FTC finalizes gaming company order on dark patterns
On March 14, the FTC finalized an administrative order requiring a video game developer to pay $245 million in refunds to consumers allegedly tricked into making unwanted in-game purchases. As previously covered by InfoBytes, the FTC filed an administrative complaint claiming players were able to accumulate unauthorized charges without parental or card holder action or consent. The FTC alleged that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Under the terms of the final decision and order, the company is required to pay $245 million in refunds to affected card holders. The company is also prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the company is barred from blocking players from accessing their accounts should they dispute unauthorized charges.
Separately, last month the U.S. District Court for the Eastern District of North Carolina entered a stipulated order against the company related to alleged violations of the Children’s Online Privacy Protection Act (COPPA). The FTC claimed the company failed to protect underage players’ privacy and collected personal information without first notifying parents or obtaining parents’ verifiable consent. Under the terms of the order, the company is required to ensure parents receive direct notice of its practices with regard to the collection, use or disclosure of players’ personal information, and must delete information previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company is required to implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, obtain regular, independent audits, and pay a $275 million civil penalty (the largest amount ever imposed for a COPPA violation).
FTC proposes changes to Negative Option Rule
On March 23, the FTC announced a notice of proposed rulemaking (NPRM) seeking feedback on proposed amendments to the agency’s Negative Option Rule, which is used to combat unfair or deceptive practices related to subscriptions, memberships, and other recurring-payment programs. (See also FTC fact sheet here.) Claiming that current laws and regulations do not clearly provide a consistent legal framework for these types of programs, the NPRM, which applies to all subscription features in all media, proposes to add a new “click to cancel” provision that would make it as easy for consumers to cancel their enrollment as it was to sign up. The NPRM would also require sellers to first ask consumers whether they want to hear about new offers or modifications before making a pitch when consumers are trying to cancel their enrollment. If a consumer says “no,” a seller must immediately implement the cancellation process. Sellers would also be required to provide consumers who are enrolled in negative option programs involving anything other than physical goods with an annual reminder before they are automatically renewed.
Commissioner Christine Wilson issued a dissenting statement, in which she argued that while the NPRM “may achieve the goal of synthesizing the various requirements in one rule,” it “is not confined to negative option marketing [as it] also covers any misrepresentation made about the underlying good or service sold with a negative option feature.” Wilson commented, “as drafted, the Rule would allow the Commission to obtain civil penalties, or consumer redress under Section 19 of the FTC Act, if a marketer using a negative option feature made misrepresentations regarding product efficacy or any other material fact.”
FTC orders refunds over compromised health data
On March 2, the FTC filed a complaint against an online counseling service alleging the respondent violated the FTC Act by monetizing consumers’ sensitive health data for targeted advertising purposes. As part of the process to sign up for the respondent’s counseling services, consumers are required to provide sensitive mental health information, as well as other personal information. Consumers are promised that their personal health data will not be used or disclosed except for limited purposes, such as for counseling services. However, the FTC claimed the respondent used and revealed consumers’ sensitive health data to third parties for advertising purposes. According to the FTC, the respondent failed to maintain sufficient policies or procedures to protect the sensitive information and did not obtain consumers’ affirmative express consent before disclosing the health data. The respondent also allegedly failed to limit how third parties could use the health data and denied reports that it revealed consumers’ sensitive information.
Under the terms of the proposed consent order, the respondent will be required to pay $7.8 million in partial refunds to affected users and will be banned from disclosing health information to certain third parties for re-targeting advertising purposes. This will be the first FTC action returning funds to consumers whose health data was compromised. The respondent will also be prohibited from misrepresenting its sharing practices and must also (i) obtain users’ affirmative express consent before disclosing personal information to certain third parties for any purpose; (ii) implement a comprehensive privacy program with strong safeguards to protect users’ data; (iii) instruct third parties to delete shared personal data; and (iv) implement a data retention schedule imposing limits on how long personal data can be retained.
