FTC Announces Settlement with Uber over Allegedly Deceptive Earnings Claims; Commissioner Ohlhausen Dissents

In its latest action involving allegedly deceptive earnings claims, the FTC announced yesterday that Uber had agreed to settle charges that it misled potential drivers with inflated earnings claims.  The complaint also alleges that Uber misrepresented benefits of its Vehicle Solutions Program, which connects potential drivers with auto companies to buy or lease a vehicle to be used to pursue the Uber opportunity.

To supports its allegations, the FTC cited a former post on Uber’s website that claimed that uberX Drivers’ “median income is more than $90,000/year/driver in New York and more than $74,000/year/driver in San Francisco.”  However, according to the complaint, actual median incomes were significantly less in those cities — $29,000 less in New York and $21,000 less in San Francisco. The complaint also cites allegedly inflated per hour earnings claims made for other major cities across the United States. According to the FTC’s analysis of Uber’s data, typically only between 10-30% of drivers made as much as the quoted hourly rate in a particular city.

The complaint also alleges that Uber made misrepresentations about its Vehicle Solutions Program to induce consumers to sign up as a driver.  These claims included “own a car for as little as $20/day” and enter into a lease with “unlimited miles.”  The FTC alleged that Uber lacked any basis for making these claims and that Uber actually had information at the time suggesting these claims were false.  For example, the FTC suggested that actual payments made by consumers were significantly higher than those represented and that many leases imposed significant mileage limits.

In her dissent, Commissioner Ohlhausen explained that she did not see the monetary settlement of $20 million as tied to any estimate of consumer harm and asserted that settlements for partial disgorgement of profits, as here, are “inappropriate for a non-fraudulent enterprise that significantly benefits consumers.”  Commissioner Ohlhausen also seemed to question whether certain representations were misleading in the first place, suggesting that the complaint erroneously “suggests that the sole acceptable description of earnings potential is the median earnings of participants.”   She also contended that the complaint unjustifiably excluded certain incentive and promotional payments from the FTC’s calculations of earnings.

The case is a reminder for entities making earnings claims that such claims should be substantiated prior to making the claim, and not false or misleading in the context in which they are made.  It’s worth emphasizing that the FTC never alleged that Uber drivers don’t make money, or that the Uber drivers would have been better off never pursuing the opportunity.  For the two Commissioners in the majority, the discrepancy between actual and represented earnings was enough to support a Section 5 violation and the $20 million monetary settlement.

Announcing the Advertising and Privacy Law Webinar Series

Webinar Series

Please join Kelley Drye in 2017 for the Advertising and Privacy Law Webinar Series. Like our annual in-person event, this series will provide engaging speakers with extensive experience and knowledge in the fields of advertising, privacy, and consumer protection. These webinars will give key updates and provide practical tips to address issues faced by counsel.

This webinar series will commence January 25 and continue the last Wednesday of each month, as outlined below.

January 25, 2017 | February 22, 2017 | March 29, 2017 | April 26, 2017 | June 28, 2017
July 26, 2017 | September 27, 2017 | October 25, 2017 | November 29, 2017

Kicking off the series will be a one-hour webinar on “Marketing in a Multi-Device World: Update on Cross Device Tracking” on January 25, 2017 at 12 PM ET. For more information and to register, please click here. CLE credit will be offered for this program.

FTC Chairwoman Ramirez Announces Resignation Effective February 10

Federal Trade Commission Chairwoman Edith Ramirez announced today that she will resign her position effective February 10, leaving the Commission with three vacancies and just two remaining commissioners.  Chairwoman Ramirez has been a commissioner since April 5, 2010 and became Chairwoman on March 4, 2013.

In announcing her resignation, she remarked: “It has been the honor of a lifetime to lead the Federal Trade Commission and to have played a role in advancing American consumers’ ability to navigate fast-paced digital markets and promoting business competition across the economy. I thank my fellow Commissioners and all of the talented FTC staff for their support and dedicated public service during my tenure.”  As noted in the FTC’s press release, Chairwoman Ramirez’s tenure was notable for aggressive enforcement of consumer protection and antitrust laws, resulting in “nearly 400 law enforcement actions covering a range of consumer protection issues and approximately 100 enforcement actions challenging anticompetitive mergers and business conduct in major sectors of the economy.”

