FTC Business Blog

FTC’s AppFolio case: The Fair Credit Reporting Act does more than just abide lfair December 8, 2020 | 2:16PM FTC’s AppFolio case: The Fair Credit Reporting Act does more than just abide By Lesley Fair Cult classic The Big Lebowski proves that mistaken identity can be entertaining on film. But for people looking to rent a house or apartment, it wasn’t so entertaining when tenant background reports about them provided by California company AppFolio included someone else’s convictions and evictions. An FTC settlement that includes a $4.25 million civil penalty reminds businesses like AppFolio of the Fair Credit Reporting Act’s requirement that they follow reasonable procedures to ensure the accuracy of information in their reports. Consumer reporting agency AppFolio assembles and merges information obtained from other CRAs to create background screening reports, which it then sells to property managers. Given the harmful impact inaccuracies can have on consumers looking for a home, a job, or some other necessity, the Fair Credit Reporting Act requires that CRAs like AppFolio “shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.” In addition, the law requires CRAs to exclude certain obsolete information. But according to the FTC, before including criminal records, evictions, etc., in its background reports, AppFolio didn’t have procedures in place to adequately review the accuracy of the information it received from vendors. As a result, the complaint alleges that: AppFolio failed to follow reasonable procedures to assess whether the identifiers in criminal records and eviction records in its reports reasonably matched the applicant; AppFolio failed to follow reasonable procedures to assess whether there were internal inconsistencies in the identifiers or results indicating that the company was including information about multiple people in one report; AppFolio failed to follow reasonable procedures to assure that criminal records and eviction records in its reports accurately reflected the disposition, offense name, and offense type; and AppFolio failed to follow reasonable procedures to prevent the inclusion of multiple entries for the same criminal or eviction case in one report. The FTC says those lapses had serious practical consequences. For example, AppFolio’s tenant background reports sometimes included information about other people with different names or dates of birth or misrepresented criminal or eviction records. The complaint also alleges that in violation of the FCRA, AppFolio included evictions and non-conviction criminal records that were more than seven years old. In addition to the $4.25 million penalty, the proposed settlement requires AppFolio to maintain reasonable procedures to ensure the maximum possible accuracy of information in its reports. The order also prohibits the company from including non-conviction criminal or eviction records older than seven years. The case suggests two other compliance takeaways for CRAs. Caveat (re)venditor? Our Latin is atrocious, but the principle is sound. The FCRA’s requirement of “reasonable procedures to assure maximum possible accuracy” applies to companies that compile the information themselves and to resellers like AppFolio that put together reports based on data from vendors. It’s a risky – and illegal – practice simply to pass along what others have told you without an appropriate process for assessing the accuracy of the information. For more top-line tips, read What Tenant Background Screening Companies Need to Know About the Fair Credit Reporting Act. Respond and reassess. The FTC says AppFolio received complaints disputing the accuracy of information in its reports, but didn’t change its practices to address those failures. It might not seem like it at the time, but consumer complaints can be an effective tool for paving potholes in your procedures. How would your company respond in similar circumstances? In case you thought we wouldn’t close with a comparison between The Big Lebowski and the Fair Credit Reporting Act, think again. As Walter Sobchak said to a guy who crossed the lane’s foul line, “Smokey, this is bowling. There are rules.” To paraphrase Walter, “This is the FCRA. There are rules.” And the FTC expects companies to honor them.  

