Federal Trade Commission

The FTC announced a settlement on Wednesday with mobile advertising company InMobi Pte Ltd. concerning allegations that the company deceptively tracked the geolocation of hundreds of millions of unknowing consumers, including children, to serve them geo-targeted advertising.  As part of the settlement, InMobi will pay $950,000 in civil penalties relating to violations of the Children’s

The Federal Trade Commission furthered its outreach to the mobile app developer community last week by issuing new guidance for integrating privacy and security into mobile health apps, as well as an interactive online tool for determining whether key laws apply. As referenced in Consumer Protection Bureau Director Rich’s testimony a few weeks ago,

On November 5, the FTC hosted its second “Start With Security” event in Austin, Texas in an effort to provide companies with practical tips and strategies for implementing effective data security.

FTC Commissioner Terrell McSweeny opened the event discussing the FTC’s “Start With Security” business initiative and guidance document, which provides “best practices” (and not so best practices) in the 50+ data security cases brought by the FTC.  A few key takeaways from the Commissioner’s opening remarks –  (1) ensure products live up to advertised claims and promised privacy practices; (2) even in the rush to innovate, privacy and security should not be overlooked; and (3) from the FTC’s perspective, the standard is not “perfect” security, but “reasonable” security.

The event continued with a series of panels providing information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response.

Amending the Electronic Communications Privacy Act (ECPA) has long been under consideration in Congress, but recent testimony indicates that ECPA reform may have deeper implications for companies subject to FTC investigations.

The ECPA, passed almost 30 years ago, generally prohibits the unauthorized access to communications systems and the disclosure of the contents of wire and electronic communications by a service provider.  The ECPA Amendments Act of 2015 (S.356/H.R. 283) is intended to “bring privacy protections for the digital world in line with those in the physical world.”

Since the bill’s introduction in Congress, several stakeholders have raised concerns that the current bill could hamper civil investigations by regulatory agencies, such as the FTC or SEC, since these agencies – like all others – must have a warrant to obtain emails and other electronic communications.  On September 16, 2015, the Senate Judiciary Committee held a hearing entitled “Reforming the Electronic Communications Privacy Act” to give stakeholders the opportunity to provide additional insight.

In his testimony, Daniel Salsburg, the FTC’s Chief Counsel in the Office of Technology, Research and Investigation, explained that although the Commission does not currently seek the content of electronic communications from ECPA service providers, he believes that in the future, as more electronic communication moves to the cloud, the effectiveness of the FTC’s fraud prevention program may be hampered if the proposed legislation is not appropriately modified.  Where the target is a fraudulent marketer, for example, obtaining the electronic communications through a civil investigative demand (“CID”) to the marketer may not be a viable option, and the FTC should be able to obtain this information through warrantless means.

Notably, Salsburg requested the ECPA be modified to:

  1. Allow the FTC to obtain copies of previously public commercial content that advertises or promotes a product or service directly from the service provider, without a warrant; and
  2. Provide a judicial mechanism that would authorize the FTC to seek a court order directing the service provider to produce the content if the FTC establishes it has sought to compel it directly from the target, but the target has failed to produce it.

So what does this mean for your business? 

Last week, the FTC sent a closing letter to Morgan Stanley Smith Barney LLC (“Morgan Stanley”) relating to the agency’s investigation over whether Morgan Stanley engaged in unfair or deceptive acts or practices by failing to secure certain account information related to its Wealth Management clients.

The investigation examined allegations that a Morgan Stanley employee

On September 4, 2014, the FTC announced a settlement with Google Inc., which requires the search giant to pay at least $19 million in refunds to consumers that the Commission alleges were billed for unauthorized in-app charges incurred by kids.  The settlement follows a similar settlement in January with Apple (which required Apple to pay a minimum of $32.5 million in refunds), and a recent complaint filed by the FTC in federal court against Amazon.

The FTC’s complaint against Google alleges that the company offered free and paid apps through its Play store.  Many of these apps are rated for kids and offer “in-app purchases” ranging from $0.99 to $200, which can be incurred in unlimited amounts.  The FTC alleges that many apps invite children to obtain virtual items in a context that blurs the line between what costs virtual currency and what costs real money. 

