rate sensitivity, and earnings.” The bank neither admitted nor denied the allegations but agreed, among other things, that it would retain a third-party consultant “to develop a written analysis and assessment of the bank’s board and management needs (Board and Management Report) for the purpose of ensuring appropriate director oversight and providing qualified management for the bank.”
On December 19, the DOJ filed a complaint on behalf of the FTC against a video game developer for allegedly violating the Children’s Online Privacy Protection Act (COPPA) by failing to protect underage players’ privacy. The FTC also alleged in a separate administrative complaint that the company employed “dark patterns” to trick consumers into making unwanted in-game purchases, thus allowing players to accumulate unauthorized charges without parental involvement. (See also FTC press release here.)
According to the complaint filed in the U.S. District Court for the Eastern District of North Carolina, the company allegedly collected personal information from players under the age of 13 without first notifying parents or obtaining parents’ verifiable consent. Parents who requested that their children’s personal information be deleted allegedly had to take unreasonable measures, the FTC claimed, and the company sometimes failed to honor these requests. The company is also accused of violating the FTC Act’s prohibition against unfair practices when its settings enabled, by default, real-time voice and text chat communications for children and teens. These default settings, as well as a matching system that enabled children and teens to be matched with strangers to play the game, exposed players to threats, harassment, and psychologically traumatizing issues, the FTC maintained. While company employees expressed concerns about the default settings and players reported concerns, the FTC said that the company resisted turning off the default setting and made it difficult for players to figure out how to turn the voice chat off when the FTC did eventually take action.
Under the terms of a proposed court order filed by the DOJ, the company would be prohibited from enabling voice and text communications unless parents (of players under the age of 13) or teenage users (or their parents) provide affirmative consent through a privacy setting. The company would also be required to delete players’ information that was previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company must implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, and obtain regular, independent audits. According to the DOJ’s announcement, the company has agreed to pay $275 million in civil penalties—the largest amount ever imposed for a COPPA violation.
With respect to the illegal dark patterns allegations, the FTC claimed that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Players were able to purchase in-game content by pressing buttons without requiring any parental or card holder action or consent. Additionally, the company allegedly blocked access to purchased content for players who disputed unauthorized charges with their credit card companies, and threatened players with a lifetime ban if they disputed any future charges. Moreover, cancellation and refund features were purposefully obscured, the FTC asserted.
To resolve the unlawful billing practices, the proposed administrative order would require the company to pay $245 million in refunds to affected players. The company would also be prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the order would bar the company from blocking players from accessing their accounts should they dispute unauthorized charges.
On December 15, the FTC announced proposed court orders to permanently ban a group of companies and their owners (collectively, “defendants”) from offering or providing credit repair services. In May the FTC filed a complaint against the defendants for allegedly violating the FTC Act, the Credit Repair Organizations Act, and the TSR, among other statutes, by making deceptive misrepresentations about their credit repair services and charging illegal advance fees (covered by InfoBytes here). At the time, the U.S. District Court for the Middle District of Florida granted a temporary restraining order against the defendants. The proposed court orders (see here and here) were agreed to by the defendants, and contain several requirements: (i) a permanent ban against the defendants from operating or assisting any credit repair service of any kind; (ii) a prohibition against making unsubstantiated claims “about the benefits, performance, or efficacy of any good or service without sufficient supporting evidence”; and (iii) the release of numerous possessions that will be liquidated by a court-appointed receiver and used by the FTC to provide refunds to impacted consumers. The proposed court orders also include a total monetary judgment of more than $18.8 million, which is partially suspended due to the defendants’ inability to pay.
On December 8, the FTC and the Florida attorney general announced that a Florida-based grant funding company and its owner (collectively, “defendants”) will be permanently banned from offering grant-writing and business consulting services as a result of a lawsuit the regulators brought against the defendants in June. As previously covered by InfoBytes, the complaint alleged that the defendants violated the Consumer Protection Act, the FTC Act, and the Florida Deceptive Unfair Trade Practices Act by deceptively marketing their services to minority-owned small businesses. Among other things, the defendants (i) promised grant funding that did not exist and/or was never awarded; (ii) misled customers about the status of grant awards; and (iii) failed to honor a “money-back guarantee” and suppressed customer complaints. The defendants agreed to the terms of a proposed court order, which would ban them from providing grant-related services and business consulting, and prohibit them from making misrepresentations regarding advertised products or services. Defendants would also be required to turn over certain property to be sold in order to provide refunds to affected businesses. The proposed order also includes a more than $2 million monetary judgment, which is partially suspended due to defendants’ inability to pay.
