The FTC is building up its army of watchdogs to police online marketing content and practices. Who those watchdogs are – and their relationship to the industry – might surprise you.
Earlier this month, the agency entered into a settlement agreement with Central Coast Nutraceuticals, an Internet marketer of weight-loss and health products. The agreement settles charges that were initiated against the company in 2010. The company is one of the many marketers targeted by the FTC for its tactics in selling acai berry diet products. Like more recent FTC targets, Central Coast was charged with deceptive advertising and unfair billing. The deceptive advertising allegations were based on (1) the marketer’s use of phony endorsements by Rachael Ray and Oprah Winfrey and (2) the marketer’s unsubstantiated claims about the benefits of its products. The unfair billing allegations were based on the marketer’s “free trial” scheme that baited consumers into pricy negative continuity programs.
Those tracking the FTC’s enforcement actions against online diet marketers are familiar with these allegations. Last spring, the FTC halted the sites of 10 operators who marketed acai berry diet pills for alleged fake endorsements from major media networks and unsubstantiated claims about the pills’ efficacy. An eleventh operator was slapped with an action last December for the same issues, including the use of negative continuity programs.
Since Central Coast was the first of these marketers to come under the agency’s fire, and the first to enter into a settlement agreement (the actions of the other 12 operators are still pending), it is likely that the Central Coast settlement agreement will be the template for the suits to follow. (The FTC uses its settlement agreements to establish its legal standards.)
A term in the settlement agreement that caught our attention is a requirement that the company monitor affiliate marketers it does business with in the future. This obligation includes reviewing marketing materials to make sure that those materials comply with the provisions of the settlement agreement. Again, the Central Coast agreement likely will be the standard for subsequent enforcement actions, so these monitoring duties likely will be included in future agreements with other companies.
There have been a few FTC actions in the past that have imposed monitoring duties on companies who find themselves in hot water with the agency. In March of last year, a seller of instructional DVDs entered into an agreement with the FTC that requires the company to periodically monitor and review affiliates’ representations and disclosures. That includes monthly visits to top affiliate websites “done in a way designed not to disclose to the affiliates that they’re being monitored.”
What does this mean? Corporate spying has taken on new meaning, thanks to FTC sanctions. Affiliate marketers have their business partners as their proverbial Gladys Kravitz. It is likely that this type of government-imposed self-regulation will become increasingly the norm. The FTC doesn’t like affiliate marketers or the layers of puffery they create between advertiser and consumer. Policing for free through private companies is a win-win for the agency.
Putting a snag in New Year’s resolutions for pound-shedding, the FDA and the FTC recently sent out warning letters to several companies that sell HCG-based diet products online. (These companies include Nutri-Fusion Systems LLC, Natural Medical Supply, HCG Platinum, LLC, theoriginalhcgdrops.com, HCG Diet Direct, LLC, and Hcg-miracleweightloss.com.)
The warning letters, which came at the outset of the holiday season (and just before the January windfall for the diet industry, which the government may or may not have had in mind), allege that the companies are in violation of federal law (1) for selling unapproved and misbranded new drugs and (2) for advertising the health benefits of products without sufficient back-up research.
The products at issue, generally liquid drops, contain the human chorionic gonadotropin (HCG) hormone, which comes from human placenta and is extracted from pregnant women’s urine. HCG has been popular for weight loss since the 1950s, when a British doctor published a study that the hormone aided dramatic weight loss (of up to a pound a day) by mobilizing fat stores without affecting muscle or normal/structural fat. The popularity of HCG-based diet products escalated in 2007 when the notorious infomercial man, Kevin Trudeau, published a diet book on HCG.
Responding to the increased demand, in came many enterprising online marketers. But there’s an issue with selling these products – government regulation. HCG is FDA-approved, but only as a prescription drug and only for certain medical conditions, which do not include weight loss.
To get around this government roadblock, companies have marketed their HCG products as “homeopathic.” The FDA allows for the manufacture and distribution – without FDA approval – of homeopathic drugs provided those drugs meet criteria set out in the agency’s Compliance Policy Guide under “Conditions Under Which Homeopathic Drugs May be Marketed (CPG 7132.15).”
