FTC Business Blog

  • Zooming in on Zoom’s unfair and deceptive security practices: More about the FTC settlement
    by lfair on November 9, 2020 at 3:42 pm

    By Lesley Fair

    This time last year, “zoom” was just a word related to speed. But the pandemic has made video conferencing platform Zoom a daily fixture for business people conferring about trade secrets, doctors and mental health professionals discussing sensitive patient information, kids keeping up with school work, and the rest of us sharing everything from the details of day-to-day life to confidential family matters. According to a just-announced FTC complaint, Zoom allegedly engaged in deceptive and unfair practices that misled consumers about the security of their communications on the platform and that put certain users at risk when the company undermined a security feature built into the Safari browser. A proposed settlement will require Zoom to honor its security promises and implement a comprehensive program designed to protect consumers’ information in the future.

    Use Zoom just a few times and you’ll understand the breadth of data the company collects: names, email addresses, approximate locations, credit card numbers, the identity of attendees, and a plethora of information collected while people use the service – including chats, messages, files, and recorded meetings stored on Zoom’s cloud storage. Obviously aware of consumers’ concerns about the security of their communications, Zoom claimed on its website and elsewhere that it takes “security seriously,” that it “places privacy and security as the highest priority,” and that it “is committed to protecting your privacy.” On its site, in its app, in security guides, and in direct communications with potential customers, Zoom prominently touted its “end-to-end AES 256-bit encryption” for all meetings.

    End-to-end encryption is a way of securing communications so that only the sender and recipients – and no one else, not even the platform provider – can read the contents. AES 256-bit encryption is such a strong level of encryption that it can be used to secure “TOP SECRET” messages. According to a 2015 Zoom blog post, “Zoom’s use of AES 256 encryption” made “it impossible for a hacker to grab anything outside of a hopelessly garbled transmission . . . .” The company also represented to healthcare providers that “end-to-end AES 256-bit encryption of all meeting data and instant messages” made the platform suitable for the enhanced security needs of telehealth video conferencing.

    That’s what the company claimed, but the FTC says Zoom delivered far less. In fact, Zoom didn’t provide end-to-end encryption for most Zoom meetings because Zoom’s servers – including some located in China – maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings. What’s more, the FTC says the company’s claim of “256-bit encryption” was false or misleading because Zoom delivered a lower level of encryption that provided less protection.

    For paying customers, Zoom also offered the option of storing their recorded meetings in Zoom’s secure cloud immediately after the meeting had ended. However, according to the FTC, recordings were kept on Zoom’s servers unencrypted for up to 60 days before they were transferred to Zoom’s secure cloud storage, where they were stored encrypted.

    The FTC also alleges that for Mac users, Zoom installed software – called ZoomOpener – that raised particular privacy and security concerns. Mac owners will want to read the complaint for details, but here’s the summary. To help defend against malware and malicious actors, Apple had updated its Safari browser to require users to interact with a dialogue box when a website or link attempted to launch an outside app. So if a consumer received an invitation link to a Zoom meeting, they had to click that it was “okay” to open the Zoom app and join the meeting. However, to avoid this dialogue box, in July 2018, Zoom updated its app for Macs with its ZoomOpener software. The company claimed the purpose of the update was to resolve “minor bug fixes,” but the FTC says Zoom had something else in mind. In fact, Zoom’s “fix” circumvented that safeguard in Apple’s Safari browser. The upshot: Consumers could automatically be joined to Zoom meetings with their cameras also automatically activated unless the consumers had changed their Zoom default video settings.

    Importantly, Zoom did not put in place any offsetting measures to protect users, and the FTC alleges Zoom’s behind-the-scenes ploy put Mac users at risk. For example, no-goodniks could send phishing emails that were really Zoom invitations in disguise. If consumers clicked on a link, it could open a Zoom meeting without their permission and allow strangers to spy on them through their webcams or install malware onto their computers. Even if users deleted the Zoom app, the ZoomOpener remained – along with its accompanying vulnerabilities. What’s more, Zoom could re-install the Zoom app without the user’s permission or knowledge. Apple removed the ZoomOpener web server from users’ computers in 2019.

