InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC orders refunds over compromised health data
On March 2, the FTC filed a complaint against an online counseling service alleging the respondent violated the FTC Act by monetizing consumers’ sensitive health data for targeted advertising purposes. As part of the process to sign up for the respondent’s counseling services, consumers are required to provide sensitive mental health information, as well as other personal information. Consumers are promised that their personal health data will not be used or disclosed except for limited purposes, such as for counseling services. However, the FTC claimed the respondent used and revealed consumers’ sensitive health data to third parties for advertising purposes. According to the FTC, the respondent failed to maintain sufficient policies or procedures to protect the sensitive information and did not obtain consumers’ affirmative express consent before disclosing the health data. The respondent also allegedly failed to limit how third parties could use the health data and denied reports that it revealed consumers’ sensitive information.
Under the terms of the proposed consent order, the respondent will be required to pay $7.8 million in partial refunds to affected users and will be banned from disclosing health information to certain third parties for re-targeting advertising purposes. This will be the first FTC action returning funds to consumers whose health data was compromised. The respondent will also be prohibited from misrepresenting its sharing practices and must also (i) obtain users’ affirmative express consent before disclosing personal information to certain third parties for any purpose; (ii) implement a comprehensive privacy program with strong safeguards to protect users’ data; (iii) instruct third parties to delete shared personal data; and (iv) implement a data retention schedule imposing limits on how long personal data can be retained.
District Court allows FTC suit against owners of credit repair operation to proceed
On February 13, the U.S. District Court for the Eastern District of Michigan denied a motion to dismiss filed by certain defendants in a credit repair scheme. As previously covered by InfoBytes, last May the FTC sued a credit repair operation that allegedly targeted consumers with low credit scores promising its products could remove all negative information from their credit reports and significantly increase credit scores. At the time, the court granted a temporary restraining order against the operation for allegedly engaging in deceptive practices that scammed consumers out of more than $213 million. The temporary restraining order was eventually vacated, and the defendants at issue (two individuals and two companies that allegedly marketed credit repair services to consumers, charged consumers prohibited advance fees in order to use their services without providing required disclosures, and promoted an illegal pyramid scheme) moved to dismiss themselves from the case and to preclude the FTC from obtaining permanent injunctive and monetary relief.
In denying the defendants’ motion to dismiss, the court held, among other things, that “controlling shareholders of closely-held corporations are presumed to have the authority to control corporate acts.” The court pointed to the FTC’s allegations that the individual defendants at issue were owners, officers, directors, or managers, were authorized signatories on bank accounts, and had “formulated, directed, controlled, had the authority to control, or participated in the acts and practices set forth in the complaint.” The court further held that the FTC’s allegations raised a plausible inference that the individual defendants have the authority to control the businesses and demonstrated that they possessed, “at the most basic level, ‘an awareness of a high probability of deceptiveness and intentionally avoided learning of the truth.’”
The court also disagreed with the defendants’ argument that the permanent injunction is not applicable to them because they have since resigned their controlling positions of the related businesses, finding that “[t]his development, if true, does not insulate them from a permanent injunction.” The court found that “the complaint contains plausible allegations of present and ongoing deceptive practices that would authorize the [c]ourt to award a permanent injunction ‘after proper proof.’” In addition, the court said it may award monetary relief because the FTC brought claims under both sections 13(b) and 19 of the FTC Act and “section 19(b) contemplates the ‘refund of money,’ the ‘return of property,’ or the ‘payment of damages’ to remedy consumer injuries[.]”
FTC takes action against eye surgery provider
On January 19, the FTC announced an action against an Ohio-based eye surgery provider (respondent) concerning allegations that it engaged in “bait-and-switch” advertising. According to the FTC’s complaint, the respondent engaged in deceptive business practices by marketing eye surgery for $250, yet only 6.5 percent of patients who received consultations qualified for that price. According to the FTC, despite the advertising claims, for consumers with less than near-normal vision the company typically quoted a price between $1,800 and $2,295 per eye. The FTC also alleged that respondent neglected to tell consumers up-front that the promotional price was per-eye.
