InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC takes action against investment advisor, cites violations of Notice of Penalty Offenses
On January 13, the FTC announced an action against an investment advisor and its owners concerning allegations that the defendants made deceptive claims when selling their services to consumers. While the FTC has brought “several cases” concerning false money-making claims, the action marks the first time the FTC is collecting civil money penalties from cases relating to Notice of Penalty Offenses. As previously covered by InfoBytes, the FTC sent the notice to more than 1,100 companies (including the defendants) warning that they may incur significant civil penalties if they or their representatives make claims regarding money-making opportunities that run counter to FTC administrative cases. Under the Notice of Penalty Offenses, the FTC is permitted to seek civil penalties against a company that engages in conduct it knows is unlawful and has been determined to be unlawful in an FTC administrative order. This action is also the first time the FTC has imposed civil penalties for violations of the Restore Online Shoppers’ Confidence Act (ROSCA).
According to the complaint, the defendants made numerous misleading claims when selling their investment advising services, including that (i) recommendations about the services were based on a specific “system” or “strategy” created by so-called experts who claim to have made numerous successful trades; and (ii) consumers would make substantial profits if they followed the recommended trades (consumers actually lost large amounts of money, the FTC alleged). Moreover, the FTC claimed that company disclaimers “directly contradict the message conveyed by their marketing,” including that featured testimonials and example trade profits “represent extraordinary, not typical results,” “that ‘[n]o representation is being made that any account will or is likely to achieve profits or losses similar to those discussed,’ and that ‘[n]o representation or implication is being made that using the methodology or system will generate profits or ensure freedom from losses.’” By making these, as well as other, deceptive claims, the defendants were found to be in violation of the Notice of Penalty Offenses, ROSCA, and the FTC Act, the Commission said.
Under the terms of the proposed order, the defendants would be required to surrender more than $1.2 million as monetary relief and must pay a $500,000 civil money penalty. The defendants would also have to back up any earnings claims, provide notice to consumers about the litigation and the court order, and inform consumers about what they need to know before purchasing an investment-related service.
9th Circuit reverses decision in COPPA suit
In December, the U.S. Court of Appeals for the Ninth Circuit reversed and remanded a district court’s decision to dismiss a suit alleging that a multinational technology company used persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of the Children’s Online Privacy Protection Act (COPPA). According to the opinion, the company used targeted advertising “aided by sophisticated technology that delivers curated, customized advertising based on information about specific users.” The opinion further explained that “the company’s technology ‘depends partly on what [FTC] regulations call ‘persistent identifiers,’ which is information ‘that can be used to recognize a user over time and across different Web sites or online services.’” The opinion also noted that in 2013, the FTC adopted regulations under COPPA that barred the collection of children’s “persistent identifiers” without parental consent. The plaintiff class claimed that the company used persistent identifiers to collect data and track their online behavior surreptitiously and without their consent, and alleged state law claims arising under the constitutional, statutory, and common law of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee, in addition to COPPA violations. The district court ruled that the “core allegations” in the third amended complaint were squarely covered, and preempted, by COPPA.
On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. To determine this, the appellate court examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The appellate court stated that it was not “persuaded that the insertion of ‘treatment’ in the preemption clause here evinces clear congressional intent to create an exclusive remedial scheme for enforcement of COPPA requirements.” The opinion noted that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.”
FTC seeks to ban noncompete clauses
On January 5, the FTC announced a notice of proposed rulemaking (NPRM) regarding banning the use of noncompete clauses in employment contracts. Among other things, the NPRM, would make it illegal for employers to: (i) enter into, or attempt to enter into, a noncompete agreement with a worker; (ii) maintain a noncompete agreement with a worker; or (iii) represent to a worker that the worker is subject to a noncompete agreement. The NPRM also would require employers to rescind existing noncompete agreements and notify workers that those agreements are no longer in effect. The NPRM extends to both paid and unpaid workers as well as independent contractors. It also extends to non-disclosure agreements or agreements to repay training costs upon early termination of employment if such agreements amount de facto to a noncompete. Finally, the NPRM extends to noncompetes related to the sale of a business unless they involve a person who owns at least 25 percent of the sold business. The ban would be pursuant to Sections 5 and 6(g) of the FTC Act, which declare “unfair methods of competition in or affecting commerce” to be unlawful, and authorize the FTC to issue rules prohibiting such methods.
