In an aggressive expansion of its security and privacy enforcement programs, on September 15, 2021, the FTC issued what it characterized as a “Policy Statement” reinterpreting an old rule about personal health records.

First, some background. In 2009, Congress directed the FTC to create a rule requiring companies to provide notice when there is an unauthorized acquisition of certain health information not covered by HIPAA.  At the time, the FTC explained that its Health Breach Notification Rule was narrow, consistent with the text of the law, applying only to security breaches by vendors of certain health data repositories (called “personal health records” or “PHRs”) and certain companies that work with PHR vendors.

Flash forward to September 2021. The FTC’s Policy Statement declares a broad range of health, fitness, wellness, and related technologies to be covered by the Rule if they can draw information from “consumer inputs” and APIs that include “personal health records.”  This scope is markedly broader than the agency’s previously-issued guidance, which reiterated the narrow application of the Rule. To further illustrate, the FTC now says that health apps, such as glucose monitors or fitness trackers, are subject to the Rule if they draw information from a device or wearable and a phone calendar. In an unprecedented, expansive application of a narrow breach notice rule to consumer privacy, presumably to address what Chair Khan characterizes as “surveillance-based advertising,” the Statement also asserts that the “sharing of covered information without an individual’s authorization” triggers breach notification obligations. The FTC issued this policy statement even as the Commission was in the midst of seeking public comment on the rule as part of its periodic rule review process.

Companies violating the Rule face civil penalties of $43,792 per violation.

Commissioners Wilson and Phillips issued strong dissents, calling the Commission majority to task for abandoning prior business guidance and ignoring the Administrative Procedure Act’s notice and comment requirements.  FTC Chair Khan, in turn, lamented the fact that the Commission had not brought an enforcement action under the Rule, cautioning that “the Commission should not hesitate to seek significant penalties against developers of health apps and other technologies that ignore [the Rule’s] requirements.”

App developers and other companies providing health, wellness, fitness, and related apps should consider the implications of the FTC’s Statement, and assess the potential applicability to their business, even if they do not normally view themselves as covered by HIPAA or operating in an adjacent space.  Indeed, the FTC’s Policy Statement underscored that its guidance was intended to sweep broadly, noting its relevance for apps and other technologies that “track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas.”  Unfortunately, the Policy Statement raises more questions than it answers. For example:

  • Is all personal information collected by such technologies subject to the FTC’s new interpretation of the Health Breach Notification Rule?
  • Do current data governance policies and practices provide appropriate safeguards?
  • Are existing consumer disclosures and consents adequate to mitigate risk?  For example, what level of “authorization” would be required for sharing personal information for interest-based advertising and analytics purposes?

* * *

We will closely monitor developments and post updates as they occur.

The future composition of the FTC became a bit clearer on Monday, as the White House announced that President Biden will nominate privacy expert and scholar Alvaro Bedoya as FTC commissioner.  If confirmed, Bedoya would take the seat currently held by Commissioner Rohit Chopra, whose nomination as CFPB Director remains pending, and serve in a term that ends in September 2026.

Bedoya is currently a Visiting Professor of Law at Georgetown and is the Founding Director of Georgetown’s Center on Privacy & Technology (CPT).  Before moving to Georgetown, Bedoya served as Chief Counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law.  Bedoya’s background as a privacy expert sends a supportive signal from the White House of broader privacy initiatives at the FTC and bolsters privacy expertise at the Commission level.

With bipartisan support at the Commission  for a privacy rulemaking and more aggressive agency enforcement against “data abuses,” Bedoya could push the FTC to take an even broader view of its role in privacy enforcement and policy development.  To this point, Chair Lina Khan’s statement on Bedoya’s nomination cites his “expertise on surveillance and data security” as being “enormously valuable” to the FTC.

Under Bedoya’s leadership, CPT has tackled a wide range of privacy issues, including commercial practices that are squarely within the FTC’s focus.  For instance, CPT joined more than two dozen organizations on a September 2020 letter urging the FTC to “support further study of data and discrimination in any and all forthcoming 6(b) investigations undertaken by the FTC.”  (In December 2020, the FTC announced that it had sent orders to nine online platforms seeking information about their use of race, ethnicity, and several other factors for ad selection, content selection, and other purposes under Section 6(b) of the FTC Act, which authorizes the FTC to require annual or special reports from entities.)  Two years earlier, CPT joined a 2018 comment encouraging the FTC to examine the role of “tech giants” in allegedly causing or facilitating discrimination, the spread of misinformation, and other qualitative, broadly distributed hams.

