Ad Law Access
Updates on advertising law and privacy law trends, issues, and developments
Wed, 03 Jul 2024 03:43:19 -0400

FTC Attempts End Run to Ban Meta from “Monetizing” Minors’ Data
Thu, 04 May 2023 14:50:36 -0400

The FTC took unprecedented action yesterday when it moved to impose what it describes as a “blanket prohibition” preventing the company from monetizing young people’s data. The FTC contends that this prohibition is warranted as a result of repeated violations of Meta’s 2020 consent order (“Proposed Order”).

In taking this action, the FTC is relying on its administrative authority to “reopen and modify” orders to address alleged order violations, rather than to press its compliance case in federal court under the FTC Act. In doing so, the FTC seeks to significantly expand the scope and duration of the existing order to cover new conduct. Even against recent examples of aggressive FTC action (see examples here, here, and here), this one markedly stands out. And, in the face of mounting agency losses in challenges to its enforcement authority in Axon and AMG and its aftermath, the Proposed Order is extraordinary.

The Commission voted 3-0 to issue the Proposed Order and accompanying Order to Show Cause. Commissioner Bedoya issued a statement expressing reservations about the “monetization” restrictions described below, specifically questioning whether the provision related to minors’ data is sufficiently related to either the 2012 or 2020 violations or order. Meta has 30 days to answer the FTC’s proposal.

Order to Show Cause

The FTC’s 2020 Consent Order, which was obtained in federal court consistent with prior Commission practice, was itself a modification of a 2012 order. If the FTC adopts the Proposed Order, it would be the third order stemming from a single administrative complaint that was filed more than a decade ago. That alone sets the FTC’s action apart from any other Commission action in memory.

The heavily redacted Order to Show Cause alleges that Meta violated several obligations under the 2020 Consent Order. The FTC did not release its Preliminary Finding of Facts, but it is evident that the first report filed by the independent assessor, Protiviti, under the 2020 Consent Order, is the underlying source behind many of the FTC’s allegations. It is notable that the only unredacted conduct relates to practices that predate entry of the 2020 order, which is strange, given that the 2020 order contained terms broadly releasing Meta from all pre-2020 order violations.

Specific alleged order violations include deficiencies in risk assessment and third-party risk management processes, security controls, and transparency practices, among others. The Order to Show Cause also asserts that Meta misrepresented the extent to which third-party developers would have access to users’ nonpublic information. The FTC acknowledges that Meta corrected one of these alleged instances by July 2019, but nonetheless alleges that Meta violated the 2012 Consent Order, Section 5 of the FTC Act, and the COPPA Rule (a Rule not included in the prior orders) during this time period. This, of course, raises the question of why the FTC is moving on this now, fully four years after it was corrected by Meta.

The Proposed Order

The FTC’s Proposed Order would expand the 2020 Consent Order by permanently prohibiting Meta from “[c]ollecting, using, selling, licensing, transferring, sharing, disclosing, or otherwise benefitting from Covered Information from Youth Users” except for specific purposes, such as operating a service, performing authentication, or maintaining security. “Youth Users” include not only children under the age of 13 but also minors who are ages 13 through 17.

This provision specifically prohibits using Youth Users’ information for targeted advertising or to train or improve algorithms or models. Although the FTC’s press release focuses on stopping Meta from “monetizing” minors’ data, the Proposed Order goes further by prohibiting Meta from “benefitting” from minors’ data, except as permitted by this paragraph.

The Proposed Order also would require specific safeguards and assessment requirements concerning Youth Users and “enhanced monitoring of higher risk Covered Third Parties” at least once per year.

And, remarkably, it would prohibit Meta from releasing new or modified products, services, or features without written confirmation from the assessor that the Meta privacy program complies with the order’s requirements and presents no material gaps or weaknesses. This is an extraordinary provision that would essentially turn the independent privacy assessor into the master of all new launches on Facebook, Instagram, WhatsApp, and Oculus, among other services.

Why Isn’t this in Federal Court?

The FTC’s authority to reopen an administrative order stems from Section 5(b) of the FTC Act:

[T]he Commission may at any time, after notice and opportunity for hearing, reopen and alter, modify, or set aside, in whole or in part any report or order made or issued by it under this section, whenever in the opinion of the Commission conditions of fact or of law have so changed as to require such action or if the public interest shall so require, . . .

In the past, the FTC has touted how it eases conditions in its orders in response to changes in legal or factual circumstances, usually in response to a respondent’s petition. One relatively recent example comes from 2018, when the FTC granted Sears’ petition to modify its 2009 order to exempt certain first-party, mobile app-based data collection from the order’s opt-in consent requirements. The FTC agreed to modify the definition of “Tracking Application” to exclude software programs that only engage in types of tracking consumers have come to expect, citing changes to the mobile application marketplace that make the collection and transmission of certain types of consumer data critical to support application features expected by consumers. In light of market realities and consumer expectations, the FTC recognized that the original notice and consent requirements were burdensome, unnecessary, counterproductive, and potentially confusing to consumers, who might mistakenly fear that Sears’ applications were unusual or used consumer data in unusual ways.

This decidedly is not what is happening here. The FTC is leveraging § 3.72(b) to attempt to impose new and onerous obligations – without having to make its case in federal court – based on what it perceives as changed circumstances, not to ease an order obligation as warranted by changed facts and the public interest.

What Happens Next?

The FTC’s Rules of Practice provide scant details about what happens next. According to 16 C.F.R. § 3.72(b), after receiving an answer from Meta, the FTC may determine whether the matter “raises issues of fact to be resolved” and order a hearing. If the briefs for a hearing raise “substantial factual issues,” the Commission may order an evidentiary hearing. It is then up to the Commission to determine whether modifying the order is “in the public interest” – a determination that a court of appeals may review.

At this point, the reach of any such modification is anyone’s guess. The Order to Show Cause asserts that the “changed conditions” include not only violations of FTC orders but also violations of “Section 5, COPPA, and the COPPA Rule,” and that it has “good cause to believe the public interest” and these “changed conditions” require modifying the 2020 Consent Order.

In the end, it may be up to a federal court of appeals to determine whether these assertions are correct. It is also possible, however, that the Supreme Court’s recent decision in Axon clears a path to an early challenge to the Proposed Order in federal district court. In a statement released on the same day as the FTC’s announcement, Meta stated that “[w]e will vigorously fight this action and expect to prevail.”

Two Firsts for FTC Civil Penalty Enforcement: ROSCA for Automatic Renewals and Penalty Offense Authority for Money-Making Claims
Mon, 16 Jan 2023 20:40:50 -0500

On Friday, the FTC announced what would ordinarily be an unremarkable enforcement action against a company for unsubstantiated earnings claims. The FTC alleges that WealthPress, an investment advice company purporting to offer training from experts on trading strategies, made a series of unsubstantiated earnings claims such as “make $24,840 or more every single week,” “track the BIG money,” and the opportunity may “quite literally transform your life.”

The case marks two important firsts for advertisers offering products or services through automatic renewal terms and for companies making money-making claims or using endorsements and testimonials. Specifically, the action is the first time the FTC has obtained civil penalties under the Restore Online Shoppers’ Confidence Act (ROSCA). The FTC also made good on its promise to bring cases under its Penalty Offense Authority, marking the first time the FTC has obtained civil penalties from a recipient of its Penalty Offense Notice for Money-Making Claims.