Stick with Security: Apply sound security practices when developing new products lfair September 8, 2017 | 9:37AM Stick with Security: Apply sound security practices when developing new products By Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection Your company has a killer concept for an innovative app or a connected product and you’re in that initial blue-sky-and-whiteboard stage. You’ll have lots of opportunities to develop your distribution chain, create eye-catching ads, and start the social media buzz. But there’s one task that can’t wait. Now is the time to start with security – and that includes applying sound security practices when developing new products. Tech experts will tell you it’s tough to graft security on after the fact. The sounder strategy – and the one more likely to win consumer confidence – is to build security in from the start. A look at FTC investigations, law enforcement actions, and the experiences that businesses have shared with us suggest the importance of starting with security in product development. Here are examples gleaned from those sources. Train your engineers in secure coding. The premium your company places on sound data security can’t be an “It goes without saying . . .” kind of thing. Say it clearly, sincerely, and frequently. Create a work environment where your staff is encouraged at every stage to factor security into product development. From concept to marketplace and beyond, articulate your expectation that employees keep security at the forefront of their decisionmaking. Ultimately, it’s the best strategy for your customers, your corporate reputation, and your profitability. Example: A company launching a new software product emphasizes to its software engineers the importance of coding quickly to ensure that the product reaches the market as soon as possible – and the engineers meet in-house coding deadlines. But only after the product is in consumers’ hands does the company discover that the engineers have repeatedly created code that is susceptible to common, well-known security vulnerabilities for which there are available solutions. To correct the problem, the company has to implement an expensive after-the-fact fix. The more efficient – and ultimately, more cost-effective – practice would have been for the company to emphasize to its software engineers the importance of secure coding throughout the development process and to provide them with the training necessary to meet that expectation. Follow platform guidelines for security. Starting with security doesn’t necessarily mean starting from scratch. Every major platform has guidelines for developers to help keep sensitive data secure. Wise companies take that advice into account in designing new products. Example: A company creates a mobile app for two different app platforms. Both platforms require data to be encrypted in transit and both have Application Programming Interfaces (APIs) that provide industry-standard encryption. By using the platforms’ APIs correctly, the company’s engineers can help keep data secure. Verify that security features work. Keeping an umbrella in your car is a prudent idea, but test it while the sun is shining. Don’t wait until a torrential downpour to find out that the ribs are bent or the handle is broken. In a similar vein, it’s wise to build security features into your products, but before you head to the marketplace, verify that they’re enabled and operating properly. Furthermore, if you make any claims to consumers about the nature of the security your product provides, those representations must be truthful and supported by proof you have in hand before you start selling. “But we don’t make any security-related claims.” Maybe so, but are you sure? Under the FTC Act, companies are responsible for all representations – express and implied – that consumers acting reasonably under the circumstances take from a company’s marketing materials. That includes statements or depictions conveyed on TV or radio, in print, on your website, in online ads, on packaging, through social media, in privacy policies, or in an app store. Businesses are free to put security features front and center in their marketing materials as long as they honor established truth-in-advertising standards. So before you tout the security benefits of your product, verify that they live up to your advertised promises. Example: A company that sells a household budgeting app runs an ad claiming that its product has “bank grade security.” But the company doesn’t have a written security program, doesn’t conduct risk assessments, doesn’t train its employees in secure information practices, and fails to implement other practices commonly associated with “bank grade security.” By making representations that are false or unsubstantiated, the company has likely violated established truth-in-advertising standards. Test for common vulnerabilities. Is there any way to make your product 100% hack-proof? Without reverting to the days of tin cans connected with string, the answer is no. But there are steps you can take to protect your customers from well-known vulnerabilities that are preventable with tried-and-true security tools. The good news is that many of those tools are free or available at low cost. Before you release your product, make sure it’s ready for prime time. Test it to ensure that you’ve built in defenses against known risks. Of course, new threats emerge periodically, which is why security should be a dynamic process at your business. The security protocols you put in place for last year’s product may not be sufficient for Version 2.0. How can you keep your ear to the ground about defending against the latest threats? There is robust public cross-talk among researchers, tech experts, industry members, government agencies, and others committed to sticking with security. Follow their discussions on trusted websites, heed their warnings about new risks, and revise your design decisions accordingly. Example: A 10K race application requires registrants to enter their name, address, date of birth, credit card number, and fastest 10K