Skip to main content
Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations


Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • FTC fines ISP $100 million for dark patterns and junk fees

    Federal Issues

    On November 3, the FTC announced an action against an internet phone service provider claiming the company imposed “junk fees” and made it difficult for consumers to cancel their services. The FTC alleged in its complaint that the company violated the FTC Act and the Restore Online Shoppers’ Confidence Act by imposing a series of obstacles, sometimes referred to as “dark patterns”, to deter and prevent consumers from canceling their services or stopping recurring charges. Consumers who were able to sign up for services online were allegedly forced to speak to a live “retention agent” on the phone during limited working hours in order to cancel their services. The company also allegedly employed a “panoply of hurdles” to cancelling consumers by, among other things, making it difficult for the consumer to locate the phone number on the website, obscuring contact information, failing to consistently transfer consumers to the appropriate number, imposing lengthy wait times, holding reduced operating hours for the cancellation line, and failing to provide promised callbacks. Additionally, the FTC claimed the company often informed consumers they would have to pay an early termination fee (sometimes hundreds of dollars) that was not clearly disclosed when they signed up for the services, and continued to illegally charge consumers without consent even after they requested cancellation. According to the FTC, consumers who complained often only received partial refunds.

    Under the terms of the proposed stipulated order, the company will be required to take several measures, including (i) obtaining consumers’ express, informed consent to charge them for services; (ii) simplifying the cancellation process to ensure it is easy to find and use and is available through the same method the consumer used to enroll; (iii) ending the use of dark patterns to impede consumers’ cancellation efforts; and (iv) being transparent about the terms of any negative option subscription plans, including providing required disclosures as well as a simple mechanism for consumers to cancel the feature. The company will also be required to pay $100 million in monetary relief.

    Federal Issues FTC Enforcement Junk Fees Dark Patterns Consumer Finance Consumer Protection FTC Act ROSCA

  • FTC takes action against ed tech provider for lax data security

    Federal Issues

    On October 31, the FTC announced an administrative action against an education technology (ed tech) provider claiming that the company’s allegedly poor data security practices exposed millions of users and employees’ sensitive information, including Social Security numbers, email addresses, and passwords. According to the FTC’s complaint, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Less than a year later, another data breach involved a former employee using login information the company shared with employees and outside contractors to gain access to a third-party cloud database containing personal data for roughly 40 million users. In the following two years, the company experienced two more data breaches through phishing attacks that exposed sensitive employee data, including medical and financial information. Claiming violations of Section 5(a) of the FTC Act, the Commission alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.

    Under the terms of the proposed decision and order, the company would be required to take several measures to address the alleged conduct, including (i) documenting and limiting data collection; (ii) providing users access to collected data and allowing them to submit requests for deletion; (iii) implementing multifactor authentication or another authentication method to protect user and employee accounts; and (iv) implementing a comprehensive information security program that would encrypt consumer data and provide security training to employees, among other things.

    This action is part of the FTC’s ongoing efforts to make sure ed tech providers protect and secure personal data they collect and do not collect more information than necessary. As previously covered by InfoBytes, the FTC issued a policy statement in May warning ed tech providers that they must fully comply with all provisions of the Children’s Online Privacy Protection Act when gathering data about children. The FTC emphasized that ed tech providers may not harvest or monetize children’s data, cannot force children to disclose more information than is reasonably necessary for participating in their educational services, and must have procedures in place to keep the data secure, among other things.

    Federal Issues Privacy, Cyber Risk & Data Security FTC Enforcement FTC Act UDAP COPPA Data Breach Consumer Protection

