Social media company to pay $150 million to settle FTC, DOJ data security probe
On May 25, the DOJ filed a complaint on behalf of the FTC against a global social media company for allegedly misusing users’ phone numbers and email addresses uploaded for security purposes to target users with ads. (See also FTC press release here.) According to the complaint, the defendant deceived users about the extent to which it maintained and protected the security and privacy of users’ nonpublic contact information. Specifically, from May 2013 to September 2019, the defendant asked users to provide either a phone number or an email address to improve account security. The defendant, however, allegedly failed to inform the more than 140 million users who provided phone numbers or email addresses that their information would also be used for targeted advertising. The FTC claimed the defendant used the collected information to allow advertisers to target specific ads to specific users by matching the phone numbers or email addresses with data they already had or obtained from data brokers. DOJ’s complaint alleged that the defendant’s conduct violated the FTC Act and the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which require participating countries to adhere to certain privacy principles in order to legally transfer data from EU countries and Switzerland. This conduct also allegedly violated a 2011 FTC consent order with the defendant stemming from claims that the defendant deceived users and put their privacy at risk by failing to safeguard their personal information. According to DOJ’s complaint, the 2011 order “specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information.”
Under the terms of the proposed order, the defendant would be required to pay a $150 million civil penalty and implement robust compliance measures to improve its data privacy practices. According to the FTC and DOJ announcements, these measures would (i) “allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers”; (ii) require the defendant to “notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about [its] privacy and security controls”; (iii) require the defendant to implement and maintain a comprehensive privacy and information security program, including conducting “a privacy review with a written report prior to implementing any new product or service that collects users’ private information,” regularly testing its data privacy safeguards, and obtaining regular independent assessments of its data privacy program; (iv) limit employee access to users’ personal data; and (v) require the defendant to notify the FTC should it experience a data breach, and provide reports after any data privacy incident affecting 250 or more users. Additionally, the defendant would be banned from profiting from deceptively collected data.
FTC orders credit card payment ISO to comply with heightened monitoring practices
On May 24, the FTC finalized an order against an independent sales organization and its owners (collectively, “respondents”) to settle allegations that they violated the FTC Act and the Telemarketing Sales Rule by helping scammers launder millions of dollars of consumers’ credit card payments from 2012 to 2013 and ignored warning signs that the merchants were fake. According to the FTC’s administrative complaint, the respondents, among other things, created 43 different merchant accounts for fictitious companies and provided advice to the organizers of the scam on how to spread out the transactions among different accounts to evade detection (covered by InfoBytes here).
Under the terms of the final order, the respondents are required to make several substantial changes to their processes, and are prohibited from engaging in credit card laundering, as well as any other actions to evade fraud and risk monitoring programs. Additionally, the respondents are banned from providing payment processing services to any merchant that is, or is likely to be, engaged in deceptive or unfair conduct, and to any merchant that is flagged as high-risk by the credit card industry monitoring programs. Furthermore, the respondents are required to screen potential merchants who are engaged in certain activities that could harm consumers, and monitor and designate as necessary current merchants who may require additional screening. The FTC noted that it is unable to obtain a monetary judgment in this action due to the U.S. Supreme Court’s decision in AMG Capital Management v. FTC, which held that the FTC does not have statutory authority to obtain equitable monetary relief under Section 13(b) of the FTC Act (covered by InfoBytes here).
FTC addresses importance of effective incident response and breach disclosure
On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The blog noted that the FTC Act creates a de facto data breach notification requirement because failure to disclose can increase the likelihood that affected parties will suffer harm. The post outlines effective security breach detection and response programs, which can: (i) permit an organization time to take remedial actions to counter, prevent, or mitigate an attack; (ii) prevent and minimize consumer harm from breaches; (iii) provide valuable information to the prevention function of a security team; and (iv) remove an attacker and allow for post-breach remedial measures. According to the FTC, failure to maintain such practices could indicate a lack of competition in the marketplace. The post stated that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Listing recent cyber-related FTC enforcement actions, the post explained that deceptive statements can limit consumers’ ability to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts. Looking at these cases together, the post further noted that “companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.”