    The proposed administrative complaint alleges Zoom violated the FTC Act by making deceptive end-to-end encryption claims, false promises about the level of encryption it provided, and misleading representations regarding secured cloud storage for recorded meetings. In addition, the FTC charges that Zoom’s installation of the ZoomOpener unfairly circumvented third-party privacy and security safeguards and that Zoom deceptively failed to give consumers the full scoop about the ZoomOpener.

    The proposed settlement prohibits Zoom from making a wide variety of privacy- and security-related misrepresentations. It also requires Zoom to put in place a far-reaching information security program that includes – among other things – a security review for all new software before release, a vulnerability management program, regular security training for all employees, specialized training for developers and engineers, and independent program assessments by a qualified third party within 180 days and every other year after that for the next 20 years. Once the proposed settlement is published in the Federal Register, the FTC will accept public comments for 30 days.

    Even though Zoom has discontinued most of the practices challenged in the complaint, the most effective means for future compliance is a comprehensive security make-over assessed by a qualified third party, monitored by the FTC, and enforceable in court. The hundreds of millions of consumers who rely on Zoom every day to conduct business, get healthcare, educate their kids, and connect with family members have a right to expect the company to take steps to protect their personal information.

    Looking for more information about using video conferencing platforms? Read Video conferencing: 10 privacy tips for your business.

  • Whose life?! MyLife charged with creating misleading background reports
    by sgressin on July 27, 2020 at 9:04 pm

    By Seena Gressin

    As adage-writers go, whoever penned, “Sticks and stones will break my bones, but words will never hurt me,” should have looked for another line of work. And, the writer should have hoped that prospective employers wouldn’t spot a promotion for MyLife.com, saying they could see the writer’s criminal and sexual offender records by subscribing to MyLife’s background reports.

    A lawsuit announced today alleges that MyLife.com, Inc., and its founder and CEO, Jeffrey Tinsley, enticed people to subscribe to MyLife’s background report services by posting false and misleading “teaser” background reports on MyLife’s website. The reports implied that a particular person had criminal or sex offender records that the viewer could see by subscribing to MyLife. According to the lawsuit, often, when MyLife displayed the reports, the person either had no such records or had only minor traffic citations.

    The Department of Justice filed the lawsuit on behalf of the FTC. It charges that in addition to violating the FTC Act with misleading claims, MyLife violated consumer protections of the Fair Credit Reporting Act (FCRA), used misleading billing practices, in violation of the Restore Online Shoppers’ Confidence Act (ROSCA), and misrepresented its refund and cancellation policies, in violation of the Telemarketing Sales Rule (TSR). There’s a lot going on in this case. If you create, use, or are the subject of a background report (and that should include most adults), you’ll want to take a closer look.

    According to the lawsuit, since 2009, MyLife has promoted its background reports by letting people search for someone’s name on its website for free and get a teaser background report. When the searched-for person had no history of criminal, traffic, or sex offenses, the teaser report typically said the person “may have” such records. It also prominently displayed large, clickable buttons, one inviting the user to “View [searched-for person’s] Court, Arrest, or Criminal Records,” and another inviting the user to “View [searched-for person’s] Sex Offender Records.” The complaint alleges that the prominent “View” buttons, together with statements that the searched-for person “may have” arrest, criminal, or sex offender records, led users to conclude that the person had such records, even if they did not. Many people reported they bought subscriptions to MyLife to see the records, the complaint says.

    So how does the FCRA come in? The law defines a “consumer report” as a “communication of any information” by a consumer reporting agency (CRA) that bears on a person’s “credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living” that is used (or expected to be used) as a factor in establishing their eligibility for credit, insurance, employment, or other reasons outlined in the law. The complaint alleges that MyLife is a CRA and subject to the FCRA because it assembles consumer report information, like court or arrest records, then markets and sells it to third parties to use in making decisions like whether to give someone credit, a job, or a lease.

    The complaint alleges that MyLife skirted its obligations under the FCRA. It charges that MyLife failed to make sure the information it sold was used only for legally permissible purposes, failed to ensure the information was accurate, and failed to tell users about their obligations under the FCRA, including the requirement to notify consumers if the user took an adverse action against them based on information in the report. Inaccurate information in a consumer report can cost a consumer a job, housing, or even a loan.