  • 4th Circuit says AMG Capital does not alter FTC’s $120.2 million judgment


    On November 1, the U.S. Court of Appeals for the Fourth Circuit predominantly upheld a district court’s final judgment in an FTC action involving a Belizean real estate scheme. As previously covered by InfoBytes, the FTC initiated the action in 2018 against several individuals and corporate entities, along with a Belizean bank, asserting that the defendants violated the FTC Act and the Telemarketing Sales Rule (TSR) by advertising and selling parcels of land that were part of a luxury development in Belize through the use of deceptive tactics and claims. In 2019, a settlement was reached with the Belizean bank requiring payment of $23 million in equitable relief, and in 2020, the district court ordered the defaulted defendants to pay over $120.2 million in redress and granted the FTC’s request for permanent injunctions (covered by InfoBytes here and here). Later, in 2021, the district court denied a request to set aside the $120.2 million default judgment, disagreeing with the defendants’ argument that the U.S. Supreme Court’s decision in AMG Capital Management, LLC v. FTC (which unanimously held that Section 13(b) of the FTC Act “does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement”—covered by InfoBytes here) nullified the judgment. The district court stated that the AMG Capital decision does not render judgments in the case void, and that “[i]n its Opinion rendered before the Supreme Court reached its decision, the Court considered the effect that a decision in AMG Capital adverse to the FTC might have, reasoning that: ‘this Court’s findings of fact and determinations as to liability—including contempt of court and violations of the Telemarketing Services Rule []—would not be affected by a decision in AMG.’” (Covered by InfoBytes here.)

    On appeal, the 4th Circuit determined that the defendants advanced “a mixed bag of factual and legal challenges” to various contempt orders, equitable monetary judgments, permanent injunctions, and default judgments, finding that there was no abuse of discretion by the district court. While the appellate court reversed the $120.2 million judgment after finding it to be invalid under the Supreme Court’s decision in AMG Capital, it noted that because the defendants violated the FTC Act and the TSR they cannot escape the judgment. “The findings made by the district court show that [the defendant’s] Belizean business venture was dishonest to the core,” the 4th Circuit wrote. “The district court correctly surmised that this sort of deception lies at the heart of what the FTC is empowered to seek out and stop.” According to the appellate court, while “the FTC may seek injunctive relief under Section 13, the Supreme Court held in AMG Capital that it does not authorize the FTC to seek, or a court to award, ‘equitable monetary relief such as restitution or disgorgement.’” However, the defendant “latches onto this last point, claiming that the judgment in the [] case must be thrown out under AMG Capital. ... Vacating that judgment does not help [him], however, because he already has a $120.2 million judgment against him for contempt of the telemarketing injunction, and the FTC has conceded that it is not seeking $240.4 million against [him].” Essentially, AMG Capital “does not undercut the injunctive relief entered under Section 13(b), and the $120.2 million order can be upheld under the contempt judgment, so AMG does not in fact change the bottom line,” the 4th Circuit concluded.

    Courts Appellate Fourth Circuit FTC Enforcement FTC Act U.S. Supreme Court Telemarketing Sales Rule

  • FTC’s proposed breach order would apply personally to CEO

    Federal Issues

    On October 24, the FTC announced an action against a company operating an online alcohol marketplace and its CEO related to a data breach that allegedly exposed the personal information of roughly 2.5 million consumers. The FTC alleged in its complaint that the respondents were alerted to problems with the company’s data security procedures following an earlier security incident in 2018, which involved hackers accessing company servers to mine cryptocurrency until the company changed its cloud computing account login information. According to the FTC, the company failed to take appropriate measures to address its security problems, but publicly claimed it had appropriate security protections in place. Two years later, an employee account was breached, thus allowing a hacker to gain access to login information, hack into the company’s database, and steal customers’ information. Among other things, the respondents allegedly violated the FTC Act by (i) failing to implement basic security measures or put in place reasonable safeguards to secure the personal information it collected and stored; (ii) storing critical database information, including login credentials, on an unsecured platform; (iii) failing to monitor its network for security threats or unauthorized attempts to access or remove personal data; and (iv) exposing customers to hackers, identity thieves, and malicious actors who use personal information to open fraudulent lines of credit or commit other fraud.

    Under the terms of the proposed decision and order, the respondents will be required to take several measures to prevent further violations, including destroying unnecessary personal data, limiting future data collection to what is necessary for specifically outlined purposes, and implementing a comprehensive information security program. As part of these requirements, the respondents must establish security safeguards to protect against the identified security incidents, such as providing employees security training, designating a high-level employee to oversee the company’s information security program, implementing controls on who is able to access personal data, and requiring multi-factor authentication in order to access databases and other assets containing consumer data.

    Notably, the FTC said in its announcement that the proposed order applies personally to the individual respondent who presided over the company’s insufficient data security practices. The FTC explained that the proposed order will follow the individual respondent even if he leaves the company, and that he “will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals” where the individual respondent “is a majority owner, CEO, or senior officer with information security responsibilities.”