At the time Google introduced in-app charges in March 2011, users were notified of an in-app charge with a popup containing information about the virtual item and the amount of the charge.  A child, however, could clear the popup simply by pressing a button labeled “CONTINUE.”   In many instances, once a user had cleared the popup, Google did not request any further action before billing the account holder for the corresponding in-app charge. 

It was not until mid- to late-2012 that Google began requiring password entry in connection with in-app charges. The complaint alleges, however, that once a password was entered, it was stored for 30 minutes, allowing a user to incur unlimited in-app charges during that time period.  Regardless of the number or amount of charges incurred, Google did not prompt for additional password entry during this 30-minute period.

Google controls the billing process for these in-app charges and retains 30 percent of all revenue.  For all apps, account holders can associate their Google accounts with certain payment mechanisms, such as a credit card, gift card, or mobile phone billing.  The complaint highlights that Google received thousands of complaints related to unauthorized in-app charges by children and that unauthorized in-app purchases were the lead cause of chargebacks to consumers.

Last week, the FTC announced it had reached another settlement with a plastic lumber company regarding its green marketing claims.  This is the FTC’s third settlement in five months relating to environmental claims for plastic lumber products (the other cases involved N.E.W. Plastics Corp. and American Plastic Lumber, Inc.).

The FTC’s complaint alleges that

On July 10, 2014, the FTC filed a complaint in federal court alleging that Amazon unlawfully billed parents and other Amazon account holders for unauthorized in-app charges incurred by kids.  The complaint follows a similar FTC settlement with Apple and a similar class action lawsuit against Google

The FTC’s complaint alleges that Amazon offers free and paid apps through its App store, many of which are rated for kids and allow in-app charges ranging from $0.99 to $99.99.  Amazon controls the billing process for these in-app charges and retains 30 percent of all in-app revenue.  For all apps, Amazon requires its users to link their mobile device to an Amazon account, which is funded by a credit card or Amazon gift card. 

At the time Amazon introduced in-app charges to the App store in November 2011, users were notified of an in-app charge with a pop-up containing information about the app virtual item identified for purchase and the amount of the charge.  The FTC asserts, however, that a child user could clear the pop-up notification by pressing the “Get Item” button.  Once the user clears the pop-up, the FTC asserts that Amazon did not request further action before billing users’ accounts.  

The complaint highlights internal communications among Amazon employees from December 2011 noting that unlimited in-app charges without requiring a password were causing problems for a large percentage of its customers.   According to the complaint, in March 2012, Amazon updated its in-app charge system to require a password for any single in-app charge over $20, but continued allowing an unlimited number of lesser in-app purchases with no password.

On May 8, 2014, the FTC announced a settlement with Snapchat resolving allegations that the popular mobile messaging app deceived consumers over the disappearing nature of users’ “snaps” and made false and misleading representations concerning its privacy and information security practices.  The FTC took issue with several of Snapchat’s practices and representations:

  • Disappearing “Snaps” – Snapchat represents to users that their snaps (i.e., photos and videos) will “disappear forever” after the user-set time period expires, thereby ensuring users’ privacy and safeguarding against data collection.  According to the FTC’s complaint, however, recipients could circumvent the settings to save or access the snaps in a number of ways.  For example, recipients could open Snapchat messages in third-party apps, take a screen shot of the snaps on an iPhone, or access videos by connecting their mobile device to a computer and retrieving the files through the device directory.  The complaint alleges that these types of workarounds were highly publicized. 
  • Misrepresenting Data Collection Practices – Snapchat’s privacy policy represented to users that the app did not access or track users’ geolocation information.  The FTC complaint asserts that in October 2012, Snapchat integrated an analytics tracking service in the Android system, which transmitted Wi-Fi based and cell-based location information from users’ mobile devices.  Snapchat continued representing in the privacy policy that it did not collect or use geolocation information until February 2013.  In addition, the app allows users to “Find Friends” by entering their mobile number or by accessing the Find Friends feature in the app’s menu options.  The privacy policy implied that the user’s mobile phone number was the only information Snapchat collected to find the user’s friends. The FTC contends, however, that when the user chose to Find Friends, Snapchat also collected the names and phone numbers of all the contacts in users’ address books.