Assuming no new appointments between President-Elect Trump’s inauguration and February 10, the Commission will be in the rare situation of having only two commissioners on the five-person body.  The Commission could continue to bring enforcement actions under FTC rules, assuming Commissioners Ohlhausen and McSweeny both agreed.  With just two confirmed commissioners, any Commission enforcement decision and most official actions would require both to agree.  Commissioner Ohlhausen, a Republican, has been a commissioner since April 2012 and could take the chair under the new administration.  Commissioner McSweeny, a Democrat, was appointed in April 2014 to a term that expires in September 2017.

California Choice of Law Provision Defeats Claim Under NJ Consumer Protection Law

On Monday, a California federal judge enforced the California choice-of-law clause in Facebook’s online terms of use, and on that basis refused to consider the claims of a New Jersey resident that aspects of those terms of use violated New Jersey’s consumer contract disclosure law, the Truth-in-Consumer Contract, Warranty, and Notice Act (“TCCWNA”).  The decision should provide some peace-of-mind to online retailers based outside New Jersey who have choice-of-law clauses in their terms of use.  A note of caution is warranted, however, because the judge found it important that Facebook’s contract chose California law, and “California’s consumer protection laws have been recognized as among the strongest in the country.”  

The case is Palomino v. Facebook, Inc., No. 16-cv-4230-HSG (N.D. Cal.).  The plaintiffs claimed that Facebook’s terms of use contained provisions purporting to “disclaim liability” for willful misconduct, and to “bar claims for personal and economic injury and punitive damages” and “for deceptive and fraudulent conduct.”  Whether provisions like this actually violate the TCCWNA is a matter of dispute in other cases pending in state and federal courts in New Jersey and elsewhere.  Judge Haywood S. Gilliam held that he did not have to reach that question, however, because Facebook’s enforceable choice-of-law clause favoring California law precluded the plaintiff, a New Jersey resident, from suing under his home state’s consumer protection laws.

California’s test for enforcing a choice-of-law clause, set forth by the California Supreme Court in Washington Mut. Bank, F.A. v. Superior Court, 24 Cal. 4th 906, 916 (2001), begins by asking whether the chosen state has a substantial relationship to the parties or their transaction or, if not, whether there is any other reasonable basis for the choice.  If the answer to either question is yes, a plaintiff seeking to avoid application of the contractual choice must establish both “that the chosen law is contrary to a fundamental policy” of the alternative state and that the alternative state “has a materially greater interest in the determination of the particular issue.”  Facebook easily cleared the burden-shifting hurdle because it is headquartered in California.  Plaintiffs then failed to meet their burden because they “failed to show that California’s consumer protection law,” which itself precludes a wide array of false and deceptive practices and “aim[s] to accomplish the same end,” is “contrary to New Jersey policy.”  That California’s law “affords different rights and remedies” is immaterial because “[c]ourts should not refrain from applying the chosen law merely because this would lead to a different result.”     

The decision’s caveats are important, but the bottom line is that non-New Jersey choice-of-law clauses, applied by online retailers outside New Jersey, may preclude TCCWNA claims.  

 

May Old Memoranda Be Forgot: White House Issues New Memorandum on Breach Response Plan

The White House Office of Management and Budget (“OMB”) marked the beginning of the 2017 Federal calendar year by issuing a memorandum to all agency and department heads with new guidance on breach preparation and response. While the guidance is not directed to the business sector, it is instructive for corporate counsel as it complements the breach response guide the Federal Trade Commission issued back in October.

The FTC Breach Response Plan focuses on what a company should do once it has discovered a breach. The OMB guidance includes more comprehensive advice on how to prepare for a breach and highlights several best practices that can prove useful for any business. In short, it is a great counterpart to the FTC’s guidance for any company conducting a Breach Response Plan review.