But according to the FDA’s warning letters such as this one, the HCG products marketed by these companies don’t meet the Compliance Policy Guide criteria. The biggest issue, which companies are going to have a hard (read impossible) time getting around is that HCG is not an established homeopathic active ingredient. And if a product has any non-homeopathic active ingredients, it falls out of the homeopathic exceptions under the CPG. Since HCG is a regulated drug (several states, including California and New York, list it as a Schedule III controlled substance) and can’t fall under the homeopathic exception, companies marketing HCG-based products are subject to a host of FDA regulations that require FDA involvement and approval. As these companies operated outside the FDA’s purview, they now find themselves in hot water.
The FDA isn’t the only government agency barking up these marketers’ money trees. The FTC joined the investigation and incorporated their allegations into the warning letters. The letters note that the companies’ websites make a host of claims that the government alleges are unsubstantiated. Any advertisement that includes health claims requires “competent and reliable scientific evidence,” such as human clinical studies.
The letters give the companies 15 days to take corrective measures and notify the government of those measures. If you go on these companies’ sites today, you’ll notice a lot of “coming soon” and “products currently being improved”-type language. And this all takes place during the New Year’s resolution timeframe, when these companies could be raking it in.
A few takeaways from the warning letters: (1) If you are going to invest time and money into a product being marketed purely through a regulatory loophole, make sure you satisfy all the criteria to meet that exception. (2) Don’t go where Kevin Trudeau has gone. This is meant to be partially glib, but the fact of the matter is that Trudeau is an FTC pet peeve. You can be sure of FTC involvement if you trek the same path he has. (3) Disclaimers are not enough to avoid the FDA. A couple of the HCG marketers to whom warning letters were issued had included disclaimers on their websites that the products are not intended to treat, cure or prevent disease. Such disclaimers, according to the FDA, could not overcome other health claims and language on the sites. (4) At the end of the day, if the government wants to give you a hard time, there is little you can do about it. Other warning letters issued by the FDA regarding homeopathic products noted that “that there may be circumstances where a product that otherwise may meet the conditions set forth in the CPG may nevertheless be subject to enforcement action.” With this last pointer, all we can say is, do a cost-benefit risk analysis.
Speaking at a Dec. 15 Capitol Hill forum on children’s and teens’ online privacy, Federal Trade Commission Chairman Jon Leibowitz said that the agency is recommending that the Children’s Online Privacy Protection Act (COPPA) expand the definition of personally identifiable information.
Leibowitz explained that he supports expanding the definition of “personally identifiable information” to include geolocation information, photos, videos, IP addresses, and similar items found on computers or mobile devices.
COPPA applies to the online collection of personal information from children under 13 years old. The act applies to websites and online services that are operated for a commercial purpose and are directed at children under the age of 13 or whose operator has actual knowledge that children under 13 are providing information to the site online.
In September, the FTC announced proposed revisions to the COPPA rules, the first significant changes to the Act since it the rules were issued in 2000. The FTC has been seeking public comments on the proposed revisions since September.
According to Leibowitz, the definition of personally identifiable information should be expanded from information provided by the consumer, to also include information used by the user’s computer or mobile device. This would include information held in cookies, processor numbers, IP addresses, geolocation information, photographs, videos, and audio files. Additionally, the new definition would now include information that web site operators, advertising networks, and others use to track consumers as they use the Internet.
The proposed rule changes would also expand the definition of what it means to “collect” data from children. The new definition would make it clear that personal information is being collected not only when the operator is requiring the personal information but also when the operator prompts or encourages a child to provide the information.
The way parental consent is obtained from parents would also be changed to add several new methods such as electronic scans of parental consent forms and the use of government issued identification that is checked against a database. The rules would also eliminate the popular “e-mail plus” mechanism .
The new rules would also present a data retention and deletion requirement, which would mandate that data that is obtained from children is only kept for the amount of time necessary to achieve the purpose that it was collected for. The rules would also add the requirement that operators ensure that any third parties to whom a child’s information is disclosed have reasonable procedures in place to protect the information.
These proposed changes to COPPA will have a significant effect on online operators, particularly the expansion of the definition of personally identifiable information. We note, particularly, that the expansion of the definition of “personally identifiable information” in the children’s privacy context could lead to a general expansion by the FTC of the definition in all contexts. The FTC has cracked down on COPPA violations in the past, and these new powers will likely continue this trend.
