InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC announces two actions involving fraudulent social media activity and online reviews
On October 21, the FTC announced two separate actions involving social media and online reviews. In its complaint against a skincare company, the FTC alleged that the company misled consumers by posting fake reviews on a retailer’s website and failed to disclose company employees wrote the reviews. The FTC asserted that the retailer’s customer review section is “a forum for sharing authentic feedback about products,” and the company and owner “represented, directly or indirectly, expressly or by implication, that certain reviews of [the company] brand products on the [retailer’s] website reflected the experiences or opinions of users of the products.” The FTC argued that the failure to disclose that the owner or employees wrote the reviews constitutes a deceptive act or practice under Section 5 of the FTC Act because the information would “be material to consumers in evaluating the reviews of [the company] brand products in connection with a purchase or use decision.” In a 3-2 vote, the Commission approved the administrative consent order, which notably does not include any monetary penalties. The order prohibits the company from misrepresenting the status of an endorser and requires the company and owner to disclose the material connection between the reviewer and the product in the future.
The FTC also entered into a proposed settlement with a now-defunct company and its owner for allegedly selling fake social media followers and subscribers to motivational speakers, law firm partners, investment professionals, and others who wanted to boost their credibility to potential clients; as well as to actors, athletes, and others who wanted to increase their social media appeal. According to the FTC, the company “provided such users of social media platforms with the means and instrumentalities for the commission of deceptive acts or practices,” in violation of Section 5(a) of the FTC Act. The Commission unanimously voted to approve the proposed court order, which bans the company from selling or assisting others in selling “social media influence.” The proposed order imposes a $2.5 million monetary judgment against the company owner, but suspends the majority upon the payment of $250,000.
FTC temporarily halts real estate workshops due to deceptive marketing
On October 4, the FTC announced that the U.S. District Court for the District of Utah granted a temporary restraining order against a Utah-based company and its affiliates (collectively, “defendants”) for allegedly using deceptive marketing to persuade consumers to attend real estate events costing thousands of dollars. According to the complaint, filed by the FTC and the Utah Division of Consumer Protection, the defendants violated the FTC Act, the Consumer Review Fairness Act (CRFA), and Utah state law, by marketing real estate events with false claims, using celebrity endorsements. The defendants allegedly told consumers they will (i) earn thousands of dollars in profits from real estate investment “flips” by using the defendants’ products; (ii) receive 100 percent funding for their real estate investments, regardless of credit history; and (iii) receive a full refund if they do not make “‘a minimum of three times’” the price of the workshop within six months. The complaint argues that these statements are false or unsubstantiated, and that consumers seeking refunds from the defendants often only received a partial refund on the condition they would not speak to the FTC or other state regulators about the defendants’ products. Among other things, the temporary court order prohibits the defendants from continuing to make unsupported marketing claims and from interfering with consumers’ ability to review their products.
FTC settles with Belizean bank over real estate scheme
On September 24, the FTC announced a proposed $23 million settlement with a Belizean bank resolving allegations that it assisted various entities in deceiving U.S. consumers into purchasing parcels of land in a luxury development in Belize. As previously covered by InfoBytes, in November 2018, the FTC filed charges and obtained a temporary restraining order against the operators of an international real estate investment scheme, which allegedly violated the FTC Act and the Telemarketing Sales Rule by advertising and selling parcels of land through the use of deceptive tactics and claims. The FTC asserted that consumers who purchased lots in the development purchased them outright or made large down payments and sizeable monthly payments, including HOA fees, and that defendants used the money received from these payments to fund their “high-end lifestyles,” rather than invest in the development. The FTC argued that “consumers either have lost, or will lose, some or all of their investments.” At the time, the FTC filed separate charges against the Belizean bank for allegedly assisting and facilitating the scam.
According to the FTC, the bank has now agreed to the proposed consent order to settle the allegations. The consent order requires the bank to pay $23 million, which will be used to provide equitable relief, including consumer redress, and to cease all non-liquidation business activities permanently. Additionally, the consent order prohibits the liquidator or anyone else from seeking to re-license and operate the bank’s business. The consent order must be approved by the U.S. District Court for the District of Maryland.
FTC lawsuits allege student loan scams
On September 12, the FTC announced two separate suits filed in the U.S. District Court for the Central District of California against various entities and individuals who allegedly engaged in deceptive practices when promoting student loan debt relief schemes.
