Federal Trade Commission

On November 27, the FTC Commissioners testified on a range of issues before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security. One excerpt that caught our attention was their comments on “Made in USA” advertising and the potential for increased scrutiny.

Here’s an excerpt of the Q&A between Sen. Shelly Moore Capito (R-WV) and the FTC Commissioners (emphasis added):

CAPITO: Okay, last question I have on fraudulent marketing would be the… fraudulent Made in America label. How prevalent is this? And what are some of the means you’re going to try to curb this practice?

SIMONS: This is fairly prevalent. We get hundreds of these, hundreds of complaints a year, that people are improperly using the Made in the USA label. We are committed to investigating those, and usually a lot of times what happens is the firm, the company doesn’t even realize that it’s a violation. So we explain to them it’s a violation and they stop it.

Sometimes companies do it intentionally, sometimes we tell them and they don’t stop and those people we sue. And one of the things that we’re exploring now, as a general rule, we have only gotten injunctive relief in cases like this previously. Now we’re exploring whether we can find a good case that would be appropriate for monetary relief to serve as an additional deterrent.

CHOPRA: I just want to add here that I think there are manufacturers out there who hire American workers and who purposely do that because they want to put the flag on their product. And for those who lie, this cheapens the Made in the USA label so it’s not just hurting American consumers, it’s hurting every American manufacturer who is trying to do right. So I want us to be much more aggressive with this, actually. And if you and Senator Cortez-Masto want to team up, finding civil penalties for some of these bad actors, we can make sure we increase compliance levels. And I got to tell you — right now there’s a country of origin labeling issues in agriculture, country of origin issues in product marketing. We have to do more to put a stop to this because this is extremely unfair to honest companies.

Continue Reading FTC Testimony Signals Possible Increase in “Made in USA” Advertising Scrutiny

Yesterday, a D.C. district court upheld a recent opinion letter issued by FTC staff that extended robocalling restrictions to telemarketing calls that use so-called soundboard technology or “avatars.”  This technology generally allows a live agent to communicate with a call recipient by playing recorded audio snippets instead of using his or her own live voice.

In September 2009, the FTC staff had taken the position that avatar calls were not considered prerecorded messages under the Telemarketing Sales Rule (TSR).  See FTC Staff Opinion Letter to Call Assistant LLC (Sept. 11, 2009).  In November 2016, however, the FTC decided to revoke its previous letter, explaining that it is now the FTC staff’s opinion that outbound telemarketing calls that utilize avatars are subject to the TSR’s prerecorded call provisions. See FTC Staff Opinion Letter to Call Assistant LLC (Nov. 10, 2016).

The 2016 opinion letter explained that the staff’s change in position is due to the increasing volume of consumer complaints, the increase in how this technology has allegedly been abused by using it to conduct multiple calls at the same time without giving appropriate responses to consumers, and that the soundboard technology does “deliver a prerecorded message” under the statutory language used in the TSR.  The staff said that, even with a 1-to-1 limitation in place (i.e., using the technology to place one call at a time), this would not change the staff’s analysis.

A trade group representing companies that manufacture and use soundboard technology had challenged the FTC staff’s opinion letter, stating that the FTC: (1) circumvented the Administrative Procedures Act’s (APA) notice-and-comment requirements, and (2) violated the First Amendment by exempting pre-recorded solicitation calls between a non-profit charitable organization and its existing donors, but failing to exempt such calls to potential first-time contributors.  The court rejected both claims in Soundboard Ass’n v. FTC, No. 1:17-cv-00150 (D.D.C. Apr. 24, 2017).

First, the court found that, although the November 2016 letter is a final, reviewable agency action, it was at most an interpretive rule that the FTC was not required to issue through notice and comment under the APA.  Second, the court concluded that the letter did no more than subject soundboard calls to valid time, place, and manner restrictions. The court explained that the exemption provided to pre-recorded calls on behalf of charitable organizations to existing donors, but not to charitable organizations’ calls to potential, first-time donors, is a content-neutral regulation of speech that easily satisfies the requisite intermediate scrutiny.

