In its third recent Penalty Offense Authority notice, the FTC today notified more than 1,100 companies offering “money-making opportunities” that it intends to pursue civil penalties of up to $43,792 per violation for misrepresentations related to potential earnings and related characteristics about the opportunity.  Recipients of the notice include virtually every major direct selling company and others in the gig economy such as Amazon, DoorDash, Lyft, and Uber.

That makes more than 1,800 companies that have been put on notice of penalty offenses in the past month.  It also crosses another alleged deceptive practice off the list laid out in the October 2020 paper authored by current Bureau Director Sam Levine and former FTC Commissioner Rohit Chopra, entitled The Case for Resurrecting the FTC Act’s Penalty Offense Authority.  Next up?  Well, if the Chopra/Levine paper points the way (and it appears to), we should expect future notices that focus on allegedly unfair and deceptive data harvesting and targeted marketing.

In addition to the eight categories of misrepresentations in today’s notice ranging from the amount of earnings possible to the amount of training provided, the sample cover letter published online also includes a section on endorsements and testimonials.  This means that each company receiving today’s notice also will receive the notice published last week on endorsements and testimonials, which over 700 companies also received (with some minimal overlap in that list). Continue Reading Next Up – Earnings Claims:  Notice of Penalty Offenses Sent to 1,100 Direct Selling Companies and Others in the Gig Economy

Flexing the Agency’s Muscles: What FTC Notice of Penalty Offenses Really Means for AdvertisersOver the last ten days, 700 companies and 70 for-profit colleges received notice of the FTC’s intent to pursue civil penalties under Section 5(m)(1)(b), if these companies and colleges engage in certain conduct deemed by the FTC to be unfair or deceptive.  The notices sought to achieve two important Agency objectives: first, force addressees to consider their marketing messages and compliance programs; and second, reintroduce (or reinforce) the threat of significant monetary penalties for those who need discipline.  The warnings will undoubtedly alter the dynamic of new investigations as parties consider the costs and benefits of negotiating consent orders that include payment of consumer redress.

But what if parties resist and the Commission were forced to litigate?  There, a third objective – to convince a court that the FTC’s Penalty Offense Authority entitles it to civil penalties based on these notices – is much less likely to be realized. Continue Reading Flexing the Agency’s Muscles: What FTC Notice of Penalty Offenses Really Means for Advertisers

In 2017, California updated its automatic renewal law to create some of the strictest requirements in the country. Now, just four years later, the Governor Newsom signed a new law that will impose even stricter requirements.

  • Requirements for Free Trials: If a program includes a free or discounted trial period of 31 days or more, unless the consumer cancels, a business must send consumers a reminder that the service will renew, the length of the renewal term, and how to cancel. This notice must be sent between three and 21 days before the expiration of the trial period.
  • Requirements for One-Year Terms: If a program has an initial term of one year or longer, a business must  send a reminder that includes similar information as what is required for free trials. This notice must be sent between 15 and 45 days before the expiration of the term.
  • Cancellation Requirements: Existing law states that consumers must be allowed to cancel online if they were able to sign up online. The new law adds to this requirement. For example, for subscriptions a customer can purchase online, a business must provide a cancellation option via a prominent link which may be located within a customer account or profile, device or user settings, or via an immediately accessible termination e-mail provided by the business that a consumer can send without additional information.

Renewal ButtonThe revised law will replace the existing one and will go into effect on July 1, 2022. Companies will need to think about what changes they need to make to their programs to comply. This is an area that gets a lot of attention from regulators and class action attorneys, so the consequences of getting things wrong can be significant.

Last week, California’s Governor Gavin Newsom signed into law AB 694, which makes a few technical changes to the California Privacy Rights Act (CPRA).  The relevant changes to the CPRA are summarized below.