In November 2011, we at Ifrah Law expressed our views on a number of current issues in our blogs, Crime in the Suites and FTC Beat. This post summarizes and wraps up our thoughts from the month.
ACLU Wins FOIA Appeal on Prosecutors’ Use of Cell Phone Location Data
The Justice Department must turn over the names and docket numbers of numerous cases in which the government accessed cell phone location data without probable cause or a warrant.
Options for Suing the Federal Government Under Bivens Unlikely to Expand
U.S. Supreme Court argument indicates that the Justices are unlikely to extend Bivens to cover cases against private employees.
Judge Imposes 15-Year Sentence in FCPA Case; Appeal to Follow
This case will test the Justice Department’s expansive definition of “foreign official” under the statute.
High Court Hears Argument in GPS Fourth Amendment Case
The Justices grapple with issues of search and seizure in an online, wired world.
In Appeal of Construction Fraud Case, DOJ Seeks Tougher Sentences
This case, arising from Boston’s “Big Dig” project, will test the limits of a trial judge’s sentencing discretion.
Self-Regulation Reigns, for Now, on Consumer Data Privacy Issues
The online advertising industry is inching its way to more comprehensive policies regarding the collection of consumer data.
Google, Microsoft Assume Roles of Judge, Jury and Executioner on the Web
The Internet giants cancel the Web connections of companies that are accused by the government of mortgage fraud but have not been convicted.
New House Hearing Shows Strength of Hill Support for Legal Online Gaming
Many members of Congress remain serious that legal and technical obstacles can be overcome and that legislation can be passed in this area.
Convicted of Fraud but Changed Their Lives; Appeals Court Takes Note
A couple committed mortgage fraud back in the late ‘90s. The 7th Circuit gives them sentencing credit for self-rehabilitation.
More Big Pharma Companies Cough Up Big Dollars in DOJ Settlements
How high will these settlements go? The government has the power to strong-arm drug companies into settlements. How much will it demand?
Google, Yahoo! and Bing have suspended their accounts with hundreds of advertisers and agents associated with mortgage programs under federal investigation. The move by Google and Microsoft (Microsoft powers Bing and Yahoo!) has basically shut down these businesses: Without the vehicle of the search engines, these sites cannot effectively generate traffic.
Why did Google and Microsoft cut the cord of these companies, and is there anything the companies can do? Google and Microsoft (we’ll call them the Government’s “Judge, Jury, and Executioner” or the “Enforcers”) acted upon the request of SIGTARP, a federal agency charged with preventing fraud, waste, and abuse under TARP’s Home Affordable Modification Program. (The pressure started a while back, as we wrote last March.)
SIGTARP is investigating mortgage programs that it believes have been wrongly charging “struggling homeowners a fee in exchange for false promises of lowering the homeowner’s mortgage.”
According to a source at SIGTARP, the agency handed Google and Microsoft a list of some 125 mortgage “schemes.” Apparently, the Enforcers then took that list, identified advertisers and agents associated with those mortgage programs, and opted to suspend relations with those companies (about 500 advertisers and agents for Google and about 400 for Microsoft). (SIGTARP’s announcements on these actions can be found here and here.)
So it looks as if these companies have been penalized through government action without any adjudicative process, merely through government pressure on private companies, i.e. Google and Microsoft. (More analysis from us on this to come.)
It’s easy to understand why the Enforcers would feel pressure. Google just settled with the Department of Justice and agreed to pay more than $500 million for its role in publishing prescription drug ads from Canada. Those familiar with that settlement may see Google’s recent actions for SIGTARP as follow-on. Likely Google is more apt to buckle to the Feds quickly because of the costly settlement, but the matters are not directly related. In fact, the prescription drug settlement agreement relates to prescription drug ads only.
While the SIGTARP investigation is “ongoing,” and Google and Microsoft are continuing to cooperate with the agency, what can companies who have been caught up in this firestorm do? The Enforcers do, fortunately, have grievance processes (see, for instance, Google’s grievance process here).
Either on their own, or with some added strength through legal representation, the companies can try to make their cases regarding the content and nature of the ads at issue.
What is the next step going to be? If the Federal Trade Commission identifies, say, a group of websites that it believes are promoting bogus weight-loss schemes, will the Enforcers simply move to shut off their access to the Web, without further ado?