CPT under Bedoya’s watch has also studied privacy and data-related issues that fall outside the FTC’s ambit.  For example, CPT scored law enforcement agencies’ use of face recognition technologies along civil rights and data protection dimensions and filed an amicus brief in federal district court arguing that aerial surveillance conducted by the Baltimore Police Department is unconstitutional.  In writings published under his own name, Bedoya has criticized government agencies’ use of commercial technologies and data for law enforcement and immigration purposes.  In a September 2020 op-ed, for example, Bedoya described a “panoply” of companies that provide data and software that support federal agencies’ immigration enforcement actions.

In addition to pursuing privacy and data security policy under the FTC Act, it’s also likely that Bedoya will examine how the FTC enforces specific privacy laws, such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (FCRA), and related rules.  The Commission recently finalized changes to five rules implementing the FCRA. While those changes were largely technical, they serve as important reminders regarding the host of overlapping obligations imposed on entities under FCRA and FTC and CFPB implementing regulations.

The timeline for Bedoya’s confirmation process is unclear and is likely to depend on further action on Commissioner Chopra’s CFPB nomination.  We will post updates as they occur.


Privacy Expert Alvaro Bedoya Nominated to FTC

Subscribe here to Kelley Drye’s Ad Law News and Views newsletter to see another side of the team in our second annual Back to School issue. Subscribe to our Ad Law Access blog here.

As they often have done in the past, the FTC and the FDA issued joint cease and desist letters last week to 10 companies suspected of making unproven health claims – in this instance, claims that dietary supplements treat or cure diabetes. The FTC and the FDA join forces on such letters in order to deliver a strong and consistent message that unsubstantiated health claims are illegal under the laws enforced by both agencies.

The FTC warned that the claims do not appear to be supported by competent and reliable scientific evidence, in violation of the FTC Act. The FDA warned that the products are being marketed as drugs that could cure, treat, mitigate, or prevent disease, but are not generally recognized as safe and effective for the marketed uses and not approved by the FDA. As such, the products are misbranded and illegal under the Food Drug and Cosmetic Act (FD&C Act).  The letters demanded that the companies cease and desist from making unsubstantiated claims within 15 days.

Deceptive Claims under the FTC Act

To be sure, these letters are noteworthy for companies making diabetes-related claims, but their importance is not necessarily limited to that. Advertisers should pay attention more broadly to the FTC section of the letters, as it may signal the FTC testing its authority to seek penalties under Section 5(m)(1)(B).

In particular, in describing how and why the claims violate the FTC Act, the letters cite to cases holding that unsubstantiated disease claims of various types are unlawful, and appear to be styled as so-called Section (5)(m)(1)(b) letters laying the groundwork for civil penalties – similar to letters the FTC has sent companies making allegedly unsubstantiated claims that their products are made from bamboo. In general, the FTC has limited authority to obtain civil penalties. However, Section (5)(m)(1)(b) of the FTC Act authorizes the agency to seek penalties when the FTC has (1) previously determined in a litigated administrative proceeding that a practice is unfair or deceptive (2) issued a final cease and desist order with respect to such practice, and (3) put a company on notice of this fact (such that it has “actual knowledge) via warning letter.

It’s not clear yet whether the FTC will actually seek civil penalties based on these letters. But if it does, it would be testing the limit of its authority under Section 5(m)(1)(b). That’s because the law arguably contemplates that the “final cease and desist order” cited in a Section 5(m)(1)(b) letter be more specific to the practice being warned about than the potpourri of health cases cited in these current letters. Put another way, to confer “actual knowledge” on the companies, the cited cases should address unsubstantiated diabetes claims, not wholly different health claims about heart disease, cancer, erectile dysfunction, etc. Indeed, the language of Section (5)(m)(1)(m) and precedent from the bamboo cases support this narrower reading. Top FTC officials have called for more frequent and aggressive use of the FTC’s Section 5(m)(1)(b) authority, and this appears to be a move in that direction.