Civil Penalties for Misrepresentations related to Automatic Renewal Terms under ROSCA

The FTC previously laid the groundwork for the ROSCA count against WealthPress in its 2021 action against MoviePass, which we discussed here. In that case, the FTC alleged that MoviePass violated ROSCA by deceptively advertising its passes as offering “one movie per day” and then preventing subscribers from using the service as advertised. While that settlement did not include civil penalties, then-Commissioner Phillips dissented on the grounds that ROSCA could not be fairly interpreted as addressing any claim about the characteristics of a product/service subject to an automatic renewal term. Instead, ROSCA authorizes civil penalties for failure to clearly and conspicuously disclose “all material terms of the transaction” before obtaining a consumer’s express informed consent to the negative option offer.

That tension is also present in the WealthPress case – with Commissioner Wilson issuing a concurring statement on the 4-0 vote (Commissioner Phillips’ former slot remains open) stating that she supports “the inclusion of a ROSCA count in this complaint under the highly specific circumstances presented here.” Commissioner Wilson goes on to explain that the defendant made the deceptive claims “part of the terms of sale” by including a disclosure about profitability in the Terms and Conditions that consumers consented to at purchase. She notes that “[i]nformation of this type that appears in another format, though, may more appropriately be viewed as a claim about the good or service and not a term of the transaction,” which would render it outside the scope of ROSCA.

Other Commissioners appear to be less cognizant of that distinction, such that any advertiser offering an automatic renewal feature could be on the hook for civil penalties for alleged misrepresentations if the FTC views the misrepresentation as part of the “material terms of the transaction.”

Civil Penalties under Penalty Offense Authority

While the FTC has brought many actions involving earnings and opportunity claims (including one in November that explicitly references the Penalty Offense Notices), the WealthPress case marks the first time that the FTC has obtained civil penalties against an advertiser following receipt of its Penalty Offense Notice for Money-Making Claims.

Many of the claims identified in the complaint are quintessential examples of aggressive claims likely to garner regulatory scrutiny, whereas others are more mundane, such as “we give you everything you need, and if you’re a beginner not a problem.” The FTC also notes that disclaimers in the Terms and Conditions (for example, “The past performance of any trading system or methodology is not necessarily indicative of future results”) were incapable of qualifying the aggressive earnings claims made elsewhere.

In addition to Penalty Offense Notices concerning Money-Making Claims, the FTC has issued notices concerning Endorsements and Testimonials and For-Profit Educational Institutions, which may be the next target for civil penalties under the Penalty Offense Authority.

The “Un-Sprung Bear Trap”: The Resurrection of the FTC’s Penalty Offense Authority As One Possible Solution to the 13(b) Problem
Sun, 01 Nov 2020 05:49:39 -0500

Late last week (Oct. 29), FTC Commissioner Rohit Chopra (D) and his Attorney Advisor Samuel Levine released a paper entitled “The Case for Resurrecting the FTC Act’s Penalty Offense Authority.” In it, Commissioner Chopra and Mr. Levine argue that the Commission should “resurrect one of the key authorities it abandoned in the 1980s: Section 5(m)(1)(B) of the FTC Act, the Penalty Offense Authority.” The principal objective, according to the paper’s authors, is to increase “the agency’s ability to deter and correct wrongdoing,” but the authors also assert that “resurrecting the Penalty Offense Authority would mitigate the ongoing gamesmanship around Section 13(b), showing the marketplace that the FTC has more than one trick up its sleeve, regardless of how the Supreme Court rules.”

The Penalty Offense Authority, which has been rarely used over the years, authorizes the Commission to seek civil penalties against other parties where (1) a final cease and desist order has been entered against a party in an administrative proceeding under Section 5(b) of the FTC Act, (2) there is a Commission determination that a specific practice is unfair or deceptive, as part of that order, and (3) a party with actual knowledge that the practice is unfair or deceptive has engaged in that practice after the order became final. Civil penalties, as the authors acknowledge, are “intended to punish the wrongdoer” and can add up quickly; for example, under certain FTC statutes, there is liability of up to $43,280 per violation. There also is no statute of limitations under the Penalty Offense Authority.

Critics of an expansive use of the Penalty Offense Authority have focused on the lack of due process afforded a party. FTC case decisions are not written like a rule, and facts are contested and often complex. One would expect subsequent defendants to distinguish the underlying case and claim that it did not give them adequate notice that their activity was also unlawful. Even if the Commission is abundantly clear that a respondent is liable under Section 5(b), there may be no clear holding that a particular practice, in a more general sense, is unfair or deceptive.

How do you generalize beyond the facts of a specific case?

The Chopra paper does not see any of this as problematic, arguing that the Penalty Offense Authority “includes strong due process protections for defendants,” specifically, they (1) must have actual knowledge of the FTC’s determination, (2) are entitled to a de novo hearing on issues of fact, and (3) can challenge the Commission’s prior conclusion that the underlying conduct violated Section 5. With regard to actual knowledge, the Commission would issue a “synopsis” of applicable case law, putting parties on notice of the allegedly illegal practices.

The Chopra paper goes on to discuss certain practices that would lend themselves to Penalty Offense Authority, including for-profit college fraud, income misrepresentations, online disinformation, deceptive data harvesting, and illegal targeted marketing.

The discussion regarding MLM pyramid allegations and income representations is illustrative of the authors’ thinking. As an initial matter, the Chopra paper discusses the perceived failure of the Commission’s current efforts to curtail deceptive practices by MLMs:

Determining whether a multilevel marketing operation qualifies as an illegal pyramid scheme requires resource-intensive investigations that can last years. During this time, more victims will suffer, while owners and top distributors can dissipate assets. Furthermore, the structure and size of a multilevel marketing operation can change considerably during this period, which can complicate litigation should the FTC decide to sue. Finally, if the FTC does sue, litigation can drag on for years, as experts battle over whether the structure of the business is illegal. Altogether, it is not clear that the Commission’s current enforcement approach is adequately deterring the most pernicious pyramid schemes, which continue to emerge year after year in spite of decades of FTC warnings.

The Chopra paper then goes on to explain how consumers and the market would benefit if the Commission were to proceed against the industry under its Penalty Offense Authority:

There are numerous final, litigated orders in which the Commission has determined that deceptive practices by multilevel marketing companies are unlawful under Section 5. If these orders were served on major multilevel marketers today, they would be on notice that they face substantial civil penalties for engaging in any of the prohibited conduct. For example, numerous litigated orders condemn the practice of misleading potential recruits about the income they can earn. Serving notice of the Commission’s determination on this issue alone would make clear that false earnings claims constitute a penalty offense. Doing so could offer a number of advantages for the Commission’s enforcement program. First, designating income misrepresentations as a penalty offense has potential to deter one of the most problematic yet ubiquitous features of this industry: false promises of rich profits, which is what lures so many recruits. Second, it would give the Commission additional tools to correct and deter violations: if operators ignore warnings, the Commission could launch a full investigation to determine if an operator is a pyramid, and then seek both equitable relief through Section 13(b), including broad remedial injunctions and civil penalties. Or, it could pursue a narrower approach that targets the income misrepresentations, which may allow it to obtain meaningful relief much more expeditiously than a full-blown pyramid prosecution.