On November 30, the FTC announced an action against three individuals and their affiliated companies (collectively, “defendants”) for allegedly participating together in a credit card debt relief scheme since 2019. The FTC alleged in its complaint that the company violated the FTC Act and the Telemarketing Sales Rule (TSR) by using telemarketers to call consumers and pitch their deceptive scheme, falsely claiming to be affiliated with a particular credit card association, bank, or credit reporting agency and promising they could improve consumers’ credit scores after 12 to 18 months. The defendants also allegedly misrepresented that the upfront fee, which in some cases was as high as $18,000, was charged to consumers’ credit cards as part of the overall debt that would be eliminated, and therefore consumers would not actually have to pay this fee. The District Court for the Middle District of Tennessee granted the Commission’s request to temporarily shut down the scheme operated by the defendants and froze their assets. The complaint requests, among other things, a permanent injunction to prevent future violations of the FTC Act and the TSR by the defendants.
On November 22, the DOJ, FTC, and the Wisconsin attorney general announced a civil enforcement action against 16 defendants for allegedly using deceptive sales practices to sell timeshare “exit services” to consumers, mostly involving senior citizens. The complaint, which was filed in the U.S. District Court for the Eastern District of Missouri, alleged that the defendants failed to assist consumers in exiting their timeshare contracts while collecting large fees for the incomplete service. The complaint also alleged that the defendants deceived consumers into registering for timeshare exit services by, among other things, falsely claiming that consumers could not exit timeshare contracts on their own, and that the defendants were affiliated with legitimate companies. The complaint further alleged that the defendants failed to notify consumers of their rights under federal and state law to cancel their contracts with defendants within three business days. The complaint noted that the defendants allegedly deceived consumers into paying over $90 million to the defendant companies for services that were not delivered. The complaint also stated that the defendants’ actions violated the FTC Act, the FTC’s rule concerning the cooling-off period for sales made at home or other locations, and certain Wisconsin state laws concerning fraudulent misrepresentations and direct marketing. The complaint seeks monetary relief, civil penalties, and injunctive relief. According to the DOJ, the defendants’ timeshare exit services are also the subject of lawsuits filed by the Alaska and Missouri attorneys general in June 2022.
On November 16, the FTC announced an action against a company that markets and sells business opportunities for allegedly pitching deceptive moneymaking schemes promising big returns to consumers. Claims were also brought against the company owners. The FTC alleged in its complaint that the defendants violated the FTC Act, the Business Opportunity Rule, and the Consumer Review Fairness Act by selling business packages and business coaching through an internet retailer under various names that promised consumers they could “generate passive income on autopilot.” However, the FTC claimed the defendants charged consumers between $5,000 and $100,000 for the programs and used fake consumer reviews in their marketing and sales pitches. Few consumers ever made money from these schemes, the FTC said. Additionally, the defendants allegedly charged consumers thousands of dollars to participate in a cryptocurrency investment service, which defendants claimed could generate profits for consumers “while you sleep.” According to the FTC, the defendants harmed consumers by, among other things, (i) deceiving them about potential earnings; (ii) using fake testimonials; (iii) suppressing negative reviews and promising refunds to consumers if they removed their complaints; (iv) threatening to sue dissatisfied consumers and adding language to contracts to prevent consumers from leaving negative reviews; and (v) failing to provide required disclosures when selling their programs.
Under the terms of the proposed stipulated order, the defendants will be prohibited from making deceptive earnings claims and misleading consumers about the nature of their products, including the likelihood of profits. Defendants must also stop engaging in behavior that interferes with consumer reviews and complaints. The defendants will also be required to pay $2.6 million in monetary relief. The proposed order includes nearly $53 million in total monetary judgment, which is partially suspended due to defendants’ inability to pay.