According to FTC Chair Lina M. Khan, noncompete clauses “block workers from freely switching jobs, depriving them of higher wages and better working conditions, and depriving businesses of a talent pool that they need to build and expand.” She noted that by ending noncompete clauses, “the FTC’s proposed rule would promote greater dynamism, innovation, and healthy competition.” According to Commissioner Christine S. Wilson’s dissent, the NPRM is a “radical departure from hundreds of years of legal precedent that employs a fact-specific inquiry into whether a noncompete clause is unreasonable in duration and scope, given the business justification for the restriction.”
Comments are due by March 10.
FTC finalizes data breach order with online alcohol marketplace
On January 10, the FTC announced it has finalized an order with a company that operates an online alcohol marketplace, along with its CEO, related to a data breach that allegedly exposed the personal information of roughly 2.5 million consumers. As previously covered by InfoBytes, the FTC alleged the respondents were alerted to problems with the company’s data security procedures following an earlier security incident in 2018, which involved hackers accessing company servers to mine cryptocurrency until the company changed its cloud computing account login information. The FTC asserted, however, that the company failed to take appropriate measures to address its security problems even though it publicly claimed it had appropriate security protections in place. Among other things, the respondents allegedly violated the FTC Act by (i) failing to implement basic security measures or put in place reasonable safeguards to secure the personal information it collected and stored; (ii) storing critical database information, including login credentials, on an unsecured platform; (iii) failing to monitor its network for security threats or unauthorized attempts to access or remove personal data; and (iv) exposing customers to hackers, identity thieves, and malicious actors who use personal information to open fraudulent lines of credit or commit other fraud. The respondents neither admit nor deny the allegations.
The terms of the final decision and order prohibit the company from making any misrepresentations in connection with any offered product or service related to how it collects, uses, discloses, maintains, deletes, or permits or denies access to personal information. Additionally, the company is required to destroy any collected personal data that is not necessary for providing products or services to consumers, and must refrain from collecting or maintaining personal information unless it is necessary for specific purposes provided in a data retention schedule. The company must also implement and maintain a comprehensive information security program, establish security safeguards to protect against specified security incidents, obtain initial and biennial third-party information security assessments, and publicly detail on its website information on its data collection practices. The order also requires the CEO to implement an information security program at any relevant business for which he is a majority owner, CEO, or senior officer with information security responsibilities.
District Court approves $11 million data breach settlement
On January 4, the U.S. District Court for the Northern District of Texas granted final approval of an $11 million class action settlement resolving allegations related to a February 2021 data breach that compromised more than 4.3 million customers’ personally identifiable information, including names, Social Security numbers, driver’s license numbers, dates of birth, and username/password information. According to plaintiffs’ amended complaint, the defendant insurance software providers failed to notify affected individuals about the data breach until on or after May 10, 2021, despite commencing an investigation in March. Plaintiffs maintained that the defendants’ alleged failure to comply with FTC cybersecurity guidelines and industry data protection standards put at risk their financial and personal records, and said they now face years of constant surveillance to prevent potential identity theft and fraud. Under the terms of the settlement (see also plaintiffs’ memorandum of law in support of the motion for final approval), class members will each receive up to $5,000 for out-of-pocket expenses, including up to eight hours of lost time at $25/hour, as well as 12 months of financial fraud protection. Members of a California subclass will receive additional benefits of between $100 and $300 each. The defendants are also responsible for paying each named plaintiff a $2,000 service award and must pay over $3 million in attorney fees, costs, and expenses.
Agencies highlight downpayment assistance, child privacy in regulatory agendas
Recently, the Office of Information and Regulatory Affairs released fall 2022 regulatory agendas for the FTC and HUD. With respect to an FTC review of the Children’s Online Privacy Protection Rule (COPPA) that was commenced in 2019 (covered by InfoBytes here), the Commission stated in its regulatory agenda that it is still reviewing comments. COPPA “prohibits unfair or deceptive acts or practices in connection with the collection, use and/or disclosure of personal information from and about children under the age of 13 on the internet,” and, among other things, “requires operators of commercial websites and online services, with certain exceptions, to obtain verifiable parental consent before collecting, using, or disclosing personal information from or about children.”
HUD stated in its regulatory agenda that it anticipates issuing a notice of proposed rulemaking in March that would address mortgage downpayment assistance programs. The Housing and Economic Recovery Act of 2018 amended the National Housing Act to add a clause that prohibits any portion of a borrower’s required minimum cash investment from being provided by: “(i) the seller or any other person or entity that financially benefits from the transaction, or (ii) any third party or entity that is reimbursed, directly or indirectly, by any of the parties described in clause (i).” According to the agenda, FHA continues to receive questions about prohibitions on persons or entities that may financially benefit from a mortgage transaction, including “whether down payment assistance programs operated by government entities are being operated in a fashion that would render such assistance prohibited.” A future NPRM would clarify the circumstances in which government entities are deriving a prohibited financial benefit.