While there is sure to be dissent with many of the conclusions advanced by Commissioner Chopra and Mr. Levine, one thing is clear: the FTC is not holding its breath, waiting for a decision by the Supreme Court in FTC v. AMG Mgmt. and FTC v. Credit Bureau Center. Commissioners have testified on the Hill on multiple occasions in recent months and, through correspondence, they have pressed the Senate Commerce and House Energy & Commerce Committees to advance legislation that would expressly confirm the authority that the Commission believes it has possessed for forty years. And now, Commissioner Chopra is looking to dust off the agency’s dormant Penalty Offense Authority. What happens after tomorrow’s election right up until we have a decision from the Supreme Court in AMG Mgmt. and Credit Bureau Center is anyone’s guess.


A Potential New Fight Over FTC's 13(b) Authority
Sun, 19 May 2019 15:39:06 -0400

On May 17, AdvoCare International LP, marketer of “innovative nutritional, weight-management and sports performance products,” made the extraordinary announcement that it was abandoning its business model. It would no longer engage in multilevel marketing; all sales from here on in would be direct-to-consumer, a single-level marketing compensation plan.

In making this announcement, AdvoCare disclosed that it “has been in confidential talks with the Federal Trade Commission (FTC) about the AdvoCare business model and how AdvoCare compensates its Distributors.” AdvoCare further stated that “[b]ased on more recent discussions, it became clear that this change is the only viable option.”[1] This “change,” effective July 17, will reportedly affect approximately 100,000 distributors.

Wait, what?

Today Law360 published the article “A Potential New Fight Over FTC's 13(b) Authority.” The article provides an analysis of the “existential threat” to the FTC fraud enforcement program.

To read the article, please click here.

FTC Tells Congress it Will Explore Tougher Penalties for Made in USA Fraud; Agency Plans Workshop
Tue, 14 May 2019 18:00:37 -0400

On May 9, the Federal Trade Commission Chairman and Commissioners testified before the House Committee on Energy and Commerce’s Subcommittee on Consumer Protection and Commerce on a number of issues. Reaffirming a previous commitment for increased scrutiny of deceptive “Made in USA” advertising, FTC Chairman Simons told Congress the agency plans to hold a workshop in which it will more closely examine penalties and remedies.

During the hearing, Congressman Tony Cardenas (D-CA) expressed concern about the lack of “Made in USA” enforcement activity and urged a more aggressive approach. Chairman Simons said the agency has historically relied upon injunctive relief in “Made in USA” cases, but the upcoming workshop would provide a venue for current Commissioners to examine how to “beef up” remedies going forward. Commissioner Chopra, who has been outspoken on the issue, stressed the need for monetary penalties to deter future violations and protect “honest” American manufacturers.

This hearing comes after the FTC Commissioners testified before the Senate Commerce Committee’s Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security addressing three settlements that came under scrutiny, which we previously wrote about here.

As we’ve tracked here, the FTC initiated talks of stricter enforcement of penalties and remedies for “Made in USA” fraud that includes the workshop referenced by Chairman Simons to Congress. Commissioner Chopra released a statement calling for more stringent enforcement of the agency’s “Made in USA” advertising policies, as he emphasized in his testimony above.

In an April 2019 settlement, a US-based marketer of water filtration systems agreed to pay a civil penalty of $110,000 in addition to injunctive measures to settle false claims charges brought by the FTC in 2017. The company admitted to deceiving consumers with “Made in USA” advertising when in fact the marketer’s filters are either wholly imported or are made with a significant portion of parts from overseas. The admission of deceptive conduct is a new term in FTC settlements, and has the potential to increase liability given the likelihood of follow-on regulatory investigations or consumer class litigation. This case is also notable because it is one of relatively few in which the FTC has sought civil penalties.

With this context in mind, advertisers relying on “Made in USA” claims may want to revisit the FTC’s guidance on “Made in USA” claims to ensure they are in compliance. For more information on “Made in USA” advertising, check out our webinar and materials.

FTC Testimony Signals Possible Increase in “Made in USA” Advertising Scrutiny
Mon, 03 Dec 2018 02:22:16 -0500

On November 27, the FTC Commissioners testified on a range of issues before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security. One excerpt that caught our attention was their comments on “Made in USA” advertising and the potential for increased scrutiny.

Here’s an excerpt of the Q&A between Sen. Shelley Moore Capito (R-WV) and the FTC Commissioners (emphasis added):

CAPITO: Okay, last question I have on fraudulent marketing would be the… fraudulent Made in America label. How prevalent is this? And what are some of the means you're going to try to curb this practice?

SIMONS: This is fairly prevalent. We get hundreds of these, hundreds of complaints a year, that people are improperly using the Made in the USA label. We are committed to investigating those, and usually a lot of times what happens is the firm, the company doesn't even realize that it's a violation. So we explain to them it's a violation and they stop it.

Sometimes companies do it intentionally, sometimes we tell them and they don't stop and those people we sue. And one of the things that we're exploring now, as a general rule, we have only gotten injunctive relief in cases like this previously. Now we're exploring whether we can find a good case that would be appropriate for monetary relief to serve as an additional deterrent.

CHOPRA: I just want to add here that I think there are manufacturers out there who hire American workers and who purposely do that because they want to put the flag on their product. And for those who lie, this cheapens the Made in the USA label so it's not just hurting American consumers, it's hurting every American manufacturer who is trying to do right. So I want us to be much more aggressive with this, actually. And if you and Senator Cortez-Masto want to team up, finding civil penalties for some of these bad actors, we can make sure we increase compliance levels. And I got to tell you -- right now there's a country of origin labeling issues in agriculture, country of origin issues in product marketing. We have to do more to put a stop to this because this is extremely unfair to honest companies.

SLAUGHTER: I agree with everything my colleagues have said and I would add to Commissioner Chopra's point about financial penalty authority is a well taken one. In order for us to assess monetary penalties, in order for us to get a monetary remedy right now, we would have to show a monetary harm and show a price premium and make that demonstration, that can be very difficult to do.

So we can't just say you've broken the law, now pay the government money even if the ability to do so might deter some of this reprehensible behavior.

CHOPRA: We would like to reduce these, I would like to reduce the settlements that end in no money, no findings of fact no nothing. We just received a comment letter from a company who actually was denied the ability to sell their products to members of the military, because one of our respondents actually was violating this. So this is extremely unfair and we need to fix it.

CAPITO: All right. Thank you.


Putting these comments into context, as we’ve written about here, the FTC has consistently pursued deceptive “Made in USA” advertising over the last few years. However, most investigations resolve through closing letters in which the respondent company agrees to modify its advertising and the agency agrees to forego further enforcement. A small number of cases have resulted in settlements in which the company agrees to injunctive terms but, as noted in the testimony, no financial penalty.

Recently, the FTC announced three settlements that prompted scrutiny from the manufacturing community and from members of the Senate. The cases involved advertising for hockey pucks, backpacks and related outdoor equipment, and mattresses. Each respondent relied heavily on “Made in USA” claims in product marketing but all of them allegedly imported their products. The companies agreed to injunctive terms but were not required to pay a financial penalty pursuant to the settlements. Commissioner Chopra argued in a dissenting opinion that these settlements were too lenient and urged his colleagues to consider harsher measures going forward to deter similar conduct.