The online advertising industry is inching its way to more comprehensive policies regarding the collection of consumer data. Several announcements this month by different self-regulatory groups show that pressure from government agencies and consumer watchdog groups concerned about consumer privacy is taking effect . . . slowly but surely.
The most recent pronouncement comes from the World Wide Web Consortium (W3C), an international standards body made up of more than 300 members, including Google and Facebook. W3C announced earlier this week two first drafts for standards that provide consumers more information and control over how their data is tracked online.
The first set of standards, Tracking Preference Expression (DNT), is supposed to define means for users to establish their tracking preferences and see whether sites will honor those preferences. The second set of standards, Tracking Compliance and Scope Specification, is intended to set forth practices for websites to comply with a defined “Do Not Track” preference.
W3C’s announcement has generated a good bit of attention on the other side of the pond, where the EU has been pushing for years for more transparency and consumer control over online behavioral advertising. But W3C’s standards are not expected to be finalized until mid-2012.
On this side of the pond, more clamoring has gone on about the Digital Advertising Alliance’s consumer data tracking policies. The DAA, another self-regulatory project put together by the American Advertising Federation, the Interactive Advertising Bureau, the Better Business Bureau, and several other similar groups, announced last week its latest set of principles. These principles, known as Principles for Multi-Site Data, are supposed to govern companies’ collection and use of online consumer data – like earlier DAA standards, but more comprehensive. The DAA appears to have published these in response to the FTC’s concern that prior DAA standards did not sufficiently address forms of Internet tracking.
There seems to be a trend here: companies (and their consortiums) with major online presences are having a hard time reforming their online behavioral advertising (OBA) tracking, and are doing so with the speed and enthusiasm of a satiated pig. It makes sense: advertising, and OBA, has been the center of Web business models. Shaking up the models by giving consumers opt-outs across pages significantly interrupts, for instance, how sellers get leads to their sites, how advertisers track their effectiveness, and how affiliates get paid.
But like it or not, change is the reality for companies who use OBA. Growing concerns over data privacy will force companies to take new approaches, as we’ve discussed thoroughly here already. See this post, this post, and this post, for example.
Slow and steady as self-regulation may be going, it looks like government agencies like the FTC are willing to let companies take the lead on data privacy standards (with the ever ready government prod to coax them). FTC Chairman Jon Leibowitz made this point last week, while praising the DAA’s latest set of principles: “We believe that you, the advertising industry, should give consumers choices about how they are tracked online.”
Companies should be aware, though, that the FTC is not washing its hands of data privacy issues; it rather intends to enforce those company-prescribed standards. So another business beware: whatever data privacy policies you adopt, make sure you adhere to them. If not, the FTC may come to ensure you do. See, for example, this recent enforcement action.
Federal Trade Commission Chairman Jon Leibowitz delivered the keynote speech at a forum on Internet privacy on Oct. 11, 2011. He was part of a panel that discussed the protection of consumer data and the tracking of online consumer behavior. The Stanford Law School Center for Internet and Society also released a study the same day showing that data collection on the Internet is not anonymous and information about consumers is often leaked from websites.
Leibowitz emphasized that there are three key principles to protecting the privacy of consumers on the Internet. First, companies in the business of collecting and storing data need to build strong privacy policies. Data should be kept only for legitimate business needs and the more sensitive the data is, the more careful they need to be.
Second, there needs to be transparency. If data is being collected then consumers need to be told what is going on in a manner that they can easily understand. Lastly, there needs to be choice for the consumer. Consumers should have streamlined choices about the collection and usage of data based on their online behavior.
Leibowitz said there is a clear need for the development of a do-not-track mechanism for web users, similar to the do-not-call list that has been successful in blocking telemarketing calls. This mechanism would provide web users the ability to opt out of online tracking, which is used to provide targeted advertising based on a person’s online behavior.
Leibowitz emphasized that it is about providing consumers with the choice not to be tracked online, noting that if given the choice himself he would probably choose not to opt out because he enjoys the targeted advertising.
Leibowitz made clear that he does not care who creates this mechanism, but he does not think it needs to be administered by the government, though some members of Congress have proposed legislation to create a do-not-track system. (Note that the Interactive Advertising Bureau, a trade group for online advertisers, established a code of conduct that states that members should give clear and prominent notice of any online behavioral advertising collection and use. The code went into effect at the end of August.)