Senators ask FTC, CFPB to investigate deceptive listing agreements
In December, Senate Banking Committee Chairman Sherrod Brown (D-OH), along with Senators Tina Smith (D-MN) and Ron Wyden (D-OR) sent a letter to the FTC and the CFPB requesting a review of a Florida-based real estate brokerage firm’s use of exclusive 40-year listing agreements marketed as a “loan alternative.” The request follows a November press release by the Florida attorney general announcing legal action against the firm for engaging in allegedly deceptive, unfair, and unconscionable business practices. According to the AG’s complaint, the firm offered homeowners $300 to $5,000 as a cash loan alternative in exchange for an agreement to use the firm as an exclusive real estate listing broker for a 40-year period. The complaint claimed the firm informs homeowners that there is no obligation to return the cash, stressing the homeowner will owe the firm nothing unless and until the home is sold. The AG asserted, however, that what is not clearly disclosed is that after accepting the payment, the firm files a 40-year lien on the property so that if at any time within 40 years the home is foreclosed upon or transferred to heirs upon the homeowner’s death, or if homeowners simply wish to cancel the deal, the firm will attempt to take three percent of the home’s value. Further, the AG claimed that the firm also failed to inform customers that the liens are filed in the public record, which can make it difficult for homeowners to refinance or access their home’s equity. The complaint seeks injunctive relief, restitution, and civil penalties.
FTC orders card company to let merchants use other debit networks
On December 23, the FTC ordered a payment card company to stop blocking merchants from using competing debit payment networks. According to an agency investigation, the company allegedly violated provisions of the Durbin Amendment, which requires “banks to enable at least two unaffiliated networks on every debit card, thereby giving merchants a choice of which network to use for a given debit transaction,” and “bars payment card networks from inhibiting merchants from using other networks.” The FTC claimed that the company’s policy requires the use of a token when a cardholder loads a company-branded debit card into an ewallet. Ewallets are used to make online and in-app transactions, the FTC explained, adding that because competing networks cannot access the company’s token vault, merchants are dependent on the company to convert the token to process ewallet transactions using company-branded debit cards. Moreover, since the company allegedly did not provide conversion services to competing networks for remote ewallet debit transactions, the FTC asserted that it is impossible for merchants to route their ewallet transactions on other payment networks.
Under the terms of the proposed order, the company will be required to (i) provide other payment networks with customer account information in order to process ecommerce debit payments, and prohibit any efforts that may prevent other networks from serving as token service providers; (ii) provide notice to affected persons; (iii) provide 60-days advance written notice to the FTC before launching any pilot programs or new debit products that would require merchants to route electronic debit transactions only to the company; (iv) file regular compliance reports with the FTC; and (v) notify the FTC of any events that may affect compliance with the order.
CFPB, FTC say furnishers’ investigative duties extend to legal disputes
On December 16, the CFPB and FTC filed an amicus brief in a case on appeal to the U.S. Court of Appeals for the Eleventh Circuit concerning two related FCRA cases in support of plaintiffs-appellants and reversal of their suits involving a defendant hotel chain’s summary judgments. Both cases involve the same defendant company. In one case, the plaintiff entered into a timeshare agreement with the defendant for a property and made monthly payments for approximately three years. When the plaintiff stopped making payments, the plaintiff mailed the defendant letters that disputed the validity of, and purported to rescind, the agreement, while permitting the defendant to retain all prior payments as liquidated damages. The plaintiff obtained a copy of his credit report from a credit reporting agency (CRA), which stated that he had an open account with the defendant with a past-due balance. In three letters to the CRA, the plaintiff disputed the credit reporting. The letters stated that the plaintiff had terminated his agreement with the defendant and that he did not owe a balance. After the CRA communicated each dispute to the defendant, the defendant certified that the information for the defendant’s account was accurate. The plaintiff sued alleging the defendant violated the FCRA when it verified the accuracy of his credit report without conducting reasonable investigations following receipt of his indirect disputes. The defendant moved for summary judgment, alleging, among other things, that the plaintiff’s claim that he was not contractually obligated to make the payments to the defendant that are reported on his credit report as being due “is inherently a legal dispute and is not actionable under the FCRA.” The district court granted the defendant’s motion for summary judgment, which the plaintiff appealed.
