InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC bans MCA providers, returns $2.7 million to consumers
On June 6, the FTC obtained a stipulated court order permanently banning a company and owner from participating in the merchant cash advance and debt collection industries. As previously covered by InfoBytes, last June the FTC filed an amended complaint against two New York-based small-business financing companies and a related entity and individuals (including the settling defendants), claiming the defendants engaged in deceptive and unfair practices by, among other things, misrepresenting the terms of their merchant cash advances, using unfair collection practices, deceiving consumers about personal guarantees, forcing consumers and businesses to sign confessions of judgment, providing less funding than promised due to undisclosed fees, and making unauthorized withdrawals from consumers’ accounts. Under the terms of the stipulated order, the settling defendants are required to pay a more than $2.7 million monetary judgment to go towards refunds for harmed consumers and must vacate any judgments against former customers and release any liens against their customers’ property. The announcement notes that the settling defendants are also “prohibited from misleading consumers about any key facts about any good or service, including any fees, the total cost of the product, and other facts that reflect their deceptions in this case.”
Earlier in January, a stipulated order was entered against two other defendants (covered by InfoBytes here), which permanently banned them from participating in the merchant cash advance and debt collection industries and required the payment of a $675,000 monetary judgment.
FTC secures TRO against credit repair scheme
On May 31, the FTC announced that the U.S. District Court for the Eastern District of Maryland granted a temporary restraining order against a credit repair operation for allegedly engaging in deceptive practices that scammed consumers out of more than $213 million. According to the FTC’s complaint, the operation targeted consumers with low credit scores promising its products could remove all negative information from their credit reports and significantly increase credit scores. The operation allegedly violated the FTC Act, the Credit Repair Organizations Act, and the Telemarketing Sales Rule by, among other things, (i) making misrepresentations regarding its credit repair services; (ii) selling a product that purportedly sends rent payment information to credit bureaus even though “this information is not generally part of consumers’ credit score and many credit bureaus don’t accept this kind of information directly from consumers”; (iii) charging illegal advance fees; (iv) failing to provide consumers required information such as refund and cancellation policies; and (v) recruiting consumers to sell credit repair products to other consumers as part of a pyramid scheme even though few consumers ever received the promised earnings (and many consumers actually lost money as agents). Beyond the temporary restraining order, the FTC is seeking a permanent injunction, monetary relief, and other equitable relief.
FTC takes action against telemarketing operation
On May 25, the FTC announced an action resolving allegations against a subscription scam operation and its officers (collectively, “defendants”) that allegedly deceptively used telemarketing schemes on consumers. According to the complaint, which was filed in the U.S. District Court for the District of Nevada, the defendants allegedly violated the FTC Act and the Telemarketing Sales Rule (TSR) by calling consumers to claim that they were conducting a survey and offering “free” or low-cost magazine subscriptions. After the survey, the defendants allegedly sent consumers a bill falsely stating that they agreed to pay several hundred dollars for the magazine subscriptions. According to the FTC, there was a “no-cancellation policy,” and the defendants allegedly harassed consumers when they refused to pay the exorbitant bills, including by threatening to initiate collection actions or threatening to submit derogatory information about them to the major credit bureaus. The proposed order follows a 2010 permanent injunction that was entered against the same defendants, which prohibited them from committing future violations. The recent order requires the defendants to pay a suspended judgment of $14.4 million and requires them to give up all claims to money already paid to the FTC. Additionally, the defendants are required to monitor their compliance with the proposed order “and may face significant contempt remedies if they violate its terms.” The FTC noted that the original monetary relief was vacated after the Supreme Court’s decision in AMG Capital Management LLC v. FTC, which limited the FTC’s ability to obtain monetary relief in federal court (covered by InfoBytes here). The FTC pointed out that the “settlement of this matter for a suspended judgment of $14.47 million, after originally having been awarded $24 million at trial, demonstrates the challenges since the Supreme Court’s AMG decision.”
