Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC orders refunds over compromised health data
On March 2, the FTC filed a complaint against an online counseling service alleging the respondent violated the FTC Act by monetizing consumers’ sensitive health data for targeted advertising purposes. As part of the process to sign up for the respondent’s counseling services, consumers are required to provide sensitive mental health information, as well as other personal information. Consumers are promised that their personal health data will not be used or disclosed except for limited purposes, such as for counseling services. However, the FTC claimed the respondent used and revealed consumers’ sensitive health data to third parties for advertising purposes. According to the FTC, the respondent failed to maintain sufficient policies or procedures to protect the sensitive information and did not obtain consumers’ affirmative express consent before disclosing the health data. The respondent also allegedly failed to limit how third parties could use the health data and denied reports that it revealed consumers’ sensitive information.
Under the terms of the proposed consent order, the respondent will be required to pay $7.8 million in partial refunds to affected users and will be banned from disclosing health information to certain third parties for re-targeting advertising purposes. This will be the first FTC action returning funds to consumers whose health data was compromised. The respondent will also be prohibited from misrepresenting its sharing practices and must also (i) obtain users’ affirmative express consent before disclosing personal information to certain third parties for any purpose; (ii) implement a comprehensive privacy program with strong safeguards to protect users’ data; (iii) instruct third parties to delete shared personal data; and (iv) implement a data retention schedule imposing limits on how long personal data can be retained.
FTC bans health vendor from sharing consumer info with advertiser
On February 1, the DOJ filed a complaint on behalf of the FTC against a telehealth and prescription drug discount provider for allegedly violating the FTC Act and the Health Breach Notification Rule by failing to notify consumers that it was disclosing their personal health information to third parties for advertising purposes. As a vendor of personal health records, the FTC stated that the company is required to comply with the Health Breach Notification Rule, which imposes certain reporting obligations on health apps and other companies that collect or use consumers’ health information (previously covered by InfoBytes here).
According to the complaint filed in the U.S. District Court for the Northern District of California, the company—which allows users to keep track of their personal health information, including saving, tracking, and receiving prescription alerts—shared sensitive personal health information with advertisers and other third parties for years, even though it allegedly promised users that their health information would never be shared. The FTC maintained that the company also monetized users’ personal health information and used certain shared data to target its own users with personalized health- and medication-specific advertisement on various social media platforms. The company also allegedly: (i) permitted third parties to use shared data for their own internal purposes; (ii) falsely claimed compliance with the Digital Advertising Alliance principles (which requires companies to obtain consent prior to using health information for advertising purposes); (iii) misrepresented its HIPPA compliance; (iv) failed to maintain sufficient formal, written, or standard privacy or data sharing policies or procedures to protect personal health information; and (v) failed to report the unauthorized disclosures.
Under the terms of the proposed court order filed by the DOJ, the company would be required to pay a $1.5 million civil penalty, and would be prohibited from engaging in the identified alleged deceptive practices and from sharing personal health information with third parties for advertising purposes. The company would also be required to implement several measures to address the identified violations, including obtaining users’ affirmative consent before disclosing information to third parties (the company would be prohibited from using “dark patterns,” or manipulative designs, to obtain consent), directing third parties to delete shared data, notifying users about the breaches and the FTC’s enforcement action, implementing a data retention schedule, and putting in place a comprehensive privacy program to safeguard consumer data.
FTC takes action against eye surgery provider
On January 19, the FTC announced an action against an Ohio-based eye surgery provider (respondent) concerning allegations that it engaged in “bait-and-switch” advertising. According to the FTC’s complaint, the respondent engaged in deceptive business practices by marketing eye surgery for $250, yet only 6.5 percent of patients who received consultations qualified for that price. According to the FTC, despite the advertising claims, for consumers with less than near-normal vision the company typically quoted a price between $1,800 and $2,295 per eye. The FTC also alleged that respondent neglected to tell consumers up-front that the promotional price was per-eye.
Under the terms of the decision and order (which was granted final approval on March 15) the respondent must, among other things, pay $1.25 million in redress to harmed customers. Additionally, the respondent is banned from using deceptive business practices and is required to make certain clear and conspicuous disclosures when advertising the surgery at a price or discount for which most consumers would not qualify. Specifically, such disclosures must include whether the price is per eye, the price most consumers pay per eye, and any requirements or qualifications needed to get the offered price or discount.
The Commission voted to issue the administrative complaint and accepted the consent agreement 3-1. Commissioner Christine S. Wilson issued a dissenting statement, arguing that there are “no clear rules” regarding the qualifications of eye surgery referenced in the complaint. She stated that she is “concerned that requiring the inclusion of specific medical parameters in advertisements, when those parameters could be either over- or under-inclusive depending upon the results of the consultation, could be more confusing than helpful.”