In the other case, the plaintiff entered into a timeshare agreement with the defendant. She made a down payment and the first three installment payments, but did not make any additional payments. The plaintiff sent letters to the defendant disputing the validity of, and attempted to cancel, the agreement. The defendant reported the plaintiff’s delinquency to the CRA. In three letters to the CRA, the plaintiff disputed the credit reporting. After the CRA communicated the disputes to the defendant, the defendant determined there was no inaccuracy in the reporting. The plaintiff sued alleging the defendant violated the FCRA when it verified the accuracy of her credit report without conducting reasonable investigations following receipt of her indirect disputes about credit reporting inaccuracies. The district court granted the defendant’s motion for summary judgment, which the plaintiff appealed.
The CFPB and FTC argued in favor of the plaintiffs-appellants. According to the agencies, furnishers’ duty under the FCRA to reasonably investigate applies not only to factual disputes, but also to disputes that can be labeled as legal in nature. The agencies made three arguments to support their contention. First, a reasonable investigation is required under the FCRA to comport with its goal to “protect consumers from the transmission of inaccurate information about them.” The agencies argued that reasonableness is case specific, but it can “be evaluated by how thoroughly the furnisher investigated the dispute (e.g., how well its conclusion is supported by the information it considered or reasonably could have considered).”
Second, the agencies argued that Congress did not intend to exclude disputes that involve legal questions. The FCRA describes the types of indirect disputes that furnishers need to investigate, which are “those that dispute ‘the completeness or accuracy of any item of information contained in a consumer’s file.’” The agencies said nothing suggests that Congress intended to exclude information that is inaccurate on account of legal issues. Furthermore, the agencies noted that a lot of “inaccuracies in consumer reports could be characterized as legal, which would create an exception that would swallow the rule.” Consumer reports generally include information regarding an individual’s debt obligations, which are generally creatures of contract. Therefore, “many inaccurate representations pertaining to an individual’s debt obligations arguably could be characterized as legal inaccuracies, given that determining the truth or falsity of the representation could require the reading of a contract.”
Lastly, the agencies argued that an “atextual exception for legal inaccuracies would create a loophole that could swallow the reasonable investigation rule.” The agencies urged that “[g]iven the difficulty in distinguishing ‘legal’ from ‘factual’ disputes,” the court “should hold that there is no exemption in the FCRA’s reasonable investigation requirement for legal questions” because it would “curtail the reach of the FCRA’s investigation requirement in a way that runs counter to the purpose of the provision to require meaningful investigation to ensure accuracy on credit reports.”
Gaming company to pay $520 million to resolve FTC allegations
On December 19, the DOJ filed a complaint on behalf of the FTC against a video game developer for allegedly violating the Children’s Online Privacy Protection Act (COPPA) by failing to protect underage players’ privacy. The FTC also alleged in a separate administrative complaint that the company employed “dark patterns” to trick consumers into making unwanted in-game purchases, thus allowing players to accumulate unauthorized charges without parental involvement. (See also FTC press release here.)
According to the complaint filed in the U.S. District Court for the Eastern District of North Carolina, the company allegedly collected personal information from players under the age of 13 without first notifying parents or obtaining parents’ verifiable consent. Parents who requested that their children’s personal information be deleted allegedly had to take unreasonable measures, the FTC claimed, and the company sometimes failed to honor these requests. The company is also accused of violating the FTC Act’s prohibition against unfair practices when its settings enabled, by default, real-time voice and text chat communications for children and teens. These default settings, as well as a matching system that enabled children and teens to be matched with strangers to play the game, exposed players to threats, harassment, and psychologically traumatizing issues, the FTC maintained. While company employees expressed concerns about the default settings and players reported concerns, the FTC said that the company resisted turning off the default setting and made it difficult for players to figure out how to turn the voice chat off when the FTC did eventually take action.
Under the terms of a proposed court order filed by the DOJ, the company would be prohibited from enabling voice and text communications unless parents (of players under the age of 13) or teenage users (or their parents) provide affirmative consent through a privacy setting. The company would also be required to delete players’ information that was previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company must implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, and obtain regular, independent audits. According to the DOJ’s announcement, the company has agreed to pay $275 million in civil penalties—the largest amount ever imposed for a COPPA violation.
With respect to the illegal dark patterns allegations, the FTC claimed that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Players were able to purchase in-game content by pressing buttons without requiring any parental or card holder action or consent. Additionally, the company allegedly blocked access to purchased content for players who disputed unauthorized charges with their credit card companies, and threatened players with a lifetime ban if they disputed any future charges. Moreover, cancellation and refund features were purposefully obscured, the FTC asserted.
To resolve the unlawful billing practices, the proposed administrative order would require the company to pay $245 million in refunds to affected players. The company would also be prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the order would bar the company from blocking players from accessing their accounts should they dispute unauthorized charges.