FTC Settles With Lead Generation Firm For Illegally Selling Consumer Data, False Data Security Promises

The FTC announced last week a settlement with Blue Global Media, LLC and its CEO Christopher Kay. The company operated 38 Internet domains that solicited online loan applications from consumers. The applications collected extensive sensitive personal information, including social security numbers, bank routing numbers, credit scores, and incomes. The company represented to consumers that it would use this information to match them with “trusted lending partners” that offered the most favorable loan offers, for example, with the lowest interest rate and the highest qualified loan amount. As alleged, Blue Media offered these leads to potential buyers through multiple “ping trees,” which are automated, instantaneous, auction-style processes common in the payday lending industry. However, the company’s ping tree participants were not required to be engaged in lending or to use lead information to offer loans. In fact, Blue Media allegedly sold each lead to the first buyer, regardless of whether the buyer was a loan provider or offered favorable terms to the consumer. Blue Media received from buyers up to $200 for each lead sold. Blue Media collected more than 15 million loan applications in this manner. It allegedly sold 26% of the applications to non-lenders, and less than 2% to lenders. In many cases, these lenders were not legally authorized to make loans.

In addition, Blue Media made a number of data security promises it did not deliver. For example, the company represented in its privacy policy that it employed industry-leading security protocols and technology and would “never store [consumers’] information, so your online identity is always safe.” In contrast, Blue Media allegedly shared consumer information indiscriminately, failing to impose any restrictions or conditions to protect against the unauthorized access, use, modification, or disclosure of consumer information.

The FTC alleged these practices constituted unfair and deceptive acts in violation of Section 5. The settlement includes a judgment seeking all revenue received from these practices, an amount over $104 M.

The FTC has recognized the proliferation of online lead generation in various industries.  On October 30, 2015 the FTC held a public workshop entitled “Follow the Lead,” focused on lead generation practices and related privacy and consumer protection issues, which we discussed here and here. Here are some key takeaways from this case and other FTC guidance documents for lead generation operators:

  • Implement transparency and consumer choice. Disclose clearly and conspicuously to consumers what information is being shared and with whom; and allow consumers to make informed choices about when and how to share their personal information.
  • Exercise caution when selling leads that aren’t purchased through the ping tree (commonly referred to as a “remnant lead”). Depending on the circumstances, you may be liable under the FTC Act if the buyer has no legitimate need for the information.
  • Vet potential lead buyers before doing business with them and monitor lead buyers for any misuse of consumer data.
  • Engage in data security protocols that are appropriate for the sensitivity of the information you are collecting.
  • Review your privacy policy regularly to ensure it accurately reflects your collection and disclosure practices.

“Give the Money to One Percenters, Not to Non-Profits,” 11 State Attorneys General Argue

On July 5, bipartisan Attorneys General from 11 states filed an astonishing brief in the Third Circuit Court of Appeals, asking that court to reject the proposed class action settlement in In re Google Inc. Cookie Placement that would give settlement monies to non-profits rather than class members.

The plaintiffs in Google Cookie allege that Google circumvented the cookie-blocker settings in Microsoft’s Internet Explorer and Apple’s Safari browsers and placed advertising tracking cookies without user consent. The putative class—theoretically, every user of those hugely popular browsers—obviously is massive. The “damages” suffered by class members, however, if any, are vanishingly small.

In 2016, Google and the plaintiffs’ counsel reached a proposed $5.5 million class action settlement.  The plaintiffs’ counsel requested a $2.5 million fee, with the balance (after administrative costs) to be distributed to privacy rights non-profits such as the Berkman Center for Internet and Society at Harvard University and the Privacy Rights Clearinghouse.  Individual class members would receive nothing.

The Competitive Enterprise Institute’s Center for Class Action Fairness filed an objection to the settlement, arguing that if money cannot be distributed to class members, then the settlement class should not be certified at all.  The Delaware federal judge hearing the case disagreed and approved the settlement.  The objector took its arguments to the Third Circuit, and now 11 state Attorneys General have joined it.

The AG coalition brief, written by the office of the Arizona Attorney General, took no issue with the amount of the settlement and acknowledged that the settlement class is huge.  They contend, however, that “[d]irecting settlement funds to members of the class wherever feasible is important,” and that “there is a feasible path to distribution here.”  That “feasible path” is where the brief took an unprecedented turn for an AG objection.

“Claims rates in small-dollar cases are reliably in the very low single digits (if not below one percent),” the brief argued, citing cases with low claims rates. “Even assuming a class in the tens of millions, such a claims rate would result in an economically meaningful” payment of “a few dollars to $15 or $20, if not more” to those lucky “one-percenters.” That, these Attorneys General argued, “is preferable to making no distribution to any class members.”

In the years since the Class Action Fairness Act of 2005 required federal litigants to notify State AGs of proposed class action settlements, State AGs have taken a leading pro-consumer role in trying to limit the forms that settlements can take.  A multistate AG objection to a coupon settlement a decade ago, for example, has sharply curtailed the use of coupon settlements.  This is the first time, however, that AGs have argued it is better to direct small dollars to a tiny fraction of a large class than to pay millions of dollars to non-profits that ostensibly could advocate on behalf of the interests of the class as a whole. 

It will be very interesting to see how the Third Circuit responds to this argument.

Joining Arizona on the brief were the Attorneys General of Alaska, Arkansas, Louisiana, Mississippi, Missouri, Nevada, Oklahoma, Rhode Island, Tennessee, and Wisconsin.

BRIEF OF ELEVEN STATE ATTORNEYS GENERAL AS AMICI CURIAE IN SUPPORT OF OBJECTOR-APPELLANT AND REVERSAL

Summer Road Trippin’: The FTC and NHTSA Workshop on Connected Cars

On June 28, the FTC and National Highway Traffic Safety Administration (NHTSA) brought together a variety of stakeholders including regulators, automakers, software companies, and consumer groups to discuss connected cars, including current innovations and challenges in the field of data privacy. Acting FTC Chairwoman Maureen Ohlhausen opened the day by asserting that regulators will need to show “humility” in trying to understand the risks associated with connected cars. However, she emphasized that the FTC will still use its enforcement authority against those who misuse consumer data, while taking care not to conflict with NHTSA’s oversight efforts. Terry Shelton, acting executive director of NHTSA, agreed with these goals. The day’s panels focused on three main themes:

Safety – Fewer Accidents, Better Recall Compliance, and Privacy

Connected cars are expected to be able to decrease accidents and traffic fatalities. According to Terry Shelton, Acting Executive Director of NHTSA, 94% of fatal car accidents are due to human error. Additionally, both Shelton and Acting FTC Chairwoman Ohlhausen emphasized that the number of automobile-related fatalities has risen considerably in recent years.

It is less clear what happens when the artificial intelligence (AI) systems responsible break down. As cars become better able to make decisions on their own, the question of liability when a mistake occurs will be brought to the forefront. However, connected cars may increase compliance with safety recalls as self-driving cars may bring themselves into the shop for repair, and manufacturers will more easily be able to trace automated cars that have not been updated. The panel also discussed whether consumers should be allowed to opt out of sharing safety data and whether safety concerns may be used as excuses to collect information for commercial use.

Data – Notice and Consent, Types and Use of Data

As is the case with all connected devices, data collection and use presents many questions. Current technology allows devices to use driving patterns to detect drowsy driving, but newer devices will use biometric data for this purpose.  Depending on how the data is gathered, mechanisms for consumer notice and consent remain a challenge.

Stephen Pattison of ARM offered three important categories of data that may be taken from connected vehicles. The first is information linking the user to the vehicle. He asserted that this is the most sensitive information, and should be controlled by the consumer. The second is information that is brand sensitive, and may be of interest to competitors. This also includes information about individual components of the car. It will be up to the manufacturer how and when this information is shared. The third category is non-identifying information such as road conditions. This information is useful for other companies and law enforcement to use under some agreement that outlines the terms of use.

Panelists noted that the information produced by these vehicles is not encrypted or anonymized, as doing so would destroy the value of the data. It is important for the car or car system to be able to understand why a mistake occurred, or be able to make choices using very granular data, and share that data either with itself or in vehicle to vehicle communications to make other cars smarter and more able to make those decisions as well.

After-market products that are purchased by consumers and voluntarily placed into their cars are also collecting data. These include devices such as remote start, backup cameras, or an insurance dongle. While there is more consumer acknowledgement that these devices will be tracking personal information, the panelists at the workshop were in general agreement that more information should be given to consumers in clear and concise ways to enable them to make informed choices.

Security and Privacy – It’s Not If, But When A Breach Will Happen

One phrase that was repeated during the conference was: it is not a question of if, but when a breach will happen. Carrie Morton of the University of Michigan’s Mcity automated-vehicle research center explained that consumers are often “okay with the tradeoff” of exposing their personal driving information if they see a benefit. However, there is some information that even the most connected of drivers do not want exposed. While it may be true that consumers care less about who has their data than about what is being done with it, this cannot be mistaken for a lack of care concerning data privacy in general.

Earlier this year, NHTSA released a set of best practices to protect connected cars against cyberattacks and data breaches. These included a push for earlier integration of breach detection, a feature which Jeff Massimilla of GM said they are building into their cars from the beginning. NHTSA will look to the FTC for support in enforcing these regulations. There was also support from some panelists for harsher FTC sanctions for those that unlawfully access or re-identify anonymized data, as the data will likely be easy to de-anonymize.

*          *          *

We’ll continue to follow these issues and related connected product developments here at Ad Law Access.

 

Summer Associate Carmen Tracy contributed to this post. Ms. Tracy is not a practicing attorney and is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

Rules Are Made to Be ….Reformed: FTC Announces Regulatory Reform Measures

As part of the FTC’s ongoing review of the needs, costs, and benefits of regulations, the agency recently announced it is reviewing the following rules:

  • The Picture Tube Rule requires manufacturers to base screen size measurements on the horizontal measure of the viewable area, unless the alternative method of measurement is clearly disclosed. This rule was originally intended to help consumers compare products, but television technology has changed since it was adopted. In determining whether the rule is still needed, relevant concerns include changes in television technology such as the incorporation of plasma, LED, OLED, and other similar materials in flat display screens. The full list of questions the FTC hopes to address can be found in the Notice of Public Rulemaking here. Comments are due August 31.
  • The FTC is also seeking comment on a proposal to eliminate the “housemark” provisions of the Textile Rules. The housemark provisions permit marketers to use a “housemark” (a distinctive mark used to identify all of a firm’s products) on a textile’s tag in lieu of their business name only if they first register their housemark with the Commission. It is the agency’s position that the provision, imposed in 1959, is no longer necessary because trademark owners can easily be identified by searching online or via the U.S. Patent and Trademark Office website. Therefore, the FTC believes that removing these requirements will reduce compliance costs and increase firms’ flexibility. Comments are due by July 31.
  • The FTC is seeking public comment on its CAN-SPAM Rule, which requires a commercial email to contain accurate header and subject lines, identify itself as an ad, include a valid physical address, and offer recipients a way to opt out of future messages. The FTC is seeking comment on, among other things, whether consumers have benefitted from the Rule, whether it should be modified, the costs of compliance, and whether it should be amended to account for technological or economic changes. Comments are due by August 31.
  • The Energy Labeling Rule is also being amended to eliminate burdens on the industry and account for new products. The Energy Labeling Rule requires yellow EnergyGuide labels on certain appliances to help consumers compare similar models using estimated operating cost and energy consumption ratings. The FTC sought public comment on these changes in September 2016, and the comment period has ended. The accepted changes eliminate obsolete marking requirements for plumbing products, exempt certain ceiling fans from labeling requirements, and update the labels to cover electric instantaneous water heaters.

Overall, this announcement is consistent with the FTC’s recent systematic review of rules and guides. We will continue to track the comments and provide updates on any important developments.

 

Summer Associate Carmen Tracy contributed to this post. Ms. Tracy is not a practicing attorney and is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

California Ruling Requires TransUnion to Pay Record $60M for FCRA Violations; Suit Alleged Consumer Reports Erroneously Linked Consumers to Criminals in OFAC Database

A California jury in federal court ruled on Tuesday, June 20, that TransUnion violated the Fair Credit Reporting Act (FCRA) by erroneously linking certain consumers with similarly named terrorists and criminals in the U.S. Department of Treasury’s Office of Foreign Assets Control’s (OFAC) database. The jury awarded statutory and punitive damages in excess of $60 million, which could set a record for the largest FCRA verdict to date.

In the suit, initially filed in 2012, plaintiffs alleged that TransUnion willfully violated FCRA by failing to maintain reasonable procedures to assure maximum possible accuracy of the consumer reports it sold, and by failing to provide required disclosures to consumers. TransUnion offers an add-on service to its standard consumer reports whereby it would check consumers against OFAC’s “Specially Designated Nationals and Blocked Persons List” (SDN), which lists terrorists, drug traffickers, and other criminals. Companies that do business with individuals on the SDN face strict liability penalties approaching $290,000 per transaction, so companies have a strong incentive to cross-reference the SDN before undertaking certain transactions, depending on the type of transaction and other factors.

The case arose out of so-called “false positives,” whereby TransUnion would find and report a potential match to the SDN but that match would subsequently be found to be erroneous.  For example, lead plaintiff Sergio L. Ramirez was prevented from buying a car in 2011 because TransUnion told lenders that he potentially matched two individuals on the OFAC list.  Ramirez and other class members alleged that TransUnion failed to take reasonable steps, such as also cross-referencing date of birth or other information available on the SDN, before reporting the match on the consumer report.  TransUnion countered that it did all that was feasible for the time period in question to achieve maximum accuracy, as required by FCRA, while still helping its clients comply with OFAC regulations and avoid criminal penalties.
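As an added illustration of the screening logic at issue (this is not TransUnion's, OFAC's, or the firm's code, and every name, list entry and date below is constructed), the following compares a name-only match against an SDN-style list with one that corroborates each hit using the date of birth carried on the list entry, the additional check the plaintiffs argued for:

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SdnEntry:
    uid: str
    name: str
    dob: Optional[date]   # the list records a DOB for many, but not all, entries


@dataclass(frozen=True)
class Consumer:
    name: str
    dob: date


# Constructed sample list (hypothetical entries, not real SDN data). Two
# entries share the applicant's name, as in the Ramirez example above.
SAMPLE_SDN: List[SdnEntry] = [
    SdnEntry("SDN-0001", "RAMIREZ, Sergio", date(1960, 3, 12)),
    SdnEntry("SDN-0002", "RAMIREZ, Sergio Luis", None),
    SdnEntry("SDN-0003", "LOPEZ, Maria", date(1975, 7, 1)),
]

# Constructed applicant who merely shares a name with the two entries.
SAMPLE_APPLICANT = Consumer("Sergio L. Ramirez", date(1982, 11, 5))


def name_tokens(name: str) -> set:
    """Case-, accent- and punctuation-insensitive name tokens; one-letter
    initials are dropped, so 'Sergio L. Ramirez' becomes {sergio, ramirez}."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return {t for t in re.findall(r"[a-z]+", ascii_name.lower()) if len(t) > 1}


def name_overlaps(consumer_name: str, sdn_name: str) -> bool:
    """Name-only test: every token of the consumer's name appears in the entry."""
    return name_tokens(consumer_name) <= name_tokens(sdn_name)


def screen(consumer: Consumer, sdn: List[SdnEntry], corroborate_dob: bool) -> Dict[str, str]:
    """Return {entry uid: outcome} for every entry whose name overlaps.

    corroborate_dob=False reports every name hit, the behaviour that produced
    the false positives described in the case. With corroborate_dob=True a
    DOB that disagrees clears the hit, an agreeing DOB confirms it, and an
    entry with no DOB on file is routed to manual review rather than being
    reported automatically.
    """
    outcomes: Dict[str, str] = {}
    for entry in sdn:
        if not name_overlaps(consumer.name, entry.name):
            continue
        if not corroborate_dob:
            outcomes[entry.uid] = "reported"
        elif entry.dob is None:
            outcomes[entry.uid] = "needs_review"
        elif entry.dob == consumer.dob:
            outcomes[entry.uid] = "confirmed"
        else:
            outcomes[entry.uid] = "cleared"
    return outcomes


def reported_uids(outcomes: Dict[str, str]) -> List[str]:
    """Entries that would reach the consumer report without human review."""
    return sorted(uid for uid, o in outcomes.items() if o in ("reported", "confirmed"))


if __name__ == "__main__":
    print("name only :", screen(SAMPLE_APPLICANT, SAMPLE_SDN, corroborate_dob=False))
    print("with DOB  :", screen(SAMPLE_APPLICANT, SAMPLE_SDN, corroborate_dob=True))
```

With the name-only test both constructed entries land on the applicant's report; with DOB corroboration one is cleared and the other is held for review instead of being reported.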

The case provides an interesting example of the competing legal obligations that a company can face under different statutes, and of the need to stay abreast of constantly evolving technology that informs the relevant legal standard.  Determining how to screen potential customers for OFAC compliance and use consumer reports consistent with FCRA depends on a number of factors, including the technology available at the time and the type and scope of transaction at issue.

Kelley Drye’s Export Controls and Sanctions Compliance Group regularly assists clients with obligations in connection with OFAC screening, and Kelley Drye’s Consumer Financial Protection Regulation regularly advises clients on FCRA compliance.    

 

CPSC Requests Feedback to Reduce Compliance Burdens

Have ideas to lighten the load for complying with consumer product safety regulations? The Consumer Product Safety Commission (“CPSC” or “Commission”) wants to hear about them.  The Commission has asked for comments and suggestions for ways it could potentially reduce burdens and costs of its existing rules, regulations or practices without harming consumers. CPSC requests that any submissions include information and data in support of the suggestions.

The CPSC is open to any proposals. According to Acting Chairman Ann Marie Buerkle, “The agency’s recent request for information seeking public input on ways to potentially reduce burdens and costs is not limited to existing rules. CPSC is interested in hearing any and all ideas, big or small, that might help ease regulatory burdens without compromising safety.” Acting Chairman Buerkle, who was nominated to the Commission by President Obama in 2013, has said that “seeking to reduce regulatory burdens is responsible governance.” The request for suggestions is in line with Buerkle’s general policy of promoting transparency and collaboration with the industry. For a further discussion of her policies, see our previous post here.

Submissions are due by September 30. This is an opportunity for companies to provide feedback in a collaborative, constructive context.  We will continue to track the comments and provide updates on any important developments.

Summer Associate Carmen Tracy contributed to this post. Ms. Tracy is not a practicing attorney and is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

Instagram Announces a New Tool for Influencers

Last year, we posted that four consumer groups had sent letters to the FTC, encouraging the agency to “investigate and bring enforcement actions related to the practice of non-disclosed advertising through influencer user profiles on Instagram.” Earlier this year, the FTC responded by sending more than 90 letters to companies and influencers, reminding recipients of their obligation to disclose when posts are sponsored. Some of the letters addressed how the disclosures should appear on the Instagram platform. Now, Instagram is testing a tool designed to make the disclosures easier.

Instagram recently announced that users will soon start to see a new “Paid partnership with” tag on posts and stories. This feature is intended to “help creators more clearly communicate to their followers when they are working in partnership with a business.” In addition to helping companies comply with FTC requirements, this tool is expected to offer other benefits. For example, when “partners use this tag, they will both have access to Insights to track exactly how their branded content posts and stories are performing. Creators will continue to see metrics in their Instagram Insights, and business partners will see shared reach and engagement metrics in their Facebook Page Insights.”

Currently, the tool is only available to a select number of users, but Instagram plans to collect feedback and to make the tool – along with an official policy – more widely available in the coming months.

FTC Submits Comments on IoT Device Security to NTIA Working Group

On Monday, the FTC submitted comments to the draft National Telecommunications and Information Administration (NTIA) guidance intended to improve Internet of Things (IoT) device security and increase consumer transparency. While recognizing the benefits (and proliferation) of IoT devices, the Commission’s comments caution that such benefits can only be realized when device manufacturers both incorporate – and adequately inform consumers of – reasonable security measures.

The comments begin by highlighting several “lessons learned” from FTC enforcement actions involving IoT devices such as home security cameras, baby monitors, and smart TVs. Specifically, the Commission explains that such actions emphasize the need for manufacturers to take reasonable security measures and to continuously manage security risks. The comments also note several policy initiatives, consumer and business educational materials, and company-specific guidance (in lieu of enforcement) intended to assist IoT manufacturers with device security.

The Commission also recommends several changes to the NTIA guidance’s “Elements of Updatability”:

  • Edits to “Key Elements” Prior to Purchase – The Elements of Updatability recommend three pre-sale “key elements”: (1) disclosure of whether the device can receive security upgrades, (2) disclosure of how the device receives such upgrades, and (3) the anticipated timeline for the end of security support. The FTC recommends that manufacturers disclose the minimum support period, rather than an anticipated timeline, as well as disclose if the device will lose functionality or become highly vulnerable when security support ends.
  • Edits to “Additional Elements” Before or After Purchase – The FTC adds several “additional elements” that manufacturers should consider conveying to consumers, either before or after purchase. Such additional elements include (1) adopting a uniform notification method to, for example, notify consumers of updates (if updates are not automatic); (2) enabling consumers to sign up for affirmative security support notifications that are separate from marketing communications; and (3) providing real-time notifications when support is about to end.
  • Omission of One “Additional Element” – The FTC also advises omission of the “additional element” describing the update process, explaining that such description imposes costs on manufacturers with little benefit to consumers who can “feel overburdened by choice and ignore critical information.”

Lessons from the World of Trampoline Marketing

Last year, we wrote about an NAD case involving trampoline marketing. The Trampoline Safety website featured reviews designed to help buyers purchase a trampoline. But unless website visitors looked closely at a disclosure at the bottom of the site, they probably wouldn’t have realized that trampolines that had received the highest ratings were made by the same company doing the ratings. The NAD thought this was a problem because most visitors would assume that the site was independent, when it really wasn’t.

Yesterday, the FTC announced a settlement in another case involving trampolines. In this case, a company sold trampolines on a website that included logos from seemingly independent entities. A click on one of those logos led to ratings sites that were — you guessed it — run by the same company selling the trampolines. Moreover, one of the company’s owners posted positive reviews of his company’s products and negative reviews of competing products on various sites, without disclosing his identity.

The problem here should be obvious, and the terms of the settlement are designed to ensure that the company does not mislead consumers into thinking that reviews are independent, impartial, or come from a third-party expert when they really come from the company or its employees. In many cases, that means the company will have to include a clear and conspicuous disclosure explaining the relationship between any reviewer and the company.

Because most companies will never engage in the type of conduct alleged by the FTC, it may be tempting to dismiss this case as irrelevant. But keep in mind that some of the key principles underlying this case frequently present themselves in more mundane situations. Plenty of reputable companies have been investigated for allegedly failing to clearly disclose the connections or incentives behind reviews.

Fallout from Target’s 2013 Data Breach includes an $18 Million Multistate AG Settlement

Target Corporation agreed to an $18.5 million settlement with 46 State Attorneys General and the Attorney General of the District of Columbia this week, resolving allegations that the company failed to provide reasonable data security to its customers, as demonstrated by Target’s 2013 holiday data breach that affected more than 60 million customers.

Background. In November 2013, hackers accessed Target’s customer service database using legitimate credentials stolen from a third-party vendor.  The breach affected the personal information of over 60 million customers and the payment card accounts of over 41 million customers.  The information accessed included full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, card-validation value codes, and encrypted debit PINs.

Settlement Terms. The conditions of the settlement agreement, some of which will be effective for a five (5) year period, require Target to:

  • Implement a comprehensive information security program. Target must develop, implement, and maintain a comprehensive information security program and employ an executive for that purpose that will advise Target’s CEO and Board of Directors.
  • Encrypt and protect Cardholder data. Target must maintain encryption protocols and policies, and comply with the Payment Card Industry Data Security Standard.
  • Implement other technological safeguard measures. Target must implement specific safeguards including: implementing reasonable access-restricting mechanisms and appropriate systems to collect logs and monitor network activity; managing and documenting changes to network systems; adopting improved industry-accepted payment card security technologies; and using encryption or similar masking techniques to devalue payment card information.

The $18.5 million settlement is the largest multistate data breach settlement to date and yet another multistate settlement concerning a breach more than three years old.  Companies can review FTC guidance on protecting personal information, as well as the California Data Breach Report, and this settlement for general guidance on legal expectations to protect customer financial and personal information and the potential fallout for failing to do so.