FTC temporarily halts unlawful credit repair operation
On May 6, the FTC announced that the U.S. District Court for the Middle District of Florida granted a temporary restraining order against a credit repair operation for allegedly engaging in deceptive practices. According to the FTC’s complaint, the operation violated the FTC Act, the CROA, and the TSR by, among other things: (i) making misrepresentations regarding credit repair services; (ii) making misrepresentations regarding a money-making opportunity associated with a government benefit related to Covid-19; (iii) making untrue or misleading representations to consumers, which included increasing their credit score; (iv) charging for the performance of credit repair services that the defendants agreed to perform prior to such services being fully performed; (v) making untrue or misleading statements with respect to their sales pitch on credit worthiness, credit standing, or credit capacity to consumer reporting agencies, creditors, and potential creditors; and (vi) charging illegal advance fees. Beyond the temporary restraining order, the FTC is seeking a permanent injunction, the appointment of a receiver, immediate access to business premises, an asset freeze, and other equitable relief.
National retailers must pay $5.5 million to resolve deceptive product representation
On May 10, the DOJ announced that two national retailers agreed to pay a $2.5 million and a $3 million civil penalty (see here and here) to resolve allegations that they engaged in false labeling and marketing tactics by presenting rayon textile products as bamboo. As previously covered by InfoBytes, the DOJ, on behalf of the FTC, filed complaints (see here and here) against the defendants, which alleged that since at least 2015, the companies made false or unsubstantiated representations in violation of the FTC Act by improperly labeling and marketing textile fiber products as “made of bamboo” in both product titles and descriptions. In addition to paying the civil money penalties, the defendants are prohibited from making deceptive claims, including false and/or unsubstantiated claims, relating to bamboo fiber products, and are prohibited from engaging in future violations of the FTC Act, Textile Act and Textile Rules.
FTC settles with VoIP service provider for TSR violations
On April 26, the FTC announced the filing of a proposed consent order with a Voice over Internet Protocol (VoIP) service provider, a related company, and the company’s owner (collectively, “defendants”) for allegedly “help[ing] scammers blast millions of illegal robocalls.” In the complaint the FTC claims that the defendants violated Section 5(a) of the FTC Act, the Telemarketing Act, and the TSR by continuing to provide VoIP services to customers despite “knowing or consciously avoiding knowing” the customers were: (i) using the services to place calls to numbers on the FTC’s Do Not Call (DNC) Registry; (ii) delivering prerecorded messages; and (iii) displaying spoofed caller ID services to callers involved in scams related to credit card interest rate reduction, tech support, and the Covid-19 pandemic.
According to the announcement, this is the third such action by the FTC against VoIP service providers during the past two years. Under the terms of the consent order, the defendants are (i) banned from assisting and facilitating abusive telemarketing practices, including the use of VoIP services; (ii) prohibited from further violations of the TSR or assisting others in doing so; (iii) banned from providing services or assigning telephone numbers without employing automated procedures to block calls from unassigned or invalid numbers; and (iv) required to ensure that they do not provide VoIP to suspected telemarketers. The proposed order also provides for a $3 million civil money penalty that is suspended due to the company’s inability to pay.
FTC charges funeral company with deceptive marketing practices
On April 22, the DOJ filed a complaint on behalf of the FTC against certain defendants providing funeral goods and services to consumers throughout the U.S. for alleged violations of Section 5 of the FTC Act and the FTC’s Funeral Rule. (See also FTC press release here.) According to the complaint, the defendants, who arrange third-party cremation services, allegedly (i) misrepresented that they perform local funeral services, which were instead outsourced to unaffiliated third parties; (ii) charged consumers additional undisclosed costs; and (iii) illegally threatened to withhold remains or information about the remains from consumers who refused to pay previously undisclosed fees or the new, higher prices. The complaint seeks injunctive relief, monetary relief, and civil penalties.
FTC takes action against day-trading company for deceptive sales techniques
On April 19, the FTC filed a complaint against a day-trading investment company and its CEO alleging the defendants violated the FTC Act and the Telemarketing Sales Rule (TSR) in connection with the company’s investment opportunities. According to the complaint, the Massachusetts-based defendants promote day-trading investments online and sell programs promising to show consumers how to earn substantial profits in a short time period. The FTC contends that the defendants promote these so-called “profitable” and “scalable” trading strategies to consumers through allegedly deceptive sales pitches and inform consumers that their strategies are effective even with initial investments as small as $500. However, the FTC claims that 74 percent of customers’ accounts actually lost money and that only 10 percent of the accounts earned more than $90.
