If a review site ranks your product as the top in a category, can you advertise that you’re “number 1” in that category? The answer may not be as simple as it seems, and two NAD cases – one from three years ago and one from last month – demonstrate why companies can’t simply rely on third-party rankings. Instead, they need to look at the methodology behind the rankings to determine whether the review site’s conclusions provide a reasonable basis for the claim.

In 2019, NAD recommended that TaxSlayer stop claiming that it was “Rated #1 in the Tax Prep Software Category on Trustpilot” – even though the claim was literally true – because “Trustpilot’s collection of user reviews did not provide reliable evidence to support the challenged Rated #1 claim or demonstrate the comparative satisfaction of users of tax preparation software.” Check out our previous post for more details about why NAD was concerned with the ratings methodology.

Last month, NAD recommended that CreditAssociates stop claiming that it was “America’s #1 Debt Relief Company” based on Trustpilot reviews – again, even though the claim was literally true – because it continued to have concerns over Trustpilot’s ratings methodology. Some of the concerns are similar to the ones NAD expressed in the TaxSlayer case, while others are a little different and reflect changes on the Trustpilot platform. Here are a couple highlights from NAD’s list of concerns:

  • Trustpilot rewards companies that solicit reviews and states that “businesses that regularly invite their customers to write reviews tend to have a higher TrustScore than businesses that don’t.” NAD was concerned that “companies that do not actively solicit reviews in accordance with Trustpilot’s requirements and receive a certain number of reviews will not even be considered as part of the universe of companies against which Credit Associates is compared.”
  • Businesses with a free Trustpilot account can solicit up to 100 reviews per month, while businesses with a paid account can solicit 500 or more, depending on the plan they choose. NAD noted that “in essence, the ranking at issue is influenced by a company’s Trustpilot subscription which affords more opportunities to solicit reviews than companies which do not have a paid subscription.”

Bottom line, according to NAD, “Credit Associates can only be confident that its own reviews represent the opinions of its own consumers as the same cannot be said about the companies against which it is being compared. Consumers can be misled because they are not aware of the lack of representativeness of reviews, a fatal flaw given the strength of the challenged claim.”

Notably, although NAD recommended that the company stop the #1 claim, NAD didn’t seem to take issue with a claim that the company had achieved a “4.9 out of 5 based on 8,641 reviews” on Trustpilot. This suggests that companies may be able to make monadic claims based on their ratings on Trustpilot, but both this and the previous TaxSlayer case demonstrate that it may not be possible to make comparative claims based on those ratings.

No, we’re not talking about sinister sewing guides, but rather practices or formats that may manipulate or mislead consumers into taking actions they would not otherwise take.

We untangled the topic of so-called “dark patterns” in two in-depth blogs earlier this year, available here and here. At that time, we noted there was a common thread between practices that regulators were calling “dark patterns” and practices that have been core elements of consumer protection law and policy for years. We concluded that, despite the catchy new terminology, it did not appear we’d be seeing a new legal standard.

The FTC’s newly released dark patterns staff report may lead us to pause and reconsider. While the majority of identified practices fall squarely within the FTC’s prior enforcement activities (e.g., hidden fees, improper disclosures, bait-and-switch offers), the report also weaves in a handful of practices that may be more of a stretch under existing law, signaling a possible pivot towards more aggressive enforcement activities.  Here are a few of them:

  • Using shame to steer users away from certain choices, a concept the California Privacy Protection Agency (led by FTC alum Askhan Soltani) has also proposed to include in the draft CPRA regulations.
  • Making the free version of a game so cumbersome and labor-intensive that the player is induced to unlock new features with in-app purchases;
  • Making users create an account or share their information to complete a task;
  • Asking repeatedly and disruptively if a user wants to take an action;
  • Making a request that doesn’t let the user permanently decline – and then repeatedly prompting them with the request.

The report also focuses specifically on dark patterns seeking to obscure or subvert consumers’ privacy choices.  These include:

  • Asking users to give consent but not informing them in a clear, understandable way what they are agreeing to share, an issue France’s data protection authority has addressed;
  • Telling users the site is collecting their information for one purpose but then sharing it with others or using it for other purposes;
  • Including default settings that maximize data collection and making it difficult for users to find and change them.

In text on which staff did not elaborate, the report also contends that businesses should use consumer information only for “the service the consumer requested, and nothing more.” Such restrictive purpose limitations are not contemplated by state privacy laws and would foreclose innovation.

