InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC finalizes decision banning respondents from surveillance business
On December 21, the FTC announced a decision banning a data monitoring application and its CEO (collectively, “respondents”) from the surveillance industry. As previously covered by InfoBytes, the respondents allegedly violated Section 5 of the FTC Act by failing to provide reasonable data security for consumers’ personal information. According to the FTC, the respondents allegedly “secretly harvest[ed] and shar[ed] data on people’s live location, web use, and online activities through their product’s hidden device hack,” and sold real-time access to their surveillance system, which allowed stalkers and domestic abusers to “stealthily track” unknowing victims. Under the terms of the final decision, the respondents are: (i) ordered to “immediately disable all access to any information collected by or through a monitored Mobile Device” and immediately stop collecting any data through any app installed before the date of entry of the order; (ii) required to delete any information illegally collected from their apps; (iii) required to notify owners who installed respondents’ apps on their devices that their devices might have been monitored and may not be secure; and (iv) banned from offering, promoting, selling, or advertising any surveillance app, service, or business. The respondents are also required to implement a comprehensive information security program and obtain initial and biennial third-party security assessments.
DOJ, FTC ban firm and CEO from negative option marketing
On December 16, the DOJ and the FTC announced that a brokerage firm and its CEO (collectively, “defendants”) must pay $21 million in consumer redress and are permanently banned from engaging in deceptive negative option marketing for allegedly violating, among other things, the FCRA, TSR, and the Restore Online Shoppers’ Confidence Act (ROSCA). According to the FTC’s complaint filed by the DOJ, the defendants claimed that the company’s background reports on certain individuals had particular criminal records, even when they did not include such information, to mislead consumers into signing up for auto-renewing, premium subscriptions. The FTC claimed consumers who allegedly searched the firm’s website for an individual’s background report were shown search results that often falsely implied that the subject of the search may have records of criminal or sexual offenses, which could only be viewed by purchasing a subscription from the firm. The complaint alleged that the firm’s misleading statements resulted in some consumers believing that they, or other individuals, had arrest or criminal records. The complaint further alleged that the firm operated as a consumer reporting agency and violated the FCRA by, among other things, failing to maintain verifiable, reasonable procedures on how its reports would be utilized to ensure the information was accurate and to ensure that the information it sold would be used for legal purposes. Additionally, the defendants allegedly violated the TSR by misrepresenting its refund and cancellation policies. The complaint also alleged that the defendants’ misleading billing practices violated ROSCA by, among other things, failing to clearly disclose upfront charges.
Under the terms of the settlement, the defendants agreed to separate judgments, which total approximately $33.9 million. The settlement also banned the defendants from engaging in deceptive negative option marketing. The CEO is ordered to pay a total of $5 million, and the firm is ordered to pay a partially suspended judgment of $16 million due to the company’s inability to pay the full amount. Together, the money will be used to provide refunds to consumers. The firm is required to pay the full remaining amount of the judgment if the company is found to have misrepresented its finances and must implement a monitoring program to ensure the company is complying with the FCRA.
FTC proposes rule to combat impersonation fraud
On December 16, the FTC issued an advanced notice of proposed rulemaking (ANPR) seeking comments on a wide-range of questions related to government and business impersonation fraud. According to the FTC, reported losses due to impersonation fraud have spiked during the Covid-19 pandemic, with data from the Social Security Administration reporting $2 billion in total losses between October 2020 and September 2021. These impersonation scams include persons posing as government officials or employees or persons claiming they represent well-known businesses or charities, and may use “misleading domain names, URLs, and ‘spoofed’ contact information’” to create the illusion of legitimacy. The FTC added that scammers are looking for information that can be used to commit identity theft or seek monetary payment and often request that funds be paid through wire transfer, gift cards, or cryptocurrency. Government impersonators also often threaten consumers with severe consequences, while business impersonators regularly use ploys claiming they have identified suspicious activity on a consumer’s account or computer.
The ANPR - the FTC’s first action under its streamlined rulemaking procedures announced earlier this year (covered by InfoBytes here) - seeks feedback, data, and arguments from the public concerning the need for rulemaking to prevent this type of fraud.” Comments on the ANPR are due within 60 days of publication in the Federal Register.