FTC, DOJ sue telemarketers of fake debt relief services
On February 16, the DOJ filed a complaint on behalf of the FTC against several corporate and individual defendants for alleged violations of the FTC Act and the Telemarketing Sales Rule (TSR) in connection with debt relief telemarketing campaigns that delivered millions of unwanted robocalls to consumers. (See also FTC press release here.) According to the complaint, filed in the U.S. District Court for the Southern District of California, the defendants are interconnected platform providers, lead generators, telemarketers, and debt relief service sellers. Alleged violations include: (i) making misrepresentations about their debt relief services; (ii) initiating telemarketing calls to numbers on the FTC’s Do Not Call Registry, as well as calls in which telemarketers failed to disclose the identity of the seller and services being offered; (iii) initiating illegal robocalls without first obtaining consent; (iv) failing to make oral disclosures required by the TSR, including clearly and truthfully identifying the seller of the debt relief services; (v) misrepresenting material aspects of their debt relief services; and (vi) requesting and receiving payments from customers before renegotiating or otherwise altering the terms of those customers’ debts. The complaint seeks permanent injunctive relief, civil penalties, and monetary damages. Two of the defendants (a debt relief lead generator and its owner) have agreed to a stipulated order that, if approved, would prohibit them from further violations and impose a monetary judgment of $3.38 million, partially suspended to $7,500 to go towards consumer redress due to their inability to pay.
District Court allows FTC suit against owners of credit repair operation to proceed
On February 13, the U.S. District Court for the Eastern District of Michigan denied a motion to dismiss filed by certain defendants in a credit repair scheme. As previously covered by InfoBytes, last May the FTC sued a credit repair operation that allegedly targeted consumers with low credit scores promising its products could remove all negative information from their credit reports and significantly increase credit scores. At the time, the court granted a temporary restraining order against the operation for allegedly engaging in deceptive practices that scammed consumers out of more than $213 million. The temporary restraining order was eventually vacated, and the defendants at issue (two individuals and two companies that allegedly marketed credit repair services to consumers, charged consumers prohibited advance fees in order to use their services without providing required disclosures, and promoted an illegal pyramid scheme) moved to dismiss themselves from the case and to preclude the FTC from obtaining permanent injunctive and monetary relief.
In denying the defendants’ motion to dismiss, the court held, among other things, that “controlling shareholders of closely-held corporations are presumed to have the authority to control corporate acts.” The court pointed to the FTC’s allegations that the individual defendants at issue were owners, officers, directors, or managers, were authorized signatories on bank accounts, and had “formulated, directed, controlled, had the authority to control, or participated in the acts and practices set forth in the complaint.” The court further held that the FTC’s allegations raised a plausible inference that the individual defendants have the authority to control the businesses and demonstrated that they possessed, “at the most basic level, ‘an awareness of a high probability of deceptiveness and intentionally avoided learning of the truth.’”
The court also disagreed with the defendants’ argument that the permanent injunction is not applicable to them because they have since resigned their controlling positions of the related businesses, finding that “[t]his development, if true, does not insulate them from a permanent injunction.” The court found that “the complaint contains plausible allegations of present and ongoing deceptive practices that would authorize the [c]ourt to award a permanent injunction ‘after proper proof.’” In addition, the court said it may award monetary relief because the FTC brought claims under both sections 13(b) and 19 of the FTC Act and “section 19(b) contemplates the ‘refund of money,’ the ‘return of property,’ or the ‘payment of damages’ to remedy consumer injuries[.]”
FTC bans health vendor from sharing consumer info with advertiser
On February 1, the DOJ filed a complaint on behalf of the FTC against a telehealth and prescription drug discount provider for allegedly violating the FTC Act and the Health Breach Notification Rule by failing to notify consumers that it was disclosing their personal health information to third parties for advertising purposes. The FTC stated that, as a vendor of personal health records, the company is required to comply with the Health Breach Notification Rule, which imposes certain reporting obligations on health apps and other companies that collect or use consumers’ health information (previously covered by InfoBytes here).
According to the complaint filed in the U.S. District Court for the Northern District of California, the company—which allows users to keep track of their personal health information, including saving, tracking, and receiving prescription alerts—shared sensitive personal health information with advertisers and other third parties for years, even though it allegedly promised users that their health information would never be shared. The FTC maintained that the company also monetized users’ personal health information and used certain shared data to target its own users with personalized health- and medication-specific advertisements on various social media platforms. The company also allegedly: (i) permitted third parties to use shared data for their own internal purposes; (ii) falsely claimed compliance with the Digital Advertising Alliance principles (which require companies to obtain consent prior to using health information for advertising purposes); (iii) misrepresented its HIPAA compliance; (iv) failed to maintain sufficient formal, written, or standard privacy or data sharing policies or procedures to protect personal health information; and (v) failed to report the unauthorized disclosures.