Bottom Line: Companies that use soundboard technology will need prior written consent and will need to comply with the prerecorded message requirements under the TSR effective May 12, 2017, per the FTC’s grace period for compliance (as well as the TSR’s abandoned call provisions, as applicable).

Western UnionLast week, California became the 50th state to join the multistate settlement with Western Union over its alleged complicity in fraud-induced wire transfers.  This followed Western Union’s $5 million agreement with 49 state and the District of Columbia for costs and fees in January, not to mention a whopping $586 million in settlement agreements with the United States DOJ and FTC.  While DOJ brought wire fraud and anti-money laundering charges against Western Union, and the FTC alleged violations of Section 5 of the FTC Act, and the Telemarketing Sales Rule, the states raised violations of their respective consumer protection laws.  California brought its complaint pursuant to the Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17209 (“UCL”), its analog to the FTC Act.

Some quick background on the UCL:

  • Traditionally, the UCL is thought to prohibit unfair competition, which includes unfair, deceptive, misleading, or false advertising.  § 17200; see Lavie v. Procter & Gamble Co., 105 Cal. App. 4th 496, 512 (2003) (whether “the ordinary consumer acting reasonably under the circumstances” is likely to be deceived).
  • But the UCL also forbids business activity unconnected with advertising when such activity constitutes an “unlawful” or “unfair” business practice that either violates another law or violates an established public policy.  § 17200; see e.g., In re Anthem Data Breach Litig., 162 F. Supp. 3d 953, 990 (N.D. Cal. 2016); Ballard v. Equifax Check Servs., Inc., 158 F. Supp. 2d 1163, 1176 (E.D. Cal. 2001).  Some common defenses to these claims include compliance with the underlying law, the practice is not unfair or is justified, and federal preemption.
  • The UCL provides private plaintiffs with the ability to bring claims for restitution and injunctive relief, while the government can also impose civil penalties of up to $2,500 per violation.  §§ 17203, 17206; see e.g., People v. JTH Tax, Inc., 212 Cal. App. 4th 1219, 1254 (2013) (“[T]he court could have imposed penalties of over $9 million, but only imposed penalties of $715,344 for these advertisements.”).

Here, the California Attorney General alleged that Western Union, during the course of its money transferring services, failed to scrutinize and stop complicit agents that did not comply with anti-money laundering policies, inadequately trained, vetted and reported agents, and overall did not “prevent fraudulent telemarketers, sellers, and con artists from using Western Union’s money transfer system to perpetrate their frauds.”  In other words, Western Union exposed its customers to fraud in violation of the UCL.

As part of the global settlement, Western Union agreed to implement a comprehensive anti-fraud program to detect and prevent future incidents.  California consumers who made a wire transfer through Western Union are entitled to a share of the DOJ restitution fund and may be eligible for more than $65 million in refunds.  The California Department of Justice also may recoup costs and fees from the $5 million multistate fund.

Bottom line: the UCL is a dynamic enforcement mechanism with the potential to curtail many different types of business activities that seemingly harm consumers, and provides the Attorney General with the ability to inflict stiff penalties for violations.

Just over one week after being named acting chair of the Federal Trade Commission (FTC), Maureen Ohlhausen delivered the keynote address at the American Bar Association’s biennial Consumer Protection Conference in Atlanta on February 2.

During her remarks, acting chair Ohlhausen offered insight into consumer protection priorities during her tenure as acting chair.

First, acting chair Ohlhausen signaled the importance of the Agency focusing on stopping fraudulent schemes, especially those targeting vulnerable populations such as the elderly or military members.

Second, the acting chair noted that remedies sought in FTC cases should be more closely linked to actual, rather than speculative, consumer injury or harm, echoing her recent dissent in Qualcomm, and further posited that the FTC’s efforts in recent cases to collect disgorgement in non-fraud cases is inconsistent with prior FTC practice.  Specifically, the acting chair called into question the Agency’s practice of seeking disgorgement that is disproportionate to actual consumer injury.  As an example, she referred to her dissent in Uber, where she wrote that “I dissent from the complaint against Uber and the settlement resolving that complaint because the monetary settlement of $20 million is not tied to an estimate of consumer harm.”  And for privacy enforcement actions, she emphasized the need for “concrete injury” to justify agency action.