Here are some helpful topics/resources from the memorandum:

  • Breach response plan defined terms and listing of common examples of a breach
  • Overview of minimum breach response plan elements, including:
    • Breach Response Team
    • Privacy Compliance Documentation
    • Secure Interdepartmental and Third-Party Information Sharing
    • Reporting Requirements
    • Assessing and Mitigating Risk of Harm
    • Notification
  • Breach response contract terms for third party vendors
  • Considerations for identifying logistical support and technical support when responding to a breach, and
  • Appendices which include a breach reporting template, general and category specific guidance for affected individuals, and examples of services a company can provide

Here’s hoping that Baby New Year doesn’t welcome you to 2017 with a security breach, but read together, the FTC and OMB resources can be a helpful way to start the new year by making resolutions on breach prevention and response planning.

FTC Files Lawsuit Against Taiwanese Manufacturer for Alleged Lax Security in Wireless Routers and Cameras and Related Marketing Claims

150px-US-FederalTradeCommission-Seal_svg

The Federal Trade Commission has filed a lawsuit in federal court claiming that a networking equipment manufacturer engaged in unfair and deceptive acts, exposing thousands of consumers to the risk of cyberattack from vulnerable wireless routers and internet cameras.

The complaint against Taiwan-based networking equipment manufacturer D-Link Corporation and its U.S. subsidiary D-Link Systems alleges that the companies failed to take reasonable steps to protect the internet routers and IP cameras from “widely known and reasonable foreseeable” vulnerabilities. According to the complaint, these risks were not purely theoretical: D-Link equipment has been compromised by attackers, including being made part of “botnets,” which are large-scale networks of computers infected by malicious software.

In particular, the complaint alleges that the company failed to take steps to address well-known and easily preventable security flaws, such as:

  • “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
  • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
  • the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
  • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

Count I of the complaint alleges that D-Link’s failure to take reasonable measures to secure the products from these vulnerabilities was unfair under Section 5 of the FTC act.  It alleges that D-Link’s practices caused, or are likely to cause, substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers.

But the FTC is not only concerned with the potential vulnerabilities of the D-Link products; in Counts II through VI, the FTC alleges that D-Link violated Section 5(a) of the FTC Act by making deceptive statements about the products’ security.  These allegedly deceptive statements include the following:

Count II:  D-Link advertised a Security Event Response Policy, implying that D-Link had taken reasonable measures to secure the products from unauthorized access;

Count III:  In promotional materials, D-Link claimed that its routers were “EASY TO SECURE” and had “ADVANCED NETWORK SECURITY,” among other claims, implying that the routers were secure from unauthorized access and control;

Count IV: In promotional materials, D-Link advertised that its cameras provided a “secure connection,” among other claims, implying that the cameras were secure from unauthorized access and control;

Count V: To begin using the routers, a graphical user interface provided security-related prompts such as “To secure your new networking device, please set and verify a password below,” implying that the routers were secure from unauthorized access and control; and

Count VI: To begin using the cameras, a graphical user interface provided security-related prompts such as “Set up an Admin ID and Password” or “enter a password” in order “to secure your camera” and featured a lock logo, implying that the cameras were secure from unauthorized access and control.

In a press release announcing the lawsuit, FTC Bureau of Consumer Protection Director Jessica Rich commented, “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

The Commission vote authorizing the staff to file the complaint was 2-1, with Commissioner Maureen K. Ohlhausen voting against the complaint. The complaint was filed in the U.S. District Court for the Northern District of California.

The complaint is just the most recent action in the FTC’s efforts to crack down on potential vulnerabilities in the Internet of Things (IoT). The FTC has also brought enforcement actions against ASUS over allegedly insecure routers and cloud services and against TRENDnet over its allegedly insecure cameras.  This case serves as yet another reminder that the FTC remains focused on cyber security, especially for IoT devices, and that it is important for all businesses that handle or have access to customer information to ensure that they have implemented reasonable security practices, and confirmed the accuracy of all related marketing claims and public representations (including in public-facing policies and product dashboards) about the security of their products.