As of this writing, the FTC hasn’t announced any cases challenging practices in these more innovative categories. Some of these same categories have also been discussed by State Attorneys General in recent months at meetings such as the NAAG Consumer Protection conference, but similarly, AGs have been reluctant so far to push the boundaries of which of these practices they believe constitute a violation of state law. We will continue to monitor this issue on both the state and federal fronts and post updates as they occur.  In the meantime, companies should give serious consideration (both in light of this FTC development and the emerging state law emphasis on dark patterns) in their product interfaces, disclosure and notice design, purchases flows, cancellation methods, and other consumer communications.


As we’ve noted in other posts, an FTC rule prohibits companies from stating or implying that a product is made in the USA unless: (1) the final assembly or processing of the product occurs in the USA; (2) all significant processing that goes into the product occurs in the USA; and (3) all or virtually all components are made or sourced in the USA. It can be a challenge to figure out whether a product you make meets that standard, especially when you get components from suppliers. A new FTC closing letter sheds some light on how companies should go about this.

Sassy Baby makes toys and other products for babies. Up until recently, the companySassy Baby Diaper Sacks claimed that some of the products were “Made in USA” based, in part, on assurances it had received from its supplier. When the company learned that it had been misled by the supplier, it stopped making the claims and voluntarily reported the issue to the FTC. The FTC decided not to pursue the investigation – presumably because Sassy Baby had done initial due diligence and quickly fixed the problem when they discovered it – but the staff took the opportunity to discuss whether companies can generally rely on their suppliers.

Notably, companies should not just assume that the components they obtain from suppliers are all or virtually all made in the USA. Instead, they should ask their suppliers for information about the percentage of US content in those components. The letter notes that, depending on context, supplier-provided certifications may constitute a “reasonable basis” for an advertiser to make a “Made in USA” claim. In a footnote, FTC staff point to a 1998 guidance document that actually includes sample language that companies can use in purchase orders with suppliers.

Although this case seemed to stem from the company’s voluntary report, rather than from the FTC’s own investigation, “Made in USA” claims are still a hot topic for the FTC and the agency is likely to continue its own investigations. If you make claims about domestic origin, be sure to take a close look at the FTC’s new Made in USA Labeling Rule and assess how well you’re complying. With the enactment of the new Rule, companies can find themselves paying steep penalties for failure to comply.

Last month, we discussed the broad authority that State Attorneys General have in enforcing price gouging laws – many of which remain in effect given the number of states that are still under some state of emergency.  We noted the significant expansion in recent AG enforcement, and observed that at least two courts had pushed back on these efforts, dismissing cases brought by the Texas and New York Attorneys General.  Just a short month later however, both cases have now been reinstated by appellate courts, again raising the prospects that AGs will continue to push the boundaries in price gouging enforcement, especially while consumers are struggling to deal with high prices due to labor shortages and inflation. Continue Reading State Attorney General Price Gouging Claims Find New Life

For centuries, monsters have been vilified in countless books and films. Although the bad reputation that monsters have earned is generally well-deserved – they do, after all, frequently hurt people, destroy things, and otherwise cross the line of what’s socially acceptable – it’s important to keep in mind that some monsters are actually a lot like us. They go to work, they spend time with their families, and they like to unwind at the end of a long day. And that’s where this story begins.

A recent Spectrum commercial shows a mummy, the grim reaper, a demon, and a creepy puppet getting ready to play an online game, when their attempts to unwind are thwarted by slow internet speeds. When the puppet asks the demon whether he gets his internet through a fax, the demon responds that it’s all he could get in his place with AT&T. An announcer states that “bad download speeds are evil,” and that “Spectrum downloads speeds are 20X faster than AT&T,” as the same words appear on the end card.

Shot of TV CommercialAT&T argued that the commercial conveys a “line claim” – in other words, that consumers will think that Spectrum download speeds are 20X faster than AT&T download speeds on all plans – which isn’t accurate. In fact, AT&T offers plans with higher speeds than the ones Spectrum used for its comparison. Spectrum disagreed that consumers would interpret the commercial as conveying a line claim, arguing that a disclosure in the ad clearly states the basis of the comparison: “Spectrum Internet Gig against AT&T Internet 50.”