    As for MyLife’s alleged violations of ROSCA, MyLife sold its subscriptions through auto-renewing, or negative option, plans, triggering its obligations to comply with ROSCA. According to the complaint, MyLife struck out on ROSCA’s basic compliance requirements, including requirements that it clearly disclose all material terms of the deal before getting a consumer’s billing information, and that it give customers a simple mechanism for stopping the recurring charges.

    The complaint charges MyLife violated the TSR by, among other things, failing to truthfully and clearly disclose the terms of its refund or cancellation policies – including that MyLife “had a policy of not making refunds and of discouraging cancellations,” according to the complaint.

    The case, filed in federal court in the Central District of California, is worth watching. Meanwhile, if you’re a consumer reporting agency, or you use background reports, consider whether it’s time for an FCRA refresher. Start out by visiting our Business Center for resources on complying with the FCRA, including Background Checks: What Employers Need to Know.

    Note: This blog post was corrected on July 29, 2020, to identify the Central District of California as the court where the case was filed.

  • $40.2 million reminder about the importance of due diligence and monitoring
    by lfair on May 20, 2020 at 4:41 pm

    By Lesley Fair

    Companies that deceive consumers often don’t act alone. Pull back the curtain and you may find behind-the-scenes businesses that lend a hand. The FTC alleges that Atlanta-based First Data Merchant Services and its former vice president, Chi “Vincent” Ko, engaged in conduct that helped scammers rake in megabucks at consumers’ expense. The $40.2 million total proposed settlement should warn other companies of the hazards of looking the other way when fraud stares you in the face.

    Access to the credit card system is the lifeblood of many businesses. But banks that are members of credit card networks won’t open merchant accounts for just anyone. Various entities – including payment processors and independent sales organizations (ISOs) – serve as intermediaries between banks and merchants. Credit card networks impose anti-fraud policies on banks and other third parties. They, in turn, enter into contracts with payment processors and ISOs that mandate compliance with those rules, including due diligence and monitoring. The purpose of those multi-layered requirements is evident: to keep scammers out of the credit card ecosystem and to ensure that payment processors and others take quick action if there’s evidence they’ve wormed their way in.

    You’ll want to read the complaint for an in-depth look, but according to the FTC’s lawsuit, the defendants opened merchant accounts and processed payments for at least four scam operations. Three of them – Thrive Learning, Coaching Department, and E.M. Systems – were subjects of FTC law enforcement. A fourth operation that used stolen credit card data to bill consumers without their consent resulted in criminal prosecutions by the Department of Justice.

    The FTC says that as early as 2012, defendant Ko, through his company First Pay Solutions, started approving hundreds of facially false merchant applications for the four scam operations. For example, the applications often used straw men and shell companies. In addition, they often described business activities prohibited by credit card rules. (Examples of banned categories include “debt consolidation services,” “get rich quick opportunities,” and “any merchant engaged in any form of deceptive marketing practices.”) Given that some of Ko’s sales agents had multiple criminal convictions, F ratings with the Better Business Bureau, or civil judgments for deceptive conduct, he shouldn’t have been surprised by what was going on. Indeed, other members of Ko’s staff warned him early on that some sales agents were opening merchant accounts based on phony applications. But according to the FTC, Ko violated his obligation to monitor what was going on and to take action in light of evidence that fraud was afoot.

    What role did First Data – one of the largest payments processors in the country – play? First Data employed Ko and First Pay Solutions as an ISO to sell its services and processed payments for the four operations mentioned in the complaint. Throughout its relationship with First Pay Solutions, First Data had what the industry calls “shadow underwriting,” which gave First Data access to information regarding First Pay Solutions merchants’ processing activities. According to the FTC, by April 2012, First Data had already started to question the kind of accounts First Pay Solutions was opening. For the next several years, First Data and First Pay Solutions communicated about deceptive conduct and high chargeback rates, but never seemed to do much about them.