New Jersey’s TCCWNA: New Year, Same Uncertainty

NJ

In 2016, many retailers found themselves on the wrong end of class actions brought under New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”). The suits allege that these retailers’ website terms of service either contained provisions that violated some “clearly established” New Jersey or federal law, or else stated that violative terms might not apply in “some states” without saying which specific terms are ineffective in New Jersey.  The TCCWNA statute has major teeth, especially in class actions, with statutory penalties of $100 per “violation.”  Plaintiffs, however, must clear some equally major hurdles, including demonstrating that they were “aggrieved” by a violative contract and that the contractual terms they are attacking truly run afoul of a New Jersey or federal right that is “clearly established.”

Many retailers recently have scrutinized their website terms with the TCCWNA in mind, and the pace of new TCCWNA lawsuits has significantly slowed. As for past liability, major national retailers have had motions to dismiss TCCWNA cases fully briefed for several months now.  Both the plaintiffs’ and defense bar in New Jersey had hoped to end 2016 with some clarity about the TCCWNA’s contours.  Unfortunately, that clarity has not yet come.

Two judges have dismissed TCCWNA claims for lack of Article III standing, citing the Supreme Court’s recent decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), that a plaintiff cannot sue in federal court without having suffered “concrete and particularized” harm.  Neither court reached the merits of the plaintiffs’ TCCWNA claims.  The more recent of the two Spokeo dismissals came in October, and the plaintiff immediately appealed to the Third Circuit.

The Third Circuit already has another TCCWNA case before it, fully briefed. In November, the Third Circuit certified two questions arising from that appeal to the New Jersey Supreme Court that are relevant to several pending motions to dismiss:  (1) Is a consumer who received a contract that does not comply with a particular state regulation, but who has not suffered any adverse consequences from that noncompliance, an “aggrieved consumer” able to sue under the TCCWNA?  (2) Does a violation of that regulation alone constitute violation of a “clearly established legal right” and thus provide a basis for relief under the TCCWNA?

The New Jersey Supreme Court has not yet said whether it will rule on those questions, but that Court definitely will rule later this year on two other TCCWNA cases alleging that restaurants violated the law by not clearly posting prices on drink menus and, in one case, charging different prices for the same drink, depending upon whether the drink was served at a table or at the bar.

Those appellate goings-on may be impacting the District Court’s consideration of the other pending motions to dismiss. In early December, the judge presiding over a TCCWNA terms-of-use case against a major retailer “administratively terminated” that company’s motion to dismiss and effectively stayed the case pending the outcome of the two Third Circuit appeals.  No other district judges have taken that step, but motions to dismiss several other significant TCCWNA cases remain sub judice before them.

Decisions in those cases still could come at any time, but it also is possible that retailers must wait until the New Jersey Supreme Court and/or Third Circuit decides the TCCWNA cases before them — possibly not until late 2017 — before we learn how easy, or difficult, it is for plaintiffs to sue under this problematic law.

The Ninth Circuit’s Briseno Decision Is Not As Bad As It Looks for Consumer Class Action Defendants

The Ninth Circuit’s decision this week in Briseno v. ConAgra Foods, Inc., No. 15-55727, refused to engraft an “administrative feasibility” requirement to Federal Rule of Civil Procedure 23’s prerequisites for certifying a class action.  What this means, basically, is that in Ninth Circuit courts, a named plaintiff seeking class certification need not “demonstrate an administratively feasible way to identify all class members at the certification stage.”  (Slip Op. at 11 n.6).  “All,” however, is a very important word in that sentence.

On the face of it, the Ninth Circuit’s decision conflicts with the Third Circuit’s decision in Carrera v. Bayer Corp., 727 F.3d 300 (3d Cir. 2013) and later cases.  The Third Circuit explicitly requires class plaintiffs to demonstrate “ascertainability” at the certification stage.  In reality, however, there would seem to be major areas of agreement between the Ninth Circuit’s decision in Briseno and the Third Circuit’s core holding.  Consumer class action defendants still have plenty of arguments — even in the Ninth Circuit — that proposed classes fail because there will never be a reliable way to determine who is a member of the class.