Under the terms of the proposed court order filed by the DOJ, the company would be required to pay a $1.5 million civil penalty, and would be prohibited from engaging in the identified alleged deceptive practices and from sharing personal health information with third parties for advertising purposes. The company would also be required to implement several measures to address the identified violations, including obtaining users’ affirmative consent before disclosing information to third parties (the company would be prohibited from using “dark patterns,” or manipulative designs, to obtain consent), directing third parties to delete shared data, notifying users about the breaches and the FTC’s enforcement action, implementing a data retention schedule, and putting in place a comprehensive privacy program to safeguard consumer data.
FTC finalizes data-security order with ed tech provider
On January 27, the FTC finalized an order with an education technology (ed tech) provider over claims that the provider’s lax data security practices led to the exposure of millions of users’ and employees’ sensitive information, including Social Security numbers, email addresses, and passwords. As previously covered by InfoBytes, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Claiming violations of Section 5(a) of the FTC Act, the FTC alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.
Under the terms of the final decision and order, the company (which neither admitted nor denied any of the allegations) is required to take several measures to address the alleged conduct, including: (i) implementing a data retention and deletion process, which will allow users to request access to and deletion of their data; (ii) providing multi-factor authentication methods for users to secure their accounts; (iii) providing notice to affected individuals; (iv) implementing a comprehensive information security program; and (v) obtaining initial and biennial third-party information security assessments. The company must also submit covered incident reports to the FTC and is prohibited from making any misrepresentations relating to how it collects, maintains, uses, deletes, permits, or denies access to individuals’ covered information.
FTC takes action against investment advisor, cites violations of Notice of Penalty Offenses
On January 13, the FTC announced an action against an investment advisor and its owners concerning allegations that the defendants made deceptive claims when selling their services to consumers. While the FTC has brought “several cases” concerning false money-making claims, the action marks the first time the FTC is collecting civil money penalties from cases relating to Notice of Penalty Offenses. As previously covered by InfoBytes, the FTC sent the notice to more than 1,100 companies (including the defendants) warning that they may incur significant civil penalties if they or their representatives make claims regarding money-making opportunities that run counter to FTC administrative cases. Under the Notice of Penalty Offenses, the FTC is permitted to seek civil penalties against a company that engages in conduct it knows is unlawful and has been determined to be unlawful in an FTC administrative order. This action is also the first time the FTC has imposed civil penalties for violations of the Restore Online Shoppers’ Confidence Act (ROSCA).
According to the complaint, the defendants made numerous misleading claims when selling their investment advising services, including that (i) recommendations about the services were based on a specific “system” or “strategy” created by so-called experts who claim to have made numerous successful trades; and (ii) consumers would make substantial profits if they followed the recommended trades (consumers actually lost large amounts of money, the FTC alleged). Moreover, the FTC claimed that company disclaimers “directly contradict the message conveyed by their marketing,” including that featured testimonials and example trade profits “represent extraordinary, not typical results,” “that ‘[n]o representation is being made that any account will or is likely to achieve profits or losses similar to those discussed,’ and that ‘[n]o representation or implication is being made that using the methodology or system will generate profits or ensure freedom from losses.’” By making these, as well as other, deceptive claims, the defendants were found to be in violation of the Notice of Penalty Offenses, ROSCA, and the FTC Act, the Commission said.
Under the terms of the proposed order, the defendants would be required to surrender more than $1.2 million as monetary relief and must pay a $500,000 civil money penalty. The defendants would also have to back up any earnings claims, provide notice to consumers about the litigation and the court order, and inform consumers about what they need to know before purchasing an investment-related service.