    How bad was the problem? Very. At one point, First Pay Solutions’ merchants accrued over 300,000 chargebacks in less than a year, totaling approximately 40% of First Data’s excessive chargeback violations for its entire wholesale merchant business. The FTC says First Data continued to receive warnings and direct evidence that First Pay Solutions’ portfolio was permeated by fraud, and yet continued to allow Ko and his company to open merchant accounts with minimal oversight.

    Then in 2014, a Wells Fargo executive vice president emailed the General Counsel of First Data’s parent corporation, asking this prescient question: “Why is First Data signing ISOs like [First Pay]? They are going to get First Data and Wells Fargo in trouble with the FTC and CFPB due to consumer deceptive practices . . . .” Toward the end of that year, Wells Fargo terminated its processing contract with First Pay Solutions. In addition, in December 2014, Visa banned First Pay Solutions from bringing high-risk merchants on board until a full audit could be performed. Visa also required First Data to pay $18.7 million in restitution in connection with First Pay Solutions’ merchants. In April 2015, a forensic accounting firm found major failures in risk management practices, including deficient monitoring of merchant transactions and failures in due diligence by Ko and his company.

    Based on those developments, you might expect that First Data cut First Pay Solutions loose for highly questionable conduct, right? On the contrary, in May 2015, First Data acquired the company’s merchant accounts, took over its office space, and hired most of its employees. A few months later, First Data asked Wells Fargo to allow former First Pay Solutions’ employees to solicit high-risk merchants. Wells Fargo said yes, but on two conditions: that the employees weren’t “associated with or related to Vincent Ko” and that First Data could confirm that “Vincent Ko has no influence.” Those caveats make a subsequent personnel decision by First Data seem particularly ironic – because in January 2017, who did First Data hire as its Vice-President of Strategic Partnerships? Vincent Ko.

    The complaint offers much more detail about the FTC’s allegations. Count 1 charges that First Data and Ko violated the FTC Act by engaging in unfair payment processing practices, including opening or maintaining accounts for shell companies or others engaged in fraud, processing transactions for merchants who were defrauding consumers, failing to terminate merchants, and ignoring evidence of fraudulent activity on merchant accounts. According to Count 2, defendant Ko engaged in credit card laundering, in violation of the Telemarketing Sales Rule. Count 3 alleges that First Data violated the TSR by assisting and facilitating credit card laundering. And Count 4 charges First Data and Ko with violating the TSR by assisting and facilitating companies who (among other things) used false or misleading statements to market debt relief services or investment opportunities.

    In addition to the $40 million judgment against First Data and the $270,373 judgment against Ko, the terms of the proposed settlement require First Data to submit to annual audits for the next three years by an FTC-approved independent assessor. The order also bans Ko for life from processing payments for high-risk merchants.

  • FTC Chairman Simons’ statement regarding consumer protection
    by lfair on March 26, 2020 at 6:37 pm

    By Lesley Fair

    It’s an unprecedented time. But even in the midst of monumental change, the FTC’s commitment to its consumer protection mission remains constant. Here’s a statement from Chairman Simons about the ongoing work of the Bureau of Consumer Protection:

    “Federal Trade Commission staff in the Bureau of Consumer Protection remain hard at work protecting consumers from deceptive and unfair commercial practices. Despite the difficult circumstances, the FTC’s law enforcement, policy, and investigative work continues, and our dedicated professional staff are fully engaged in our mission to protect consumers. We are working closely with federal and state law enforcers, and with other stakeholders, including consumer advocates and the business community, and are devoting significant resources to tackling scammers and unfair and deceptive business practices. We will not tolerate businesses seeking to take advantage of consumers’ concerns and fears regarding coronavirus disease, exigent circumstances, or financial distress.

    Information to educate consumers about emerging coronavirus scams, and what each of us can do, is available at ftc.gov/coronavirus. We encourage you to share these educational materials broadly to help protect those you love from scams. You can also help us by reporting such scams at ftc.gov/complaint. Reporting these scams to the FTC not only informs us, but also can help to protect your family, friends, and community.