The Third Circuit’s ascertainability doctrine arose from two cases with facts worthy of a law school exam. In Bayer, 727 F.3d at 304, the named plaintiff himself could not remember when he purchased the product he was challenging and was not even sure which product he purchased.  That testimony made it impossible for the Third Circuit to agree that the defendant should have to swallow affidavits from absent class members that they, too, purchased the challenged product, without being able to mount individual challenges to those affidavits.  And, in Marcus v. BMW of North America, LLC, 687 F.3d 583, 594 (3d Cir. 2012), neither the plaintiff nor the defendant had any idea which tires were on the plaintiff’s car.  The plaintiffs had discarded the tires, and the defendant had no relevant records.  The Third Circuit held that the plaintiff had to come forward with some kind of a plan to determine who was in the class, beyond proposing to rely on potential class members’ unreliable and unsupported “say so.”

To the extent the Third Circuit requires a separate showing of “ascertainability” that is not listed among the requirements in Rule 23(a) or (b) — separate, for example, from the requirements that common questions predominate over individual questions and that a class action be “manageable” — the Ninth Circuit refused to go that far.  At the same time, however, the Ninth Circuit panel suggested it agreed with the way other Courts of Appeals had adopted the Third Circuit’s core holding, focused on the predominance and manageability requirements, without going so far as to impose a separate requirement of ascertainability. Briseno’s footnote 6 cited with approval the First Circuit’s holding in In re Nexium Antitrust Litig., 777 F.3d 9, 19-20 (1st Cir. 2015), that district courts must be assured “that, by the time a case reaches the liability and claims administration stages, there will be an administratively feasible way to distinguish injured from uninjured class members.”  It also cited with approval the Second Circuit’s holding in Brecher v. Republic of Argentina, 806 F.3d 22, 24-26 (2d Cir. 2015), “that a class definition must be objective and definite.”

It therefore is possible to read Briseno narrowly.  The Ninth Circuit clearly held that sellers of small-ticket consumer goods do not have a free-standing defense to class certification solely because, at the class certification stage, the named plaintiff cannot say with certainty that she will be able to identify all purchasers of the product in a reliable manner.  The court most certainly did not, however, cut off arguments that injured vs. uninjured people never can be reliably distinguished, or that a class definition is improperly “fail safe” because it turns on merits issues.  Those defenses, grounded in the predominance and manageability requirements, remain.

Indeed, although the Ninth Circuit panel clearly was more supportive of “say so” affidavits than was the Third Circuit in Marcus and Bayer, even that part of the holding was limited.  In Briseno, the plaintiffs asserted that (1) they had a means of calculating aggregate damages to be awarded to the entire class, and (2) “say-so” affidavits would arrive only “after a liability [and damages] determination has already been made.”  For those reasons, the panel focused on the possibility of intentional fraud, not mistakes:  “Why would a consumer risk perjury charges and spend time and effort to submit a false claim for a de minimis monetary recovery?”  Slip Op. at 17.

The question in Briseno was not whether class members would reliably remember having purchased the relevant product, as in Bayer, or whether they would even have any way to know they were class members, as in Marcus.  Concerned only about fraud, the Ninth Circuit said that defendants have other tools to detect and refuse bad claims by “rel[ying] on claim administrators, various auditing processes, sampling for fraud detection, follow-up notices to explain the claims process, and other techniques tailored by the parties and the court to validate claims.”  Slip. Op. at 20 (internal quotation and citation omitted).  If “say so” affidavits would have impacted the amount the defendant was expected to pay if it lost, the Ninth Circuit panel explicitly said it might have reached a different result:  “[I]dentification of class members will not affect a defendant’s liability in every case.”  Slip Op. at 22 (emphasis added).

To be sure, Briseno is a setback for consumer class action defendants in the Ninth Circuit.  It also deepens a Circuit conflict and increases the odds of Supreme Court review.  Absent high court review, however, or while we are awaiting it, Briseno need not be a significant setback.  “Ascertainability” may be out as a free-standing requirement in the Ninth Circuit, but plaintiffs still have to satisfy predominance and manageability, and may not be able to do so if they cannot objectively and reliably determine who is in their proposed class.