Social media company to pay $150 million to settle FTC, DOJ data security probe
On May 25, the DOJ filed a complaint on behalf of the FTC against a global social media company for allegedly misusing users’ phone numbers and email addresses uploaded for security purposes to target users with ads. (See also FTC press release here.) According to the complaint, the defendant deceived users about the extent to which it maintained and protected the security and privacy of users’ nonpublic contact information. Specifically, from May 2013 to September 2019, the defendant asked users to provide either a phone number or an email address to improve account security. The defendant, however, allegedly failed to inform the more than 140 million users who provided phone numbers or email addresses that their information would also be used for targeted advertising. The FTC claimed the defendant used the collected information to allow advertisers to target specific ads to specific users by matching the phone numbers or email addresses with data they already had or obtained from data brokers. DOJ’s complaint alleged that the defendant’s conduct violated the FTC Act and the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which require participating countries to adhere to certain privacy principles in order to legally transfer data from EU countries and Switzerland. This conduct also allegedly violated a 2011 FTC consent order with the defendant stemming from claims that the defendant deceived users and put their privacy at risk by failing to safeguard their personal information. According to DOJ’s complaint, the 2011 order “specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information.”
Under the terms of the proposed order, the defendant would be required to pay a $150 million civil penalty and implement robust compliance measures to improve its data privacy practices. According to the FTC and DOJ announcements, these measures would (i) “allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers”; (ii) require the defendant to “notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about [its] privacy and security controls”; (iii) require the defendant to implement and maintain a comprehensive privacy and information security program, including conducting “a privacy review with a written report prior to implementing any new product or service that collects users’ private information,” regularly testing its data privacy safeguards, and obtaining regular independent assessments of its data privacy program; (iv) limit employee access to users’ personal data; and (v) require the defendant to notify the FTC should it experience a data breach, and provide reports after any data privacy incident affecting 250 or more users. Additionally, the defendant would be banned from profiting from deceptively collected data.
FTC orders credit card payment ISO to comply with heightened monitoring practices
On May 24, the FTC finalized an order against an independent sales organization and its owners (collectively, “respondents”) to settle allegations that they violated the FTC Act and the Telemarketing Sales Rule by helping scammers launder millions of dollars of consumers’ credit card payments from 2012 to 2013 and ignored warning signs that the merchants were fake. According to the FTC’s administrative complaint, the respondents, among other things, created 43 different merchant accounts for fictitious companies and provided advice to the organizers of the scam on how to spread out the transactions among different accounts to evade detection (covered by InfoBytes here).
Under the terms of the final order, the respondents are required to make several substantial changes to their processes, and are prohibited from engaging in credit card laundering, as well as any other actions to evade fraud and risk monitoring programs. Additionally, the respondents are banned from providing payment processing services to any merchant that is, or is likely to be, engaged in deceptive or unfair conduct, and to any merchant that is flagged as high-risk by the credit card industry monitoring programs. Furthermore, the respondents are required to screen potential merchants who are engaged in certain activities that could harm consumers, and monitor and designate as necessary current merchants who may require additional screening. The FTC noted that it is unable to obtain a monetary judgment in this action due to the U.S. Supreme Court’s decision in AMG Capital Management v. FTC, which held that the FTC does not have statutory authority to obtain equitable monetary relief under Section 13(b) of the FTC Act (covered by InfoBytes here).
FTC addresses importance of effective incident response and breach disclosure
On May 20, the FTC’s Team CTO and the Division of Privacy and Identity Protection published a blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures. The blog noted that the FTC Act creates a de facto data breach notification requirement because failure to disclose can increase the likelihood that affected parties will suffer harm. The post outlines effective security breach detection and response programs, which can: (i) permit an organization time to take remedial actions to counter, prevent, or mitigate an attack; (ii) prevent and minimize consumer harm from breaches; (iii) provide valuable information to the prevention function of a security team; and (vi) remove an attacker and allow for post-breach remedial measures. According to the FTC, failure to maintain such practices could indicate a lack of competition in the marketplace. The post stated that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” Listing recent cyber-related FTC enforcement actions, the post explained that deceptive statements can limit consumers’ ability to mitigate foreseeable harms like identity theft, loss of sensitive data, or financial impacts. Looking at these cases together, the post further noted that “companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.”