DOJ says court will oversee social media company’s housing ads into 2026
On January 9, the DOJ informed a New York federal judge that it had reached a follow-up agreement with a global social media company to ensure its compliance with a June 2022 settlement that required the company to stop using a tool that allowed advertisers to exclude certain users from seeing housing ads based on their sex and estimated race/ethnicity. Explaining that the tool violated the Fair Housing Act, the letter said the company agreed to allow the tool to expire and agreed to build a system to reduce variances in its housing ad delivery system related to sex and estimated race/ethnicity. A follow-up agreement reached between the parties on compliance targets established that the company will be subject to court oversight and regular compliance review through June 27, 2026. The company released a statement following the settlement announcing it is making changes “in part to address feedback we’ve heard from civil rights groups, policymakers and regulators about how our ad system delivers certain categories of personalized ads, especially when it comes to fairness.” The company further noted that “while HUD raised concerns about personalized housing ads specifically, we also plan to use this method for ads related to employment and credit. Discrimination in housing, employment and credit is a deep-rooted problem with a long history in the US, and we are committed to broadening opportunities for marginalized communities in these spaces and others.”
FTC reports on use of "dark patterns"
On September 15, the FTC released a report, Bringing Dark Patterns to Light, examining how “dark patterns” can effect consumer choice and decision-making and could violate the law. The report stems from an April 2021 workshop that the Commission held to explore dark patterns. According to the FTC, the dark pattern tactics detailed in the report include disguising ads to appear like independent content, which makes “it difficult for consumers to cancel subscriptions or charges, burying key terms or junk fees, and tricking consumers into sharing their data.” The report highlighted the FTC’s efforts to combat the use of dark patterns in the marketplace and reiterated the Commission’s commitment to taking action against tactics designed to trick and trap consumers. Among other things, the report noted four common dark pattern tactics, which include design elements that: (i) induce false beliefs; (ii) hide or delay disclosure of material information; (iii) lead to unauthorized charges; and (iv) obscure or subvert privacy choices. The report also cited a 2017 case brought against a company as an example of past enforcement work, in which FTC fined the company $2.2 million for enabling default settings that allowed its smart TVs to collect and share consumers’ viewing activity with third parties, providing a brief notice to some consumers that the agency said could easily be missed.
FTC hosts forum on commercial surveillance and lax data security practices
On September 8, the FTC hosted a forum regarding its Advance Notice of Proposed Rulemaking (ANPR) on commercial surveillance and data security practices. As previously covered by InfoBytes, the ANPR was issued in August to solicit public comment on “the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.” The ANPR noted that there is increasing evidence that some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms. The forum featured remarks by FTC Chair Lina M. Khan, Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, as well as a staff presentation, two panel discussions, and comments from the public. Chair Khan noted in her remarks that the discussion and comments at the forum will be critical in determining the evidentiary basis for proceeding with a rulemaking and whether legal requirements needed for crafting any particular type of rule. However, some observers expressed concern that the FTC’s ANPR could undermine efforts to pass federal privacy legislation. Slaughter noted in her remarks that she “support[s] strong federal privacy legislation, but until there’s a law on the books, the commission has a duty to use all the tools we have to investigate and address unlawful behavior in the market.” Commissioners Slaughter and Bedoya also expressed the need for public engagement to understand commercial surveillance.
The first panel focused on industry perspectives on commercial surveillance and data security. When asked about some of the best practices or potential business models developed by businesses to mitigate consumer harm and protect data, a panelist noted that there are many approaches underway, but the guiding principle is that the process of documentation supports transparency by prompting processes and critical thinking of each step in the mission learning lifecycle. One panelist expressed concerns about businesses tracking personal data, stating that because retailers collect information about their customers when they make purchases online and may recommend related offerings, regulators “should not interfere with these direct relationships.” Another panelist warned against treating all data collection and processes equally, stressing that the FTC should use its enforcement tools against third parties.
The second panel featured consumer advocates discussing interests, concerns, risks, and harms related to commercial surveillance, in addition to mitigating consumer harms and protecting data. The advocates noted, among other things, that the FTC should impose heightened safeguards on sensitive data, such as precise location records and information associated with children. Additionally, the panelists advocated for establishing a regulation and broadening the FTC’s Section 5 unfairness authority that limits widescale tracking. Specifically, one panelist discussed how the FTC should approach a data minimization rule under Section 5, recommending that such a rule should ban secondary use and third-party disclosures. In regard to combating discrimination through data collection and advertising, a panelist noted that shifting data protection responsibilities from individuals onto companies could play an important part to ensure that data-driven algorithms that deliver ads or content are not discriminating against consumers.