Leibowitz applauded Mozilla for going out of its way to provide consumers with the information to decide if they want to opt out of online tracking and said he was hoping other online browsers would soon follow. (Microsoft’s IE9 and Apple’s Safari also have do-not-track options.) Leibowitz emphasized that the FTC did not want to interfere with the normal data flow that makes the Internet efficient and did not see the need for the Internet to be a privacy-free zone, but still wanted to have a mechanism that allows for consumer protection.
Jonathan Mayer, a graduate student fellow at the Center for Internet and Society at Stanford University, and identifier of the “supercookie,” released a new study that showed that information collection from many websites is not as anonymous as many sites claim it is or consumers think it is. Identifying information from consumers was often leaked when the consumers went to various websites, though Mayer said that it was not clear that the leakage by websites was intentional and the study did not attempt to gauge this.
Mayer looked at the top 250 websites and signed up as a member on 185 of those websites. Mayer found that 61 percent of the websites leaked a user name or a user ID. Mayer stated that once an identity is provided in a pseudonymous system then it can be associated with what that person has done in the past and will do in the future. Full results of the study are available here.
The talks were sponsored by the ACLU, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Privacy Information Center, Privacy Rights Clearinghouse, US PIRG, and World Privacy Forum.
October is Breast Cancer Awareness month. And pink is everywhere – all over the shelves of retail stores like Wal-Mart and adorning the backs of NFL linemen. We’ve been trained to know that the color pink represents a supporter of breast cancer awareness or research. So sporting a pink ribbon, jersey, or band should demonstrate that you have put some of your dollars toward the cause.
“Not necessarily so,” say the Better Business Bureau and other consumer groups. It should come as no surprise that many an enterprising social deviant has jumped on the pink bandwagon to profit from people’s assumptions that purchasing pink means supporting the cure. What has become known as “pinkwashing” is a growing problem that has been highlighted in the media – from Reuters, to Marie Claire (yes, a fashion magazine, but nonetheless they wrote a substantive article on pinkwashing!) to Fox News. Consumers have been urged to inquire about where proceeds go before they purchase a pink product.
With all this attention being placed on the pink ne’er-do-wells (including the recent documentary, Pink Ribbon, Inc.), you can expect the FTC to start looking into these companies for false and deceptive practices. The FTC regularly picks up issues exposed by consumer advocacy groups and news reports. Indeed, some FTC staffers have the task of reviewing such reports and researching the underlying issues. Those companies that are holding themselves out as anti-cancer champions by donning pink should be on the lookout for some regulatory attention.
It seems pretty likely that a few of the companies profiled by the Marie Claire piece may be in for a thorough FTC review. One company’s website, with lots of “Donate Now” pink hyperlinks, has cleverly identified itself with established breast cancer foundations like the Susan G. Komen Foundation under its “History” tab or celebrity advocates under its “Ambassadors” tab. But a careful review of the vague representations on the site seems to indicate the organization itself is not directly affiliated with any of them.
State attorneys general are already looking into some of these breast cancer foundations. New York Attorney General Eric Schneiderman filed suit in June against Long Island-based Coalition Against Breast Cancer. That group allegedly solicited some $9.1 million over five years while spending virtually no money on breast cancer programs.
No surprises that some people want to take advantage of people’s soft and charitable spots. Pink profiteers should not be surprised if their acts result in a knock on the door from a federal or state agent who is not trick-or-treating this Halloween.
The bastard stepchild of online behavioral advertising – the supercookie – is in the hot seat.
Two members of the House of Representatives sent a letter to the FTC on September 27 calling on the commission to look into the usage and impact of supercookies on consumers. Reps. Ed Markey (D-Mass.) and Joe Barton (R-Tex.), co-chairmen of the bipartisan privacy caucus in the House, sent the letter in response to an August 18 Wall Street Journal article. The article reported on use of supercookies by major online presences like MSN.com and Hulu.com. Rep. Barton raised concerns that the existence of supercookies “eats away at consumer choice and privacy.”