Under the terms of the decision and order (which was granted final approval on March 15) the respondent must, among other things, pay $1.25 million in redress to harmed customers. Additionally, the respondent is banned from using deceptive business practices and is required to make certain clear and conspicuous disclosures when advertising the surgery at a price or discount for which most consumers would not qualify. Specifically, such disclosures must include whether the price is per eye, the price most consumers pay per eye, and any requirements or qualifications needed to get the offered price or discount.
The Commission voted to issue the administrative complaint and accepted the consent agreement 3-1. Commissioner Christine S. Wilson issued a dissenting statement, arguing that there are “no clear rules” regarding the qualifications of eye surgery referenced in the complaint. She stated that she is “concerned that requiring the inclusion of specific medical parameters in advertisements, when those parameters could be either over- or under-inclusive depending upon the results of the consultation, could be more confusing than helpful.”
FTC takes action against investment advisor, cites violations of Notice of Penalty Offenses
On January 13, the FTC announced an action against an investment advisor and its owners concerning allegations that the defendants made deceptive claims when selling their services to consumers. While the FTC has brought “several cases” concerning false money-making claims, the action marks the first time the FTC is collecting civil money penalties from cases relating to Notice of Penalty Offenses. As previously covered by InfoBytes, the FTC sent the notice to more than 1,100 companies (including the defendants) warning that they may incur significant civil penalties if they or their representatives make claims regarding money-making opportunities that run counter to FTC administrative cases. Under the Notice of Penalty Offenses, the FTC is permitted to seek civil penalties against a company that engages in conduct it knows is unlawful and has been determined to be unlawful in an FTC administrative order. This action is also the first time the FTC has imposed civil penalties for violations of the Restore Online Shoppers’ Confidence Act (ROSCA).
According to the complaint, the defendants made numerous misleading claims when selling their investment advising services, including that (i) recommendations about the services were based on a specific “system” or “strategy” created by so-called experts who claim to have made numerous successful trades; and (ii) consumers would make substantial profits if they followed the recommended trades (consumers actually lost large amounts of money, the FTC alleged). Moreover, the FTC claimed that company disclaimers “directly contradict the message conveyed by their marketing,” including that featured testimonials and example trade profits “represent extraordinary, not typical results,” “that ‘[n]o representation is being made that any account will or is likely to achieve profits or losses similar to those discussed,’ and that ‘[n]o representation or implication is being made that using the methodology or system will generate profits or ensure freedom from losses.’” By making these, as well as other, deceptive claims, the defendants were found to be in violation of the Notice of Penalty Offenses, ROSCA, and the FTC Act, the Commission said.
Under the terms of the proposed order, the defendants would be required to surrender more than $1.2 million as monetary relief and must pay a $500,000 civil money penalty. The defendants would also have to back up any earnings claims, provide notice to consumers about the litigation and the court order, and inform consumers about what they need to know before purchasing an investment-related service.
Senators ask FTC, CFPB to investigate deceptive listing agreements
In December, Senate Banking Committee Chairman Sherrod Brown (D-OH), along with Senators Tina Smith (D-MN) and Ron Wyden (D-OR) sent a letter to the FTC and the CFPB requesting a review of a Florida-based real estate brokerage firm’s use of exclusive 40-year listing agreements marketed as a “loan alternative.” The request follows a November press release by the Florida attorney general announcing legal action against the firm for engaging in allegedly deceptive, unfair, and unconscionable business practices. According to the AG’s complaint, the firm offered homeowners $300 to $5,000 as a cash loan alternative in exchange for an agreement to use the firm as an exclusive real estate listing broker for a 40-year period. The complaint claimed the firm informs homeowners that there is no obligation to return the cash, stressing the homeowner will owe the firm nothing unless and until the home is sold. The AG asserted, however, that what is not clearly disclosed is that after accepting the payment, the firm files a 40-year lien on the property so that if at any time within 40 years the home is foreclosed upon or transferred to heirs upon the homeowner’s death, or if homeowners simply wish to cancel the deal, the firm will attempt to take three percent of the home’s value. Further, the AG claimed that the firm also failed to inform customers that the liens are filed in the public record, which can make it difficult for homeowners to refinance or access their home’s equity. The complaint seeks injunctive relief, restitution, and civil penalties.