  • As defined in the CPRA, “personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern.  The bill modifies the definition of “publicly available” by removing the apparently superfluous language “or by the consumer.”  The change to the definition in the CPRA is as follows:
    • “‘[P]ublicly available’ means: information . . . lawfully made available . . . or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.”
  • The bill changes when the California Privacy Protection Agency will assume responsibility for rulemaking from the “earlier” to the “later” of two dates: July 1, 2021 or six months after the Agency provides notice to the Attorney General that it is prepared to begin rulemaking.  The change in the CPRA is as follows:
    • “The agency shall perform the following functions: . . . (b) On and after the earlierlater of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities under this title, adopt, amend, and rescind regulations pursuant to Section 1798.185 to carry out the purposes and provisions of the California Consumer Privacy Act of 2018 . . . .”
  • The bill also adds an exemption to the consumer’s right to opt out of the sale of their personal information by a third party.  A consumer cannot opt out when the information pertains to “vessel information” and ownership information shared between a “vessel dealer” and a manufacturer, if such information is shared for certain purposes.  The bill adds definitions for the terms “vessel information” and “vessel dealer.”

We will continue to monitor and report on CPRA developments as they occur.

Monica Kulkarni, a law clerk with Kelley Drye & Warren, assisted in the drafting of this post.

CPRA

FTC Blankets Companies With Warning Letters Over Endorsements and ReviewsAs we have noted in earlier posts, in the wake of the Supreme Court’s holding that Section 13(b) of the FTC Act does not allow for monetary restitution, the Federal Trade Commission has been attempting to creatively utilize other provisions of the Act in order to obtain money from the companies and individuals it prosecutes. One threat it seems the FTC is now making good on is the use of the FTC’s long dormant Penalty Offense Authority, found in Section 5(m)(1)(B) of the Act.

That provision, which has rarely been used, authorizes the Commission to seek civil penalties against other parties where (1) a final cease and desist order has been entered against a party in an administrative proceeding under Section 5(b) of the FTC Act, (2) there is a Commission determination that a specific practice is unfair or deceptive, as part of that order, and (3) a party with actual knowledge that the practice is unfair or deceptive has engaged in that practice after the order became final. Civil penalties can add up quickly – potentially nearly $44,000 per violation.

Earlier today, the FTC sent warning letters to more than 700 companies recommending that recipients review their practices related to endorsements and reviews to ensure that those practices comply with the law. The warning letters are explicitly meant to serve as a predicate for what could be a sweep of civil penalty investigations of advertisers. In the Commission’s announcement of the warning letters, it emphasized that, in the Commission’s view, the blanket warning letter to over 700 companies in nearly every industrial sector “puts those businesses on notice that deceptive practices in the future could result in penalties of up to $43,792 per violation.”

The warning letters outline a broad array of purportedly deceptive practices the FTC has determined to be unfair or deceptive in prior administrative cases, including:

  • claiming – directly or by implication – that a third party has endorsed a product or its performance when that’s not the case (this includes fake reviews);
  • misrepresenting that an endorsement reflects the experience, views, or opinions of users or purported users;
  • misrepresenting an endorser as an actual, current, or recent user of a product;
  • continuing to advertise an endorsement unless the advertiser has good reason to believe the endorser continues to subscribe to the views presented in the endorsement;
  • using testimonials to make unsubstantiated or otherwise deceptive performance claims – even if the testimonial is genuine;
  • failing to disclose a connection between an endorser and seller of a product if that connection might materially affect the weight or credibility of the endorsement or review and if consumers wouldn’t reasonably expect that connection; and
  • misrepresenting – explicitly or implicitly – that the experience of an endorser represents the typical or ordinary experience of users of the product.

The warning letter informs its more than 700 corporate recipients that “FTC staff is not singling out your company or suggesting that you have engaged in deceptive or unfair conduct.” Instead, staff is “widely distributing similar letters and the notice to large companies, top advertisers, leading retailers, top consumer product companies, and major advertising agencies.” It remains to be seen whether such a blanket “notice of penalty violation” will survive what will surely be multiple, inevitable court challenges.

These types of letters are usually precursors to investigations. The FTC recently passed resolutions giving staff wide latitude in issuing Civil Investigative Demands, so now may be a good time to review your practices. Be sure to read our other posts on endorsements, reviews, and influencers for tips on how to comply with the law.