    Federal Issues FTC Enforcement Privacy, Cyber Risk & Data Security Data Breach FTC Act

  • FTC final order fines company $62 million for misleading potential home sellers

    Federal Issues

    On October 21, the FTC announced the approval of a final order against an online home buying firm accused of allegedly making misleading claims to consumers about how much money they could save by selling their home through the company’s services as opposed to selling on the open market. As previously covered by InfoBytes, the FTC claimed the company violated the FTC Act by, among other things, misrepresenting: (i) market value prices when making offers to buy homes by including downward adjustments to such values; (ii) the manner in which it made money on transactions; (iii) that consumers likely would have paid the same amount in repair costs whether they sold their home through the company or in traditional sale; and (iv) that consumers paid less in costs. The final order requires the company to pay $62 million, which is expected to be used for consumer redress, and prohibits the company from making deceptive, false, and unsubstantiated claims about how much money consumers will receive for their homes or the costs required to use the company’s service. Additionally, the company is required to have “competent and reliable evidence to support any representations made about the costs, savings, or financial benefits associated with using its service, and any claims about the costs associated with traditional home sales.”

    Federal Issues FTC Enforcement UDAP FTC Act Deceptive

  • FTC takes action against auto dealer over deceptive advertising and pricing practices

    Federal Issues

    On October 18, the FTC announced an action against an auto dealer group and two of its officers (the owner/president and the vice president) for engaging in deceptive advertising and pricing practices and discriminatory and unfair financing. According to the complaint, the FTC alleged that the defendants violated the FTC Act by deceptively advertising cars as “certified,” “inspected,” or “reconditioned” at specific prices, but then charged customers fees above the advertised price for costs related to “inspection,” “reconditioning,” or “certification.” The FTC also alleged that the defendants “unlawfully discriminate[d] on the basis of race, color, and national origin by imposing higher borrowing costs on Black and Latino consumers than non-Latino White consumers,” in violation of ECOA. Specifically, the FTC claimed that the defendants charged a higher markup to the interest rate for Black and Latino consumers than to non-Latino White consumers. Black and Latino consumers paid on average about $291 and $235, respectively, more in interest than non-Latino White consumers did. The FTC also alleged that Black and Latino consumers paid on average at least one extra fee 24 percent and 42 percent more often, respectively, than non-Latino White consumers. In addition to alleging that this conduct violated ECOA, the FTC also alleged that this discriminatory practice was an unfair act or practice in violation of Section 5 of the FTC Act.  According to the order, the defendants are required to establish a fair lending program to ensure they do not discriminate in the future, including a provision that will require each associated dealership to either charge no financing markup or charge the same markup rate to all consumers, and must pay the FTC $3.38 million to refund harmed consumers. Among other things, the defendants are also prohibited from misrepresenting the cost or terms to buy, lease, or finance a car, or whether a fee or charge is optional. Two of the commissioners issued dissenting statements (see here and here), challenging the fair lending claims being brought under Section 5 of the FTC Act and the imposition of liability against the individual officers.

    Federal Issues FTC Enforcement Fees ECOA FTC Act Discrimination UDAP Auto Finance Consumer Finance

  • FTC, DFPI shut down operation offering mortgage relief

    Federal Issues

    On September 19, the FTC and the California Department of Financial Protection (DFPI) announced a lawsuit against several companies and owners for allegedly operating an illegal mortgage relief operation. (See also DFPI’s announcement here.) The filing marks the agencies’ first joint action, which alleges the defendants’ conduct violated the California Consumer Financial Protection Law, the FTC Act, the FTC’s Mortgage Assistance Relief Services Rule (the MARS Rule or Regulation O), the Telemarketing Sales Rule, and the Covid-19 Consumer Protection Act. The agencies claimed that the defendants preyed on distressed consumers with false promises of mortgage assistance relief. According to the complaint, the defendants made misleading claims during telemarketing calls to consumers, including those with numbers on the National Do Not Call Registry, as well as through text messages and in online ads. In certain cases, defendants represented they were affiliated with government agencies or were part of a Covid-19 pandemic assistance program. Among other things, defendants falsely claimed they were able to lower consumers’ interest rates or payments, and instructed consumers not to pay their mortgages, leading to late fees and significantly lower credit score. Defendants also allegedly told consumers not to communicate directly with their lenders, which caused consumers to miss default notices and face foreclosure. Additionally, defendants charged consumers illegal up-front fees ranging from $500 to $2,900 a month, and told consumers they were negotiating loan modifications that in most cases never happened.