    In this time of national emergency with the pandemic putting enormous strain on all sectors of commerce, we are all doing our part. We recognize enormous challenges for consumers, as well as for businesses trying to get goods and services to people across the country. Over the next few weeks, the FTC will remain flexible and reasonable in enforcing compliance requirements that may hinder the provision of important goods and services to consumers. To be clear, by being flexible and reasonable, I am not suggesting that we will tolerate companies deceiving consumers, using tactics that violate well-established consumer protections, or taking unfair advantage of these uniquely challenging times. At all times, good faith efforts undertaken to provide needed goods and services to consumers will be taken into account in making enforcement decisions.

    The FTC is ready to assist businesses that may seek guidance about compliance obligations on consumer protection issues during this unprecedented time. If you seek guidance for your business, please email Business.covid@ftc.gov and FTC staff will respond to your inquiries as quickly as possible.”

  • Pump fiction? FTC challenges claims for fuel cards
    by lfair on December 20, 2019 at 4:29 pm

    By Lesley Fair

    Everyone wants to save money at the pump. And no one wants to cut fuel costs more than companies – including many small businesses – that are in the trucking industry or have company cars. The FTC just filed a complaint alleging that Georgia-based FleetCor Technologies has made misleading representations in pitching its “Fuelman” and co-branded fuel cards to businesses around the country. According to the complaint, FleetCor hasn’t lived up to its marketing promises and has charged customers unexpected fees that to date total hundreds of millions of dollars.

    The lawsuit, which names FleetCor and CEO Ronald Clarke, alleges that despite the defendants’ claim that businesses using its fuel cards would achieve specific per-gallon savings – for example, “Save 10¢ per gallon on diesel fuel with a customized fleet management solution.*” – FleetCor’s own data show that these customers have saved, on average, less than a penny per gallon even before taking into account FleetCor’s hefty unexpected fees.

    About those fees: The defendants have promised “[n]o set-up, transaction or annual fees,” but according to the FTC, the defendants have charged customers millions in a broad array of unexpected fees. For example, some ads said that customers could enjoy the “convenience” of filling up at tens of thousands of locations nationwide. However, when customers buy fuel at a number of national retailers, including Pilot, Texaco, Chevron, and Loves, they’re in for a surprise. First, FleetCor doesn’t honor promised discounts at those large chains. And second, FleetCor imposes a transaction fee of $2.00 or more for each fill-up at those locations. FleetCor considers those retailers to be part of its “Convenience Network,” but according to the FTC, that term really means a non-preferred or out-of-network station where FleetCor customers have to pay more.

    The FTC says the defendants also bill customers for an array of other unexpected fees, including Account Administration Fees, Program Fees, High Credit Risk Account Fees, and Minimum Program Administration Fees. To the extent that FleetCor has mentioned some of those fees, the FTC says it’s in dense blocks of fine print in hard-to-read and hard-to-understand Terms and Conditions documents. Other fees, including fees for unwanted subscription programs, aren’t mentioned even there. In addition, the complaint alleges the defendants have charged some customers “Late Fees and Interest and Finance Charges” totaling hundreds or thousands of dollars in a single billing cycle even when a customer paid on time.

    Here’s an example of how just one of those fees works. Buried in the fine print is the fact that FleetCor charges certain customers fees if FleetCor deemed them to be “High Credit Risk Accounts.” Who has fallen within FleetCor’s definition? Customers with a lower credit score, customers who have paid late, and customers who “operate[] in the trucking or transportation industry.” You read that right. According to the FTC, the defendants pitch fuel cards to members of that industry and yet have allegedly soaked them for at least $1.7 million in High Credit Risk Account fees solely because they’re part of FleetCor’s target market. Factoring in other customers, FleetCor has allegedly taken in a total of more than $108 million in High Credit Risk Account fees alone. What’s more, the FTC alleges that when customers complain to FleetCor and are successful in getting one fee removed, in many instances, the defendants simply have swapped it out for a different unexpected fee.

    You’ll want to read the lawsuit for more allegations about how the defendants’ billing practices have cost customers hundreds of millions of dollars – conduct that has led tens of thousands of people to complain to the company, government agencies, and the BBB. The FTC also cites in-house documents to illustrate the defendants’ failure to take action in response to what the defendants describe as “noise,” a derogatory term some highly-placed corporate officials have used to describe complaints and concerns voiced by FleetCor’s customers.

    The case is pending in federal court in Georgia.