Gaming company to pay $520 million to resolve FTC allegations
On December 19, the DOJ filed a complaint on behalf of the FTC against a video game developer for allegedly violating the Children’s Online Privacy Protection Act (COPPA) by failing to protect underage players’ privacy. The FTC also alleged in a separate administrative complaint that the company employed “dark patterns” to trick consumers into making unwanted in-game purchases, thus allowing players to accumulate unauthorized charges without parental involvement. (See also FTC press release here.)
According to the complaint filed in the U.S. District Court for the Eastern District of North Carolina, the company allegedly collected personal information from players under the age of 13 without first notifying parents or obtaining parents’ verifiable consent. Parents who requested that their children’s personal information be deleted allegedly had to take unreasonable measures, the FTC claimed, and the company sometimes failed to honor these requests. The company is also accused of violating the FTC Act’s prohibition against unfair practices when its settings enabled, by default, real-time voice and text chat communications for children and teens. These default settings, as well as a matching system that enabled children and teens to be matched with strangers to play the game, exposed players to threats, harassment, and psychologically traumatizing issues, the FTC maintained. While company employees expressed concerns about the default settings and players reported concerns, the FTC said that the company resisted turning off the default setting and made it difficult for players to figure out how to turn the voice chat off when the FTC did eventually take action.
Under the terms of a proposed court order filed by the DOJ, the company would be prohibited from enabling voice and text communications unless parents (of players under the age of 13) or teenage users (or their parents) provide affirmative consent through a privacy setting. The company would also be required to delete players’ information that was previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company must implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, and obtain regular, independent audits. According to the DOJ’s announcement, the company has agreed to pay $275 million in civil penalties—the largest amount ever imposed for a COPPA violation.
With respect to the illegal dark patterns allegations, the FTC claimed that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Players were able to purchase in-game content by pressing buttons without requiring any parental or card holder action or consent. Additionally, the company allegedly blocked access to purchased content for players who disputed unauthorized charges with their credit card companies, and threatened players with a lifetime ban if they disputed any future charges. Moreover, cancellation and refund features were purposefully obscured, the FTC asserted.
To resolve the unlawful billing practices, the proposed administrative order would require the company to pay $245 million in refunds to affected players. The company would also be prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the order would bar the company from blocking players from accessing their accounts should they dispute unauthorized charges.
FTC proposes to permanently ban credit repair operation
On December 15, the FTC announced proposed court orders to permanently ban a group of companies and their owners (collectively, “defendants”) from offering or providing credit repair services. In May the FTC filed a complaint against the defendants for allegedly violating the FTC Act, the Credit Repair Organizations Act, and the TSR, among other statutes, by making deceptive misrepresentations about their credit repair services and charging illegal advance fees (covered by InfoBytes here). At the time, the U.S. District Court for the Middle District of Florida granted a temporary restraining order against the defendants. The proposed court orders (see here and here) were agreed to by the defendants, and contain several requirements: (i) a permanent ban against the defendants from operating or assisting any credit repair service of any kind; (ii) a prohibition against making unsubstantiated claims “about the benefits, performance, or efficacy of any good or service without sufficient supporting evidence”; and (iii) the release of numerous possessions that will be liquidated by a court-appointed receiver and used by the FTC to provide refunds to impacted consumers. The proposed court orders also include a total monetary judgment of more than $18.8 million, which is partially suspended due to the defendants’ inability to pay.
