Federal Trade Commission (FTC)

In guidance released last week, the New York State Office of the Attorney General urged businesses to incorporate safeguards to detect and prevent credential-stuffing attacks in their data security programs.  The guidance stemmed from the AG’s finding that 1.1 million customer accounts at “well-known” companies appeared to have been compromised in credential-stuffing attacks.

Credential stuffing

After months of speculation, we now know what rules the FTC will launch or possibly amend in 2022, thanks to a Statement of Regulatory Priorities the FTC published December 9.

The headlines? In addition to reviewing or taking action on almost 20 existing rules and guides, the FTC plans to develop multiple new rules on surveillance, unfair methods of competition, and potentially a slew of other issues. And the Republican Commissioners are crying foul.

New rules  

The new rules highlighted in the FTC’s Statement pack a whole lot of punch, as they encompass multiple issues and could lead to multiple separate rules. They include:

  • Rule(s) to halt “abuses stemming from surveillance-based business models,” which could curb “lax security practices” and “intrusive surveillance,” and “ensur[e] that algorithmic decision-making does not result in unlawful discrimination.” The FTC’s Statement signals that these rule(s) will address both consumer protection and competition issues.
  • Rules defining “unfair methods of competition,” which could include (citing the President’s Executive Order on Competition) rules related to “non-compete clauses, surveillance, the right to repair, pay-for-delay pharmaceutical agreements, unfair competition in online marketplaces, occupational licensing, real-estate listing and brokerage, and industry-specific practices that substantially inhibit competition.”
  • Rules to “define with specificity unfair or deceptive acts or practices” – a potentially infinite category of issues and regulations.

As the FTC explains, the agency’s renewed focus on rulemaking is a response to “changed circumstances,” including the Supreme Court’s AMG ruling (limiting the FTC’s redress authority), the insufficiency of the “case-by-case” approach to competition, and the FTC’s removal of steps in its Section 18 (Mag-Moss) rulemaking process. Notably, when the FTC is enforcing a rule, it can seek consumer redress and/or civil penalties; this authority was not affected by AMG.
Continue Reading What Rulemaking is the FTC planning for 2022? Now We Know

In case you missed it, last week (on November 30), the National Telecommunications and Information Administration (NTIA) announced that it would convene a series of virtual listening sessions on privacy, equity, and civil rights. According to NTIA, the sessions (scheduled for December 14, 15, and 16) will provide data for a report on “the ways

For decades, the FTC has explained that the omission of information can lead to liability.  It is also a canon of statutory construction that an amendment helps reveal legislative intent. And of course, your mother put it simply: words that you say (and take back) have meaning.

Earlier this month, the Commission released its draft

Last week, FTC Commissioner Christine Wilson delivered a speech with a title that made clear she intended to speak her mind: The Neo-Brandeisian Revolution: Unforced Errors and the Diminution of the FTC.

Predicting that the new FTC Leadership will fall far short of achieving its objectives — most of which she opposes — Commissioner Wilson

In a much-anticipated announcement last week, the FTC amended the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, and proposed a further amendment requiring certain financial institutions to provide the FTC with notice in the event of certain security events.  Although these changes were announced after FTC Commissioner Chopra left the agency to lead the CFPB, he apparently voted prior to leaving to ensure 3/2 approval of the amendments in a Commission that remains divided.

What is GLBA Safeguards?

For nearly 20 years the Safeguards Rule has required financial institutions to develop, implement, and maintain comprehensive information security programs to protect their customers’ personal information.  Such programs must be appropriate to each entity’s “size and complexity, the nature and scope of [its] activities, and the sensitivity of the customer information at issue.” For a generation, the Rule’s requirements have influenced data security standards in other sectors, emphasizing a flexible, process-based approach.  The amended Rule replaces some of that flexibility with more specificity.
Continue Reading GLBA Safeguards Gets a Makeover: Why it Matters for Businesses with Customer Information

In its third recent Penalty Offense Authority notice, the FTC today notified more than 1,100 companies offering “money-making opportunities” that it intends to pursue civil penalties of up to $43,792 per violation for misrepresentations related to potential earnings and related characteristics about the opportunity.  Recipients of the notice include virtually every major direct selling company and others in the gig economy such as Amazon, DoorDash, Lyft, and Uber.

That makes more than 1,800 companies that have been put on notice of penalty offenses in the past month.  It also crosses another alleged deceptive practice off the list laid out in the October 2020 paper authored by current Bureau Director Sam Levine and former FTC Commissioner Rohit Chopra, entitled The Case for Resurrecting the FTC Act’s Penalty Offense Authority.  Next up?  Well, if the Chopra/Levine paper points the way (and it appears to), we should expect future notices that focus on allegedly unfair and deceptive data harvesting and targeted marketing.

In addition to the eight categories of misrepresentations in today’s notice ranging from the amount of earnings possible to the amount of training provided, the sample cover letter published online also includes a section on endorsements and testimonials.  This means that each company receiving today’s notice also will receive the notice published last week on endorsements and testimonials, which over 700 companies also received (with some minimal overlap in that list).
Continue Reading Next Up – Earnings Claims:  Notice of Penalty Offenses Sent to 1,100 Direct Selling Companies and Others in the Gig Economy

Flexing the Agency’s Muscles: What FTC Notice of Penalty Offenses Really Means for Advertisers

Over the last ten days, 700 companies and 70 for-profit colleges received notice of the FTC’s intent to pursue civil penalties under Section 5(m)(1)(b), if these companies and colleges engage in certain conduct deemed by the FTC to be unfair or deceptive.  The notices sought to achieve two important Agency objectives: first, force addressees to consider their marketing messages and compliance programs; and second, reintroduce (or reinforce) the threat of significant monetary penalties for those who need discipline.  The warnings will undoubtedly alter the dynamic of new investigations as parties consider the costs and benefits of negotiating consent orders that include payment of consumer redress.

But what if parties resist and the Commission were forced to litigate?  There, a third objective – to convince a court that the FTC’s Penalty Offense Authority entitles it to civil penalties based on these notices – is much less likely to be realized.
Continue Reading Flexing the Agency’s Muscles: What FTC Notice of Penalty Offenses Really Means for Advertisers