Shortly after these settlements were announced, Senators Brown (D-OH), Baldwin (D-WI), and Murphy (D-CT) wrote a letter to the FTC urging the agency to pursue violations of the rules regarding “Made in USA” advertising more stringently. Domestic manufacturers also spoke out in favor of more aggressive enforcement.

As highlighted above, Chairman Simons has now acknowledged that the agency is exploring whether there is a case that is ripe for monetary relief. With all of this context in mind, advertisers relying on “Made in USA” claims may want to reevaluate their substantiation to ensure that it complies with the FTC’s guidance on “Made in USA” claims. Also, check out our webinar and materials for more information.

Judge Upholds FTC Staff Opinion that Avatar Calls are Prerecorded Messages under TSR
Tue, 25 Apr 2017 17:13:52 -0400

Yesterday, a D.C. district court upheld a recent opinion letter issued by FTC staff that extended robocalling restrictions to telemarketing calls that use so-called soundboard technology or “avatars.” This technology generally allows a live agent to communicate with a call recipient by playing recorded audio snippets instead of using his or her own live voice.

In September 2009, the FTC staff had taken the position that avatar calls were not considered prerecorded messages under the Telemarketing Sales Rule (TSR). See FTC Staff Opinion Letter to Call Assistant LLC (Sept. 11, 2009). In November 2016, however, the FTC decided to revoke its previous letter, explaining that it is now the FTC staff’s opinion that outbound telemarketing calls that utilize avatars are subject to the TSR’s prerecorded call provisions. See FTC Staff Opinion Letter to Call Assistant LLC (Nov. 10, 2016).

The 2016 opinion letter explained that the staff’s change in position is due to the increasing volume of consumer complaints, the increase in how this technology has allegedly been abused by using it to conduct multiple calls at the same time without giving appropriate responses to consumers, and that the soundboard technology does “deliver a prerecorded message” under the statutory language used in the TSR. The staff said that, even with a 1-to-1 limitation in place (i.e., using the technology to place one call at a time), this would not change the staff’s analysis.

A trade group representing companies that manufacture and use soundboard technology had challenged the FTC staff’s opinion letter, stating that the FTC: (1) circumvented the Administrative Procedure Act’s (APA) notice-and-comment requirements, and (2) violated the First Amendment by exempting pre-recorded solicitation calls between a non-profit charitable organization and its existing donors, but failing to exempt such calls to potential first-time contributors. The court rejected both claims in Soundboard Ass’n v. FTC, No. 1:17-cv-00150 (D.D.C. Apr. 24, 2017).

First, the court found that, although the November 2016 letter is a final, reviewable agency action, it was at most an interpretive rule that the FTC was not required to issue through notice and comment under the APA. Second, the court concluded that the letter did no more than subject soundboard calls to valid time, place, and manner restrictions. The court explained that the exemption provided to pre-recorded calls on behalf of charitable organizations to existing donors, but not to charitable organizations’ calls to potential, first-time donors, is a content-neutral regulation of speech that easily satisfies the requisite intermediate scrutiny.

Bottom Line: Companies that use soundboard technology will need prior written consent and will need to comply with the prerecorded message requirements under the TSR effective May 12, 2017, per the FTC’s grace period for compliance (as well as the TSR’s abandoned call provisions, as applicable).

California Last State to Join Multistate Settlement of Western Union Fraud Schemes
Tue, 18 Apr 2017 18:14:29 -0400

Last week, California became the 50th state to join the multistate settlement with Western Union over its alleged complicity in fraud-induced wire transfers. This followed Western Union’s $5 million agreement with 49 states and the District of Columbia for costs and fees in January, not to mention a whopping $586 million in settlement agreements with the United States DOJ and FTC. While DOJ brought wire fraud and anti-money laundering charges against Western Union, and the FTC alleged violations of Section 5 of the FTC Act and the Telemarketing Sales Rule, the states raised violations of their respective consumer protection laws. California brought its complaint pursuant to the Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17209 (“UCL”), its analog to the FTC Act.

Some quick background on the UCL:

  • Traditionally, the UCL is thought to prohibit unfair competition, which includes unfair, deceptive, misleading, or false advertising. § 17200; see Lavie v. Procter & Gamble Co., 105 Cal. App. 4th 496, 512 (2003) (whether “the ordinary consumer acting reasonably under the circumstances” is likely to be deceived).
  • But the UCL also forbids business activity unconnected with advertising when such activity constitutes an “unlawful” or “unfair” business practice that either violates another law or violates an established public policy. § 17200; see e.g., In re Anthem Data Breach Litig., 162 F. Supp. 3d 953, 990 (N.D. Cal. 2016); Ballard v. Equifax Check Servs., Inc., 158 F. Supp. 2d 1163, 1176 (E.D. Cal. 2001). Some common defenses to these claims include compliance with the underlying law, that the practice is not unfair or is justified, and federal preemption.
  • The UCL provides private plaintiffs with the ability to bring claims for restitution and injunctive relief, while the government can also impose civil penalties of up to $2,500 per violation. §§ 17203, 17206; see e.g., People v. JTH Tax, Inc., 212 Cal. App. 4th 1219, 1254 (2013) (“[T]he court could have imposed penalties of over $9 million, but only imposed penalties of $715,344 for these advertisements.”).

Here, the California Attorney General alleged that Western Union, during the course of its money transferring services, failed to scrutinize and stop complicit agents that did not comply with anti-money laundering policies, inadequately trained, vetted and reported agents, and overall did not “prevent fraudulent telemarketers, sellers, and con artists from using Western Union’s money transfer system to perpetrate their frauds.” In other words, Western Union exposed its customers to fraud in violation of the UCL.

As part of the global settlement, Western Union agreed to implement a comprehensive anti-fraud program to detect and prevent future incidents. California consumers who made a wire transfer through Western Union are entitled to a share of the DOJ restitution fund and may be eligible for more than $65 million in refunds. The California Department of Justice also may recoup costs and fees from the $5 million multistate fund.

Bottom line: the UCL is a dynamic enforcement mechanism with the potential to curtail many different types of business activities that seemingly harm consumers, and provides the Attorney General with the ability to inflict stiff penalties for violations.

New FTC Acting Chair Maureen Ohlhausen Offers Insight into Consumer Protection Priorities Fri, 03 Feb 2017 10:26:06 -0500 Just over one week after being named acting chair of the Federal Trade Commission (FTC), Maureen Ohlhausen delivered the keynote address at the American Bar Association’s biennial Consumer Protection Conference in Atlanta on February 2.

During her remarks, acting chair Ohlhausen offered insight into consumer protection priorities during her tenure as acting chair.

First, acting chair Ohlhausen signaled the importance of the Agency focusing on stopping fraudulent schemes, especially those targeting vulnerable populations such as the elderly or military members.

Second, the acting chair noted that remedies sought in FTC cases should be more closely linked to actual, rather than speculative, consumer injury or harm, echoing her recent dissent in Qualcomm, and further posited that the FTC’s efforts in recent cases to collect disgorgement in non-fraud cases are inconsistent with prior FTC practice. Specifically, the acting chair called into question the Agency’s practice of seeking disgorgement that is disproportionate to actual consumer injury. As an example, she referred to her dissent in Uber, where she wrote that “I dissent from the complaint against Uber and the settlement resolving that complaint because the monetary settlement of $20 million is not tied to an estimate of consumer harm.” And for privacy enforcement actions, she emphasized the need for “concrete injury” to justify agency action.