FTC Blankets Companies With Warning Letters Over Endorsements and Reviews

Since Congress enacted the Children’s Online Privacy Protection Act (COPPA) in 1998, the regulatory wall between kids and teens has been a remarkably durable one. During all this time, COPPA, the primary U.S. law protecting kids’ privacy, has protected children under 13 but hasn’t provided any protections for teens. While California’s privacy law grants some rights to teens under 16, these protections are narrow (opt-in for data sharing) and only apply within that state. This means that teens are generally treated like adults for purposes of privacy in the U.S.

It’s not exactly clear why COPPA’s age 13 cut-off was chosen the first place. First year of teen-hood? Bar Mitzvah age? The age when children become too independent and tech-savvy to let their parents control their media? (Ahem – that happened at age six in my house.) Whatever the reasons for the original choice, age 13 has stuck, even as concerns about teens’ privacy and use of social media have grown, and Senator Markey and others have repeatedly proposed extending privacy protections to teens.

However, we might finally be seeing some cracks in the kid-teen privacy wall – cracks that could lead to a federal law protecting teens in the not-too-distant future.

These cracks are due to a confluence of events. Notably, in September 2020, the U.K. passed a law (the Age Appropriate Design Code or AADC) that requires all online commercial services “likely to be accessed by” kids and teens (including apps, programs, websites, games, community environments, and connected toys or devices) to meet 15 standards to ensure that their content is age appropriate. The law, which became fully effective in September 2021, starts with the principle that any service be designed with the “best interest of the child” as a primary consideration. It then details more specific requirements, including that defaults be set at the most protective level (e.g., location tracking and profiling are set to “off”), that data is not shared with third parties without a “compelling reason,” and that “nudge” techniques aren’t used to encourage minors to provide data or reduce their protections.

In response to the law, U.S. companies operating in the U.K. (notably, some of the large tech platforms) recently announced new protections for teens – a significant development in the long-running kid-teen debate, but one that has received relatively little attention. For example, Facebook/Instagram now says that for kids under 16, it will default them into private accounts; make it harder for “suspicious” accountholders to find them; and limit the data advertisers can get about them. Meanwhile, Google/YouTube has pledged similar protections for kids under 18, including private accounts by default; allowing minors to remove their images; applying restrictive default settings; turning off location history permanently; and limiting the data collected for ad targeting.

Following these announcements, Senator Markey and two House members sent a letter to the FTC urging it to ensure that these companies keep their promises, using its authority to stop deceptive practices under the FTC Act.

And there’s more. Last week, in developments widely covered in the media, a former Facebook employee detailed what she viewed as manipulation of teens using algorithms that kept them on the platform and exposed them to harmful content. Also, with broad-based privacy legislation perennially stalled, there’s been talk that Congress might prefer to tackle privacy issues that are more manageable and bipartisan (like kids’ and teen privacy) – talk that has only grown louder since the developments regarding Facebook.

Adding to the momentum, Senator Markey recently introduced a bipartisan bill (with Republican Senator Cassidy) that would provide privacy protections specific to teens, and Representative Castor has introduced a similar bill in the House. Further, the FTC has expressed a strong interest in protecting kids’ privacy, and in undertaking enforcement and rulemakings to extend U.S. privacy protections beyond the status quo.

In short, the kid-teen privacy wall is under pressure, and we could soon see a federal law, FTC enforcement, and/or (a harder climb) an FTC rulemaking using the agency’s Magnuson-Moss authority. For companies that collect teen data in connection with marketing or providing commercial products or services, this means double-checking your data practices to ensure that they’re age-appropriate and don’t expose teens to harms that can be avoided. (While the U.K.’s AADC principles are very ambitious, and do not apply to U.S.-only companies, they’re a valuable reference point.) It also means being prepared to explain and defend your data practices with respect to teens if regulators come knocking.

We will continue to monitor developments on this issue and provide updates as they occur.

Last week, California’s Governor signed a law that will likely impose significant limitations on companies’ abilities to make recyclability claims or use the popular “chasing arrows” symbol in California.