Misbranding Under the FD&C Act

The FDA section of the letters doesn’t break new ground, but it does provide a helpful gauge for risk and a reminder about the importance of context.

Companies marketing supplements and foods to people with diabetes or pre-diabetes should review the claims cited in the letters to help assess risk of their current marketing. For example, some letters cite to claims that clearly exceed the bounds of structure function claims, e.g., claiming that the ingredients or products produced quantifiable improvements in fasting blood sugar, A1C levels, and reduced blood pressure as well as risk of heart attacks. However, other letters cite to claims that many marketers may think fall more squarely on the structure-function side of the line, e.g., “promote healthy glycemic response” and “supports healthy glucose tolerance.”  In addition to product labels and websites, the letters also cite to claims on social media – including testimonials dating as far back as 2018 – and to Amazon store fronts.

As is standard, the letters cite to specific claims, but it’s important to also consider the broader context. When marketing diabetes-related products, it’s risky to position any product as the fix for a condition that likely requires medication along with constant dietary discipline and monitoring. Even if the product claims are substantiated and within structure-function limitations, the context of positioning the product as one part of an overall diabetes management plan is key to managing risk.


We will closely monitor developments in these matters, as well as the agencies’ future use of warning letters and sources of legal authority, and post updates as they occur.

Subscribe here to Kelley Drye’s Ad Law News and Views newsletter to see another side of the team in our second annual Back to School issue. Subscribe to our Ad Law Access blog here.


Jessica L. Rich and Laura Riposo VanDruff, Two Former Senior FTC Officials Further Bolstering Kelley Drye’s Privacy and Advertising PracticesWe are thrilled that Jessica Rich and Laura Riposo VanDruff have joined the firm’s Privacy and Advertising practice groups. Both attorneys are former top officials at the Federal Trade Commission (FTC), with Rich having served as Director of the Bureau of Consumer Protection (BCP) and VanDruff as an Assistant Director in BCP’s Division of Privacy and Identity Protection (DPIP).

Jessica and Laura join our impressive list of former FTC officials, including the firm’s managing partner, Dana Rosenfeld, who served as Assistant Director of BCP and attorney advisor to FTC Chairman Robert Pitofsky, former Bureau Directors Bill MacLeod and Jodie Bernstein, as well as Aaron Burstein,  having served as senior legal advisor to FTC Commissioner Julie Brill.

Jessica served at the FTC for 26 years and led major initiatives on privacy, data security, and financial consumer protection.  She is credited with expanding the FTC’s expertise in technology and was the driver behind FTC policy reports relating to mobile apps, data brokers and Big Data, the Internet of Things, and federal privacy legislation.  She also directed the agency’s development of significant privacy rules, including the Children’s Online Privacy Protection Rule and Gramm-Leach-Bliley Safeguards Rule. She is a recipient of the FTC Chairman’s Award, the agency’s highest award for meritorious service and the first-ever recipient of the Future of Privacy Forum’s Leadership Award.  Jessica is also a fellow at Georgetown University’s Institute for Technology Law & Policy. Prior to joining Georgetown, she was an Independent Consultant with Privacy for America, a business coalition focused on developing a framework for federal privacy legislation.

Laura also brings significant experience to Kelley Drye. As Assistant Director for the FTC’s Division of Privacy & Identity Protection, Laura led the investigation and prosecution of matters relating to consumer privacy, credit reporting, identity theft, and information security.  Her work included investigation initiation, pre-trial resolution, trial preparation, and trial practice relating to unreasonable software security, mobile operating system security update practices, and many other information privacy and identity protection issues.  She joins the firm from AT&T where she served as an Assistant Vice President – Senior Legal Counsel advising business clients on consumer protection risks, developing and executing strategies in response to regulatory inquiries, and participating in policy initiatives within the company and across industry.

Jessica and Laura are an impressive duo and are sure to be an asset to our clients as they prepare for the future of privacy and evolving consumer protection law.