In the first complaint, filed jointly with the Minnesota attorney general, a debt relief company and its owners (collectively, the “Minnesota defendants”) were alleged to have violated the FTC Act, TILA, the Telemarketing Sales Rule (TSR), and various state laws, by charging consumers who sought student loan payment reduction programs an advance fee of over $1,300 while falsely representing that the payment would go toward their student loans. The advance fee, the FTC contends, was allegedly financed through high-interest loans from a third-party finance company identified as a co-defendant in both complaints. The stipulated order entered against the Minnesota defendants prohibits them from, among other things: (i) making material misrepresentations related to their financial products and services, or any other kind of product or service; (ii) making unsubstantiated claims about their financial products and services; (iii) engaging in unlawful telemarketing practices; or (iv) collecting payments on accounts sold prior to the order’s date. The stipulated order also requires the Minnesota defendants to notify its customers that none of their prior payments have gone towards a Department of Education repayment program or towards their student loans, and orders the payment of $156,000, with the total judgment of approximately $4.2 million suspended due to inability to pay.
The FTC filed a second complaint against a separate student loan debt relief operation for allegedly engaging in deceptive and abusive practices through similar actions, including charging consumers advance fees of up to $1,400 and enrolling consumers in the same finance company’s high-interest loan program. The action against the second student loan debt relief operation is ongoing.
Both complaints also charge the finance company with violating the assisting and facilitating provision of the TSR by providing substantial assistance to both sets of defendants even though it knew, or consciously avoided knowing, that they were engaging in deceptive and abusive telemarketing practices. The FTC also alleges that the finance company violated TILA when it failed to clearly and conspicuously make certain required disclosures concerning its closed-end credit offers. Separate stipulated orders were entered by the FTC in each case (see here and here) against the finance company. The orders’ terms require the finance company to pay a combined $1 million out of a nearly $28 million judgment, with the rest suspended due to inability to pay, as well as relinquish its rights to collect on any outstanding loans. Among other things, the orders also permanently ban the finance company from engaging in transactions involving secured or unsecured debt relief products and services or making misrepresentations regarding financial products and services.
FTC approves settlement with software provider over FTC Act and GLBA data security failures
On September 6, the FTC voted 5-0 to approve a final settlement under which a software provider agreed to better protect the data it collects, resolving allegations that the company failed to implement reasonable data security measures and exposed personal consumer information obtained from its auto dealer clients in violation of the FTC Act and the Standards for Safeguarding Customer Information Rule, issued pursuant to the Gramm-Leach-Bliley Act.
As previously covered by InfoBytes, in its complaint, the FTC alleged the company’s failure to, among other things, (i) implement an organization information security policy; (ii) implement reasonable guidance or training for employees; (iii) use readily available security measures to monitor systems; and (iv) impose reasonable data access controls, which resulted in a hacker gaining unauthorized access to the company’s database containing the personal information of approximately 12.5 million consumers. The approved settlement requires the company to, among other things, implement and maintain a comprehensive information security program designed to protect the personal information it collects, including implementing specific safeguards related to the FTC’s allegations. Additionally, the settlement requires the company to obtain third-party assessments of its information security program every two years and have a senior manager certify compliance with the order every year.
District Court: FTC allegations against credit card processor can proceed
On August 28, the U.S. District Court for the District of Arizona denied motions to dismiss an enforcement action brought by the FTC against a group of individuals and entities that allegedly facilitated a telemarketing scheme that previously resulted in the principal actors in the scheme settling with the FTC and later pleading guilty to state criminal charges. The alleged scheme involved “credit card laundering”—the creation of fictitious entities to process customer credit card transactions so that the actual entity receiving the funds would not be identified. The defendants in the current matter are an Independent Sales Organization and several of its officers allegedly involved in that effort (prior Info Bytes coverage here). The defendants first argued that the relevant part of the FTC Act only permits injunctive relief and that the FTC’s requests for restitution and disgorgement were improper because those forms of relief are penalties, not equitable relief, under Kokesh v. Securities and Exchange Commission. The court noted, however, that the Supreme Court in Kokesh expressly limited the holding to the question of the statute of limitations applicable to the SEC, and that the Ninth Circuit has subsequently approved decisions granting restitution and disgorgement under the FTC Act. The defendants also argued that injunctive relief was not warranted where the unlawful conduct in question ceased in 2013, but the court ruled that the FTC need only show that it has “reason to believe” that a defendant is violating or is about to violate the law. The court declined to address the FTC’s argument that its “reason to believe” decision is unreviewable, but it found that the FTC had pled sufficient facts to establish that it has reason to believe that the defendants would violate the statute. In particular, the court noted that a “court’s power to grant injunctive relief survives the discontinuance of illegal conduct,” that “an inference arises from illegal past conduct that future violations may occur,” and that “courts should be wary of a defendant’s termination of illegal conduct when a defendant voluntarily ceases unlawful conduct in anticipation of formal intervention.” Those factors were all present, along with the fact that the defendants “remain in the same professional occupation.”