time. The data is stored in a SQL database that combines data from race events all over the country. The event organizers didn’t consult free resources to stay current on security risks, and never performed any code analysis or penetration tests to assess whether their application was vulnerable to a SQL injection attack. By staying current with free resources – for example, OWASP’s Top Ten Project – the event organizer could have reduced the risk of exposing racers’ personal information to unauthorized access. Example: An app company regularly consults public resources like US-CERT for updated information about cyberthreats. The company realizes that the product it’s developing includes a security flaw some hackers have started to exploit. By catching the problem early and implementing an appropriate fix, the company has protected its customers and its reputation. What can companies learn from these examples? Building security from the ground up is a cost-effective approach to innovation. Next in the series: Make sure your service providers implement reasonable security measures

$586 million Western Union settlement: Be careful about the company your company keeps lfair January 19, 2017 | 12:11AM $586 million Western Union settlement: Be careful about the company your company keeps By Lesley Fair “For many years, Western Union’s money transfer system has been used by fraudsters around the world to obtain money from their victims.” That’s how the FTC’s complaint against Western Union opens – and it tells a compelling story of a corporation the FTC says knew that massive fraud was afoot and had the ability to address it, but chose to look the other way. It didn’t end there because according to the lawsuit, even in the face of obvious evidence that many of its own agents were complicit, Western Union ignored it while pocketing massive cash. The global $586 million settlement, which also resolves separate Justice Department criminal investigations into the company’s failure to maintain an effective anti-money laundering program in violation of the Bank Secrecy Act, sounds a cautionary note for other businesses to consider the company they keep.  Many people use Western Union’s money transfer system to send money to family and friends, but Western Union also was a fan favorite of crooks and con artists around the world. According to the lawsuit, the company’s own in-house data documented that.  For example, between 2004 and 2015, Western Union received 146,909 complaints about bogus online purchases, totaling at least $187 million in losses. Fraudulent lotteries accounted for another 75,543 complaints, totaling $86 million in losses. And those “Wire money to get me out of jail!” scams that target unsuspecting family members generated 41,897 complaints and at least $73 million in losses. Of Western Union’s total network of 515,000 agents, the FTC says a small number account for the vast majority of consumer complaints. You’ll want to read the complaint for details, but here’s just one example. In 2012, Mexico had 17,710 Western Union agent locations, but 137 – less than 1% of them – accounted for more than 80% of the reported fraud. And those are stats based on Western Union’s own documents. Sky-high consumer complaint rates were just the start. Thirty-nine Western Union agents have been charged in the U.S. and Canada for crimes like mail fraud, wire fraud, or money laundering, with more than 100 arrested by law enforcement agencies in other countries. Some were prosecuted for being in cahoots with con artists. Others were charged with setting up their own scams. But even in the face of consumer complaints, criminal prosecutions, a 2005 settlement with AGs from 47 states and the District of Columbia, a 2009 FTC action against competitor MoneyGram, and warnings from the U.S. Secret Service and authorities in Canada, Japan, the U.K., Spain, and elsewhere, the FTC says it was business as usual for Western Union. In certain countries where Western Union was at a particularly high risk for use by criminals – Nigeria, for example – Western Union had rarely, if ever, terminated an agent for fraud as of October 2015. Among other things, the lawsuit alleges that despite what Western Union knew, it failed to take prompt action against agents with high levels of consumer fraud, didn’t conduct adequate background checks of prospective new agents or those up for contract renewal, didn’t adequately train and monitor its agents, and failed to adequately record consumer fraud complaints. In addition to violations of the Telemarketing Sales Rule, the FTC alleges that Western Union’s failure to take timely, appropriate, and effective action in the face of fraud-induced money transfers was an unfair trade practice. The settlement imposes the $586 million payment and requires Western Union to put a comprehensive A-to-Z anti-fraud program in place, complete with meaningful training and monitoring to protect consumers in the future. The order also prohibits the company from transmitting a money transfer it knows – or reasonably should know – is fraud-induced. In addition, Western Union will have block money transfers to anyone who is the subject of a fraud report, provide clear and conspicuous warnings to consumers, make it easier for consumers to report fraud, and refund a fraudulently-induced money transfer if the company failed to comply with its anti-fraud procedures. Two related reminders: The FTC amended the Telemarketing Sales Rule recently to ban telemarketers’ use of pet payment methods favored by fraudsters, including cash-to-cash transfers like the kind offered by Western Union.  The scope of the FTC Act is broad. Monitor what others are doing on your behalf and take consumer complaints seriously. Don’t dither when you have reason to smell a rat.   ____________________ NOTE FROM THE FTC ADDED ON JANUARY 8, 2018.  If you are a consumer with questions about the refund process in the Western Union case, please visit the FTC’s Western Union refund page for more information. Also, we have a new post on our Consumer Blog that addresses issues that may be on your mind.    