New Jersey settles with car dealerships over consumer protection violations
On December 15, the New Jersey attorney general announced that the Division of Consumer Affairs has now reached settlements with six car dealerships totaling over $260,000 to resolve alleged consumer protection violations. Among other things, the dealerships allegedly failed to honor the advertised price of used vehicles, charged excessive vehicle preparation fees that were not properly itemized or disclosed, failed to disclose the vehicle’s full sale price, and engaged in deceptive advertising. Under the terms of the most recent settlement (joining five other settlements announced earlier in the year), the dealership is required to pay $180,000, and must stop engaging in any unfair or deceptive acts practices. The dealership must also (i) comply with all applicable state and federal laws, including the Consumer Fraud Act, the Motor Vehicle Advertising Regulations, and the Automotive Sales Practices Regulations; (ii) honor all advertised sale or lease prices; (iii) accurately disclose a vehicle’s sale price; (iv) disclose previous damage and substantial repairs done to used cars when advertising; (v) clearly and conspicuously disclose all disclaimers, qualifiers, or offer limitations in advertisements; and (vi) enter binding arbitration to resolve any pending consumer complaints, as well as any additional complaints received by the Division for a one-year period.
FTC, Florida permanently shut down grant funding operation
On December 8, the FTC and the Florida attorney general announced that a Florida-based grant funding company and its owner (collectively, “defendants”) will be permanently banned from offering grant-writing and business consulting services as a result of a lawsuit the regulators brought against the defendants in June. As previously covered by InfoBytes, the complaint alleged that the defendants violated the Consumer Protection Act, the FTC Act, and the Florida Deceptive Unfair Trade Practices Act by deceptively marketing their services to minority-owned small businesses. Among other things, the defendants (i) promised grant funding that did not exist and/or was never awarded; (ii) misled customers about the status of grant awards; and (iii) failed to honor a “money-back guarantee” and suppressed customer complaints. The defendants agreed to the terms of a proposed court order, which would ban them from providing grant-related services and business consulting, and prohibit them from making misrepresentations regarding advertised products or services. Defendants would also be required to turn over certain property to be sold in order to provide refunds to affected businesses. The proposed order also includes a more than $2 million monetary judgment, which is partially suspended due to defendants’ inability to pay.
FTC takes action against ed tech provider for lax data security
On October 31, the FTC announced an administrative action against an education technology (ed tech) provider claiming that the company’s allegedly poor data security practices exposed millions of users and employees’ sensitive information, including Social Security numbers, email addresses, and passwords. According to the FTC’s complaint, due to the company’s alleged failure to adequately protect the personal information collected from its users and employees, the company experienced four data breaches beginning in September 2017, when a phishing attack granted a hacker access to employees’ direct deposit information. Less than a year later, another data breach involved a former employee using login information the company shared with employees and outside contractors to gain access to a third-party cloud database containing personal data for roughly 40 million users. In the following two years, the company experienced two more data breaches through phishing attacks that exposed sensitive employee data, including medical and financial information. Claiming violations of Section 5(a) of the FTC Act, the Commission alleged the company failed to implement basic security measures, stored personal data insecurely, and failed to implement a written security policy until January 2021, despite experiencing three phishing attacks.
Under the terms of the proposed decision and order, the company would be required to take several measures to address the alleged conduct, including (i) documenting and limiting data collection; (ii) providing users access to collected data and allowing them to submit requests for deletion; (iii) implementing multifactor authentication or another authentication method to protect user and employee accounts; and (iv) implementing a comprehensive information security program that would encrypt consumer data and provide security training to employees, among other things.
This action is part of the FTC’s ongoing efforts to make sure ed tech providers protect and secure personal data they collect and do not collect more information than necessary. As previously covered by InfoBytes, the FTC issued a policy statement in May warning ed tech providers that they must fully comply with all provisions of the Children’s Online Privacy Protection Act when gathering data about children. The FTC emphasized that ed tech providers may not harvest or monetize children’s data, cannot force children to disclose more information than is reasonably necessary for participating in their educational services, and must have procedures in place to keep the data secure, among other things.