FTC temporarily halts unlawful credit repair operation
On May 6, the FTC announced that the U.S. District Court for the Middle District of Florida granted a temporary restraining order against a credit repair operation for allegedly engaging in deceptive practices. According to the FTC’s complaint, the operation violated the FTC Act, the CROA, and the TSR by, among other things; (i) making misrepresentations regarding credit repair services; (ii) making misrepresentations regarding a money-making opportunity associated with a government benefit related to Covid-19; (iii) making untrue or misleading representations to consumers, which included increasing their credit score; (vi) charging for the performance of credit repair services that the defendants agreed to perform prior to such services being fully performed; (v) making untrue or misleading statements with respect to their sales pitch on credit worthiness, credit standing, or credit capacity to consumer reporting agencies, creditors, and potential creditors; and (vi) charging illegal advance fees. Beyond the temporary restraining order, the FTC is seeking a permanent injunction, the appointment of a receiver, immediate access to business premises, an asset freeze, and other equitable relief.
National retailers must pay $5.5 million to resolve deceptive product representation
On May 10, the DOJ announced that two national retailers agreed to pay a $2.5 million and a $3 million civil penalty (see here and here) to resolve allegations that they engaged in false labeling and marketing tactics by presenting rayon textile products as bamboo. As previously covered by InfoBytes, the DOJ on behalf of the FTC, filed complaints (see here and here) against the defendants, which alleged that since at least 2015, the companies made false or unsubstantiated representations in violation of the FTC Act by improperly labeling and marketing textile fiber products as “made of bamboo” in both product titles and descriptions. In addition to paying the civil money penalties, the defendants are prohibited from making deceptive claims, including false and/or unsubstantiated claims, relating to bamboo fiber products, and are prohibited from engaging in future violations of the FTC Act, Textile Act and Textile Rules.
FTC settles with VoIP service provider for TSR violations
On April 26, the FTC announced the filing of a proposed consent order with a Voice over Internet Protocol (VoIP) service provider, a related company, and the company’s owner (collectively, “defendants”) for allegedly “help[ing] scammers blast millions of illegal robocalls.” In the complaint the FTC claims that the defendants violated Section 5(a) of the FTC Act, the Telemarketing Act, and the TSR by continuing to provide VoIP services to customers despite “knowing or consciously avoiding knowing” the customers were: (i) using the services to place calls to numbers on the FTC’s Do Not Call (DNC) Registry; (ii) delivering prerecorded messages; and (iii) displaying spoofed caller ID services to callers involved in scams related to credit card interest rate reduction, tech support, and the Covid-19 pandemic.
According to the announcement, this is the third such action by the FTC against VoIP service providers during the past two years. Under the terms of the consent order, the defendants are (i) banned from assisting and facilitating abusive telemarketing practices, including the use of VoIP services; (ii) prohibited from further violations of the TSR or assisting others in doing so; (iii) banned from providing services or assigning telephone numbers without employing automated procedures to block calls from unassigned or invalid numbers; and (iv) required to ensure that they do not provide VoIP to suspected telemarketers. The proposed order also provides for a $3 million civil money penalty that is suspended due the company’s inability to pay.
FTC charges funeral company with deceptive marketing practices
On April 22, the DOJ filed a complaint on behalf of the FTC against certain defendants providing funeral goods and services to consumers throughout the U.S. for alleged violations of Section 5 of the FTC Act and the FTC’s Funeral Rule. (See also FTC press release here.) According to the complaint, the defendants, who arrange third-party cremation services, allegedly (i) misrepresented that they perform local funeral services, which were instead outsourced to unaffiliated third parties; (ii) charged consumers additional undisclosed costs; and (iii) illegally threatened to withhold remains or information about the remains from consumers who refused to pay previously undisclosed fees or the new, higher prices. The complaint seeks injunctive relief, monetary relief, and civil penalties.