Third, acting chair Ohlhausen indicated a desire for the FTC to be more transparent about its investigation and enforcement matters.  She noted that there may be value in disclosing (without disclosing confidential information) details of investigations where the FTC closes an investigation without nay enforcement action.  According to acting chair Ohlhausen, such transparency would help provide guidance to businesses about practices and policies that the Commission deems permissible, in addition to those that are not.  It is unclear how much additional information acting chair Ohlhausen envisions disclosing beyond information contained in Commission closing letters at present.

Also with respect to investigations, the acting chair signaled the need for the Agency to narrowly tailor investigative requests to only obtain information that is necessary and relevant to its investigations.  Recognizing the burden of overly broad information requests, she stated that “the FTC must remain able to collect the information we need to enforce the law, but I am certain that we can do this while reducing the burden on businesses, particularly third parties who are not under investigation.”

Although her remarks were brief, the acting chair’s address suggests a more restrained approach by the FTC than it has pursued in recent years.  Given the three open seats on the Commission yet to be filled, two by Republicans, and the future appointment of a permanent chairperson, more changes are a certainty.

The FTC recently announced a settlement with Breathometer, Inc., a company that marketed a smartphone accessory that it claimed could detect blood alcohol levels.  Users could simply plug the accessory into the headphone jack, open the Breathometer app, blow, and receive a reading of their blood alcohol content within five seconds.  Breathometer marketed the products as “FDA registered devices,” featuring “law enforcement”-grade technology, to help you “make informed, dependable decisions” about whether to drive after drinking.

The FTC alleged that Breathometer did not have adequate substantiation for its performance claims. Specifically, the products were tested to determine accuracy at .02% blood alcohol content, not .08%, which is the legal limit under state laws.  In addition, testing revealed that the accuracy of the Breeze version of the product degraded over time and the company did not have a means of recalibrating it remotely.  Breathometer stopped selling the Breeze product but allegedly did not adequately inform consumers of the issue.

This case is yet another illustration of the FTC taking the lead on mobile health products that are or could potentially be regulated by the FDA. As readers of our Food and Drug Law Access blog may know, FDA has taken a risk-based approach to regulation of such products and, with the exception of products that could cause patient harm or death upon malfunction, is exercising regulatory discretion. Yet, many companies, particularly those who are new to the health market, presume that FDA is the primary, if not the only, regulator likely to have an interest in their product and claims.

Not so. The FTC has repeatedly voiced concerns about the proliferation of mobile health apps and whether claims were being properly substantiated, particularly where disease diagnosis, treatment, or mitigation claims are featured.  Along with the Breathometer matter, the Lumosity, Melanoma Detective and Aura Labs cases collectively demonstrate that when it comes to many consumer-directed mobile health products, the regulator most likely to take interest is the FTC.

The FTC announced a settlement with Mars Petcare U.S. concerning allegations that the company did not have proper substantiation to support quantified health benefit claims for its Eukanuba brand dog food.

The FTC’s complaint alleges that a 2015 ad campaign for Eukanuba expressly or impliedly claimed that the dog food could increase the lifespan of dogs by 30 percent or more or could help to provide an “exceptionally long life.” Claims included examples of dogs living 17 years with disclosures of the typical breed lifespan.

Eukanuba

The complaint contends that these claims were based on a single, 10-year study of dogs that were fed Eukanuba, the results of which showed no significant difference in the median age at death of the dogs in the study relative to the typical age at death of dogs of the same breed.

The proposed stipulated order applies broadly to all health benefit claims for Mars Petcare’s Pet Food (defined in the order as “any food that is used for food or drink for domestic pets”), and prohibits the company from making any of the following representations absent competent and reliable scientific evidence:

  1. That with any Pet Food, dogs live 30 percent or more longer than their typical lifespan;
  2. That any Pet Food can enable dogs to live exceptionally long lives; or
  3. About the health benefits of such products.