One Less (Regulator) Affair for AshleyMadison.com: Site Operators Agree to Settle U.S. Charges Stemming from 2015 Breach

Remember the 2015 AshleyMadison.com data breach, where hackers gained access to the personal information of about 36 million users from over 46 countries, and threatened and carried through on their promise to release the information to the public? This highly publicized incident has resulted in a $1.6 million settlement between operators of the dating website and the FTC, 13 states, and the District of Columbia, resolving allegations concerning inadequate security and deceptive practices connected to the website. The FTC also received investigative assistance from the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner, both of which had concluded a joint investigation of the dating website in August.

The FTC’s complaint charges AshleyMadison.com with:

  • Creating Fake Profiles to Encourage Consumers to Upgrade Services. AshleyMadison.com staff created 24,414 female “engager profiles,” or fake profiles, through which staff would communicate with AshleyMadison.com users. According to the FTC, AshleyMadison.com staff used these engager profiles to entice users to upgrade to a full membership.
  • Failing to Remove Consumer Profiles Despite Representations to Consumers That Profiles Would be Deleted. AshleyMadison.com advertised a service option to users that enabled them to delete their “digital trail.” The company charged consumers for this service, but did not disclose until after the purchase was consummated that some information would be retained for legal and financial reasons. Moreover, the company in some instances altogether failed to remove or delete consumer profiles from internal systems.
  • Prominently Displaying/Advertising that the Site was Secure When Evidence and Practice Suggested the Contrary. AshleyMadison.com advertised their website as “100% secure”, “risk-free”, and “completely anonymous” and prominently displayed data security trustmarks (seals or icons designed to give consumers confidence in a company’s data security practices). One such trustmark was a “Trusted Security Award,” which the FTC says the company never received. AshleyMadison.com also advertised a privacy policy that touted “industry standard” security safeguards the company employed to protect against loss or unauthorized access. The FTC alleged this was deceptive given the inadequate security practices that contributed to the 2015 data breach.
  • Failing to Provide Reasonable Security. AshleyMadison.com did not take reasonable steps to prevent unauthorized access to their systems. According to the FTC, the company did not:
    • Maintain a written information security policy
    • Implement reasonable access controls
    • Provide adequate training for personnel with data security responsibilities
    • Have adequate measures in place to vet third-party service provider security measures
    • Use readily available security measures to monitor systems for data security events and verify the overall effectiveness of their security systems

As companies target consumers across borders and expand their global consumer reach, they should pay close attention to this global settlement and consider implementing proactive compliance measures to properly safeguard consumer data and avoid practices that can cause irreparable harm to consumer confidence and company reputation.

FTC Settles with Turn Over Alleged Privacy Policy Misrepresentations

On Wednesday, the FTC announced that Turn, a California-based ad-tech firm, agreed to settle charges that it misrepresented its consumer tracking practices to Verizon Wireless customers. According to the FTC, such customers could not delete or turn off advertising identifiers because Turn synced multiple identifiers without reconciling user preferences or express user requests to delete or reset identifiers. This practice allegedly ran afoul of consumer choice provisions in Turn’s privacy policy.

Specifically, the FTC’s complaint against Turn alleges the following two violations of the FTC Act:

  1. Making Misrepresentations about Deleting Cookies. The privacy policy’s description of cookies and web beacons (online identification mechanisms) stated that consumers could edit their browser options to “stop accepting cookies.” Turn continued, however, to track certain customers who had exercised this option.
  2. Making Misrepresentations about Restricting Tracking. Turn’s privacy policy also linked to a Turn opt-out page, where consumers could allegedly opt out of tailored advertising. The FTC claims that this opt-out was deceptive because, although consumers could opt out of tailored advertising on mobile browsers, they could not opt out of tailored advertising on mobile applications.

Under the proposed consent order, Turn is prohibited from making misrepresentations regarding identifier-related consumer information. Additionally, the company is required to honor consumer controls and make adequate disclosures regarding targeted advertising and opt-out mechanisms. This settlement is another reminder that it is extremely important that privacy policies accurately reflect businesses’ current practices, and that businesses honor representations about consumer choice.

LexBlog