    The U.S. District Court for the Central District of California granted a restraining order temporarily shutting down the defendants’ operations. In freezing the defendants’ assets and ordering them to submit financial statements, the court noted that the agencies established a likelihood of success in showing that the defendants “have falsely, deceptively, and illegally marketed, advertised, and sold mortgage relief assistance services.”

    Federal Issues FTC DFPI State Issues California Mortgages Consumer Finance Mortgage Relief Enforcement California Consumer Financial Protection Law FTC Act MARS Rule Regulation O Telemarketing Sales Rule Covid-19 Consumer Protection Act Covid-19 UDAP

  • FTC aims to protect gig workers from unfair, deceptive, and anticompetitive practices

    Federal Issues

    On September 15, the FTC adopted a new policy statement outlining several issues facing consumers working in jobs that are part of the gig economy. According to the Commission, gig workers face potential harm related to misrepresentations about the nature of the work, diminished bargaining power for transparency, and anticompetitive hurdles resulting in reduced choice. The policy statement “makes clear that the FTC’s authority to enforce both competition and consumer protection law in the gig economy is not affected by how companies choose to classify the consumers who perform gig work.” Specifically, the Commission lists several areas where it will focus its attention on preventing consumer harm: (i) companies will be held accountable for claims and conduct about costs and benefits, including potential earnings, and must be transparent about costs borne by workers; (ii) companies using artificial intelligence or other advanced technologies for pay, performance, and work assignments are required to uphold promises made to workers, and must ensure that any restrictive contract terms do not violate the FTC Act or other statutes; and (iii) companies may be subject to investigations related to potential exclusionary or predatory conduct causing reduced compensation or poor working conditions. Companies that fail to comply with laws governing unfair, deceptive, or anticompetitive practices may be required to pay consumer redress and civil penalties, and may also be ordered to cease their unlawful business practices. 

    Federal Issues FTC Consumer Protection UDAP FTC Act Enforcement

  • FTC, states sue rental listing platform for fraud

    Federal Issues

    On August 30, the FTC announced a lawsuit, together with the attorneys general from New York, California, Colorado, Florida, Illinois, and Massachusetts, against a rental listing platform and its owners for allegedly charging consumers for false endorsements and fake listings. The complaint, which alleges violations of the FTC Act and various state laws, claims that the defendants used both fake reviews and fake listings to lure consumers to its platform and pay for access to so-called “verified and authentic living arrangement listings.” In particular, one of the individual defendants is alleged to have deceptively promoted the platform “by providing tens of thousands of fake four- and five-star reviews” to app stores. That individual defendant stipulated to the entry of a proposed stipulated final order on the same day, which requires the following: (i) cooperation with the FTC’s ongoing action; (ii) informing the app stores that he was paid to post reviews and identify the fake reviews and when they were posted; (iii) a permanent ban from selling or misrepresenting consumer reviews or endorsements; and (iv) payment of a total of $100,000 to the state AGs.

    The action is part of the FTC’s on-going efforts to address fake and deceptive reviews, which include a $4.2 million action taken against an online fashion retailer accused of suppressing negative reviews, and warnings issued in 2021 to more than 700 companies announcing that they may face fines over misleading online endorsements (covered by InfoBytes here and here).

    Federal Issues FTC Enforcement State Issues FTC Act UDAP Deceptive State Attorney General

  • FTC sues data broker for unfair sale of sensitive data

    Federal Issues

    On August 29, the FTC announced an action taken against a data broker accused of allegedly selling precise geolocation data from hundreds of millions of mobile devices that can be used to trace individuals’ movements to and from sensitive locations. According to the complaint, the defendant purchases location information from other data brokers and packages it into customized data feeds that match unique mobile device advertising identification numbers with timestamped latitude and longitude locations. These data feeds allow purchasers to identify and track specific mobile device users with no restrictions on usage and puts consumers at significant risk, the FTC claimed, noting that by failing to adequately protect its data from public exposure, consumers may be identified and face substantial injury. Moreover, people are often unaware that their location data is being purchased and shared by the defendant and have no control over its sale or use, the FTC said in its announcement. The complaint alleges the defendant’s unfair sale of sensitive data violates the FTC Act, and seeks a permanent injunction and any additional relief deemed just and proper.

    Federal Issues Privacy, Cyber Risk & Data Security FTC Enforcement Data Brokers FTC Act UDAP Unfair


Upcoming Events