FTC case against DeVry yields $100 million settlement lfair December 15, 2016 | 11:59AM FTC case against DeVry yields $100 million settlement By Lesley Fair Claims about employment prospects and income levels are like any other objective advertising representation – and Job #1 for advertisers is to support those promises with solid evidence. DeVry University and its parent company have entered into a $100 million settlement to resolve the FTC’s allegations that the defendants’ claims didn’t make the grade. According to the FTC, DeVry violated the law by deceptively claiming that 90% of its grads actively seeking employment landed jobs in their field within six months of graduation. The complaint also challenged as misleading DeVry’s representation that one year after graduation, its bachelor’s degree grads had, on average, incomes that were 15% higher than the incomes of bachelor’s degree grads from all other colleges and universities. How will the $100 million settlement be distributed? DeVry will pay $49.4 million in cash to qualifying students who were harmed by the deceptive ads. The proposed order includes an additional $50.6 million in debt forgiveness. That figure represents the full balance owed on all unpaid private student loans issued to DeVry undergrads between September 2008 and September 2015 – $30.35 million – plus $20.25 million in student debt for things like tuition, books, and lab fees. But that’s not all the defendants will be doing for students the FTC alleges were deceived. The order also requires DeVry to: directly notify consumers who will be receiving debt forgiveness; inform credit bureaus and collection agencies of the debt forgiveness; release transcripts and diplomas that DeVry withheld from students because of outstanding debt and cooperate with future requests for diplomas, transcripts, and related enrollment or graduation information; and set up a dedicated telephone hotline where consumers can call with questions about debt forgiveness, their credit reports, or collections concerns. The settlement also includes provisions that will change how DeVry does business from here on in. Among other things, the order prohibits DeVry from misrepresenting the likelihood that graduates will get a job as a result of their degree. In addition, if the defendants want to make future claims about its graduates’ success in finding jobs near graduation, they can’t include jobs that students landed more than six months before graduating. The settlement also prohibits DeVry from misrepresenting the compensation students or grads have earned or can expect to earn. What lessons can others can learn from the FTC’s action against DeVry University? 1.   For many consumers, education is the second-largest purchase they’ll ever make. Companies in that sector and within the FTC’s jurisdiction are held to the same truth-in-advertising standards as any other business. 2.   Say “substantiation” and some advertisers erroneously assume the term refers just to things like health claims. Wrong.  If your company makes any objective representation expressly or by implication – including statements about employment or earnings prospects – you need solid proof to back up those promises. Visit ftc.gov/devry for more information about the DeVry settlement and share consumer tips from the FTC about evaluating educational opportunities.  

Ashley Madison settles with FTC over data security lschifferle December 14, 2016 | 12:05PM Ashley Madison settles with FTC over data security By Lisa Weintraub Schifferle If you care about data security and privacy, you’ll want to read about the FTC’s settlement with ruby Corporation, ruby Life Inc., and ADL Media Inc. –  the companies that operate AshleyMadison.com. AshleyMadison.com advertised a dating website that’s “100% secure and anonymous.” It bolstered those claims by including an icon of a “Trusted Security Award” and an image indicating that the website was a “100% discreet service.” The website lured you in with promises of “thousands of women” in your city (and mind you, about 16 million of the 19 million U.S. profiles were of men). Then, it used “engager profiles” – fake profiles created by staff who communicated as if they were actual female users. The company created these profiles by using information from existing members who had not had any account activity for a while. Many times, non-paying users upgraded to full memberships so they could send messages to what they believed were real users but were, in fact, fake profiles. For users who were concerned about others finding out about their activities on the website, the website promised that you could “remove your digital trail.” For $19, you could buy a “Full Delete” that promised to remove all of your information from AshleyMadison.com. We’re talking information like: name; relationship status; sexual preferences and desired encounters; desired activities; photographs; and financial information. Sounds like information people wouldn’t want to get out in the public, right?     In July 2015, a group called “The Impact Team” hacked into Ashley Madison’s computer system. The group threatened to release all of the website’s user information unless Ashley Madison shut down. When the company balked, the group published personal information about 36 million users. That’s a lot of very personal information of a lot of people. It even included information from people who had paid for a “Full Delete.” It turned out that Ashley Madison kept personal information for up to 12 months after a “Full Delete,” and sometimes failed to remove the profiles altogether. How did this happen? The FTC’s complaint alleges that AshleyMadison.com engaged in several practices that failed to provide reasonable data security, including: Failure to have a written information security policy Failure to implement reasonable access controls Failure to adequately train personnel about data security Failure to monitor third-party service providers These basic principles are all outlined in the FTC’s Start with Security guide. The FTC’s five-count complaint alleges both deception and unfairness. The deception counts involve: misrepresentations that the company took reasonable steps to ensure that AshleyMadison.com was secure; misrepresentations that the engager profiles were from actual women; misrepresentations about deleting profiles; and misrepresentations about the data security seal (you guessed it – the company without a written data security policy did not in fact receive a “Trusted Security Award”). Finally, the complaint alleges that the company’s unfair security practices injured or are likely to injure consumers. The FTC’s settlement with ruby Corporation and its subsidiaries prohibits the companies from making those types of misrepresentations. It also requires them to maintain a comprehensive information security program and get biennial assessments. And the FTC isn’t in this alone. The FTC’s settlement is in conjunction with thirteen states and the District of Columbia. The FTC also had help from its international counterparts in Canada and Australia. Based on a joint investigation, the Office of the Privacy Commissioner of Canada entered into a compliance agreement and the Office of the Australian Information Commissioner entered into an enforceable undertaking with Toronto-based ruby Corporation. Those agreements focus on remedial measures to improve the company’s data security and data retention policies.  So, what’s the lesson learned from the Ashley Madison case? Businesses must keep their promises. And if you collect sensitive personal information, you must protect it.  For further guidance about how to do that, check out Protecting Personal Information: A Guide for Business and Start with Security: A Guide for Business. And for more compliance resources, visit the Business Center’s Privacy and Security portal.  