The law states that using a “chasing arrows symbol, a chasing arrows symbol surrounding a resin identification code, orRecycling Symbol any other symbol or statement” on a product or package to indicate that it is recyclable, “or otherwise directing the consumer to recycle the product or packaging” is deceptive or misleading, unless the product or package is considered recyclable pursuant to specific criteria to be developed by the state’s Department of Resources Recycling and Recovery.

The Department is required to publish standards on or before January 1, 2024, specifying what sorts of material types and forms are considered recyclable. Among other things, the material type and form must be collected by recycling programs for jurisdictions that collectively encompass at least 60 percent of the population of California, and they must be sorted into defined streams for recycling processes by large volume transfer or processing facilities. The standards will be updated every five years.

Fortunately, the law provides a grace period for products or packages that are manufactured up to 18 months after the Department issues its standards. A similar 18-month grace period will be available after each five-year update, provided that a product or package met the recyclability requirements under the previous version of the standards. There are also other narrow exemptions for items that are covered by other state recycling laws, such as certain kinds of batteries and beverage containers.

The new law will create challenges for marketers because it is likely that a product that could be advertised as “recyclable” under the FTC’s Green Guides will not be able to be advertised as such in California. That said, the FTC has indicated that it will initiate a review of the Green Guides in 2022. Although it’s too early to predict what will come out of that review, it wouldn’t be surprising if the Commission also updates its standards for “recyclable” claims. Stay tuned.

It was an extraordinary week as the FTC continued to press the frontier of the post-AMG Capital Management landscape.

On Friday, the Commission, making good on promises to creatively explore all of its options for enforcement, announced by a 3-2 vote that it had reached a settlement pursuant to Section 19 of the FTC Act with Resident Home LLC and its owner Ran Reske.  At issue were allegedly false claims that the company’s imported mattresses are made from materials fully manufactured in the United States. As part of the settlement, Resident Home and Reske agreed to pay $753,000.

This action follows the FTC’s announcement earlier in the week that it had notified 70 for-profit higher educational institutions that it intends to make use of its long dormant Penalty Offense Authority.  As contemplated by the FTC, the Penalty Offense Authority would allow the Agency to obtain civil penalties when institutions make misrepresentations about their programs, and job and earnings prospects. Continue Reading Pushing the Boundaries of Existing Authority: Section 19 Post-AMG Capital Management

On October 6, 2021, the Senate Commerce Committee conducted its second in a series of hearings dedicated to consumer privacy and data, this time addressing Data Security.  Similar to last week’s privacy hearing, the witnesses and Senators appeared to agree that federal data security standards – whether as part of privacy legislation or on their own – are urgently needed. If there were to be consensus around legislative principles, the hearing provides clues about what a compromise might look like.

Prepared Statements. In their opening statements, the witnesses emphasized the need for minimum standards governing data security.

  • James E. Lee, Chief Operating Officer of the Identity Theft Resource Center, explained that without minimum requirements, companies lack sufficient incentives to strengthen their data security practices to protect consumer data. Lee also advocated for more aggressive federal enforcement rather than the patchwork of state actions, which, he said, produce disparate impacts for the same conduct.
  • Jessica Rich, former Director of the FTC’s Bureau of Consumer Protection and counsel at Kelley Drye, emphasized that current laws do not establish clear standards for data security and accountability. She advocated for a process-based approach to prevent the law from being outpaced by evolving technologies and to ensure that it accommodates the wide range of business models and data practices across the economy. Among her recommendations, Rich suggested that Congress provide the FTC with jurisdiction over nonprofits and common carriers and authority to seek penalties for first-time violations.
  • Edward W. Felten, former Deputy U.S. Chief Technology Officer, former Chief Technologist of the FTC’s Bureau of Consumer Protection, and current Professor of Computer Science and Public Affairs at Princeton University, focused on the need to strengthen the FTC’s technological capabilities, including increasing the budget to hire more technologists. Notably, Felten advocated for more prescriptive requirements in data security legislation such as requiring companies to store and transmit sensitive consumer data in encrypted form and prohibiting companies from knowingly shipping devices with serious security vulnerabilities.
  • Kate Tummarello, Executive Director at Engine, a non-profit organization representing startups, addressed the importance of data security for most startups. Tummarello advocated for FTC standards or guidance with flexible options. Cautioning against overburdening startups, Tummarello explained that newer companies take data security seriously because they do not have the name recognition or relationships with consumers that larger companies may have, and a single breach could be extremely disruptive. Additionally, Tummarello highlighted that the patchwork of state laws provides inconsistent and unclear data security guidance and imposes high compliance costs.