Third, acting chair Ohlhausen indicated a desire for the FTC to be more transparent about its investigation and enforcement matters. She noted that there may be value in disclosing (without disclosing confidential information) details of investigations where the FTC closes an investigation without any enforcement action. According to acting chair Ohlhausen, such transparency would help provide guidance to businesses about practices and policies that the Commission deems permissible, in addition to those that are not. It is unclear how much additional information acting chair Ohlhausen envisions disclosing beyond information contained in Commission closing letters at present.

Also with respect to investigations, the acting chair signaled the need for the Agency to narrowly tailor investigative requests to only obtain information that is necessary and relevant to its investigations. Recognizing the burden of overly broad information requests, she stated that “the FTC must remain able to collect the information we need to enforce the law, but I am certain that we can do this while reducing the burden on businesses, particularly third parties who are not under investigation.”

Although her remarks were brief, the acting chair’s address suggests a more restrained approach by the FTC than it has pursued in recent years. Given the three open seats on the Commission yet to be filled, two by Republicans, and the future appointment of a permanent chairperson, more changes are a certainty.

FTC Cries Foul On Breathometer Accuracy Claims Wed, 01 Feb 2017 18:51:12 -0500 The FTC recently announced a settlement with Breathometer, Inc., a company that marketed a smartphone accessory that it claimed could detect blood alcohol levels. Users could simply plug the accessory into the headphone jack, open the Breathometer app, blow, and receive a reading of their blood alcohol content within five seconds. Breathometer marketed the products as “FDA registered devices,” featuring “law enforcement”-grade technology, to help you “make informed, dependable decisions” about whether to drive after drinking.

The FTC alleged that Breathometer did not have adequate substantiation for its performance claims. Specifically, the products were tested to determine accuracy at .02% blood alcohol content, not .08%, which is the legal limit under state laws. In addition, testing revealed that the accuracy of the Breeze version of the product degraded over time and the company did not have a means of recalibrating it remotely. Breathometer stopped selling the Breeze product but allegedly did not adequately inform consumers of the issue.

This case is yet another illustration of the FTC taking the lead on mobile health products that are or could potentially be regulated by the FDA. As readers of our Food and Drug Law Access blog may know, FDA has taken a risk-based approach to regulation of such products and, with the exception of products that could cause patient harm or death upon malfunction, is exercising regulatory discretion. Yet, many companies, particularly those who are new to the health market, presume that FDA is the primary, if not the only, regulator likely to have an interest in their product and claims.

Not so. The FTC has repeatedly voiced concerns about the proliferation of mobile health apps and whether claims were being properly substantiated, particularly where disease diagnosis, treatment, or mitigation claims are featured. Along with the Breathometer matter, the Lumosity, Melanoma Detective and Aura Labs cases collectively demonstrate that when it comes to many consumer-directed mobile health products, the regulator most likely to take interest is the FTC.

Health Claim Substantiation Has Not Gone to the Dogs Thu, 04 Aug 2016 14:59:27 -0400 The FTC announced a settlement with Mars Petcare U.S. concerning allegations that the company did not have proper substantiation to support quantified health benefit claims for its Eukanuba brand dog food.

The FTC’s complaint alleges that a 2015 ad campaign for Eukanuba expressly or impliedly claimed that the dog food could increase the lifespan of dogs by 30 percent or more or could help to provide an “exceptionally long life.” Claims included examples of dogs living 17 years with disclosures of the typical breed lifespan.


The complaint contends that these claims were based on a single, 10-year study of dogs that were fed Eukanuba, the results of which showed no significant difference in the median age at death of the dogs in the study relative to the typical age at death of dogs of the same breed.

The proposed stipulated order applies broadly to all health benefit claims for Mars Petcare’s Pet Food (defined in the order as “any food that is used for food or drink for domestic pets”), and prohibits the company from making any of the following representations absent competent and reliable scientific evidence:

  1. That with any Pet Food, dogs live 30 percent or more longer than their typical lifespan;
  2. That any Pet Food can enable dogs to live exceptionally long lives; or
  3. About the health benefits of such products.

The order also prohibits any misrepresentation: (A) about the existence, contents, validity, results, conclusions, or interpretations of any test, study, or research, including that studies, research, or trials prove that, with its Pet Foods, dogs live 30 percent or more longer or substantially longer than their typical lifespan or that the Pet Foods enable dogs to live exceptionally long lives; or (B) that any health benefits of such product are scientifically proven or otherwise established.

The settlement differs from others involving health benefit claims (see here, here, and here) insofar as it does not prescribe a definition of “competent and reliable scientific evidence” beyond the language that has traditionally been used, nor does it include a provision requiring the company to maintain clinical study data beyond the typical record retention requirements. Notwithstanding, it is still worth noting for companies selling foods or dietary supplements, because it demonstrates the risks in making quantified claims and the importance of ensuring a close nexus between the study endpoint and the advertising claim. It is also one of only a handful of FTC settlements involving pet care products in recent years and clearly evidences that the standards required for substantiation are applied to products intended both for two-legged and four-legged consumers.*


*Crystal Skelton and Griffin at Kelley Drye’s “Take Your Dog to Work” Day

FTC Updates Consumer Guidance for Online Tracking Fri, 24 Jun 2016 09:44:50 -0400 On June 23, the FTC updated its consumer information page to provide updated guidance on “Online Tracking.” The updated guidance is intended to provide consumers with information on different methods of tracking, how they work, and how consumers can control such tracking. While directed to consumers, updates to this page can also help businesses understand how these online tracking technologies work, and identify what the FTC expects businesses to do.

The previous guidance, titled “Cookies: Leaving a Trail on the Web” (last updated in November 2011), primarily addressed cookies (including first-party cookies, third-party cookies, and flash cookies), provided consumers with general information on how to control cookies, identified how consumers can opt-out of receiving targeted ads, provided a brief overview of “Do Not Track,” and identified that new technologies were constantly emerging.

The updated guidance document updates and expands upon this information to address new forms of online tracking (e.g., device fingerprinting, cross-device tracking), new tracking technologies (e.g., use of unique device identifiers or HTML 5 cookies), how tracking in mobile apps occurs, and how consumers can generally limit or block tracking online, in apps, or across devices.

So what is the big-picture takeaway for businesses? Consumers may not fully understand online tracking, including their options for minimizing or preventing such tracking from occurring. Businesses can help educate consumers concerning their online tracking by providing clearly identifiable ways in which consumers can review information about the company’s collection, use, and disclosure practices, and ways to limit cookies and other tracking technology. This may include a clearly written privacy policy or other consumer facing document, or in the device settings as suggested by the FTC. Lessons learned from past FTC enforcement actions (including the FTC’s action announced yesterday against InMobi) also illustrate the risks associated with business practices that appear to circumvent a user’s privacy decisions or a device’s privacy settings.