Under the terms of the proposed stipulated order, the defendants are required to pay $3 million in consumer redress and are permanently restrained and enjoined from making unsubstantiated earnings claims concerning consumers’ potential to earn money using their trading strategies regardless of the amount of capital invested or the amount of time spent trading. Defendants are also prohibited from violating federal law, or from making any misrepresentations about investment opportunities, including misrepresentations in connection with telemarketing regarding the amount of “risk, liquidity, earnings potential, or profitability of goods or services that are the subject of a sales offer.”
CFPB and FTC release 2021 FDCPA report
On April 15, the CFPB and the FTC released their annual report to Congress on the administration of the FDCPA (see announcements here and here). The agencies are delegated joint FDCPA enforcement responsibility and, pursuant to a 2019 memorandum of understanding, may share supervisory and consumer complaint information, as well as collaborate on education efforts (covered by InfoBytes here). Among other things, the annual report provided a broad overview of the debt collection industry during the Covid-19 pandemic and highlighted enforcement actions taken by, and education and outreach efforts, policy initiatives, and supervisory findings of, the CFPB and FTC. With respect to enforcement, the report noted that: (i) the FTC resolved three FDCPA cases against 17 defendants and banned all 17 companies and individuals who engaged in serious and repeated violations of law from engaging in debt collection; (ii) there was one new public enforcement action brought in 2021 related to unlawful debt collection conduct; (iii) the Bureau resolved two pending lawsuits with FDCPA claims and also filed an action to recover a fraudulent transfer to enforce a prior judgment that penalized a defendant’s FDCPA violations, which resulted in judgments for $2.26 million in consumer redress; and (iv) by the end of 2021, the Bureau had three FDCPA enforcement actions pending in federal court. The report also noted that the CFPB handled roughly 121,700 debt collection complaints in 2021, of which the Bureau sent approximately 73,600 (or 60 percent) to companies for their review and response. Finally, the report also noted that the U.S. Supreme Court’s decision in AMG Capital Management v. FTC “made it much more difficult for the FTC to obtain monetary relief for unfair or deceptive debt collection practices that fall outside the scope of the FDCPA.” As previously covered by InfoBytes, in that decision the Court unanimously held that Section 13(b) of the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement.”
FTC takes action against medical school for deceptive tactics
On April 14, the FTC filed a complaint against a Caribbean for-profit medical school and its Illinois-based operators alleging the defendants violated the Telemarketing Sales Rule, Holder Rule, and Credit Practices Rule (CPR) in connection with its marketing and credit practices. According to the complaint, the defendants improperly marketed the school’s medical license exam pass rate and residency match success. In addition, financing contracts omitted a legally-mandated Holder Rule notice in their credit agreements, among other things. Under the Holder Rule, “any seller that receives the proceeds of a purchase money loan [must] include, in the underlying credit contract, a specific notice informing the consumer of their right to assert claims against any holder of the credit contract.” In addition to omitting the required notice, the defendants also allegedly attempted to waive consumers’ legal rights by inserting language in the credit agreements stating, “ALL PARTIES, INCL[U]DING BOTH STUDENT BORROWER AND COSIGNER. . .WAIVE ANY CLAIM OR CAUSE OF ACTION OF ANY KIND WHATSOEVER THAT THEY MAY HAVE WITH RESPECT TO [DEFENDANT]…” The FTC also contended that the defendants included a notice informing cosigners of their liability in the middle of the contract, instead of providing a separate document containing specific language required by the CPR.
Under the terms of the proposed stipulated order, the defendants are required to pay a $1.2 million judgment that will go towards refunds and debt cancellation for affected consumers, and also cease collection of approximately $357,000 in consumer debt covered by the proposed order. Defendants are also required to notify each consumer that their debt is being cancelled and that consumer reporting agencies will be directed to delete the debt from the consumers’ credit reports. Additionally, defendants are prohibited from misrepresenting their pass rates and residency matches, and from making unsubstantiated claims or violating federal law. The order also provides Holder Rule protections, including prohibiting defendants from selling, transferring, or assigning any consumer credit contracts unless the recipient of such contract agrees, in writing, “that its rights are subject to the borrowers’ claims and defenses against [d]efendants” and requiring defendants to notify each borrower whose credit contract is sold.