*                      *                      *

Subscribe here to Kelley Drye’s Ad Law News and Views newsletter to see another side of Jessica, Laura and others in our second annual Back to School issue. Subscribe to our Ad Law Access blog here.

As AMG recedes further into the past, lower courts are becoming more comfortable disposing of 13(b) actions where the proceedings are attempting to obtain monetary restitution as a matter of course. In many instances below, the FTC has conceded its inability to obtain monetary relief and has focused on the injunctive relief it seeks. However, there are still outstanding cases wherein, despite AMG, the FTC refuses to concede defeat on the issue of monetary relief under Section 13(b).


Latest update follows. Continue Reading Post-AMG Scorecard (Updated): FTC Claims for Monetary Relief in 13(b) Actions Dwindle

Following the momentum of President Biden’s sweeping competition executive order, the FTC now wants in on the action. In a unanimous vote, the Commission approved to adopt a policy statement calling for more aggressive enforcement against manufacturer restrictions that prevent consumers and businesses from repairing their own products. The policy statement also pushes for more enforcement of the Magnuson-Moss Warranty Act, which restricts a company from tying a warranty to the use of a specific service provider.

This policy statement flows from a two year process. As we have previously reported, in 2019, the FTC called for public comment and empirical research on repair restrictions, and in May 2021, the FTC released its “Nixing the Fix” report to Congress. Based on those results, the FTC issued this statement that it will now “prioritize investigations into unlawful repair restrictions under relevant statutes such as the Magnuson-Moss Warranty Act and Section 5 of the FTC Act.”

In her prepared remarks before the vote, Chair Lina Khan stated that repair restrictions “can significantly raise costs for consumers, stifle innovation, close off business opportunity for independent repair shops, create unnecessary electronic waste, delay timely repairs, and undermine resiliency.” She expressed that the FTC “has a range of tools it can use to root out unlawful repair restrictions” and called on the public to submit complaints about potential violations.

Commissioner Chopra echoed Khan’s sentiment and recommended that the Commission take steps in addition to reinvigorating enforcement: (1) engage the independent repair community, and conduct a close review on the user experience on; (2) work with other agencies to reform existing procurement policies that allow contractors to block government buyers from self-repair or seeking third-party repair services; and, (3) assist policymakers, including at the state level, to draft Right-to-Repair laws.

All companies offering a product warranty should review its terms, particularly any terms limiting repairs under the warranty. As we are bound to see more activity on the state and federal levels with right to repair legislation and enforcement, we will continue to monitor these developments.

On July 20, the U.S. House of Representatives passed H.R. 2668, the Consumer Protection and Recovery Act, to clarify the Federal Trade Commission’s enforcement authority under Section 13(b) of the FTC Act. H.R. 2668, authored by Representative Tony Cárdenas (D-CA), would explicitly authorize the FTC to seek permanent injunctions and other equitable relief, including restitution and disgorgement, to redress perceived consumer injury. The bill was passed by a vote of 221-205, with two Republicans joining all Democrats in support.

In a joint statement issued after the vote, House Energy and Commerce Committee Chair Frank Pallone (D-NJ) and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) said: “The Consumer Protection and Recovery Act will restore the FTC’s ability to force scammers that have broken the law to repay those who have been harmed or defrauded.” Chairs Pallone and Schakowsky moved quickly to usher the bill through their committee and the House just three months after the Supreme Court ruled in AMG Capital Management, LLC v. FTC that the Federal Trade Commission did not have the authority to pursue monetary penalties under Section 13(b).

Facing increasing legal uncertainty in the months leading up to the AMG decision, bipartisan FTC Commissioners had urged Congress to clarify the agency’s enforcement authority – and bipartisan Members of Congress expressed support, citing a shared desire to protect consumers and hold fraudsters accountable. Those bipartisan sentiments, however, did not translate to bipartisan legislative text. As we’ve written previously, House Energy and Commerce Committee Republicans have voiced process concerns, accusing Democrats of rushing the legislation through the House. Republicans have also stressed the need for statutory “guardrails” to ensure due process and protect legitimate businesses. Throughout the legislative process, for instance, Republicans have sought to amend the legislation to reduce the 10-year statute of limitations and to more narrowly tailor the language to target outright fraudulent acts. Republicans have also expressed concerns about retroactivity, questioning the legality of allowing the FTC to go after prior conduct with the expanded authorities included in H.R. 2668.