FTC seeks feedback on digital ad effects on children
On August 23, the FTC announced that it is soliciting additional public feedback on the effects digital advertising and marketing messages have on children. As previously covered by InfoBytes, in May the FTC announced that it is seeking comment on its notice of proposed changes to its “Guides Concerning the Use of Endorsements and Testimonials in Advertising” (Endorsement Guides), which includes the addition of a new section highlighting special concerns related to child-directed advertising. Under the Endorsement Guides, which were enacted in 1980 and amended in 2009, advertisers are required “to be upfront with consumers and clearly disclose unexpected material connections between endorsers and a seller of an advertised product.” The Commission also noted that, in conjunction with the notice, it is hosting a public event on October 19 to address topics including “children’s capacity at different ages and developmental stages to recognize and understand advertising content and distinguish it from other content,” and the “need for and efficacy of disclosures as a solution for children of different ages, including the format, timing, placement, wording, and frequency of disclosures.” Comments are due by November 18 “to accommodate those who wish to provide input on the topics discussed at the October digital advertising event.”
District Court awards injunctive relief to FTC in deceptive advertising case
On August 9, the U.S. District Court for the Northern District of Georgia ruled that the FTC provided “broad and detailed” evidence of alleged deceptive advertising and unfair fee practices in its $550 million case against a technology company and its CEO (collectively, “defendants”). As previously covered by InfoBytes, the FTC filed a suit in 2019, alleging the defendants made deceptive representations to customers and charged hidden, unauthorized fees in connection with the company’s “fuel card” products in violation of Section 5 of the FTC Act. In 2019, when the agency filed its lawsuit, legal precedent held that the FTC could obtain restitution for consumers directly through such civil proceedings in federal court. However, in April of 2021, the Supreme Court held in AMG Capital Management, LLC v. FTC that the FTC does not have statutory authority to obtain equitable monetary relief under Section 13(b) of the FTC Act. (Covered by InfoBytes here.) Following that decision, the FTC filed a motion to stay or voluntarily dismiss in an attempt to preserve the possibility of obtaining monetary relief for injured consumers in federal court while pursuing claims against the defendants through the agency’s administrative process, but the district court denied the motion, concluding that the “balance of equities does not weigh in favor of a stay or dismissal without prejudice.”
In its most recent order, the district court ruled that the FTC provided compelling and overwhelming evidence, including advertisements, internal marketing studies, and a “plethora of customer complaints” that showed the defendants are liable for multiple violations of the FTC Act. Among other things, the court noted that the evidence showed that the defendants knew that many customers were unaware of certain fees when they signed up for the fuel cards and that the defendants’ terms and conditions governing the fees were “inscrutable” and confusing. However, the district court partially granted defendants’ request for summary judgment on monetary relief, ruling that in light of the Supreme Court’s decision in AMG Capital Management, the FTC cannot obtain a monetary award for the violations until the agency exhausts its administrative litigation process. A hearing will be held to determine the nature of the required injunctive relief.
Special Alert: DOJ settles claims of algorithmic bias
On June 21, the United States Department of Justice announced that it had secured a “groundbreaking” settlement resolving claims brought against a large social media platform for allegedly engaging in discriminatory advertising in violation of the Fair Housing Act. The settlement is one of the first significant federal actions involving claims of algorithmic bias and may indicate the complexity of applying “disparate impact” analysis under the anti-discrimination laws to complex algorithms in this area of increasingly intense regulatory focus.
FTC to strengthen advertising and endorsement guidelines against fraudulent reviews
On May 19, the FTC announced it is considering changes to strengthen its advertising guidelines to address fake and manipulative reviews, as well as concerns over inadequate disclosure tools. The Commission unanimously voted to submit a notice of proposed changes to its “Guides Concerning the Use of Endorsements and Testimonials in Advertising” (Endorsement Guides), which were enacted in 1980 and amended in 2009. Under the Endorsement Guides, advertisers are required “to be upfront with consumers and clearly disclose unexpected material connections between endorsers and a seller of an advertised product.” In February 2020, the FTC issued a request for comments on, among other things, whether the Endorsement Guides are effective at addressing concerns in the marketplace, as well as issues related to social media disclosures, incentive reviews, and affiliate links. According to the Commission’s announcement, the proposed changes (i) warn “social media platforms that some of their tools for endorsers are inadequate and may open them up to liability”; (ii) clarify that the Endorsement Guides cover fake reviews; (iii) add a new principle, which provides that “in procuring, suppressing, boosting, organizing, or editing consumer reviews, advertisers should not distort or misrepresent what consumers think of their products”; (iv) clarify that social media tags are covered by the Endorsement Guides; (v) modify “the definition of ‘endorsers’ to bring virtual influencers—that is, computer-generated fictional characters—under the guides”; (v) provide an example addressing the microtargeting of a discrete group of consumers; and (vi) introduce a new section addressing concerns related to child-directed advertising.
A public event will be hosted by the FTC on October 19 to address topics including “children’s capacity at different ages and developmental stages to recognize and understand advertising content and distinguish it from other content,” and the “need for and efficacy of disclosures as a solution for children of different ages, including the format, timing, placement, wording, and frequency of disclosures.”