Going Geo-Loco: FTC Settles with Mobile Ad Network over Geolocation Collection Wed, 22 Jun 2016 19:45:56 -0400 The FTC announced a settlement on Wednesday with mobile advertising company, InMobi Pte Ltd., concerning allegations that the company deceptively tracked the geolocation of hundreds of millions of unknowing consumers, including children, to serve them geo-targeted advertising. As part of the settlement, InMobi will pay $950,000 in civil penalties relating to violations of the Children’s Online Privacy Protection Act (COPPA), and agreed to implement a comprehensive privacy program.

InMobi’s Practices

InMobi provides an advertising platform for app developers and advertisers. App developers can integrate the InMobi software development kit (SDK) for its Android and iOS apps, allowing them to monetize their applications by allowing third party advertisers to advertise to consumers through various ad formats (e.g., banner ads, interstitial ads, native ads). Advertisers, in turn, can target consumers across all of the mobile apps that have integrated the InMobi SDK.

InMobi also offers several geo-targeting products, which allow advertisers to target consumers based on specific location information. For instance, advertisers could target consumers based on their device’s current or previous location, or if the consumer visits a certain location at a particular time of day or on multiple occasions.

FTC Charges

The FTC alleges that InMobi misrepresented that its advertising software would track consumers’ locations and serve geo-targeted ads only if the consumer provided opt-in consent, and only when it was done in a manner consistent with their device’s privacy settings. According to the complaint, InMobi was actually tracking consumers’ locations whether or not the apps with InMobi SDKs requested consumers’ permission to do so, and even when consumers had denied permission to access their geolocation.

Even when users had denied the app permission to access geolocation, InMobi was collecting information about the WiFi networks that the consumer’s device connected to or that were in-range of the consumer’s device, feeding this information into its geocoder database, and using this information to infer the consumer’s longitude and latitude. The FTC claims that this process allowed InMobi to track the consumer’s location and serve geo-targeted ads, regardless of the app developer’s intent to include geo-targeted ads in the app, and regardless of the consumer’s privacy preferences or device settings. As a result of these practices, app developers could not provide accurate information to consumers regarding their apps’ privacy practices. The FTC concluded that InMobi’s misrepresentations regarding its data collection and use practices were deceptive in violation of Section 5 of the FTC Act.

In addition, the complaint alleges that InMobi violated COPPA by knowingly collecting personal information from children under the age of 13, despite representations to the contrary. The FTC claims that InMobi did not have adequate controls in place to ensure COPPA-compliance and did not test any controls it implemented to ensure they functioned as intended. As a result, InMobi collected personal information (including unique device identifiers and geolocation information) in thousands of apps that developers had expressly indicated to InMobi were child-directed, and used this information to serve interest-based, behavioral advertising in violation of COPPA.

Settlement Provisions

Per the stipulated order, the company is prohibited from collecting consumers’ location information without their affirmative express consent and will be required to honor consumers’ location privacy settings. The company is further prohibited from violating COPPA and from misrepresenting its privacy practices. The order also requires the company to delete all information it collected from children, delete the location information collected from consumers without their consent, and establish a comprehensive privacy program. The comprehensive privacy program is typical of what we see in other FTC privacy settlements. It has provisions governing the designation of a responsible employee to oversee privacy compliance, requiring ongoing assessment of risks that could result in unauthorized collection of information, mandating implementation of reasonable privacy controls, requiring regular testing and evaluation of such controls, and addressing service provider oversight. Under the terms of the settlement, InMobi is subject to a $4 million civil penalty, which was suspended to $950,000 based on the company’s financial condition.

Key Takeaways

Mobile technology practices continue to be a focus of the FTC’s consumer protection efforts. Companies collecting personal and geolocation information from consumers should understand precisely what information will be collected from or about a user, clearly and accurately communicate their data practices, and respect any representations that are made. Particular care should be taken when collecting information through child-directed apps and websites. Taking these simple steps can help avoid FTC scrutiny with respect to a company’s privacy practices and related representations.

Think Before You App: FTC Releases Compliance Tools for Health App Developers Mon, 11 Apr 2016 20:00:56 -0400 The Federal Trade Commission furthered its outreach to the mobile app developer community last week by issuing new guidance for integrating privacy and security into mobile health apps, as well as an interactive online tool for determining whether key laws apply. As referenced in Consumer Protection Bureau Director Rich’s testimony a few weeks ago, the FTC has been working with a number of other agencies to address concerns about collection, storage, and use of consumer health information in light of the proliferation of consumer-directed health technology and consumers’ engagement in this area.

To use the tool, developers answer a series of high-level questions about the nature of their app, including about its function and the data it collects. Based on the answers to those questions, the tool advises the developer about whether the FTC Act, the FTC’s Health Breach Notification Rule, HIPAA, or the Federal Food, Drug and Cosmetic Act likely applies to the app. In some cases, the tool links out to other guidance that may be relevant for the app, such as FTC’s guidance for complying with the Health Breach Notification Rule. The FTC developed the tool in conjunction with the Department of Health and Human Services’ Office of National Coordinator for Health Information Technology, Office for Civil Rights and the Food and Drug Administration.

Along with the tool, the FTC released recommended best practices for privacy and security in mobile health apps. The guidance encourages developers to minimize the information their apps collect, to limit and control access to the apps and to the data they collect, and to implement “security by design.” This health-app-specific guidance builds upon the FTC’s general guidance for mobile app developers. For those developing apps, FDA’s policies regarding whether such apps are regulated as medical devices should also be considered.

The main lesson that is underscored in all of these tools is the same: Consider the nature of the information collected and its potential use at the concept phase rather than after development is complete. All too often, as companies rush to submit apps for approval on an app store, legal compliance is an afterthought. As we have learned from the 100+ privacy and data security settlements that the FTC has released, these issues can be very difficult to cure on the back end.

Highlights from the FTC’s Second “Start With Security” Initiative Tue, 10 Nov 2015 10:34:52 -0500 On November 5, the FTC hosted its second “Start With Security” event in Austin, Texas in an effort to provide companies with practical tips and strategies for implementing effective data security.

FTC Commissioner Terrell McSweeny opened the event discussing the FTC’s “Start With Security” business initiative and guidance document, which provides “best practices” (and not so best practices) in the 50+ data security cases brought by the FTC. A few key takeaways from the Commissioner’s opening remarks – (1) ensure products live up to advertised claims and promised privacy practices; (2) even in the rush to innovate, privacy and security should not be overlooked; and (3) from the FTC’s perspective, the standard is not “perfect” security, but “reasonable” security.

The event continued with a series of panels providing information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response.

  • PANEL 1: Starting up Security -- Building a Security Culture

The first panel included a discussion with founders, executives, and employees at major companies to better understand how information security can be a core value and ways to address and mitigate common security vulnerabilities. A common theme of the panel was that security should be incorporated into the company’s culture from the beginning. While this is often a top-down approach beginning with a push from senior level executives, it may require building in a security culture from the ground up. Panelists agreed, however, that it is most cost effective to build in security from the beginning, rather than having to address security vulnerabilities after the fact. This is especially true as more start-ups and companies are moving to a cloud-based platform. Panelists also addressed common vulnerabilities, the importance of having a proper risk management framework, and appropriate security training for employees. Although companies should consider potential threats and vulnerabilities from the start, this should be an ongoing process, and companies should continually evaluate how PII comes in, how it is used, where it is stored, and with whom it is shared.