Continue Reading Hope Emerges at Senate Data Security Hearing – But Will Congress Grab the Brass Ring?

Making good on promises to creatively explore all of its options for enforcement, the FTC yesterday notified 70 for-profit higher educational institutions that it intends to use its long dormant Penalty Offense Authority to obtain civil penalties when institutions make misrepresentations about their programs and job and earnings prospects.  The move closely follows recommendations proposed in a paper authored by Commissioner Rohit Chopra and Bureau of Consumer Protection Director Sam Levine, which we previously discussed here.

Chopra was confirmed last week as CFPB Director and the announcement is likely to be one of his last acts as FTC Commissioner before he departs for the CFPB on Friday.  Levine was formally named Director of the Bureau of Consumer Protection last week by Chair Lina Khan, following his stint as Acting Director.  In prepared remarks announcing the notices, Chopra characterized the Penalty Offense Authority as “a unique authority in consumer protection enforcement . . . that past Commissioners largely ignored, depriving our hardworking staff of the ability to pursue the full range of sanctions against bad actors.”  Chopra emphasized that its use was particularly important in the wake of the Supreme Court’s decision in AMG Capital Management.  The move also follows last month’s cease and desist letters issued to companies making diabetes treatment claims, which were structured to include references to the FTC’s Penalty Offense Authority.

In yesterday’s notice, the FTC identifies seven categories of claims made by for-profit colleges that the FTC has determined to be deceptive or unfair, including misrepresentations about the need or demand for consumers who have graduated from the institution, employment prospects, the number or percentage of graduates who have obtained employment, and typical or potential earnings for graduates.  The notice includes cites to three dated decisions from 1980, 1971, and 1952 as support for use of the Penalty Offense Authority.  The Penalty Offense Authority requires the Commission to have determined in a litigated administrative decision under Section 5(b) that a specific act or practice is unfair or deceptive, issue a final cease and desist order regarding that practice, and provide notice to an entity such that they have “actual knowledge” that the act is prohibited.

While it is clear that the FTC intends to aggressively use its Penalty Offense Authority, there are many unanswered questions about that use:

  • Are precedents from 40 or more years ago sufficiently similar to serve as a predicate offense?  Legislative history to the Penalty Offense Authority makes clear that Congress intended use of the authority to be limited.  Does the FTC’s reliance on dated decisions involving different facts align with the provisions of the FTC Act, congressional intent, and due process standards?   Notably, the Commission itself never even issued a determination that any act or practice was unfair or deceptive in MacMillan, one of three cases relied upon in yesterday’s noticeInstead, the Commission allowed an initial unappealed decision by the ALJ to become final.  Particularly in the wake of AMG and courts taking a closer look at actual FTC authority, it seems unlikely that MacMillan qualifies under Section 5(b)’s requirement for the Commission to “make a report in writing in which it shall state its findings as to the facts.”
  • Are the facts and legal standards sufficiently similar?  A lot has changed in the 40-60 years from the decisions cited in the notice letters.  While the limits of the Penalty Offense Authority have not been extensively tested, at least one court has rebuked the FTC’s attempted use of the authority where the facts in the underlying decision were not sufficiently similar to the new conduct.
  • Who’s next?  For-profit colleges were just one of a number of targets identified in Chopra’s and Levine’s paper.  Other industries ripe for use of the Penalty Offense Authority according to the paper include direct sellers and others in the gig economy making earnings claims, deceptive online reviews and influencer campaigns, deceptive data harvesting and privacy misrepresentations, and targeted advertising that allegedly runs afoul of the Fair Credit Reporting Act.  Income claims seems like the most likely next target, particularly given the Commission’s forthcoming review of the FTC’s Business Opportunity Rule.