2015’s top-pick topics: A 10-tative list lfair December 31, 2015 | 10:26AM 2015’s top-pick topics: A 10-tative list By Lesley Fair 2015 saw the end of The Late Show with David Letterman, but his Top 10 List legacy lives on. From the home office in Washington, D.C., here is our informal take on ten topics we covered this year in the BCP Business Blog. Advertising substantiation.  People will be citing the D.C. Circuit’s POM Wonderful opinion for years to come, so we extracted a dozen quotable quotes. Other relevant posts: Spilling the beans: The anatomy of a diet craze discussed what some folks call “The Oz Effect” and analyzed how green coffee bean extract became a weight loss thing (an unsubstantiated thing, according to the FTC). Five principles to help keep your health claims healthy offered lessons from recent cases. Other health-related highlights: the Tommie Copper settlement and the workshop on advertising for homeopathic products. Auto ads.  It’s been an eventful year in the FTC’s drive to ensure accuracy in auto advertising. For instance, in Operation Ruse Control, the FTC and 32 law enforcement partners brought more than 200 actions alleging illegal claims or conduct in auto sales. Cognition claims.  Whether the target market is brainy babies, successful students, or sharp-as-a-tack seniors, advertisers are promoting products that promise to improve what’s between the ears. The FTC took on a number of purported cognition claims, including a videogame pitched to improve kids’ school performance and a dietary supplement advertised to reverse age-related mental decline. Data security and privacy.  The Third Circuit’s decision in FTC v. Wyndham and the subsequent settlement are worth a reread. The proposed settlement with Oracle involving Java SE updates and two COPPA cases addressing the use of persistent identifiers are notable, too. But the action hasn’t just been on the law enforcement front. To help businesses build sound security into their day-to-day operations, the FTC debuted its Start with Security initiative, featuring a new publication, videos, and conferences. Next on the itinerary is Start with Security: Seattle on February 9, 2016. Debt collection.  This year saw unprecedented activity against questionable debt collection tactics. For example, Operation Collection Protection involved 115 actions by the FTC and state, federal, and international partners. In addition, the list of banned debt collectors now numbers 93. The $63 million FTC-CFPB settlement with Green Tree alleged a host of violations related to loan servicing and debt collection. We’ve also worked to keep the lines of communication open with industry members and other stakeholders by hosting Debt Collection Dialogues in Buffalo, Dallas, and Atlanta. Enforcement.  The FTC’s $100 million settlement with Lifelock for alleged violations of an existing order proves that it’s about the follow-through. Settlements with Bed Bath & Beyond, Nordstrom, J.C. Penney Company, and Backcountry.com for “bamboo” claims send the related message that companies should heed warnings about possible law violations. Fair Credit Reporting Act.  As the adage goes, life begins at 40. Look no further than the Fair Credit Reporting Act. 2015 saw a $2.9 million settlement with Sprint for alleged violations of the Risk-Based Pricing Rule. For employers interested in how the FCRA applies to the personnel process, this post put a disco spin on compliance. Native advertising and endorsements.  The FTC’s Enforcement Policy Statement on Deceptively Formatted Advertisements and the accompanying guide for business explore how established truth-in-advertising and disclosure principles apply to native ads. On the related topic of testimonials, the proposed settlement with Machinima, a blog post debunking seven myths about endorsements, and The FTC’s Endorsement Guides: What People Are Asking offer advice on keeping your practices compliant. Technology.  Tech touches pretty much everything the FTC does these days, but here are some noteworthy developments: the $40 million settlement with TracFone for purported promises of “unlimited” data, lawsuits challenging deceptive claims for apps, the Internet of Things report and business brochure, workshops on lead generation and cross-device tracking, and the establishment of OTECH, BCP’s Office of Technology Research and Investigation. Telemarketing. Lifestyles of the pitchin’ shameless describes lawsuits by the FTC, all 50 states, and D.C. challenging illegal telemarketing practices and other alleged violations by the Cancer Fund of America and related parties. A partial summary judgment in the pending FTC-state AG action against Dish Network cited 57,606,609 calls made in violation of the Telemarketing Sales Rule. In the ongoing battle against illegal robocalls, the FTC joined forces with 10 state AGs to challenge a campaign by Caribbean Cruise Line and others that involved robocalls by the billion. We also sponsored a new challenge, Humanity Strikes Back, to encourage tech solutions to pesky pre-recordings. And following a public comment period, the FTC announced updates to the TSR. What should consumers know about the year in review? This post from our Consumer Blog recaps law enforcement actions and warns about emerging scams. In addition, our Every Community initiative continues to bring the FTC to neighborhoods across the country.  