  • PANEL 2: Scaling Security -- Adapting Security Testing for DevOps and Hyper-Growth

The second panel focused on how security testing can be automated and adapted for a world of continuous delivery in a high-growth start-up environment. The discussion began with an overview of a recent study of approximately 35,000 websites which found that once a vulnerability is known, it takes on average nearly 200 days to fix it. Panelists commented that this statistic underscores the importance of a robust security system, particularly in a world where deploying new code multiple times per day is becoming more commonplace. One panelist noted that an easy place to start security monitoring is with maintaining and analyzing internal data logs to determine the most vulnerable places within a system and focus on running security tests in those areas. In addition to highlighting a number of specific security tools that start-ups can utilize to make system testing more efficient, panelists also stressed the need for security personnel to communicate effectively with developers and project managers about known vulnerabilities and threats. For instance, rather than preparing a 50-page security issues report, panelists suggested that security team members should distill any issues that are discovered down to essential threat information so that developers can address these problems quickly. Panelists noted that certain tools that enable automated testing, such as Gauntlt, can be incorporated into a company’s everyday security testing given that they use language and structures that are familiar to developers.

  • Fireside Chat: Investing in Security

FTC Commissioner McSweeny led a brief discussion with a co-founder of an early-stage venture capital fund that invests in technology start-ups, primarily in Texas. Throughout the chat, McSweeny asked questions focusing on why it is important for early-stage start-ups to prioritize security and what role security plays when a start-up is looking for investors.

  • PANEL 3: Third-Party AppSec-- Dealing with Bugs, Bug Reports, and Third-Party Code

The third panel included a discussion with security executives at major companies explaining how start-ups can manage risks from third-party code and services as well as how start-ups can harness the security community’s work to improve their secure development lifecycle. Panelists provided recommendations to start-ups about how to best manage service providers and how start-ups can vet third-party components. Specifically, start-ups should create channels or processes for addressing vulnerability reports, particularly if the start-up is writing its own code. The panel also introduced a new “Vulnerability Coordination Maturity Model,” which provides start-ups with a baseline assessment of their security programs and provides companies with advice regarding five main principles: (1) organization, (2) engineering, (3) communications, (4) analytics, and (5) incentives.

  • PANEL 4: Beyond Bugs -- Embracing Security Features

The fourth panel looked at the benefits of and challenges to embracing multifactor authentication, site-wide encryption, and content security policy. Panelists took turns defining the contours of these proactive security measures that can help eliminate vulnerabilities and protect consumers from threats. Panelists encouraged site-wide encryption, highlighting that browsers, such as Google, are incentivizing this practice by making it a factor in ranking and rolling out a feature that will warn users when a site does not have SSL/TLS. Panelists recommended that companies have site-wide encryption by default. The discussion around multifactor authentication suggested that although it was a useful trust indicator, there still are significant challenges with this security measure. Describing biometric information as a fad, panelists also cautioned against its use as part of multifactor authentication because biometric information cannot be reset. The panel concluded by addressing content security policy and free resources available online. The consensus with regards to a content security policy was that it should be implemented with new software. Retrofitting a content security policy into an existing website or project, while possible, would not be without significant challenges.

The FTC simultaneously released two videos to illustrate lessons businesses can learn from the FTC’s more than 50 data security settlements. The first, Implementing Strong Password Policies, includes tips on password practices that can help protect businesses. The second, Secure Devices and Paper, talks about the risks posed by a lax approach to securing files and devices, and simple steps to keep them safer. The FTC’s next “Start With Security” event will be held in Seattle on February 9, 2016.

Will the FTC Have Access to Your Electronic Communications? Fri, 18 Sep 2015 06:00:53 -0400 Amending the Electronic Communications Privacy Act (ECPA) has long been under consideration in Congress, but recent testimony indicates that ECPA reform may have deeper implications for companies subject to FTC investigations.

The ECPA, passed almost 30 years ago, generally prohibits the unauthorized access to communications systems and the disclosure of the contents of wire and electronic communications by a service provider. The ECPA Amendments Act of 2015 (S.356/H.R. 283) is intended to “bring privacy protections for the digital world in line with those in the physical world.”

Since its introduction in Congress, several stakeholders have raised concerns that the current bill could hamper civil investigations by regulatory agencies, such as the FTC or SEC, since these agencies – like all others – must have a warrant to obtain emails and other electronic communications. On September 16, 2015, the Senate Judiciary Committee held a hearing entitled “Reforming the Electronic Communications Privacy Act” to provide stakeholders the opportunity to provide additional insight.

In testimony by Daniel Salsburg, FTC’s Chief Counsel in the Office of Technology, Research and Investigation, Salsburg explained that although the Commission does not currently seek the content of electronic communications from ECPA service providers, he believes that in the future, as more electronic communication moves to the cloud, the effectiveness of the FTC’s fraud prevention program may be hampered if the proposed legislation is not appropriately modified. Where the target is a fraudulent marketer, for example, obtaining the electronic communications through a civil investigative demand (“CID”) to the marketer may not be a viable option, and the FTC should be able to obtain this information through warrantless means.

Notably, Salsburg requested the ECPA be modified to:

  1. Allow the FTC to obtain copies of previously public commercial content that advertises or promotes a product or service directly from the service provider, without a warrant; and
  2. Provide a judicial mechanism that would authorize the FTC to seek a court order directing the service provider to produce the content if the FTC establishes it has sought to compel it directly from the target, but the target has failed to produce it.

So what does this mean for your business?

Depending on if, and to what extent, this language is included in the ECPA Amendments Act, the FTC (and perhaps other civil investigative agencies) may have the broad authority to obtain, via a simple court order, electronic communication content from third-party service providers. It is unclear, however, whether this would be limited solely to entities that refuse to participate in a civil investigation, or could extend to a situation where the target entity has participated in a CID, but the FTC believes the entity has not provided the agency with the information it is looking for.

Notably, in a statement released the same day, FTC Commissioner Julie Brill dissented with her colleague, saying that it is “exceedingly rare that it would be useful for the FTC to seek content through ECPA,” and highlighted the inherent privacy concerns and questionable constitutionality of Salsburg’s request.

Nonetheless, with 23 co-sponsors in the Senate, and more than 300 supporters in the House, companies should continue to monitor the ECPA Amendments Act and any corresponding revisions.

FTC Closing Letter Provides Good Data Security Reminder Wed, 19 Aug 2015 08:00:16 -0400 Last week, the FTC sent a closing letter to Morgan Stanley Smith Barney LLC (“Morgan Stanley”) relating to the agency’s investigation over whether Morgan Stanley engaged in unfair or deceptive acts or practices by failing to secure certain account information related to its Wealth Management clients.

The investigation examined allegations that a Morgan Stanley employee misappropriated client information by transferring data from the Morgan Stanley computer network to a personal website accessed at work, and then onto other personal devices. The exported data subsequently appeared on multiple Internet websites, creating the potential for misuse of the data.

The agency, however, decided to informally close the case without taking further action because Morgan Stanley had established and implemented comprehensive policies and access controls designed to protect against insider theft of personal information. Although Morgan Stanley had such policies and controls in place, the FTC found that certain controls applicable to a narrow set of client reports were improperly configured. This allowed the employee to access and misappropriate the data.