FTC settles with lead generator
On August 27, the FTC announced a settlement with an Illinois-based educational services company and its subsidiaries (defendants) to resolve deceptive marketing allegations in violation of the FTC Act and the Telemarketing Sales Rule. In the complaint, the FTC claimed the defendants used third-party lead generators that posed as military recruiters or job-finding services to encourage consumers to provide contact information via websites. The websites did not clearly inform the consumers that the personal information entered into online forms might be sold or used in training or educational programs. Rather, the FTC asserted that the lead generators falsely informed consumers that their information would not be shared. According to the FTC, the defendants then purchased these leads to call consumers in an attempt to enroll them in post-secondary schools, with many of these calls made to consumers on the National Do Not Call Registry. While the defendants did not carry out the deceptive practices to generate the leads, the FTC stated that the defendants established control over the marketing materials and reviewed telemarketing scripts that allegedly directed lead generators to falsely identify themselves as military recruiters. The FTC’s press release emphasized that “[t]his case demonstrates that the FTC will seek to hold advertisers liable for the deceptive or illegal practices of their affiliates, publishers, or other lead generators. We expect companies purchasing leads to implement strong vendor management programs and stay on the right side of the law.” Under the terms of the settlement, the defendants are: (i) ordered to pay $30 million; (ii) required to implement a system to review any marketing materials used by lead generators; (iii), prohibited from calling numbers on the National Do Not Call Registry without obtaining written consent; and (iv) banned from falsely stating that they represent the military or prospective employers.
7th Circuit overturns precedent, rejects restitution under Section 13(b) of FTC Act
On August 21, the U.S. Court of Appeals for the 7th Circuit held that Section 13(b) of the FTC Act does not give the FTC power to order restitution, overruling that court’s 1989 decision in FTC v. Amy Travel Service, Inc. As previously covered by InfoBytes, in June 2018, the U.S. District Court for the Northern District of Illinois granted the FTC’s motion for summary judgment against a credit monitoring service and its sole owner in an action filed under Section 13(b) of the FTC Act. The court concluded that no reasonable jury would find that the defendants’ scheme of using false rental property ads to solicit consumer enrollment in credit monitoring services without their knowledge could occur without engaging in unfair or deceptive practices. The FTC argued that the defendants’ scheme, which used the promise of a free credit report to enroll the consumers into a monthly credit monitoring program, violated the FTC Act’s ban on deceptive practices. The court agreed, holding that the ad campaign was “rife with material misrepresentations that were likely to deceive a reasonable consumer.” Additionally the court agreed with the FTC that the defendants’ website was materially misrepresentative because it did not give “the net impression that consumers were enrolling in a monthly credit monitoring service” for $29.94 a month, as opposed to defendants’ claim that consumers were obtaining a free credit report. The court also found that the defendants’ websites failed to meet certain disclosure requirements imposed by the Restore Online Shopper Confidence Act. The court entered a permanent injunction and ordered the defendants to pay over $5 million in “equitable monetary relief” to the FTC.
On appeal, the 7th Circuit affirmed the district court’s liability determination, and affirmed the issuance of the permanent injunction. However, the appellate court took issue with the restitution award ordered pursuant to Section 13(b) of the FTC Act. The appellate court noted that the FTC has long viewed Section 13(b) as authorizing awards of restitution, and even acknowledged that the 7th Circuit agreed with the FTC’s position in its decision in Amy Travel. However, subsequent to the Amy Travel decision, the Supreme Court, in Meghrig v. KFC W., Inc., clarified that “courts must consider whether an implied equitable remedy is compatible with a statute’s express remedial scheme.” Applying Meghrig, the 7th Circuit noted that “nothing in the text or structure of the [FTC Act] supports an implied right to restitution in section 13(b), which by its terms authorizes only injunctions.” The panel emphasized that the FTC Act has two other provisions that expressly authorize restitution if the FTC follows certain procedures, but the current reading of Section 13(b), based on Amy Travel, allows the FTC “to circumvent these elaborate enforcement provisions and seek restitution directly through an implied remedy.” Therefore, based on the Supreme Court precedent in Meghrig, the panel concluded that Section 13(b)’s grant of authority to order injunctive relief does not implicitly authorize an award of restitution, overturning its previous decision in Amy Travel and vacating the district court’s award of restitution.