What’s on boomers’ minds? lfair July 8, 2015 | 10:36AM What’s on boomers’ minds? By Lesley Fair Baby boomers are running scared and marketers are in hot pursuit. What strikes such fear? The specter of memory loss and cognitive impairment severe enough to turn you into “a prisoner” in your own home who is “unable to recall who you are, where you live, or to whom you are related.” According to an FTC lawsuit, Brain Research Labs, KeyView Labs, MedHealth Direct, and others deceptively touted the dietary supplement Procera AVH as a solution to that problem. Ads for Procera asked consumers to imagine what their lives would be like if: “You are no longer allowed to handle your financial matters.” “You are no longer trusted to purchase anything . . . for you or anyone else.” “You are moving to a nursing home to live with strangers.” “You must sell your car, or give it to a family member.” “Your lifelong possessions are to be sold or given away.” According to the FTC, the defendants claimed Procera could prevent and reverse age-related mental decline and memory loss, and improve concentration, focus, mental clarity, and mood. Consumers paid between $40 and $80 for a 3-4 week supply. The defendants sold some buyers on the supposed benefits of an automatic shipment program, charging their credit cards for regular supplies. The pitch didn’t end there. On their site and in other promotions, the defendants brought out the heavy artillery: assurances that “a landmark clinical study” proved that their “breakthrough nutritional formula” would “help reverse up to 15 years of mental decline, effectively restoring a 50-year-old’s brainpower to that of a 35-year-old.” A print ad, for example, touted “randomized, double-blind, placebo-controlled research” where “clinicians witnessed a startling transformation in study participants’ brains.” Many of those claims were conveyed through Josh Reynolds, the stated “creator” of Procera and “Science Director” of defendant Brain Research Labs. But the FTC says the defendants didn’t have proof to back up their claims that the product would significantly improve memory, concentration, focus, clarity, and mood or stop or reverse age-related mental decline and memory loss – especially cognitive impairment severe enough to interfere with independent living. The complaint also challenges those “clinically proven” claims as false and alleges that Josh Reynolds didn’t appropriately exercise his purported expertise in endorsing the product. The proposed settlement includes broad injunctive provisions to protect consumers in the future. In addition, the defendants will pay $1.4 million with $400,000 of that reserved to satisfy a judgment in a case brought by local California law enforcement officials. The order also imposes a $61 million judgment against defendant KeyView Labs and a $91 million judgment imposed jointly against the remaining defendants. Under the terms of the settlement, KeyView will shut down the Procera automatic shipment program. What can other companies take from this case? Advertisers shouldn’t need a heads-up that misleading cognition claims are an important enforcement priority. Recent FTC actions have challenged deceptive representations about teaching toddlers to read, boosting students’ grades and SAT scores, and improving memory in older adults, to name just a few. Many consumers are concerned about cognition at every stage of life, but companies shouldn’t rush into the market unless they have – at minimum – competent and reliable scientific evidence to support their claims. There may not be an I in T-E-A-M, but there are three of ‘em in L-I-A-B-I-L-I-T-Y. The promotion of Procera involved multiple parties. You’ll want to check the pleadings for the specifics, but the complaint names the businesses that have sold Procera; MedHealth Direct, a company involved in creating the ads; John Arnold, MedHealth Direct’s President; Josh Reynolds, the expert endorser and manager of the company that commissioned and reviewed the study; and a company that owned that company. When faced with compliance choices, prudent businesses are mindful of the breadth of liability under the FTC Act.  