The order also prohibits any misrepresentation: (A) about the existence, contents, validity, results, conclusions, or interpretations of any test, study, or research, including that studies, research, or trials prove that, with its Pet Foods, dogs live 30 percent or more longer or substantially longer than their typical lifespan or that the Pet Foods enable dogs to live exceptionally long lives; or (B) that any health benefits of such product are scientifically proven or otherwise established.

The settlement differs from others involving health benefit claims (see here, here, and here) insofar as it does not prescribe a definition of “competent and reliable scientific evidence” beyond the language that has traditionally been used, nor does it include a provision requiring the company to maintain clinical study data beyond the typical record retention requirements.  Notwithstanding, it is still worth noting for companies selling foods or dietary supplements, because it demonstrates the risks in making quantified claims and the importance of ensuring a close nexus between the study endpoint and the advertising claim.  It is also one of only a handful of FTC settlements involving pet care products in recent years and clearly evidences that the standards required for substantiation are applied to products intended both for two-legged and four-legged consumers.*

TYDTW
*Crystal Skelton and Griffin at Kelley Drye’s “Take Your Dog to Work” Day

FTC Consumer Information LogoOn June 23, the FTC updated its consumer information page to provide updated guidance on “Online Tracking.”  The updated guidance is intended to provide consumers with information on different methods of tracking, how they work, and how consumers can control such tracking.  While directed to consumers, updates to this page can also help businesses understand how these online tracking technologies work, and identify what the FTC expects businesses to do.

The previous guidance, titled “Cookies: Leaving a Trail on the Web” (last updated in November 2011), primarily addressed cookies (including first-party cookies, third-party cookies, and flash cookies), provided consumers with general information on how to control cookies, identified how consumers can opt-out of receiving targeted ads, provided a brief overview of “Do Not Track,” and identified that new technologies were constantly emerging.

The updated guidance document updates and expands upon this information to address new forms of online tracking (e.g., device fingerprinting, cross-device tracking), new tracking technologies (e.g., use of unique device identifiers or HTML 5 cookies), how tracking in mobile apps occurs, and how consumers can generally limit or block tracking online, in apps, or across devices.

So what is the big-picture takeaway for businesses? Consumers may not fully understand online tracking, including their options for minimizing or preventing such tracking from occurring.  Businesses can help educate consumers concerning their online tracking by providing clearly identifiable ways in which consumers can review information about the company’s collection, use, and disclosure practices, and ways to limit cookies and other tracking technology.  This may include a clearly written privacy policy or other consumer facing document, or in the device settings as suggested by the FTC.  Lessons learned from past FTC enforcement actions (including the FTC’s action announced yesterday against InMobi) also illustrate the risks associated with business practices that appear to circumvent a user’s privacy decisions or a device’s privacy settings.

InMobiThe FTC announced a settlement on Wednesday with mobile advertising company, InMobi Pte Ltd., concerning allegations that the company deceptively tracked the geolocation of hundreds of millions of unknowing consumers, including children, to serve them geo-targeted advertising.  As part of the settlement, InMobi will pay $950,000 in civil penalties relating to violations of the Children’s Online Privacy Protection Act (COPPA), and agreed to implement a comprehensive privacy program.

InMobi’s Practices

InMobi provides an advertising platform for app developers and advertisers.  App developers can integrate the InMobi software development kit (SDK) for its Android and iOS apps, allowing them to monetize their applications by allowing third party advertisers to advertise to consumers through various ad formats (e.g., banner ads, interstitial ads, native ads).  Advertisers, in turn, can target consumers across all of the mobile apps that have integrated the InMobi SDK.

InMobi also offers several geo-targeting products, which allow advertisers to target consumers based on specific location information.  For instance, advertisers could target consumers based on their device’s current or previous location, or if the consumer visits a certain location at a particular time of day or on multiple occasions.

FTC Charges

The FTC alleges that InMobi mispresented that its advertising software would track consumers’ locations and serve geo-targeted ads only if the consumer provided opt-in consent, and only when it was done in a manner consistent with their device’s privacy settings.  According to the complaint, InMobi was actually tracking consumers’ locations whether or not the apps with InMobi SDKs requested consumers’ permission to do so, and even when consumers had denied permission to access their geolocation.