FTC settles with advertising platform for COPPA violations
On December 15, the FTC announced a settlement with a California-based online advertising platform for allegedly engaging in deceptive acts of practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). (See also DOJ press release here.) According to the FTC, the defendant operates a programmatic advertising exchange that monetizes websites and mobile apps through the sale of ad space. The defendant also contracts with advertising technology companies that aggregate and sell advertising inventory for publishers and then send the defendant ad requests. The DOJ, on behalf of the FTC, filed a complaint claiming the defendant, among other things, violated COPPA by collecting personal information about children under the age of 13 without notifying their parents and obtaining their consent. Additionally, the FTC claimed that while the defendant’s privacy policy provided users the option to opt-out of the collection of their location data, the defendant still allegedly collected geolocation information from users who specifically asked not to be tracked. The FTC stated that the defendant reviewed hundreds of apps that were directed to children under 13, but did not flag the apps or their data as “child-directed” and permitted the apps to participate in the ad exchange. In addition, the FTC claimed that the defendant allegedly disclosed this personal data to third parties for ads targeted at users of these child-directed apps.
Under the stipulated final order, the defendant must, among other terms, (i) implement a comprehensive privacy program to ensure compliance with COPPA and stop collecting and retaining personal information from children under 13 without verifiable parental consent; (ii) stop misrepresenting a user’s ability to opt-out of the collection of personal information and location information (collectively, “covered information”) and confirm that a user has provided affirmative consent for the collection of location information; (iii) implement safeguards to protect covered information and conduct annual reviews to assess for internal and external risks to the privacy of covered information that could lead to unauthorized access; (iv) engage a third party to conduct biennial privacy assessments; (v) delete all ad request data collected to serve targeted ads prior to the issuance of the order; and (vi) periodically re-review apps to identify those that are directed towards children and ban these apps from its ad exchange. The order also provides for a $7.5 million penalty that will be suspended upon payment of $2 million due to the defendant’s inability to pay the full amount.
FTC settles with debt collectors
On December 13, the FTC announced a settlement with several South Carolina-based debt collection companies and an individual (collectively, "defendants") for allegedly engaging in fraudulent debt collection practices. The FTC filed a complaint against the defendants alleging that they violated the FTC Act and the FDCPA by, among other things: (i) using robocalls to leave deceptive messages; (ii) falsely representing that an individual is an attorney or is in communication with an attorney; (iii) “falsely claiming or implying that nonpayment of a debt will result in the arrest or imprisonment of a person”; (iv) threatening to take unlawful legal action; and (v) making false representations or using deceptive means to collect or attempt to collect a debt. The action was taken as part of the FTC’s “Operation Corrupt Collector”—a nationwide enforcement and outreach effort established by the FTC, CFPB, and more than 50 federal and state law enforcement partners to target illegal debt collection practices (covered by InfoBytes here). The effort previously resulted in settlements with two other debt collectors, which included permanent bars from the industry.
Under the terms of the settlement, in addition to being permanently banned from participating in debt collection and debt brokering activities, the defendants will also be prohibited from making misrepresentations to consumers, including (i) whether consumers are legally obligated to pay defendants; (ii) whether defendants are attorneys or affiliated with a law firm; (iii) the terms of any refund policy; and (iv) any material facts concerning products or services. The order also requires the defendants to surrender the contents of numerous bank and investment accounts, including property and the value of certain assets. An approximately $12 million monetary judgment will be partially suspended upon completion of asset transfers from all financial institutions holding accounts in the defendants’ names.
FTC releases 2021 National Do Not Call Registry Data Book
On November 23, the FTC released the National Do Not Call Registry Data Book for Fiscal Year 2021. The Data Book provides the most recent fiscal year information available on telemarketing sales calls and robocall complaints, including the types of calls reported to the FTC and a state-by-state analysis. In FY 2021, the Commission received 3.4 million robocall complaints—an increase from the 2.8 million robocall complaints received in FY 2020 but consistent with the higher number of complaints received in prior years. Imposters posing as government representatives or legitimate business entities topped the complaint list, followed by warranties and protection plans and supposed debt-reduction offers. Other common complaints included calls related to medical and prescription issues as well as computers and technical support. The Data Book contains aggregate data about phone numbers on the Do Not Call Registry, telemarketers and sellers that access the registry, as well as DNC complaints by topic and type.
Chamber of Commerce requests access to FTC privacy-related communications
On November 19, the U.S. Chamber of Commerce sent FOIA requests to the FTC seeking, among other things, communications on consumer data privacy policies the FTC has discussed or considered as ordered by President Biden’s broad July 9 executive order, which tasked the FTC with establishing rules to address concerns about “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.” (Covered by InfoBytes here.) The Chamber is seeking all communications between FTC Chair and Commissioner Lina Khan and former commissioner Rohit Chopra related to the FTC’s Penalty Offense Authority and/or enforcement policy statements addressing privacy-related topics, as well as communications with the Center on Privacy and Technology at Georgetown Law. As previously covered by InfoBytes, the Center’s founder, Alvaro Bedoya, was nominated in September by President Biden to serve as an FTC commissioner. With respect to the requests for records related to the FTC’s Penalty Offense Authority, over the past few months the FTC has issued several warnings using its Penalty Offense Authority related to false money-making claims, misleading online endorsements, and unlawful for-profit education institution practices. (Covered by InfoBytes here, here, and here.) Among other things, the FOIA letters also request all records related to artificial intelligence, including communications between the FTC and the White House Office of Science and Technology Policy and/or the CFPB.