Siding with AT&T, NAD noted that the audible parts of the commercial and the end card prominently mention “Spectrum” and “AT&T,” rather than the specific service plans being compared. Although the disclosure did mention the specific plans, a “small print” disclosure was not sufficient to “prevent a broad line claim message from being conveyed.” Accordingly, NAD urged the advertiser to stop making the claim or to more clearly and conspicuously disclose the specific plans being compared.

Usually, when NAD recommends that an advertiser make a clear and conspicuous disclosure, it doesn’t elaborate on what that means. In this case, though, NAD did provide additional detail: “If the 20X Faster Claim is audible, the basis of comparison must also be clearly and conspicuously audible to ensure that consumers who only hear the 20X Faster Claim are informed of the specific service tiers upon which the download speed comparison is based.”

Does this mean that advertisers will always need an audible disclosure to ensure that TV ads don’t convey line claims? Not necessarily. NAD notes that “in reviewing line claims, the question as to whether both visual and audio disclosures are necessary depends on the merits and context of each case . . . .” But the end to that sentence is telling: “disclosing the basis of comparison in both visual and audio formats considerably lessens the potential for consumer confusion.”

This case has lessons for everyone. If you’re an advertiser making comparative claims, make sure that you are clear about exactly what products or services you are comparing so that you lessen the potential for consumer confusion –  not to mention the potential for your competitor to argue that consumers are confused. If you’re a monster focused on online gaming, make sure you spring for the faster internet plan. Either way, a little prior planning can save you a lot of frustration later.

This week, 38 Attorneys General joined forces in a letter promulgated by the National Association of Attorneys General (NAAG) to urge Congress to provide them with authority to address consumers’ frustrations with airlines, further advocating for a shift of federal authority over consumer complaints away from the Department of Transportation.

Stating that the airline industry has “failed their customers,” the Attorneys General discuss the thousands of complaints they receive from consumers that they are unable to act upon due to the US Department of Transportation’s preempting authority. The AGs blame USDOT throughout multiple administrations for not taking appropriate action against the airlines even when made aware of the AG consumer complaints. General Weiser of Colorado additionally has raised antitrust concerns further impact consumers. Ultimately, the AGs ask Congress to pass legislation to authorize State AGs to enforce consumer protection laws against airlines. As an essential service to the economy and both personal and professional lives of consumers, the AGs state that the airline industry’s impact on consumers is a bipartisan issue that should be policed by State AGs to increase consumer confidence.

While the AGs don’t specifically note in the letter how their powers have become limited, two important cases highlight the broad preemptive power of the Airline Deregulation Act of 1978. In the first, Morales v. Trans World Airlines, 504 US 374 (1992), the United States Supreme Court held that the Airline Deregulation Act preempts States from enforcement of their general consumer protection statutes, in this case specifically pertaining to allegedly deceptive advertisements. States had created airline industry guidelines through the National Association of Attorneys General as part of a multistate effort in the 1980s, which Texas later sought to enforce in the TWA case.

Later in 2012 California filed suit under its Online Privacy Protection Act against Delta over its app lacking a privacy policy. A California appeals court in 2016 ruled that the state did not have the ability to enforce its privacy statute because the Airline Deregulation Act disallows states from enforcing laws “related to a price, route or service of an air carrier.”

The takeaway? States AGs will continue to push boundaries where their consumers have interest and where they believe their enforcement efforts can complement and enhance federal protections.  Moreover, when issues arise but they cannot enforce their laws, they will use those opportunities to expand their consumer protection authority.


Last November, the FTC sought public comment on a draft strategic plan for 2022-2026.  As we blogged here and discussed in a comment submitted to the FTC (one of only 21 submitted), a key change from prior strategic plans was deletion of the phrase “without unduly burdening legitimate business activity” from the FTC’s Mission Statement – a change that the Commission majority just adopted in its final Strategic Plan for 2022-2026.

Here’s the Mission Statement from the FY 2018-2022 plan, which generally tracks wording that the FTC has used for decades:

  • Protecting consumers and competition by preventing anticompetitive, deceptive, and unfair business practices through law enforcement, advocacy, and education without unduly burdening legitimate business activity (emphasis added).

And here’s the Mission Statement that the FTC just finalized for 2022-2026:

  • Protecting the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education.