Screen regs and spam? wfg-adm109 March 7, 2013 | 11:31AM Screen regs and spam? By Lesley Fair Do you like them on the screen Of your mobile phone machine? I do not like text message spam. I do not like them, Sam I am. Fighting back against text message spam isn’t child’s play, and consumers have sent the strong message they’re not fans of unsolicited texts — especially ones conveying deceptive claims.  A series of law enforcement actions just filed by the FTC drives that point home and represents the latest move against misleading practices in mobile advertising and affiliate marketing. According to the FTC, the defendants sent (or had someone send) bazillions of texts to consumers’ cell phones that deceptively offered “free” merchandise or prizes.  One count in the complaint charges that sending unauthorized or unsolicited commercial texts is an unfair practice, in violation of Section 5 of the FTC Act.  Why unfair?  Many consumers who received the texts have wireless plans that require them to pay for each text they get.  Others have plans that allow a fixed number of texts per month, but charge customers if they go over that amount.  That means that many consumers actually had to pay for the defendants’ messages.  Applying the legal definition of an “unfair practice” under the FTC Act, it’s likely the defendants caused substantial injury that consumers couldn’t reasonably avoid and that wasn’t outweighed by benefits to consumers or competition. But the FTC says the violations don’t stop there.  Many of the more than 180 million texts claimed the person had won a contest or had been specially selected for a prize — for example, “You have won a free $1000 Walmart Gift Card” or similar merchandise from Target, Best Buy, or other major retailers. The next step:  The texts directed people to click on a link and enter a code to claim the “prize.”  After more complicated steps, consumers were sent to other sites operated by third parties.  Those sites reinforced the “prize” message, but required people to participate in numerous other offers — often more than 10 — to qualify for the promised free item.  According to the FTC, in most cases, it wasn’t possible for people to get the “free” merchandise without shelling out cash.  Some of the offers involved complicated negative options or required people to turn over their credit card numbers.  Even if people made it through the exhausting travail, they were finally told that to get the promised gift card, they had to line up three more people to complete the process.  None of that was clearly disclosed in the text messages. Furthermore, at various points in the process, consumers had to input a substantial amount of personal information.  Although the defendants often collected it under the guise of needing to know where to ship the “prize,” the FTC says the info was sold for marketing purposes — something else that wasn’t clearly disclosed to people. The lawsuits name 19 individuals and companies that sent the unwanted texts, as well as 10 operators of the deceptive sites.  According to the FTC, it was an affiliate marketing operation.  The defendants who sent the texts were paid by the operators of the sites based on how many people eventually entered their information.  Then in turn, the operators of the sites were paid by the businesses that gained customers or subscribers through the “offer” process. One defendant worth special mention:  Phillip Flora, who was barred for life in an earlier case from sending spam texts.  The FTC says he’s part of this operation, so the agency is pursuing a contempt action against him. The cases are pending in federal courts in California, Georgia, Illinois, and Texas.  