FTC expands criminal referral program
On November 18, the FTC announced the expansion of its criminal referral program as part of its effort to cease and deter corporate crime, which enhances the agency’s work in combating criminal misconduct in consumer protection and antitrust. According to the announcement, the new measures highlighted in the policy statement guarantee that cases are promptly referred to local, state, federal, and international criminal law enforcement agencies so that corporations and their executives partaking in criminal behavior are held accountable. According to the policy statement, the agency intends to refine its collaboration with its criminal law enforcement partners to stop and deter consumer protection and competition criminal violations, including by, among other things: (i) publicly and regularly reporting on the FTC’s criminal referral efforts; (ii) developing guidelines to ensure criminal law violations, specifically by major corporations and their executives, are identified; and (iii) “convening regular meetings with federal, state, and local criminal authorities to facilitate the coordination that will enable the appropriate law enforcement partners to take up cases referred by the FTC and develop best practices to enhance this coordination.” The policy statement builds on the agency’s continuing partnerships with criminal authorities to decrease misconduct. According to FTC Chair Lina M. Khan, the FTC “is redoubling its commitment and improving its processes to expeditiously refer criminal behavior to criminal authorities, promoting accountability and deterrence.”
FTC releases draft strategic plan for FY 2022 - 2026
On November 12, the FTC released a preliminary draft of the Strategic Plan for Fiscal Years 2022 to 2026 for public review and comment. Recognizing that protecting the public from unfair or deceptive acts or practices in the marketplace is a key FTC strategic goal, the draft Strategic Plan outlines several objectives guiding the Commission’s work in this area including (i) identifying, investigating, and taking enforcement action to deter these types of harm; (ii) providing consumers and businesses with guidance and tools to prevent harm; (iii) engaging in domestic and international collaboration efforts to enhance consumer protections, including those related to telemarketing, internet fraud, and privacy violations; and (iv) advancing measures to support underserved and marginalized communities. Recognizing that consumers cannot always identify whether unfair or deceptive practices have occurred, the FTC reports it will continue to identify consumer protection violations and collaborate with law enforcement partners to identify trends and targets and enforce consumer protection laws. These efforts will include safeguarding consumer privacy and litigating cases involving privacy risks.
Additional goals outlined within the draft Strategic Plan focus on marketplace competition, anticompetitive mergers, antitrust issues, resource management and workforce protections, and climate readiness. The draft Strategic Plan notes the importance of “cross-training staff on both consumer protection and competition issues” and of “grasping market realities” as “the economy becomes increasingly digitized.” According to the FTC, the “agency plans to be especially attentive to next-generation technologies, innovations, and nascent industries across sector.” Comments on the draft plan may be submitted through November 30.
FTC permanently bans payment processor from debt relief processing
On November 8, the FTC announced the permanent ban of a payment processor from processing debt relief payments and ordered payment of $500,000 in consumer redress. According to the FTC’s complaint, the payment processor and its owner (collectively, “defendants”) allegedly processed roughly $31 million in consumer payments on behalf of a student loan debt relief operation charged by the FTC in 2019 for allegedly engaging in deceptive practices when marketing and selling their debt relief services. As previously covered by InfoBytes, the FTC claimed the operators (i) charged borrowers illegal advance fees; (ii) falsely claimed they would service and pay down their student loans; and (iii) obtained borrowers’ credentials in order to change consumers’ contact information and prevent communications from loan servicers. The FTC alleged the defendants processed payments from tens of thousands of consumers even though they were aware of numerous issues with the scheme and had received complaints from consumers and banks. The FTC further alleged that the defendants continued to process payments until the FTC took enforcement action against the operation.
Under the terms of the settlement, the defendants are permanently prohibited from processing payments for debt relief services and student loan entities and are banned from processing payments for any merchant unless there is a signed, written contract. The defendants are also required to screen prospective high-risk clients to determine whether such clients are, or are likely to be, engaging in deceptive or unfair activities. In addition, the settlement imposes a $27.5 million judgment against the defendants, which is largely suspended following the payment of $500,000, due to the defendants’ inability to pay the full amount.