As we stated in our prior post and comment, we think omitting the phrase “without unduly burdening legitimate business activity” sends a troubling message to the public about the FTC’s purpose and intent. The omission is doubly concerning now that the FTC has stated (in the final plan) that “[s]enior staff met to discuss the public comments that were received, and changes were made to the draft plan in response” – thus affirming that deletion of the phrase was deliberate and not simply an oversight.

Indeed, some of the Commission’s recent actions convey the same troubling message. For example, as we discuss here, the FTC’s ANPR on “commercial surveillance” addresses the benefit of privacy regulation in great detail but says very little about the potential costs of such regulation on consumers, competition, and legitimate business activity.

Here’s a quick reminder of why this phrase and the principle it embodies is so important: For years, it has communicated that, in enforcing the law and developing regulations, the FTC will tailor its allegations, prohibitions, and remedies to illegal conduct, and will take care to preserve the legitimate business functions that provide products and services to consumers and maintain our vibrant, competitive economy. In other words, the FTC has recognized that legitimate business activity benefits consumers and competition, and has consistently made a public commitment to preserve it.

In addition, as we detailed in our prior post and comment, the concept of preserving legitimate business activity is integral to many laws and policies that have long governed the agency’s authority and processes – including unfairness, deception, substantiation, “fencing in,” and precedent governing unfair methods of competition.

The FTC’s mandate – to prevent deceptive, unfair, and anticompetitive practices – is essential to maintaining a thriving economy that serves and protects the American public. So is preserving the legitimate business activity that consumers across this country rely upon every day.


The FTC and six states just announced that they had filed a lawsuit against Roomster – a platform through which people can find rooms and roommates – along with its owners, alleging that they had “inundated the internet with tens of thousands of fake positive reviews to bolster their false claims that properties listed on their Roomster platform are real, available, and verified.” At the same time, the regulators announced a settlement with an individual who allegedly sold Roomster many of the fake reviews.

Roomster advertised that its platform had “millions of verified listings” in a “safe community with real members worldwide.” To test how well Roomster verified the listings, the regulators listed a room for rent on the platform at an attractive price. Had Roomster attempted to verify the review, it would have learned that the address of the listing was actually a US Postal Office commercial facility. According to the complaint, though, Roomster never asked any questions.

To bolster its marketing campaign, the company allegedly flooded the internet and app stores with tens of thousands of 4- and 5-star reviews, many of which were fake. In fact, Roomster bought over 20,000 reviews from AppWinn alone. (More on them later.) Emails between Roomster and AppWin show a detailed plan addressing how and when the reviews should be posted. According to the complaint, the number of positive fake reviews diluted the real reviews, many of which warned of scams on the platform.

Although the case against Roomster is pending, the owner of AppWin agreed to sign a proposed settlement with the FTC and six states. Under the settlement, he has agreed – among other things – to notify the Apple and Google app stores that Roomster paid him for posting reviews, to specifically identify those reviews, and to pay a total of $100,000 to the states. The proposed settlement also bans him from selling consumer reviews or consumer endorsements.

Although our regular readers would never engage in the type of practices alleged in this complaint, the case is worth noting for a number of reasons. Among other things, the case demonstrates that the FTC and state AGs continue to focus on the integrity of reviews. This case involves fake reviews, but regulators have applied similar principles in cases that involved legitimate reviews, when those reviews were incentivized, but the incentives weren’t clearly disclosed. If nothing else, hopefully we’ve saved you from renting a fake room in a post office.

It’s late August, but there’s a lot going on at the FTC and in consumer protection news more generally.  This blogpost highlights some recent FTC-related news, as well as several issues related to the FTC’s legal authority that bear watching.


As we blogged here, the FTC filed suit in March against Intuit for its alleged deception in claiming that its online tax preparation service is “free” when it’s only free for taxpayers filing “simple returns.”  As we reported, the FTC filed an administrative complaint while also seeking a TRO in federal district court, even as multiple State AGs were investigating and Intuit claimed it had pulled its “free” claims off its website. Soon after, the FTC lost its motion for the TRO; the States and Intuit entered into a multi-state settlement; and Intuit moved for withdrawal of the FTC’s case from administrative adjudication (per FTC Rule 3.26(c), to allow the FTC to determine “whether the public interest warrants further litigation”), which the FTC granted.

In its motion for withdrawal, Intuit argued that the case had become moot, in large part due to the multi-state settlement. However, on August 19, the Commission issued an order disagreeing with that assessment and returning the case to administrative litigation. Soon after, FTC complaint counsel filed a motion for summary decision seeking entry of a cease-and-desist order without need for a trial.