Like regular cookies, supercookies (aka “Flash cookies” and “zombie cookies”) are legal means to track a user’s online activity. But there are several differences that cause supercookies to pique the concerns of data privacy advocates. Unlike regular cookies, supercookies circumvent a user’s privacy settings and are hard to detect and remove. They are located in different files on the computer, like the Flash plug-in (hence the term “Flash cookies”), and cannot be found by browsers’ cookie detectors. Moreover – and this is one of the big issues for data privacy people – supercookies can regenerate (“respawn”) user profiles after regular cookies are deleted.
After the Wall Street Journal article came out, Microsoft and other companies identified as using supercookies were quick to disavow them. Microsoft, which created the code, claimed it was “alarmed” when the supercookie was brought to its attention. Hulu said it “acted immediately to investigate and address” the issue. Other companies, like Flixter, also pleaded ignorance.
Shortly following the Barton-Markey letter, the Interactive Advertising Bureau, a trade group for online advertisers, sent a reminder to its members of their advertising code of conduct. The code, which requires online advertisers to give notice to consumers of their data tracking and collection, was largely an industry response to placate regulatory agencies and keep them from establishing the parameters of online behavioral advertising. The supercookie, though, may inspire a heavier regulatory presence. Representative Barton declared that supercookies should be outlawed and the “constant abuse of online activity must stop.”
We have been guessing that data privacy will be one of the focal points of the “Dot Com Disclosures,” the FTC’s soon-to-be-released updated online advertising guidelines. Public comment on what the revised guidelines should include was closed in August. But the congressmen’s letter to the FTC will likely have an impact.
Online advertisers may want to take a different strategy on consumer data tracking. Instead of coming up with new ways to circumvent privacy settings, why not be upfront about data tracking but make it less scary? Location services on smart phones have gained considerable consumer appeal, so users are voluntarily allowing the tracking of their physical location (arguably scarier than much online tracking). If advertisers can demonstrate to consumers that they are in fact getting a benefit and not getting abused by data tracking, then tracking opt-ins could work for both consumers and marketers.
Like pawnbrokers, payday lenders cater to people in a tight squeeze. That means they can, in turn, put the squeeze on their customers, charging annual percentage interest rates above 300 percent for their short-term unsecured loans. That also means they are a popular target of federal regulators who are concerned about vulnerable consumers.
The FTC has recently brought a slew of cases against payday lenders. Some actions include one against a payday lender for allegedly tricking consumers into buying debit cards when they applied online for loans and another against a loan intermediary for allegedly tricking consumers into signing up for worthless continuity programs. The latest FTC action targeted a payday lender for garnishing borrowers’ wages.
One thing to glean from these actions is that the FTC is focused on the payday loan industry as a whole and not on some specific type of bad behavior by these lenders. In a twist on “if you build it, they will come,” if you have a payday lending operation, plan on a visit by the FTC. And any level of questionable behavior could very well become the basis of further FTC involvement.
The latest case, in which the FTC filed suit based upon Payday Financial LLC’s practice of garnishing borrowers’ wages, has an interesting twist: the FTC alleges that the payday lender deceived the borrowers’ employers.
The FTC goes after people and companies for false and deceptive practices affecting commerce – that’s its jurisdiction. Normally, its lawsuits allege practices that deceive consumers. So you would think in this case that the FTC would allege that the lender deceived borrowers, tricking them into giving permission for their wages to be garnished. Instead, the FTC alleges that Payday Financial deceived the borrowers’ employers, causing them to believe that Payday Financial was authorized to garnish the borrowers’ wages. The FTC alleged that the defendant’s notice to employers for wage garnishment looked “very similar, in both form and substance, to the documents sent by federal agencies when seeking to garnish wages for nontax debts owed to the United States.”
There are two unusual elements to this action. First, the FTC takes a bit of a circuitous route to get at jurisdiction, arguing that deceiving the borrowers/consumers’ employers impacted commerce. It makes sense when the FTC alleges that consumers’ actions, as a result of deceptive practices, impact commerce; it’s a bit of a stretch to move to a third party’s actions.
Secondly, the FTC argues that employers, normally considered sophisticated parties, were deceived. As we talked about earlier – the FTC focuses on protecting vulnerable consumers. Sophisticated parties are often held to a different standard.
So if you are a payday lender, a lesson from this may be: dot your I’s and cross your T’s. Your industry is not popular with the FTC. The agency is highly motivated to find that you have done something wrong.