Track afield: What the FTC’s Google case means for your company wfg-adm109 August 13, 2012 | 12:04PM Track afield: What the FTC’s Google case means for your company By Lesley Fair After two weeks of talk about track, the trending topic is tracking, including the FTC’s $22.5 million settlement with Google for violating an earlier order.  Google told users of the Safari browser it wouldn’t place tracking cookies or serve them targeted ads, but the FTC charged that the company’s tracking practices went far afield of its claims.  Of course, the terms of that settlement apply just to Google, but there’s a lot savvy executives can take from the case and other recent FTC actions that touch on tracking. It’s a decathlon, not a dash.  By now, most companies have (we hope) gotten the message that what they say in their privacy policies has to line up with their day-to-day operations.  But chances are you’re conveying claims not just in your privacy policy, but also where you talk about choice mechanisms, opt-outs, and other ways users can customize their experience.  The FTC’s complaint against Google cites — among other things — alleged misrepresentations on the company’s Advertising Cookie Opt-Out Plug-in page.  The message for businesses?  Like decathletes, prudent companies excel across the board.  They know where they make privacy promises, maintain an inventory of the cookies they use, and don’t launch new ones without thinking through the implications. Members only.  No, not the sporty jackets from the 80s.  We’re talking here about what’s conveyed when companies highlight their affiliation with self-regulatory programs.  To join the Network Advertising Initiative (NAI), a voluntary self-regulatory group for the online ad industry, companies agree to disclose their data collection and use practices.  Although Google touted its NAI membership, the FTC says the company didn’t truthfully disclose what it was doing with Safari users’ data.  Therefore, the FTC charged that Google misrepresented the extent to which it honored NAI’s Code.  Membership in self-regulatory programs is your call, but once you advertise your adherence to an industry code, live up to its terms. Ill-advised disguise.  Marathoners dream of entering the stadium first and running that last stretch in front of a cheering crowd.  But remember American Frank Shorter in the ‘72 Olympics?  He led the pack into the arena, but didn’t know someone had donned a uniform, hidden under the bleachers, and taken a victory lap before officials figured out the ruse.  Of course, the circumstances are different, but our point relates to the FTC’s allegation that Google used code to disguise its cookie to work around Safari’s opt-out default setting.  The take-away for careful companies is that sidestepping users’ preferences can lead to costly legal missteps. Relay race.  Many recent FTC privacy cases suggest a disconnect between what companies say they’re doing and what’s actually happening behind the scenes.  How do businesses overcome that hurdle?  Coaches love to quote the Lombardi-esque chestnut, “There is no I in T-E-A-M.”  But if you’re talking about your company’s data management team, there should be an I-T.  Your information technology staff needs to run a strong lead-off with smooth baton passes to your marketing execs and legal advisors.  But victory depends on a solid anchor leg from top management committed to crossing the finish line in front. (We’ll stop with the sports metaphors for now.)  

The Reebok settlement: What the FTC order means for advertisers and retailers wfg-adm109 September 29, 2011 | 1:11PM The Reebok settlement: What the FTC order means for advertisers and retailers By Lesley Fair The FTC’s settlement with Reebok requires the company to get their ad claims in shape and works out a $25 million refund program for people who bought EasyTone and RunTone shoes and apparel. Of course, the terms of the lawsuit apply only to Reebok, but experienced advertisers understand the benefits of mining FTC orders for compliance nuggets applicable to their business. What if you sell Reebok shoes or apparel or represent companies that do? You’ll definitely want to read the order for provisions relating to retailers. So what’s in the Reebok settlement? Strong injunctive provisions for a starter. Under Part I of the order, the company will need competent and reliable scientific evidence to support future claims that a product will strengthen muscles or result in a quantified percentage or amount of toning or strengthening. The order defines “competent and reliable scientific evidence” in this context to mean “at least one Adequate and Well-Controlled Human Clinical Study of the Covered Product that conforms to acceptable designs and protocols, the results of which, when considered in light of the entire body of relevant and reliable scientific evidence, is sufficient to substantiate that the representation is true.” Another interesting aspect: The order makes it clear that it covers claims made directly or by implication, “including through the use of a product name, endorsement, depiction, or illustration.” What about other health or fitness-related claims for covered products? The order requires Reebok to have competent and reliable evidence to back up those claims, too. For those — covered by Part II of the order and including representations about “muscle tone and/or muscle activation” — that means “tests, analyses, research, or studies that have been conducted and evaluated in an objective manner by qualified persons and are generally accepted in the profession to yield accurate and reliable results.” Part III makes it illegal for Reebok to misrepresent “the existence, contents, validity, results, conclusions, or interpretations of any test, study, or research.” What about the refund program? Reebok will be paying $25 million, which will go toward consumer refunds. The order adds that “consumer redress that otherwise would be conducted” by the FTC “may be instead conducted through prompt, court-approved resolution of one or more private class action lawsuits” against Reebok. The order makes it clear that key parts of any class action resolution submitted for court approval — for example, the class action notice, claim form, settlement claim procedures, and privacy and security practice — have to be OKed by the FTC. In addition to reporting and compliance requirements common in FTC law enforcement actions, the order requires Reebok to send a letter to retailers that sell the products in question. The letter — which is attached to the order — directs retailers to: 1)  remove promotional materials on display that include claims about improving or increasing muscle tone, muscle strength, muscle activation, or posture; 2)  cover over those claims on product boxes with stickers Reebok will provide; 3)  remove package inserts with those claims; and 4)  remove hangtags on shoes and remove or sticker over hangtags on apparel if they make those claims. If you have clients that sell Reebok products, they’ll get the letter soon.