  • Future of the COPPA Rule: What’s on the agenda
    by lfair on October 1, 2019 at 3:46 pm

    By Lesley Fair

    Technology changes at the speed of light, but the touchstone of the Children’s Online Privacy Protection Act Rule remains constant. When it comes to the collection of their kids’ personal information online, parents are in charge. But how does that principle apply in technologies not originally anticipated by the COPPA Rule? Whether it’s social media, the Internet of Things, or educational technology, do changes in media and the marketplace warrant updates to the Rule? The FTC staff asked that question and others a few months ago and the time has come to talk it over. On October 7, 2019, we’re hosting The Future of the COPPA Rule: An FTC Workshop and you’ll want to check out the just-posted agenda.

    FTC Commissioner Christine Wilson will open the event with comments at 9:00 AM Eastern Time. After a presentation by Dr. Jenny Radesky, Assistant Professor of Pediatrics at the University of Michigan Medical School, Panel #1 will examine the State of the World in Children’s Privacy. One panelist of particular note: Jo Pedder, Head of Regulatory Strategy for the United Kingdom’s Information Commissioner’s Office. Next on the agenda: remarks from FTC Commissioner Noah Phillips, followed by Panel #2, which will explore the Scope of the COPPA Rule.

    The afternoon session will begin with comments from Morgan Reed, President of ACT, The App Association. Then Panel #3 will discuss Definitions, Exceptions, and Misconceptions. Jonathan Mayer, Assistant Professor in Princeton University’s Department of Computer Science, will speak on Technology Trends Since the Revised COPPA Rule. Panel #4 will consider the Uses and Misuses of Persistent Identifiers. Closing remarks from Maneesha Mithal, Associate Director of the FTC’s Division of Privacy & Identity Protection, will put the day in perspective.

    The Future of the COPPA Rule is free and open to the public. You can attend in person at the FTC’s Constitution Center conference facility, 400 7th Street, S.W., in Washington, DC, or watch the webcast from a link on the event page that will go live moments before the 9:00 ET start on October 7th. Interested in filing a public comment on the subject? The record will remain open until October 23, 2019.

  • Report tax identity theft with IdentityTheft.gov
    by sgressin on April 3, 2018 at 2:58 pm

    By Seena Gressin

    If you’re a tax professional, business owner, or in a human resources department, the FTC and IRS can help you help clients, employees, or other people who discover they’re victims of tax-related identity theft.

    Tax-related identity theft happens when someone uses your stolen Social Security number (SSN) to file a tax return and claim your refund. You might find out about it when you try to e-file — only to find that someone else already has submitted a return — or when the IRS sends you a letter saying it has identified a suspicious tax return that used your SSN. That’s when you’ll need to file an IRS Identity Theft Affidavit (IRS Form 14039), so that the IRS can begin resolving your case.

    Until now, you had to complete an Affidavit from the IRS website, print it, then fax or mail it to the IRS. Now, the FTC and IRS have collaborated to let people report tax-related identity theft to the IRS online, using the FTC’s IdentityTheft.gov website. It’s the only place you can submit your IRS Form 14039 electronically.

    What are the benefits? IdentityTheft.gov will:

      • Walk you through the process of completing the Form 14039
      • Transfer your Form 14039 to the IRS securely
      • Guide you through placing fraud alerts on your credit files, checking your credit reports, and taking other steps to stop the tax identity theft from harming your accounts, and
      • Help you resolve any other problems the tax identity theft may have caused.

    Here’s how it works: IdentityTheft.gov will first ask you questions to collect the information the IRS needs, then use your information to populate the Form 14039 and let you review it. Once you’re satisfied, you can submit the Form 14039 to the IRS through IdentityTheft.gov and download a copy for yourself. About 30 days later, the IRS will send you a letter confirming it received the information.

    Remember, though — filing the Affidavit doesn’t eliminate the need to pay your taxes. If you couldn’t e-file your tax return, you’ll still need to mail it to the IRS and pay any taxes you owe.

    We hope you can share this information with any victims of tax-related identity theft you encounter and remind them to visit IdentityTheft.gov to report the problem and get fast and effective recovery help.

