In 2015, Amazon filed suit against over 1,000 unnamed individuals for allegedly offering to sell fake online reviews (positive or negative) on Fiverr.com (“Fiverr”). The unnamed defendants offer to provide 5-star reviews, and some defendants even encourage sellers to supply their own text to use in the review. In order to avoid detection, defendants offer to submit reviews from multiple IP addresses, utilize multiple Amazon accounts, and complete a Verified Review (which indicates that the reviewer has purchased the product, even though the defendants do not always require the actual product to be shipped for review). In short, the allegations are that these reviews for sale violate Amazon’s Customer Review Guidelines (which prohibit paid reviews) and Fiverr’s own Terms of Service (which require compliance with third party guidelines), and deceptively provide false reviews to consumers (which violates consumer protection laws).
Interestingly, Amazon did not name Fiverr as a party to the complaint. Instead, Amazon went after the individual sellers and indeed explicitly stated in the complaint that “Amazon will amend this complaint to allege their true names and capacities when ascertained.”
In contrast to Amazon’s approach, the Metallica Plaintiffs in a previously filed case against Napster, sued Napster directly and not the individual users (and eventually obtained their desired result). Indeed, Amazon has not always omitted operators from its case captions. Last April, Amazon filed a similar lawsuit against a number of companies that operated websites to promote the sale of Amazon reviews. That lawsuit contained very similar allegations to this recent suit against individuals and alleged selling positive reviews, offering a Verified Review, a slow posting of reviews to avoid detection by Amazon, etc. Similar as well to the Napster case, the first Amazon lawsuit also yielded a successful result because the websites targeted in that case were all closed down.
So why is Amazon now going after the individual sellers? And why did Amazon omit Fiverr in this lawsuit?
One possible explanation is that Amazon, like Napster, first attempted to take down the providers (i.e. the website owners) that enabled the fraudulent review process. While that was successful, Amazon likely realized that it was insufficient because the individual reviewers would easily migrate to sites like Fiverr to continue their activities. So, Amazon was forced to file suit against the individual users.
At the same time, Amazon did not include Fiverr as a named defendant because it is more likely to get Fiverr’s cooperation in providing the identities of the unnamed defendants, and because Fiverr is a legitimate global online marketplace offering tasks and services, in sharp contrast to the defendants in the prior Amazon lawsuit, who operated sites and companies for the sole purpose of providing fraudulent Amazon reviews (and further antagonized Amazon by utilizing the Amazon logo on their sites). Additionally, as noted in the current Amazon complaint, Fiverr itself prohibits paid reviews and has tried to prevent them, again in sharp contrast to the companies in the first Amazon lawsuit, whose entire business was selling Amazon reviews.
Or it may be that Amazon has embarked on a process to stop paid reviews and these are the first steps in that ongoing process. As noted in this complaint against the Fiverr sellers, the lawsuit is “the next step in a long-term effort to ensure these providers of fraudulent reviews do not offer their illicit services through other channels.” Thus, Amazon may have simply first pursued the enablers (i.e. the company websites dedicated to fraudulent reviews) and then it pursued the individual reviewers on Fiverr.
The extent to which Amazon will continue to pursue questionable reviews remains to be seen. In 2015, Amazon limited its lawsuits regarding fraudulent reviewers to paid reviewers. In 2016, we may see an assault on the groups of independent people who exchange positive reviews on Amazon (i.e. each party agrees to submit a positive review of the other’s product). This type of arrangement also violates Amazon terms and poses similar concerns to the reliance of consumers on Amazon reviews. Amazon may also question whether this prohibited practice merits attention.
Every e-mail user receives them, some days in numbers hitting the triple digit mark: those targeted, often annoying and unsolicited e-mails that clog our inboxes, originating from any of a multitude of establishments, including retailers, service establishments, and even our own social media. Regulation of unwanted e-mails has been limited mostly to the federal CAN-SPAM Act of 2003, which doesn’t prohibit the deluge of e-mails, but rather protects against misleading and deceptive ones and requires the sender to comply with certain requirements, including offering a clear opt-out. A private consumer has limited recourse to enforce the Act, however, and must rely on the FTC, as well as other government entities and Internet service providers, to bring suit to stop the unwanted e-mails. It seems that consumers in recent years are ever more fed up and frustrated with “spam” messages and desire change. However, as evidenced by a recent class action lawsuit by certain LinkedIn members against the social media giant, consumers may utilize other legal maneuvers to get relief from new marketing tactics employing spam.
LinkedIn is often referred to as the “Facebook of the Professional World.” With over 300 million users, LinkedIn has become the world’s largest professional network since it launched in 2003. One feature of the network allows a member to import his or her e-mail contacts list and send invitations to connect with others on LinkedIn. A user is prompted by LinkedIn to click an “Add Connections” link, which then allows LinkedIn to import the list from external e-mail accounts. LinkedIn uses this feature to grow its number of members.
According to the class action lawsuit filed against LinkedIn, if a connection invitation was not accepted within a certain period of time, up to two “reminder” spam e-mail messages would be sent to the prospects, without the LinkedIn member’s consent to do so. In Perkins v. LinkedIn Corp., the federal district court in the Northern District of California determined that the motion to dismiss filed by LinkedIn would be granted in part and denied in part, thereby allowing the suit to move forward. In its partial denial of the motion to dismiss, the court reasoned that although the members consented to importing their contacts and sending the invitation to connect, they did not consent to LinkedIn sending the reminder messages on their behalf. In her Order, Judge Lucy Koh explains,
“Nothing in LinkedIn’s disclosures alerts users to the possibility that their contacts will receive not just one invitation, but three. In fact, by stating a mere three screens before the disclosure regarding the first invitation that ‘We will not . . . email anyone without your permission,’ LinkedIn may have actively led users astray.”
(Order Granting in Part and Denying in Part Defendant’s Motion to Dismiss with Leave to Amend *30). The plaintiffs also contended that LinkedIn members did not consent to the use of their names and likenesses in the reminder e-mails and were embarrassed and felt that the unwanted e-mails sent to personal contacts affected their professional reputations.
Following the court’s Order, the parties agreed to settle the suit. The settlement requires the social media giant to pay at least $13 million, as well as $2.25 million in legal fees, to LinkedIn members who had accounts between Sept. 17, 2011 and Oct. 31, 2014 and sent e-mails through the Add Connections feature. Although LinkedIn did not admit any wrongdoing in the settlement, it agreed to revise its disclosures and clarify that the reminder e-mails would be sent as part of the “Add Connections” service. LinkedIn also indicated its intent to provide an option to cancel the connection invitation, and thereby the reminders, by the end of the calendar year.
Interestingly, with perhaps the fear of a lawsuit on the horizon, Mark Zuckerberg preemptively announced at a recent town hall meeting held in Delhi, India, that Facebook will be reducing the number of invitations it sends to outside contacts of players of the game Candy Crush Saga. Facebook often sends the invitations to contacts who have never used a game and never played games on Facebook, suggesting that they join their friends in a Candy Crush Saga game. Zuckerberg noted that reducing the number of invitations received was the most upvoted question in an online thread, and he has promised to reduce the number of these unwanted requests. After the recent LinkedIn settlement, we advise Mr. Zuckerberg to take action swiftly or we may see other unhappy consumers following suit. . . . with their own suit!
These developments should offer welcome relief for consumers and our busy delete buttons. However, this may be the tip of the iceberg with regard to the use of the courts against unwanted e-mails. Is the broad CAN-SPAM Act sufficient to deter spammers? Does the CAN-SPAM Act do enough to filter out unwanted e-mails? New scenarios have arisen since the enactment of the Act in 2003, and consumers seem to desire more regulation to deter the deluge of e-mails. If swift action isn’t taken by Congress and other regulators, it seems that consumers may take to the courts to set precedent in this ever-changing arena.
Exploiting consumers and exploiting consumer data were popular themes in the FTC’s October 30th workshop on lead generation, “Follow the Lead.” The day-long workshop explored the mechanics of lead generation and its role in the online marketplace. With a focus on the lending and education spaces, panelists discussed the many layers of marketing involved in lead generation—and importantly—how those many layers can add confusion to how consumer data gets collected, sold, used … and misused.
Panelists of the five workshop sessions hailed from industry, government, advocacy groups, and research institutions. They offered insights into both the vulnerabilities and opportunities flowing from the extensive “behind the scenes” market of lead generation. But unsurprisingly, the benefits of lead generation were overshadowed largely by attendant concerns: why is so much consumer data collected, what is done with it, and are consumers aware of how their personal information is being traded and used?
The workshop included two “case study” panels on lending and education. For the panel on lead generation in lending, Tim Madsen of PartnerWeekly provided an overview of how the “ping tree” model works. Connecting prospective borrowers with lenders through a reverse auction of borrower leads, the “ping tree” model may be an efficient way of matching borrowers and lenders. However, Pam Dixon, Executive Director of World Privacy Forum, highlighted her concern that lenders are receiving consumer data that would otherwise be protected under the Equal Credit Opportunity Act, and therefore that the online process is circumventing important consumer protection laws. For instance, the online lending process may require certain personal information from borrowers in order to filter fraudulent requests. But that personal information (e.g., gender or marital status) otherwise could not be part of the loan application process. Dixon felt the disclosure of protected information was an issue that needed to be addressed from both a technical and a policy standpoint. And it is an issue she raised on subsequent panels during the conference, indicating a possible pressure point for future regulatory action.
The panel on lead generation in education was highly charged, due to the controversial nature of marketing higher education and due to the negative attention on for-profit education. Despite many people’s assumption that online marketing in education is largely a tool of the for-profit education industry, Amy Sheridan, CEO of Blue Phoenix Media, provided some surprising statistics: state and private institutions represent roughly forty percent of her business in the education vertical. Even renowned schools like Harvard and Yale are employing lead generation to gain students in their programs.
But given the extensive access to federal funds through higher education, consumer advocates highlighted concerns over students being preyed upon by unscrupulous educators. Jeff Appel, Deputy Undersecretary of Education at the Department of Education, attributed the problem in part to the lack of underwriting in federal student loans. [Query: Wouldn’t it make sense to add underwriting to the federal student loan process? Statistically, private student loan repayment fares much better thanks to this preliminary screening.]
In support of responsible advertising for educational programs, Jonathan Gillman, CEO of Omniangle Technologies, identified the need for clear guidance on appropriate marketing tactics, which may better address problems than resorting to law enforcement. He pointed out the adverse consequences of clamping down on educators’ online advertising: educators are now afraid to advertise online and that space is being filled by affiliates who are more apt to cross the line into deceptive advertising.
Appel provided some general guidance for schools working with lead generators. Schools should (1) monitor how lead generators are representing programs and ensure their ads are not deceptive, (2) make sure payment for advertising does not implicate regulations against incentive-based compensation, and (3) be aware that the actions of lead generators may come under the Education Department’s purview if they are providing additional assistance (e.g., processing student applications).
Both Appel and consumer advocates seemed to agree, though, that laws and regulations already in place were sufficient to address consumer protection concerns in the education marketing space. It is only a matter of having the resources to enforce those laws and regulations. Appel also suggested that state regulators could curb issues by better screening schools.
Throughout the day and across the panels, FTC representatives turned to the concept of “remnant information,” i.e. consumer information that is no longer being used. FTC attorney Katherine Worthman asked panelists various questions about what ultimately happens to this information. R. Michael Waller, another FTC attorney and panelist, noted his concern that companies have an economic interest in maintaining and possibly selling remnant information, and that such information is increasingly vulnerable to fraudsters. These FTC attorneys thus pressed panelists about their policies on consumer data retention. Aaron Rieke of Upturn supported the FTC concerns and noted that nothing in the company privacy policies (that he’s reviewed) prevents the sale of consumer data: “privacy policies are shockingly permissive when you look at how much information is being provided.”
Another popular issue was whether and to what extent disclosures to consumers are sufficient: are consumers aware of how their information is being traded? The general consensus among panelists was that consumers remain ignorant of the sale and use of the personal information they provide online.
Upshot from the workshop: Lead generators, and the companies using them, should be aware of the growing interest by federal regulators in (1) how consumer data is being collected, retained, and sold and (2) the extent to which people up and down the online marketing supply chain are vetting the buyers and sellers of consumer data. Other takeaways from the conference: Companies should ensure their data collection and retention policies comply with applicable state and federal law. Finally, it is important for companies to ensure their practices comply with both their policies and their disclosures.
If you didn’t know any better, you might have gotten pretty fiery over for-profit education after reading one of the front page stories of Tuesday’s New York Times. The lengthy article titled “For-Profit Colleges Fail Standards, but Get Billions” is all about accusations of greedy institutions bilking taxpayers and taking advantage of students through fraud and other deceptive practices. Why the story ran on page one of the paper is anybody’s guess: the only timely element in the piece appeared toward the end of the article, where the author mentioned the Defense Department’s recent decision to bar the University of Phoenix from its tuition assistance program. By the time you got to that part of the article, you might have cheered the DOD’s decision to cut the educator off, despite the fact that the decision appears premature, based on allegations as opposed to findings (meaning they are meting out punishment before a full investigation or review).
The New York Times piece seems narrowly focused on denigrating an industry that has become the bastard-stepchild of higher education. Ever since U.S. Sen. Tom Harkin decided to take on for-profit education, the industry has been under intense scrutiny from state and federal regulators as well as partisan research and advocacy groups. The article would have readers believe that all the negative attention is the equivalent of substantiated claims that for-profit education is a fraud on federal student loan programs. Thirty-seven state attorneys general, the Securities and Exchange Commission, the Consumer Financial Protection Bureau, the Department of Justice, and the Federal Trade Commission are all investigating for-profit schools. These schools must be horrible, right? But what the article lacks are legal holdings or findings of fact.
That several agencies are investigating industry participants is not tantamount to guilt: it is more reflective of the fact that regulators take their cues from other regulators. Once an industry becomes unpopular, everyone wants to jump in and get their piece of the pie … or the felled lion. For-profit education is now an obvious target. But, again, that does not make the industry per se bad.
Nor does the fact that many for-profit educators have settled with regulators mean they are guilty: people and companies alike perform a cost-benefit analysis when it comes to whether to fight or stand down. It often makes economic sense to settle out with regulators rather than stay the course through potentially lengthy costly litigation.
What is troubling is the undercurrent, and application, of guilt before innocence, both by the New York Times article and by regulators. What is missing is a comparison of how much for-profit education costs per student versus how much other schools cost, or what dropout rates and post-graduation employment rates look like across schools for single parents and the poor (the types of individuals typically enrolled in for-profit colleges). For instance, studies have shown that community colleges are costing taxpayers billions of dollars for uncomfortably high dropout rates. Other studies identify taxpayer subsidies covering significant amounts of college operating costs.
One of the major reasons why for-profit education has high drop-out rates and poor post-grad employment rates is that they are reaching individuals who otherwise may not have access to degree programs, such as single parents or people in economically depressed areas. These individuals have other complications in their lives that can make completing a degree or finding gainful employment more challenging (e.g., scheduling, transportation). These challenges are not the schools’ fault, but a reflection of external factors. Punishing the schools and taking away educational opportunities does not seem like the most thoughtful decision, but it’s the one that partisan groups, partisan journalists, and regulators seem to be angling for.
Instead of celebrating the Defense Department’s decision to cut off the University of Phoenix from its tuition assistance program, we should be troubled that it is doing so before completing an investigation. In a statement, the University noted that: “It is troubling that DoD has used requests for information from other governmental agencies as grounds for placing the university’s DoD MOU in a probationary status.”
For-profit education does have, and has had, its bad actors… as does every industry. But the all-out slam against the sector, the fight for its demise, is unfair and shortsighted. In the end, the greatest losers will be historically underserved populations who will be denied education opportunities.
TCPA Trouble Continues: FCC Slams Lyft and First National Bank for Terms of Service Requiring Consent
Most of the attention involving the Telephone Consumer Protection Act (“TCPA”) has centered on the stream of class actions around the country. It is important to remember that the Federal Communications Commission (“FCC”) and state attorneys general can, and do, enforce the TCPA. In fact, the FCC recently issued citations to Lyft, the ride-sharing service, and First National Bank (“FNB”). Under the Communications Act, before the FCC may issue monetary penalties against a company or person that does not hold an FCC license or authorization, it must first issue a citation warning the company or person.
The TCPA requires prior express written consent for telemarketing calls/texts to mobile phones utilizing an autodialer or prerecorded call and for prerecorded telemarketing calls to residential lines. FCC rules mandate that the “prior written consent” contain certain key features. Among these requirements is the disclosure informing the consenting person that “the person is not required to sign the agreement – directly or indirectly – or agree to enter into an agreement as a condition of purchasing any property, goods, or services.”
For years, the FCC focused on actual consumer complaints of having received telemarketing calls/texts without the required prior express written consent. Interestingly, here, the FCC did not allege that either Lyft or FNB sent texts/robocalls without the required consent. The FCC’s accompanying press release indicates that its Enforcement Bureau initiated the two investigations after becoming aware of “violative provisions in those companies’ service agreements.” The citations issued to Lyft and FNB, along with recent correspondence by the FCC to PayPal concerning similar issues, represent new FCC attention on terms/conditions of service in the TCPA context, particularly on “blanket take it or leave it” agreements. The FCC Enforcement Bureau Chief, Travis LeBlanc, put all companies on notice, urging “any company that unlawfully conditions its service on consent to unwanted marketing calls and texts to act swiftly to change its policies.” The FCC directed Lyft and FNB to take “immediate steps” to comply with FCC rules and the TCPA, presumably meaning that the companies should immediately revise their terms and practices.
According to the FCC, Lyft’s terms require customers to expressly consent to receive communications from Lyft to customer’s mobile numbers, including text messages, calls, and push notifications. The messages could include Lyft-provided promotions and those of third party partners. The terms advise customers that they can opt-out by following the “unsubscribe” option, and that customers are not required to consent to receive promotional messages as a condition of using the Lyft platform or the services.
However, the FCC found that, contrary to Lyft’s terms of service, Lyft does not actually provide “unsubscribe options” for consumers. If a consumer independently searches and gets to Lyft’s “help center,” the only opt-out offered there also prevents the consumer from using Lyft’s service. Thus, per the FCC, “Lyft effectively requires all consumers to agree to receive marketing text messages and calls on their mobile phones in order to use services.”
The FCC concluded that while Lyft’s terms of service stated that consumers were not required to consent as a condition to using Lyft, in actuality, consumers could not refuse consent and remain Lyft users. Thus, the FCC cited Lyft, warning that it would be liable for any advertising text messages for which it did not collect proper, prior express written consent. The agency further stated that it would continue to monitor Lyft’s practices.
In FNB’s investigation, the FCC noted that consumers wishing to use FNB’s online banking services are required to agree to receive text messages and emails for marketing purposes at consumer-provided phone numbers. FNB customers wishing to enroll in the Apple Pay service are similarly required to consent to receive marketing-related text messages and emails. The FCC objected to FNB requiring consumers to agree to receive marketing text messages in order to use the online banking and Apple Pay services, and failing to inform consumers that they have the option to refuse consent. The agency reiterated that under FCC rules, prior express written consent to receive telemarketing messages requires that, among other things, consumers receive a clear and conspicuous disclosure informing the consumer of his or her right to refuse to provide consent.
When it comes to autodialed/prerecorded telemarketing calls and texts to mobile phones and prerecorded telemarketing calls to residential lines, companies need to be diligent in ensuring they have proper, defensible prior express written consent. The FCC’s citations to Lyft and FNB make clear that organizations may not rely on blanket mandatory opt-in agreements. While it may be acceptable to seek consent in terms of service, consumers must be informed of their opt-out abilities, and must be able to access the opt-out and still use the service or make the purchase.
Companies should review their service agreements and the operational mechanisms to make sure consumers have information on opting-out. Further, any opt-out mechanisms must work as promised. A user’s opt-out should not block services/purchases. Of course, the best way to obtain consent is to seek a separate, prior express written consent in an agreement that contains all the required elements, as follows:
- Is in writing (can be electronic);
- Has the signature (can be electronic) of the person who will receive the advertisement/telemarketing calls or texts;
- Authorizes the caller to deliver advertisements or telemarketing messages via autodialed calls, texts, or robocalls;
- Includes the telephone number to which the person signing authorizes advertisements or telemarketing messages to be delivered;
- Contains a clear and conspicuous disclosure informing the person signing that:
  - By executing the agreement, the person signing authorizes the caller to deliver ads or telemarketing messages via autodialed calls, texts or robocalls; and
  - The person signing the agreement is not required to sign the agreement (directly or indirectly) or agree to enter into such an agreement as a condition of purchasing any property, goods, or services.
As a reminder, the FCC repeatedly takes the position that the company claiming prior express written consent bears the burden of proving that consent.
Car dealerships are notorious for running loud, flashy ads with too-good-to-be-true offers for outrageous deals to buy or lease cars. Some dealerships downplay or even hide the seemingly endless list of qualifications on those offers which render many potential buyers ineligible for the deals, much to the irritation of misled consumers. The FTC has taken action to stop these misleading practices by continuing its effort to crack down on deceptive advertising among automobile dealerships, which began in 2014 with the FTC’s “Operation Steer Clear,” a nationwide sweep of deceptive car dealership advertising. The FTC’s efforts in this area have continued, most recently resulting in settlement with two Las Vegas auto dealerships.
Planet Hyundai and Planet Nissan of Las Vegas were the subject of FTC enforcement actions alleging that the dealers’ ads misrepresented the cost to buy or lease a car by omitting critical information or deceptively hiding it in fine print. For instance, Planet Hyundai advertised a car for sale with “$0 Down Available,” but fine print revealed that a buyer would have to trade in a car worth a minimum of $2,500 or meet other qualifications in order to take advantage of the offer. Planet Nissan’s advertisements ran purportedly reduced prices side by side with former prices which had been struck through (“Was $12,888, Now $9,997”). However, the ads did not adequately disclose the qualifications which buyers had to meet to get those prices. Similarly, the ads touted that the cars were for “Purchase! Not a lease!,” when in fact many of the offers were leases. In both cases the FTC alleged that the prominently advertised prices were not generally available to consumers. The dealerships both entered into consent agreements in which they did not have to admit guilt or pay any fines or penalties, but were obligated to abide by relevant laws and regulations pertaining to deceptive advertising.
Further automobile enforcement efforts may be on the horizon. In a late July regulatory filing, GM disclosed that it is currently the subject of an ongoing FTC investigation regarding “certified pre-owned vehicle advertising where dealers had certified vehicles allegedly needing recall repairs.” GM and the FTC declined to comment further, so it is not immediately clear whether the individual dealers were following GM corporate policy when certifying the pre-owned cars in need of recall repairs, or specifically how the ads were allegedly deceptive.
While many of the FTC’s enforcement actions focus on lower-cost products with a large national customer base, such as dietary supplements sold over the internet, these cases serve as a reminder that the FTC’s advertising requirements apply equally to big-ticket items sold locally. Merchants and service providers of every type, whether operating online or in brick and mortar shops, must ensure that their advertisements adequately disclose all material terms and conditions in a way that is not misleading or deceptive.
Every week, we learn about new data breaches affecting consumers across the country. Federal government workers and retirees recently received the unsettling news that a breach compromised their personal information, including social security numbers, job history, pay, race, and benefits. Amid a host of other public relations issues, the Trump Organization recently discovered a potential data breach at its hotel chain. If you visited the Detroit Zoo recently, you may want to check your credit card statements, as the zoo’s third party vendor detected “malware” which allowed access to customers’ credit and debit card numbers. And, certainly, none of us can forget the enormous data breach at Target, and the associated data breach notifications and subsequent lawsuits.
For years, members of Congress have stressed the need for national data breach standards and data security requirements. Aside from mandates in particular laws, such as HIPAA, movement on data breach requirements had stalled in Congress. Years ago, however, the states picked up the slack, establishing data breach notification laws requiring notifications to consumers and, in many instances to attorneys general and consumer protection offices when certain defined “personal information” was breached. California led the pack, passing its law in 2003. Today, 47 states have laws requiring organizations to notify consumers when a data breach has compromised consumers’ personal information. Several states’ laws also mandate particular data security practices, including Massachusetts, which took the lead on establishing “standards for protection of personal information.”
Many businesses and their lobbying organizations have urged Congress to preempt state laws and establish a national standard. Most companies have employees or customers in multiple states. Thus, under current laws, organizations have to address a multitude of state requirements, including triggering events, types of personal information covered, how quickly the notification must be made, who gets notified, what information should be included in the notification, among others. State Attorneys General, on the other hand, assert that, irrespective of these inconveniences, their oversight of data breaches through the supervision of notifications and enforcement has played a critical role in consumer protection.
This week, the Attorneys General from the 47 states wrote to Congressional leaders, urging Congress to maintain states’ authority in any federal law, by requiring data breach notifications, and preserving the states’ enforcement authority.
The AGs’ key points are:
- State AG offices have played critical roles in investigating and enforcing data security lapses for more than a decade.
- States have been able to respond to constant changes in data security by passing “significant, innovative laws related to data security, identity theft, and privacy.” This includes addressing new categories of information, such as biometric data and login credentials for online accounts.
- States are on the “front lines” of helping consumers deal with the fallout of data breaches and have the most experience in guiding consumers through the process of removing fraudulent charges and repairing their credit. By way of example, the Illinois AG helped nearly 40,000 Illinois residents remove more than $27 million in unauthorized charges from their accounts.
- Forty states participate in the “Privacy Working Group,” where state AGs coordinate to investigate data breaches affecting consumers across multiple states.
- Consumers keep asking for more protection. Any preemption of state law “would make consumers less protected than they are right now.”
- States are better equipped to “quickly adjust to the challenges presented by a data-driven economy.”
- Adding enforcement and regulatory authority at the federal level could hamper the effectiveness of state laws. Some breaches will be too small to have priority at the federal level; however, these breaches may have a large impact at the state or regional level.
Interestingly, just this week, Rep. David Cicilline (D-RI) introduced a House bill mandating that companies inform consumers within 30 days of a data breach. The bill also requires minimum security standards. Representative Cicilline’s bill would not preempt stricter state-level data breach security laws. The bill also contains a broad definition of “personal information” to include data that could lead to “dignity harm” – such as personal photos and videos, in addition to the traditional categories of banking information and social security numbers. The proposed legislation would also impose civil penalties upon organizations that failed to meet the standards.
Without a doubt data breaches will continue – whether from bad actors, technical glitches, or common employee negligence. The states have certainly “picked up the slack” for over a decade while Congressional actions stalled. Understandably, the state AGs do not want Congress taking over the play in their large and established “privacy sandbox.” Preemption will continue to be a key issue for any federal data breach legislation before Congress. As someone who has guided companies through multi-state data breach notifications, I have seen firsthand that requiring businesses to deal with dozens of differing state requirements is costly and extremely burdensome. Small businesses, in particular, are faced with having to grapple with a data security incident while trying to understand and comply with a multitude of state requirements. Those businesses do not have the resources of a “Target” and complying with a patchwork of laws significantly and adversely impacts those businesses. While consumer protection is paramount, a federal standard for data breach notification would provide a common and clear-cut standard for all organizations and reduce regulatory burdens. While the federal standard could preempt state notification laws, states could continue to play critical roles as enforcement authorities.
In the interim, companies must ensure that they comply with the information security requirements and data breach notification laws of the applicable states. An important and often overlooked point is that while an organization may think of itself as, say, a “Vermont” or “Virginia” company, it is likely that the company holds personal information on residents of various states – for instance, employees who telecommute from neighboring states, or employees who left the company and moved to a different state. Even a “local” or “regional” company can face a host of state requirements. As part of an organization’s data security planning, companies should periodically survey the personal information they hold and the states whose residents it covers. In addition to data breach requirements in the event of a breach, organizations need to address applicable state data security standards.
As online gaming companies compete for business, they are offering customers increasingly large incentives to play on their websites, often in the form of deposit bonuses. These deposit bonuses allow players to play with the bonus money as if it’s cash and keep the winnings (although players cannot cash out the bonus itself). However, some players and regulators believe that some of these promotions are misleading, because they allegedly do not clearly and conspicuously disclose all of the material terms of the offer.
The UK’s Advertising Standards Authority (ASA) recently banned an advertisement by online gaming operator Betway which allegedly failed to disclose the material terms of the offer. Betway’s homepage prominently advertised a “£50 Free Bet*.” By clicking on the asterisk, users were taken to a tab listing the bonus terms, which stated that the operator would match new customers’ first deposit, from £10 to £50, with a bonus that must be used within a week from the initial deposit.
The ASA determined that the “£50 Free Bet” advertisement was misleading because it did not disclose the material terms and conditions of the offer in a clear and conspicuous manner. The ASA asserted that the “£50 Free Bet” advertisement would lead the average user to believe that they would receive a truly free bet—not that they had to first pay £50 before they could receive the “free” bet as a deposit bonus.
Gaming companies, like all advertisers, must be vigilant in ensuring that their advertisements fully disclose the terms of any offer up front. This includes information such as how much money the customer will receive (in this case, a matching deposit bonus up to £50), what the customer must do to earn the bonus (make a deposit), when the customer will receive the incentive (whether they receive it in a lump sum immediately upon deposit, or whether additional milestones in play or deposits must be reached), and how long they have to use the bonus funds. In the United States, the Federal Trade Commission and state Attorneys General may bring actions for alleged deceptive advertising offers, and in many states customers may bring suit for the purportedly misleading offers. In operators’ quest to compete for customers and make attractive offers, they should proceed with caution and err on the side of full disclosure in doing so.
For-profit education was dealt a major blow in a federal court case challenging the Department of Education’s Gainful Employment Rule. U.S. District Court Judge Lewis Kaplan of New York dismissed a lawsuit that was filed last November by the Association of Proprietary Colleges. The lawsuit is one of two filed in federal court shortly after the Department of Education issued its revised version of the Gainful Employment Rule. The second lawsuit, brought by the Association of Private Sector Colleges and Universities, is still pending before a federal judge in D.C.
In his opinion, Judge Kaplan rejected APC’s arguments that the Gainful Employment Rule (1) violates colleges’ constitutional due process rights, (2) violates the plain language of the statute, exceeding statutory authority, and (3) is arbitrary and capricious. Kaplan held there could be no due process issue because for-profit colleges do not have a “vested right” to participate in federal student aid programs. He discounted as ill-conceived or misleading the arguments that the rule exceeds statutory authority. And he dismissed APC’s allegations that the rule as drafted is arbitrary and capricious.
Judge Kaplan’s rejection of APC’s lawsuit is hailed as a victory by detractors of the for-profit education industry who are anxious to see the new rule implemented this July. Some project that Kaplan’s opinion will influence the direction of the pending federal case in D.C. But, despite these portents, the legal theories in the two suits are distinct enough that APSCU’s case should not be overshadowed. The APSCU’s suit centers on how and why the Gainful Employment Rule, as drafted, would disparately impact populations, identifying concern that the rule would “impose massive disincentives” on schools from recruiting “low-income, minority, and other traditionally underserved student populations, because, as an historical matter, those demographics are widely recognized as most at risk of failing the Department’s arbitrary test.”
The complaint also identifies concerns regarding the DoE’s rulemaking process, which it alleges was marred by “well-substantiated allegations of bias and misconduct that led several Members of Congress to accuse the Department of bad faith.” Perhaps, the next time a court opines on the rule, it will not go unnoticed that the DoE’s proposed rule more than doubled in size at the 11th hour of the rulemaking process, flying in the face of the purpose of the public notice and comment period.
It is surprising to see so many consumer advocate groups cheering a marred process and pushing for standards that will have the effect of discouraging education opportunities for historically underserved low-income and minority students. It can’t be that their intentions are bad. It is more likely that detractors of for-profit education are narrowly focused on examples of bad actors in the field—those that have been called out by authorities for predatory lending practices and for misrepresenting the quality or results of their programs. Indeed, the industry has no shortage of regulators scrutinizing and penalizing bad practices. For-profit education has the likes of the SEC, CFPB, FTC, and a bevy of state attorneys general at the ready. You might think that those skeptical of for-profit education could look to the work done by these agencies and be satisfied that problems are being addressed.
While detractors breathlessly anticipate another judicial benediction of the DoE’s rulemaking, hopefully the next round of judicial opining will address not just the extent of the DoE’s statutory authority but also how the DoE can and should carry out its purpose. In the meantime, for-profit educators would do well to continue efforts to disseminate data that shows how they meet important needs that other schools do not and how their costs compare to actual costs of other schools (e.g., including data on taxpayer funding of community colleges). Perhaps many of the well-intentioned skeptics would be less anxious to see the end of the industry.
The FTC’s complaint stated that Nomi’s technology (called its “Listen” service) allows retailers to track consumers’ movements through stores. The company places sensors in its clients’ stores, which collect the MAC addresses of consumers’ mobile devices as the devices search for WiFi networks. While Nomi “hashes” the MAC addresses prior to storage in order to hide the specific MAC addresses, the process results in identifiers unique to consumers’ mobile devices which can be tracked over time. Nomi provided its retail clients with aggregated information, such as how long consumers stayed in the store, the types of devices used by consumers, and how many customers had visited a different location in a chain of stores. Between January and September 2013, Nomi collected information on approximately 9 million mobile devices, according to the FTC’s complaint.
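The complaint’s point that hashing a MAC address still yields an identifier that “can be tracked over time” is easy to demonstrate. The following added example (not code from Nomi or from the FTC’s filing; the MAC addresses and visit dates are constructed) contrasts an unkeyed SHA-256 of the MAC, which maps a device to the same pseudonym forever, with an HMAC under a secret key that is rotated each ISO week, so a device is only recognizable within one reporting period. The hasher names, the weekly period and the sample visits are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date
from typing import Callable, Dict, List, Tuple

# Constructed sample observations: (ISO date, MAC address) as a store sensor
# might log them. Both MACs are made up; the "02:" prefix marks a locally
# administered address, so they cannot belong to a real vendor-assigned device.
SAMPLE_VISITS: List[Tuple[str, str]] = [
    ("2013-03-04", "02:1a:2b:3c:4d:5e"),  # device A, ISO week 10
    ("2013-03-05", "02:1A:2B:3C:4D:5E"),  # device A again, same week, upper case
    ("2013-03-11", "02:1a:2b:3c:4d:5e"),  # device A, ISO week 11
    ("2013-03-18", "02:1a:2b:3c:4d:5e"),  # device A, ISO week 12
    ("2013-03-04", "02:aa:bb:cc:dd:ee"),  # device B, ISO week 10
]

Hasher = Callable[[str, str], str]  # (mac, period) -> pseudonymous identifier


def normalize_mac(mac: str) -> bytes:
    """Canonical form so "02:1A..." and "02:1a..." hash identically."""
    return mac.strip().lower().encode("ascii")


def plain_hash(mac: str, _period: str) -> str:
    """Unkeyed SHA-256 of the MAC. Deterministic and period-independent, so the
    same device produces the same identifier on every visit, indefinitely."""
    return hashlib.sha256(normalize_mac(mac)).hexdigest()


class RotatingKeyHasher:
    """HMAC-SHA256 under a per-period secret key (assumed design, not Nomi's).

    Within one period a device gets one stable pseudonym, which is all that
    dwell-time and repeat-visit aggregates need. A new key is drawn for each
    period; once a period closes its key would be deleted, leaving no way to
    link identifiers across periods.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def __call__(self, mac: str, period: str) -> str:
        key = self._keys.setdefault(period, secrets.token_bytes(32))
        return hmac.new(key, normalize_mac(mac), hashlib.sha256).hexdigest()

    def close_period(self, period: str) -> None:
        """Discard the key; identifiers from this period become unlinkable."""
        self._keys.pop(period, None)


def iso_week(day: str) -> str:
    """Reporting period label, e.g. '2013-W10'."""
    year, week, _ = date.fromisoformat(day).isocalendar()
    return f"{year}-W{week:02d}"


def pseudonymize(visits: List[Tuple[str, str]], hasher: Hasher) -> List[Tuple[str, str]]:
    """Replace each MAC with (period, identifier) using the given hasher."""
    return [(iso_week(day), hasher(mac, iso_week(day))) for day, mac in visits]


def distinct_ids(visits: List[Tuple[str, str]], hasher: Hasher) -> int:
    """How many distinct identifiers the hasher produces for these visits."""
    return len({ident for _, ident in pseudonymize(visits, hasher)})


if __name__ == "__main__":
    # Unkeyed hash: 2 identifiers for 5 visits, i.e. one per device, forever.
    print("plain SHA-256:", distinct_ids(SAMPLE_VISITS, plain_hash))
    # Rotating key: device A gets 3 identifiers (weeks 10, 11, 12), device B one.
    print("weekly HMAC:  ", distinct_ids(SAMPLE_VISITS, RotatingKeyHasher()))
```

The unkeyed variant is what the complaint describes: the hash hides the literal MAC but behaves as a persistent device identifier, and every sensor that applies the same function produces a matching value. The keyed variant keeps the per-period aggregates the text says Nomi delivered (time in store, repeat visits within the period) while making longitudinal tracking depend on a key that is not retained.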
Nomi’s settlement does not require any monetary payment but prohibits Nomi from misrepresenting the options through which consumers can exercise control over the collection, use, disclosure or sharing of information collected from or about them or their devices. The settlement also bars Nomi from misrepresenting the extent to which consumers will be provided notice about how data from or about a particular consumer or device is collected, used, disclosed or shared. Nomi is required to maintain certain supporting records for five years. As is typical with FTC consent orders, this agreement remains in force for 20 years.
What can companies learn from Nomi’s settlement, even those not in the retail tracking business?
- While this is the first FTC action against a retail tracking company, the FTC has repeatedly stated that it will enforce the FTC Act and other laws under its jurisdiction against emerging as well as traditional technologies.
- The FTC noted that Nomi had about 45 clients. Most of those clients did not post a disclosure or notify consumers regarding their use of the Listen service, and Nomi did not mandate such disclosures by its clients. The FTC did not address what obligation, if any, these businesses may have to make such disclosures. Will it become common/mandated to see a sign in a retail location warning that retail tracking via mobile phones is occurring (similar to signs about video surveillance)? One industry group’s self-regulatory policy requires retail analytics firms to take “reasonable steps to require that companies using their technology display, in a conspicuous location, signage that informs consumers about the collection and use of MLA [mobile location analytics] Data at that location.” This issue will become more prevalent as more retailers and other businesses use tracking technology.
- Interestingly, the FTC brought this action even though traditional “personal information” was not collected (such as name, address, social security number, etc.). Organizations should not assume that collecting IP addresses, MAC addresses, or other less personalized information presents no issues. The FTC takes privacy statements seriously, whatever the information collected (though certainly there is more sensitivity toward certain categories such as health, financial, and children’s information).
The bottom line is “do what you say” when it comes to privacy practices. All companies should evaluate their privacy policies at least every six months to ensure that they remain accurate and complete, have working links (if any), and reflect a company’s current practices.