FTC, Ohio AG halt payment processor and credit card interest-reduction telemarketing operations
On July 29, the FTC and the Ohio attorney general announced temporary restraining orders and asset freezes issued by the U.S. District Court for the Western District of Texas against a payment processor and a credit card interest-reduction telemarketing operation (see here and here). According to the FTC, the payment processor defendants allegedly violated the FTC Act, the Telemarketing Sales Rule (TSR), and various Ohio laws by, among other things, generating and processing remotely created payment orders or checks that allowed merchants—including deceptive telemarketing schemes—the ability to withdraw money from consumers’ bank accounts. The FTC asserted that the credit card interest-reduction defendants deceptively promised consumers significant credit card interest rate reductions, along with “a 100 percent money back guarantee if the promised rate reduction failed to materialize or the consumers were otherwise dissatisfied with the service.” However, the FTC claimed that most customers never received the promised rate reduction, were refused refund requests, and often received collection or lawsuit threats. Additionally, the credit card interest-reduction defendants allegedly violated the TSR by charging advance fees, failing to properly identify the service in telemarketing calls, and failing to pay to access the FTC’s National Do Not Call Registry.
FTC and DOJ announce $5 billion privacy settlement with social media company; SEC settles for $100 million
On July 24, the FTC and the DOJ officially announced (see here and here) that the world’s largest social media company will pay a $5 billion penalty to settle allegations that it mishandled its users’ personal information. As previously covered by InfoBytes, it was reported on July 12 that the FTC approved the penalty, in a 3-2 vote. This is the largest privacy penalty ever levied by the agency, almost “20 times greater than the largest privacy or data security penalty ever imposed worldwide,” and one of the largest ever assessed by the U.S. government for any violation. According to the complaint, filed the same day as the settlement, the company allegedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of a 2012 privacy settlement with the FTC, which allowed the company to share users’ data with third-party apps that were downloaded by users’ “friends.” Moreover, the complaint alleges that many users were unaware the company was sharing the information, and therefore did not take the steps needed to opt-out of the sharing. Relatedly, the FTC also announced a separate action against a British consulting and data analytics firm for allegedly using deceptive tactics to “harvest personal information from millions of [the social media company’s] users.”
In addition to the monetary penalty, the 20-year settlement order overhauls the company’s privacy program. Specifically, the order, among other things, (i) establishes an independent privacy committee of the company’s board of directors; (ii) requires the company to designate privacy program compliance officers who can only be removed by the board’s privacy committee; (iii) requires an independent third-party assessor to perform biennial assessments of the company’s privacy program; (iv) requires the company to conduct a specific privacy review of every new or modified product, service, or practice before it is implemented; and (v) mandates that the company report any incidents in which data of 500 or more users have been compromised to the FTC.
In dissenting statements, Commissioner Chopra and Commissioner Slaughter asserted that the settlement, while historic, does not contain terms that would effectively deter the company from engaging in future violations. Commissioner Slaughter argues, among other things, that the civil penalty is insufficient and believes the order should have contained “meaningful limitations on how [the company] collects, uses, and shares data.” Similarly, Commissioner Chopra argues that the order imposes no meaningful changes to the company’s structure or financial incentives, and the immunity provided to the company’s officers and directors is unwarranted.
On the same day, the SEC announced that the company also agreed to pay $100 million to settle allegations that it mislead investors about the risks it faced related to the misuse of its consumer data. The SEC’s complaint alleges that in 2015, the company was aware of the British consulting and data analytics firm’s misuse of its consumer data but did not correct its disclosures for more than two years. Additionally, the SEC alleges the company failed to have policies and procedures in place during that time that would assess the results of internal investigations for the purposes of making accurate disclosures in public filings. The company neither admitted nor denied the allegations.