Even when users had denied the app permission to access geolocation, InMobi was collecting information about the WiFi networks that the consumer’s device connected to or that were in-range of the consumer’s device, feeding this information into its geocoder database, and using this information to infer the consumer’s longitude and latitude. The FTC claims that this process allowed InMobi to track the consumer’s location and serve geo-targeted ads, regardless of the app developer’s intent to include geo-targeted ads in the app, and regardless of the consumer’s privacy preferences or device settings.  As a result of these practices, app developers could not provide accurate information to consumers regarding their apps’ privacy practices.  The FTC concluded that InMobi’s misrepresentations regarding its data collection and use practices were deceptive in violation of Section 5 of the FTC Act.

In addition, the complaint alleges that InMobi violated COPPA by knowingly collecting personal information from children under the age of 13, despite representations to the contrary. The FTC claims that InMobi did not have adequate controls in place to ensure COPPA-compliance and did not test any controls it implemented to ensure they functioned as intended.  As a result, InMobi collected personal information (including unique device identifiers and geolocation information) in thousands of apps that developers had expressly indicated to InMobi were child-directed, and used this information to serve interest-based, behavioral advertising in violation of COPPA.

Settlement Provisions

Per the stipulated order, the company is prohibited from collecting consumers’ location information without their affirmative express consent and will be required to honor consumers’ location privacy settings.  The company is further prohibited from violating COPPA and from misrepresenting its privacy practices.  The order also requires the company to delete all information it collected from children, delete the location information collected from consumers without their consent, and establish a comprehensive privacy program.  The comprehensive privacy program is typical of what we see in other FTC privacy settlements.  It has provisions governing the designation of a responsible employee to oversee privacy compliance, requiring ongoing assessment of risks that could result in unauthorized collection of information, mandating implementation of reasonable privacy controls, requiring regular testing and evaluation of such controls, and addressing service provider oversight.  Under the terms of the settlement, InMobi is subject to a $4 million civil penalty, which was suspended to $950,000 based on the company’s financial condition.

Key Takeaways

Mobile technology practices continue to be a focus of the FTC’s consumer protection efforts.  Companies collecting personal and geolocation information from consumers should understand precisely what information will be collected from or about a user, clearly and accurately communicate its data practices, and respect any representations that are made.  Particular care should be taken when collecting information through child directed apps and websites.  Taking these simple steps can help avoid FTC scrutiny with respect to a company’s privacy practices and related representations.

The Federal Trade Commission furthered its outreach to the mobile app developer community last week by issuing new guidance for integrating privacy and security into mobile health apps, as well as an interactive online tool for determining whether key laws apply. As referenced in Consumer Protection Bureau Director Rich’s testimony a few weeks ago, the FTC has been working with a number of other agencies to address concerns about collection, storage, and use of consumer health information in light of the proliferation of consumer-directed health technology and consumers’ engagement in this area.

To use the tool, developers answer a series of high-level questions about the nature of their app, including about its function and the data it collects. Based on the answers to those questions, the tool advises the developer about whether the FTC Act, the FTC’s Health Breach Notification Rule, HIPAA, or the Federal Food, Drug and Cosmetic Act likely applies to the app.  In some cases, the tool links out to other guidance that may be relevant for the app, such as FTC’s guidance for complying with the Health Breach Notification Rule.  The FTC developed the tool in conjunction with the Department of Health and Human Services’ Office of National Coordinator for Health Information Technology, Office for Civil Rights and the Food and Drug Administration.

Along with the tool, the FTC released recommended best practices for privacy and security in mobile health apps.  The guidance encourages developers to minimize the information their apps collect, to limit and control access to the apps and to the data they collect, and to implement “security by design.” This health-app-specific guidance builds upon the FTC’s general guidance for mobile app developers.  For those developing apps, FDA’s policies regarding whether such apps are regulated as medical devices should also be considered.

The main lesson that is underscored in all of these tools is the same: Consider the nature of the information collected and its potential use at the concept phase and rather than after development is complete.   All too often, as companies rush to submit apps for approval on an app store, legal compliance is an afterthought.  As we have learned from the 100+ privacy and data security settlements that the FTC has released, these issues can be very difficult to cure on the back end.