  • Lead generation: When the “product” is personal data
    by lfair on July 5, 2017 at 4:42 pm

    By Lesley Fair

    There’s been a lot of talk about “ping trees” and other activities associated with the lead generation industry. The FTC’s concern is that consumers don’t get ponged in the process. A proposed settlement gives a glimpse into how one lead generation company operated and offers insights for businesses about compliance considerations when the “product” in question is consumers’ personal data.

    Arizona-based Blue Global operated at least 38 internet domains with names like 247loan.com, clickloans.net, onehourloan.com, and netloanusa.com. The sites offered services to consumers looking for anything from small payday loans to installment loans of as much as $35,000. Consumers completed online loan applications that required scads of personal information – the usual stuff, of course, but also bank routing numbers, driver’s license numbers, dates of birth, and Social Security numbers.

    So Blue Global lent money to consumers? No, that’s not what was going on. The company told consumers to “sit back while we do the dirty work” of matching applications with their “network of more than 100 lending partners,” including one that would offer them “the best interest rates, lowest finance charges and longest repayment period.” The defendants also claimed “With four out of every five applications approved, you have an excellent chance of qualifying for a loan – regardless of your credit history!” What’s more, Blue Global promised that “your personal information is completely protected 24/7 GUARANTEED!” As the company said on one of its sites, “It’s our number one priority to make sure any information you pass along remains in good hands.”

    But according to the FTC, the defendants sold very few of the applications to actual lenders and didn’t match consumers and lenders based on loan rates or terms. In fact, the complaint charges that the company pretty much sold the leads – the data-laden loan applications – to the first buyer with a pulse willing to pay for them and without regard for how the buyer planned to use the treasure trove of confidential consumer information Blue Global was handing over.

    You’ll want to read the complaint for an explanation of how those transactions happened, but it boils down to this. Within seconds of a consumer clicking ENTER, Blue Global was already peddling their personal data to the first potential buyer using a sequenced sales process known as a ping tree. If the first buyer didn’t accept the lead, Blue Global offered it to the next (and next and next) until someone finally bit or every ping tree participant declined – after viewing the unmasked confidential information contained in the lead, of course. Blue Global had multiple ping trees running at once and received as much as $200 for each lead.

    What kind of screening did Blue Global undertake to make sure the people buying the leads were actually engaged in lending and used the information to offer loans? None, alleges the FTC. According to the complaint, Blue Global often sold loan applications to entities that didn’t even provide a business address. Not surprisingly, consumers complained that personal information in their applications was being misused by phantom debt collectors, but the FTC says the defendants ignored those warnings and others. What about that “number one priority” of ensuring data “remains in good hands”? It seems unlikely that the security of consumers’ confidential information broke into the defendants’ Top 40.

    The complaint challenges alleged misrepresentations involving lending as well as unfair practices related to the use of consumers’ loan applications. One notable feature of the proposed settlement: The defendants will have to investigate and verify the identity of businesses to which they disclose consumers’ sensitive information, and must get consumers’ express consent for those disclosures. The proposed settlement includes a judgment for more than $104 million, which will be suspended based on defendants’ financial condition.

    The main message for businesses is to exercise particular care if consumers’ confidential information is on the line. When the “product” you sell includes sensitive data, you’ve upped your compliance ante. Savvy companies take steps to vet prospective buyers and understand how that information is being used.

  • FTC settlement with Amazon yields $70 million for consumers, advice for business
    by lfair on May 30, 2017 at 4:07 pm

    By Lesley Fair

    The FTC’s law enforcement action against Amazon for unauthorized billing recently settled, leaving two key takeaways: 1) Consumers are eligible for more than $70 million in refunds; and 2) Businesses need to get customers’ express consent before placing charges on their credit or debit cards.

    Last year, a federal judge in Seattle ruled in the FTC’s favor in an action against Amazon for billing consumers for unauthorized in-app charges incurred by children. Kid-focused apps available in Amazon’s Appstore prompted children to acquire virtual currency – for example, a “boatload of doughnuts.” But to parents who got stuck with the bill, it was more like a boatload of dough – millions of dollars in surprise charges they didn’t approve. The Court agreed that Amazon’s practice of charging parents real live money for make-believe items in kids’ apps without parents’ consent violated the FTC Act. The FTC had already settled similar cases with Apple and Google.