The merits of this case are interesting – FTC counsel argues that Intuit shouldn’t be able to use the word “free” unless the product is free for everyone or, alternatively, the conditions for making it free (and the fact that it isn’t free for everyone) are clearly disclosed at the outset of the offer. But the dynamics between the FTC and the State AGs are just as notable. In its recent motion, FTC counsel argues that an FTC order is necessary because the State settlement is “inadequate, allow[s] ongoing deception and harm, and … undermine[s] consumer welfare.” In particular, says FTC counsel, the State settlement allows key disclosures to be “hidden behind” a hyperlink for “space-constrained” ads and sunsets key provisions after 10 years. At a time when the FTC is increasingly teaming with the States to obtain monetary relief (post-AMG), this battle over the adequacy of their settlement could get messy.    Continue Reading FTC Updates – Intuit, Mag-Moss, and More

Warning that “[t]here are no more excuses,” California Attorney General on August 24, announced the first public settlement under the California Consumer Privacy Act (CCPA). The settlement order, which the court approved on the same day, requires beauty-product retailer Sephora, Inc., to pay a $1.2 million civil penalty to resolve allegations that the company failed to disclose to consumers that it was selling their personal information, and failed to process consumer requests to opt-out of sale by either offering a “Do Not Sell My Personal Information” link or via user-enabled global privacy controls.  The order also requires Sephora to implement, assess, and report on a CCPA compliance program, in addition to other injunctive terms.

Treatment of Sales and Opt-Out Signals in the Settlement

The allegations in the complaint are consistent with the AG Office’s long-standing position that Do Not Sell is a central feature of the CCPA – “the hallmark of the CCPA,” in the language of the complaint – and indicate that the AG takes a broad view of “sales” under the CCPA. According to the complaint, the CCPA’s opt-out provision establishes “certain straightforward rules: if companies make consumer personal information available to third parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be ‘selling’ consumer personal information under the law.”

Taken together, the complaint and order entrench a sweeping view of sales: “online tracking technologies” that make personal information available to third parties “in exchange for monetary or other valuable consideration,” including analytics and “free or discounted services” are defined as sales under the order. The AG alleges that Sephora disclosed its use of online tracking technology but not the sale of personal information. According to the complaint, the opposite was true: the privacy policy stated “we do not sell personal information,” and the company did not offer an opt-out of sale by any method. (The complaint also includes a deception count under California’s Unfair Competition Law, which focuses on these representations.)

The “online tracking” described in the AG’s complaint is not limited to Sephora’s use of advertising cookies, pixels, or other technology. The AG also alleges that Sephora’s use of “analytics,” which is characterized as part of “third-party surveillance,” constituted sales, and the order requires that Sephora enable restricted data processing for its service providers.

In addition to alleging sales through online tracking technologies, the AG’s complaint also charges Sephora with failing to respond to user-enabled global privacy controls (GPC).  The complaint states that Sephora’s practices were investigated as part of a June 2021 sweep of “large retailers,” to determine “whether they continued to sell personal information when a consumer signaled an opt-out via the GPC.” Although the GPC remains a proposed specification, the complaint alleges Sephora “completely ignored the GPC.”

Other Terms in the Order

In addition to imposing $1.2 million in civil penalties, the order requires Sephora to revise its disclosures and establish opt-out mechanisms via homepage link and GPC, to the extent that the company continues to sell personal information. The order also requires Sephora to conform its service provider agreements to the CCPA’s requirements, and provide an initial and two annual reports to the AG relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor the GPC.

What does this mean for businesses subject to CCPA?

First, if the AG sends a letter advising a business of CCPA violations, swift action may prevent additional investigation or enforcement action.  Here, the complaint explains that the AG’s investigation followed Sephora’s “fail[ure] to cure any of the alleged violations” and “le[d] to this enforcement action.”

Second, companies that use technology to track consumer behavior online, which is ubiquitous, should reassess whether their practices result in CCPA sales.  In particular, the AG may not regard analytics categorically to warrant treatment as a service provider offering.

Finally, it is important to continue to monitor developments on opt-out preference signals, which are addressed in greater detail in the CPPA’s draft regulations.

We’re keeping an eye on these issues, new case examples from the AG, and more.