Ahead of the vote, Consumer Protection and Commerce Subcommittee Ranking Member Gus Bilirakis (R-FL) said, “…this bill before us will provide the FTC with new authorities that far outpace the need supported by a consensus of the FTC Commissioners.” He went on to say that the expanded authority granted to the agency in the legislation “signals a return to the broad overreach we saw with the FTC in previous decades –  a situation so bad that a Democratic Congress crippled the FTC’s funding and stripped it of its authority at that time.”

Additionally, House Republicans argue that any 13(b) fix should be part of a broader package of FTC reforms and should move in concert with legislation establishing a national privacy framework – an issue itself full of partisan landmines.

H.R. 2668 now heads to the Senate, where bipartisan Members of the Commerce Committee have expressed interest in a legislative fix – and where Democrats don’t have the luxury of disregarding Republican opposition. Perhaps in a nod to that reality, ahead of the bill’s passage, Representative Cárdenas said on the floor, “It’s unfortunate that we weren’t able to negotiate more into this bill and make it bipartisan, but there will be other opportunities as we are a two-chamber legislature, and I’m sure the Senate has some ideas about how to make this bill better. And we’re all open to that opportunity.”

For his part, President Biden appears ready to sign the bill, should it make it to his desk. Ahead of the House vote, the White House issued a strong statement of support: “The Administration applauds this step to expressly authorize the FTC to seek permanent injunctions and pursue equitable relief for all violations of law enforced by the Commission and ensure that the cost of illegal practices falls on bad actors, not consumers targeted by illegal scams.”



Not All the Spaghetti Sticks: Post-AMG Court Rejects FTC 13(b) Statute SwitchThe week started badly for the FTC when the U.S. District Court for the District of Columbia dismissed its antitrust complaint against Facebook (as well as a similar case brought by the attorneys general of 46 states).  And things got a little worse yesterday for the FTC in FTC v. Cardiff – even if news of the decision was well below the fold — given a federal court ruling  that the FTC’s late-breaking theory of monetary damages under the Restore Online Shoppers’ Confidence Act (“ROSCA”) was ill-timed.

As readers of this blog know, we closely followed the aftermath of the Supreme Court’s AMG ruling, especially as it pertains to ongoing FTC actions.  And we have seen the FTC make good on its promise to pursue a variety of theories in an attempt to recover monetary penalties intended to  redress consumer injury.

In doing so, the FTC has taken varying positions as to whether and how it still seeks monetary remedies: in some cases, the FTC, acknowledging that 13(b) money remedies are no longer available post-AMG, has withdrawn its claim for monetary relief; in others, the FTC requests that the court delay decision on monetary relief in the light of the possibility of future congressional action providing 13(b) monetary powers; and in others still, the FTC has withdrawn its request for 13(b) monetary relief, but  attempted to obtain money judgments through another statutory provision.

FTC v. Cardiff fits this third category.  Pending in the Central District of California, the FTC attempted to pursue monetary relief post-AMG by way of a different statute:  ROSCA. While the court agreed with the FTC that it could have pursued monetary relief under ROSCA, the court found the FTC had waived the right to request such relief in this case.

The court noted that, in the FTC’s Rule 26 disclosures, the Agency had only calculated damages under 13(b), not under ROSCA, and had only disclosed its ROSCA expert after discovery closed (and, conveniently, after AMG was decided). The court concluded that the FTC had forfeited its right to seek monetary relief under the alternate statutory provision, and granted Cardiff’s motion for summary judgment, confirming that the FTC was entitled to no monetary relief.

The court’s Cardiff decision is a significant blow to the FTC.  Stephen Cochell, one of the party’s lawyers (who, by the way, has racked up an impressive 13(b) won-lost record), provided the following comment:

The Court’s exclusion of evidence for violating Rule 26 sends a signal that the FTC is subject to the same rules as any other litigant in federal court litigation.  Overcharging, under-disclosing or late-disclosing information in Rule 26 Disclosures will not be tolerated.  The FTC will need to give more thought as to how they are going to establish damages and timely comply with Rule 26.