    The next chapter in the story is to make sure that people who were harmed by Amazon’s illegal practices get their money back. Under the terms of the settlement, Amazon is making more than $70 million in refunds available to customers who were charged for unauthorized in-app purchases made by a child. Amazon may owe you a refund if:

      • You were billed for charges made by a child that you didn’t authorize, and
      • The charges were for in-app purchases made between November 2011 and May 2016.

    The refund process is simple. If you’re eligible, you should have received an email from Amazon. If you think Amazon owes you money, but you haven’t received an email, there are two ways to find out more:

      • Go to https://www.amazon.com/gp/mas/refund-orders/in-apprefund/ or
      • Log into your Amazon.com account and go to the Message Center. If you’re eligible, you’ll find more information under Important Messages.

    The refund request process is online only and consumers don’t have to send anything by mail to submit a refund request. The deadline for applying for a refund is May 28, 2018. Consumers can call Amazon at 866-216-1072 if they have questions.

    The Amazon case also offers compliance currency for companies. Most importantly, as the Judge observed, “Courts have repeatedly held that billing customers without permission causes injury for the purposes of asserting a claim under Section 5 of the FTC Act.” Prudent businesses are careful to explain the nature of the transaction up front and get customers’ express consent before placing charges on their accounts. Companies that use payment methods other than greenbacks on the barrelhead should pay particular attention to that principle. As the Court held, “Many of Amazon’s arguments improperly assume a familiarity with in-app purchases on the part of consumers.” It’s unwise for companies simply to assume that people grasp how new payment mechanisms work. A clearer explanation at the outset can reduce the risk of antagonizing customers and violating the law.

    Furthermore, the case stands for the established proposition that if the disclosure of information is necessary to prevent a practice from being deceptive or unfair, the disclosure must be clear and conspicuous. Amazon argued that a small hyperlink that simply said “In-App Purchasing” was sufficient to alert consumers that they would be billed for in-app charges. Not so, ruled the Court. If your company is looking for more guidance, consult .com Disclosures: How to Make Effective Disclosures in Digital Advertising.

  • Screening tenants? Check out the FTC’s new guidance
    by lschifferle on November 28, 2016 at 3:04 pm

    By Lisa Weintraub Schifferle

    Using background checks to screen tenants? Or maybe your company provides those background checks to landlords? Make sure you’re complying with the Fair Credit Reporting Act (FCRA). The FTC’s new guidance for landlords and for tenant background screening companies can help.

    What do landlords need to know?

    Landlords must take certain steps before getting a consumer report and after taking an adverse action based on the report. A consumer report can include a credit report, a rental history report or a criminal history report. Landlords can only get consumer reports if they have a “permissible purpose,” like tenant screening. Before you get a consumer report, you must certify to the company providing the report that you’ll use the report only for housing purposes.

    If you, as a landlord, take an adverse action against a tenant or rental applicant, then you must give notice – orally, in writing or electronically. An adverse action could include denying a lease, requiring a co-signor, or requiring higher rent than for another applicant. The FTC’s guidance has more examples of when an adverse action notice is required. When you send an adverse action notice, it must include the contact information for the company who supplied the report and an explanation of the right to dispute the report.

    What should tenant background screening companies keep in mind?

    Even if you don’t think of your company as a consumer reporting agency, it may be one if it provides information about people to landlords for use in housing decisions. Background screening reports provided by your company are covered by the FCRA if they’re used to help decide eligibility for housing and include information “bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.” If your tenant background screening company is covered by the FCRA, then you have four main requirements:

      • Follow reasonable procedures to ensure accuracy.
      • Get certifications from your clients.
      • Provide your clients with information about the FCRA.
      • Honor the rights of applicants and tenants.

    The new guidance includes details about each of these requirements, as well as a handy chart of key FCRA provisions. Whether you’re a landlord or a screening company, when you’re done using a consumer report, you must securely dispose of it. For more information, read Disposing of Consumer Report Information? Rule Tells How. Share these resources – and the FTC’s Credit Reporting and Human Resources portals – with others in your company.