The FTC’s initiation of this investigation (and subsequent decision to close the case) provides a few key takeaways for companies that would prefer not to face the FTC:

  • Employ reasonable and appropriate safeguards to protect against unauthorized misuse of all sensitive consumer information;
  • Establish and implement comprehensive policies designed to protect against employee theft of personal information;
  • Have controls in place to ensure that company employees and/or contractors have access to sensitive personal information only on a “need to know” basis;
  • Monitor the size and frequency of data transfers by employees;
  • Prohibit employee use of USB or other devices to exfiltrate data;
  • Block employee access to certain high-risk Web applications and websites; and
  • Train employees regularly in meaningful data security practices.
Implementing and maintaining data security is a never-ending challenge, prompting organizations to have programs in place to match the ever-evolving tactics of cybercriminals and rogue employees. The FTC closing letter provides a valuable lesson: While companies should implement and maintain policies, procedures, and controls to protect against outside threats, they should also consider and protect against data security threats arising much closer to home.

Google to Refund at Least $19 Million Over Kids’ In-App Purchases Mon, 08 Sep 2014 11:52:35 -0400 On September 4, 2014, the FTC announced a settlement with Google Inc., which requires the search giant to pay at least $19 million in refunds to consumers that the Commission alleges were billed for unauthorized in-app charges incurred by kids. The settlement follows a similar settlement in January with Apple (which required Apple to pay a minimum of $32.5 million in refunds), and a recent complaint filed by the FTC in federal court against Amazon.

The FTC’s complaint against Google alleges that the company offered free and paid apps through its Play store. Many of these apps are rated for kids and offer “in-app purchases” ranging from $0.99 to $200, which can be incurred in unlimited amounts. The FTC alleges that many apps invite children to obtain virtual items in a context that blurs the line between what costs virtual currency and what costs real money.

At the time Google introduced in-app charges in March 2011, users were notified of an in-app charge with a popup containing information about the virtual item and the amount of the charge. A child, however, could clear the popup simply by pressing a button labeled “CONTINUE.” In many instances, once a user had cleared the popup, Google did not request any further action before billing the account holder for the corresponding in-app charge.

It was not until mid- to late-2012 that Google began requiring password entry in connection with in-app charges. The complaint alleges, however, that once a password was entered, it was stored for 30 minutes, allowing a user to incur unlimited in-app charges during that time period. Regardless of the number or amount of charges incurred, Google did not prompt for additional password entry during this 30-minute period.

Google controls the billing process for these in-app charges and retains 30 percent of all revenue. For all apps, account holders can associate their Google accounts with certain payment mechanisms, such as a credit card, gift card, or mobile phone billing. The complaint highlights that Google received thousands of complaints related to unauthorized in-app charges by children and that unauthorized in-app purchases were the leading cause of chargebacks to consumers.

The FTC alleges that Google’s billing practices were unfair and violated Section 5 of the FTC Act. Under the terms of the proposed settlement order, Google must pay at least $19 million in refunds to consumers. Google is also required to obtain the “prior express, affirmative consent of the account holder” before billing a consumer for an in-app charge.

In instances where consent is sought for a specific in-app charge, the settlement requires Google to clearly and conspicuously disclose: (1) the in-app activity associated with the charge; (2) the specific amount of the charge; and (3) the account that will be billed for the charge. In addition, if consent is sought for potential future in-app charges, Google must clearly and conspicuously disclose: (1) the scope of the charges for which consent is sought, including the duration, devices, and apps to which consent applies; (2) the account that will be billed for the charge; and (3) the method(s) through which the account holder can revoke or otherwise modify the scope of consent.

The settlement with Google is a good reminder that app developers and mobile platforms should continue to review their advertising, marketing, and game experience (as well as consumer complaints), and determine whether existing disclosures and processes may benefit from enhancements in line with the terms set forth in this latest settlement.

Third Plastic Lumber Company Hammered by FTC Over “Green” Claims Mon, 21 Jul 2014 08:55:50 -0400 Last week, the FTC announced it had reached another settlement with a plastic lumber company regarding its green marketing claims. This is the FTC’s third settlement in five months relating to environmental claims for plastic lumber products (the other cases involved N.E.W. Plastics Corp. and American Plastic Lumber, Inc.).

The FTC’s complaint alleges that Engineered Plastics Systems, LLC (“EPS”) marketed its plastic lumber products – including picnic tables and benches – as made of “recycled plastic,” made “entirely of recycled plastic lumber,” or having an “all recycled plastic design.” The FTC alleges that while consumers would likely interpret the claims to mean that the products are made from all, or virtually all, recycled plastic, the products contained, on average, only about 72 percent recycled plastic. The products also contained some non-recycled plastic and a mineral component.

The proposed consent order with EPS prohibits the company from misrepresenting the recycled content or environmental benefit of any product or package. For any recycled-content claims, the company must substantiate the claims by demonstrating that the content of its product or package is composed of materials that have been recovered or otherwise diverted from the waste stream. The FTC’s consent order will remain effective for 20 years.

FTC Files Suit Against Amazon Over Kids’ In-App Purchases Mon, 14 Jul 2014 09:45:17 -0400 On July 10, 2014, the FTC filed a complaint in federal court alleging that Amazon unlawfully billed parents and other Amazon account holders for unauthorized in-app charges incurred by kids. The complaint follows a similar FTC settlement with Apple and a similar class action lawsuit against Google.

The FTC’s complaint alleges that Amazon offers free and paid apps through its App store, many of which are rated for kids and allow in-app charges ranging from $0.99 to $99.99. Amazon controls the billing process for these in-app charges and retains 30 percent of all in-app revenue. For all apps, Amazon requires its users to link their mobile device to an Amazon account, which is funded by a credit card or Amazon gift card.

At the time Amazon introduced in-app charges to the App store in November 2011, users were notified of an in-app charge with a pop-up containing information about the app virtual item identified for purchase and the amount of the charge. The FTC asserts, however, that a child user could clear the pop-up notification by pressing the “Get Item” button. Once the user clears the pop-up, the FTC asserts that Amazon did not request further action before billing users’ accounts.

The complaint highlights internal communications among Amazon employees from December 2011 noting that unlimited in-app charges without requiring a password were causing problems for a large percentage of its customers. According to the complaint, in March 2012, Amazon updated its in-app charge system to require a password for any single in-app charge over $20, but continued allowing an unlimited number of lesser in-app purchases with no password.

In early 2013, Amazon implemented further updates to require a password entry for all in-app charges. The complaint alleges, however, that once the password was entered, the password was stored from 15 minutes up to one hour, allowing the user to incur unlimited in-app charges during that time period.

The complaint contends that Amazon received thousands of consumer complaints relating to unauthorized in-app purchases by kids, amounting to millions of dollars of charges. Amazon, however, has an express policy stating that all in-app charges are final. To the extent that parents sought an exception from the policy, the FTC’s complaint states that Amazon’s refund process is unclear and confusing.

The FTC alleges that Amazon’s billing practices were unfair and violated Section 5 of the FTC Act. The complaint seeks a permanent injunction to prevent future violations of the FTC Act, a court order to refund users for the unauthorized charges, and the costs of the action.