So while it is not Facebook, the Cardiff case is important for defendants that are already deeply enmeshed in litigation with the FTC.   It strongly suggests that courts may not allow the FTC to change its legal theory for damages on such short notice, especially where such a modification could prejudice the defendant.

Coming Up:  FTC Commissioners expected to testify before the Energy & Commerce Consumer Protection and Commerce Subcommittee on July 28th.

*                      *                      *

Second Circuit Reverses the Commission and Orders Dismissal on 1-800-Contacts

Subscribe here to Kelley Drye’s Ad Law Access blog and here for our Ad Law News and Views newsletter. Visit the Advertising and Privacy Law Resource Center for update information on key legal topics relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling.

Kelley Drye attorneys and industry experts provide timely insights on legal and regulatory issues that impact your business.  Our thought leaders keep you updated through advisories and articlesblogsnewsletterspodcasts and resource centers.  Sign up here to receive our email communications tailored to your interests.

Follow us on LinkedIn and Twitter for the latest updates. continues to aggressively beat the enforcement drum.  Today, its leaders sent a letter to Acting Director of the Bureau of Consumer Protection Samuel Levine encouraging the FTC “to implement a penalty offense program targeting the direct selling industry and its market-wide practice of utilizing deceptive earnings representations and false health claims.”

As we discussed in detail here, FTC Commissioner Rohit Chopra and his then attorney advisor Levine last year released a paper advocating for the Commission to resurrect the Penalty Offense Authority, which authorizes civil penalties where the following three conditions are met:

  • a final cease and desist order has been entered against a party in an administrative proceeding under Section 5(b) of the FTC Act;
  • there is a Commission determination that a specific practice is unfair or deceptive, as part of that order; and
  • a party with actual knowledge that the practice is unfair or deceptive has engaged in that practice after the order became final.

The letter argues that the Commission has issued “numerous final cease and desist orders following fully adjudicated administrative proceedings” that could be used as a predicate for an action under the Penalty Offense Authority.  Despite that assertion, the letter attaches only two orders: (1) the 1975 Koscot decision that established the standard for an illegal pyramid scheme under the FTC Act; and (2) a 2013 order against POM Wonderful LLC, which is not a direct selling company, but that involved allegations of misleading health claims for a food product.  While the FTC has indeed brought many enforcement actions and settlements against direct selling companies, the challenge that TINA and the FTC face in seeking to revitalize the Penalty Offense Authority is that its use requires a final order after an administrative proceeding.  Because the FTC for years relied almost exclusively on settlements and/or 13(b) litigated matters for enforcement, there are not many final orders after an administrative proceeding to rely on.

Undeterred by this limitation, the letter also provides a list of 660 direct selling companies with contact information “to assist the FTC in providing notice.”  The organization’s efforts are the latest in a series of efforts that explore how the FTC can obtain money through enforcement in novel ways in the wake of the Supreme Court’s unanimous AMG Capital Management decision.  For example, two weeks ago, the FTC filed an amended complaint against RCG Advances seeking civil penalties under the Gramm-Leach-Bliley Act under a new legal theory.  Before that, the FTC brought an action against MoviePass seeking civil penalties under the Restore Online Shoppers’ Confidence Act (ROSCA), again under a novel theory of statutory interpretation.

The Commission has also signaled that it may seek to amend the Business Opportunity Role to cover direct sellers and others in the “gig economy.”  The takeaway here is clear: even as the battle in Congress to pass legislation continues, the FTC and others are continuing to consider other methods to obtain money through enforcement.

Section 13(b)logThe ripple effects continue from the Supreme Court’s holding in AMG Capital Management, LLC v. FTC, explaining that Section 13(b) of the FTC Act does not allow (and never did allow) monetary remedies.

In some cases, the FTC has stricken equitable monetary remedies entirely by removing those requests for relief in amended complaints. In others, the FTC is attempting to retain its request for monetary relief by newly tying it to another statutory provision. In still others, the Agency has requested that courts ignore AMG, because Congress may, at some unspecified future date, amend the statute.

Latest update follows.

Continue Reading Post-AMG Scorecard (Updated): Different Roads Forward for the FTC in Pending Cases