FTC seeks to ban noncompete clauses
On January 5, the FTC announced a notice of proposed rulemaking (NPRM) regarding banning the use of noncompete clauses in employment contracts. Among other things, the NPRM would make it illegal for employers to: (i) enter into, or attempt to enter into, a noncompete agreement with a worker; (ii) maintain a noncompete agreement with a worker; or (iii) represent to a worker that the worker is subject to a noncompete agreement. The NPRM also would require employers to rescind existing noncompete agreements and notify workers that those agreements are no longer in effect. The NPRM extends to both paid and unpaid workers as well as independent contractors. It also extends to non-disclosure agreements or agreements to repay training costs upon early termination of employment if such agreements amount de facto to a noncompete. Finally, the NPRM extends to noncompetes related to the sale of a business unless they involve a person who owns at least 25 percent of the sold business. The ban would be pursuant to Sections 5 and 6(g) of the FTC Act, which declare “unfair methods of competition in or affecting commerce” to be unlawful, and authorize the FTC to issue rules prohibiting such methods.
According to FTC Chair Lina M. Khan, noncompete clauses “block workers from freely switching jobs, depriving them of higher wages and better working conditions, and depriving businesses of a talent pool that they need to build and expand.” She noted that by ending noncompete clauses, “the FTC’s proposed rule would promote greater dynamism, innovation, and healthy competition.” According to Commissioner Christine S. Wilson’s dissent, the NPRM is a “radical departure from hundreds of years of legal precedent that employs a fact-specific inquiry into whether a noncompete clause is unreasonable in duration and scope, given the business justification for the restriction.”
Comments are due by March 10.
FDIC issues November enforcement actions
On December 30, the FDIC released a list of orders of administrative enforcement actions taken against banks and individuals in November. The FDIC made public nine orders consisting of “two consent orders; two orders terminating deposit insurance; three orders to pay civil money penalties; one order terminating consent order; and one Section 19 order.” Among the orders is a civil money penalty against a Wisconsin-based bank related to violations of the Flood Disaster Protection Act. The FDIC determined that the bank had engaged in a pattern or practice of violations that included the bank’s failure to: (i) obtain adequate flood insurance on the building securing a designated loan at the time of loan origination; (ii) obtain adequate flood insurance at the time of the origination; (iii) notify borrowers that the borrower should obtain flood insurance where a determination had been made that flood insurance had lapsed or a loan was not covered with the required amount of insurance; (iv) provide borrowers with a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance when making, increasing, extending or renewing a loan; and (v) provide borrowers with a Notice of Special Flood Hazard and Availability of Federal Disaster Relief Assistance within a reasonable time before the completion of the transaction. The order requires the payment of a $39,000 civil money penalty.
The FDIC also issued a civil money penalty against an Oregon-based bank for allegedly violating Section 8(a) of RESPA “by entering into mortgage lead generation arrangements with the operator of a real estate website and the operator of an online loan marketplace that were used to facilitate and disguise referral payments for mortgage business.” The FDIC also determined that the bank violated the FTC Act “by making deceptive and misleading representations in three of the bank’s prescreened offers of credit” and violated the FCRA “by obtaining the consumer reports of former loan clients with recent credit inquiries without a legally permissible purpose.” The order requires the payment of a $425,000 civil money penalty.
Additionally, the FDIC issued a consent order against a Tennessee-based bank alleging the bank engaged in “unsafe or unsound banking practices relating to weaknesses in capital, asset quality, liquidity, and earnings.” The bank neither admitted nor denied the allegations but agreed, among other things, that its board would “increase its participation in the affairs of the bank by assuming full responsibility for the approval of the bank’s policies and objectives and for the supervision of the bank’s management, including all the bank’s activities.” The bank also agreed to maintain a Tier 1 Leverage Capital ratio equal to or greater than 8.50 percent and a Total Capital ratio equal to or greater than 11.50 percent. The FDIC also issued a consent order against a New Jersey-based bank claiming the bank engaged in “unsafe or unsound banking practices relating to, among other things, management supervision, Board oversight, weaknesses in internal controls, interest rate sensitivity, and earnings.” The bank neither admitted nor denied the allegations but agreed, among other things, that it would retain a third-party consultant “to develop a written analysis and assessment of the bank’s board and management needs (Board and Management Report) for the purpose of ensuring appropriate director oversight and providing qualified management for the bank.”