A good bit of fanfare surrounded the Obama Administration’s release of its Consumer Privacy Bill of Rights in late February. The publication reflects the Administration’s efforts to improve online consumer privacy protections while not stifling the growth of the Internet industries.
The document is entitled, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.”
The “Bill of Rights” is supposed to establish a “baseline of clear protections for consumers and greater certainty for companies,” providing for the following:
• Transparency: Consumers have a right to easily understandable information about privacy and security practices.
• Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
• Security: Consumers have a right to secure and responsible handling of personal data.
• Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
• Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
• Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
But in our view, there is not that much here that is new, and the privacy protections that it purports to provide are not as comprehensive as they sound.
The framework is based in part upon the concept that the Federal Trade Commission will have the power to enforce privacy policies established by companies themselves. But that is something that the FTC has already been doing; see here for an example.
It is true that lately, more companies have been signing on to privacy policies with “Do Not Track” features. Through the Digital Advertising Alliance, member companies (including Google, Yahoo, Microsoft and AOL) have agreed to a “Do Not Track” option on their browsers that would let consumers opt out of certain data tracking. But again, that’s something that’s already been in the works. See an example here. And the exceptions to the “Do Not Track” option make it pretty weak.
The “Do Not Track” policies provided for would not apply to search engines or other first-party sites; they would apply only to third-party sites. So when the Administration touts the cooperation of these industry leaders through the Digital Advertising Alliance, it should be understood that the leaders are giving their blessing to restraints on others, not so much on themselves (although Google subsidiaries that are third-party sites, like DoubleClick, would be covered).
Under the “Do Not Track” policy, first-party sites can still collect user data and serve users ads based upon that data. Even third-party sites under the policy can maintain and use consumer data. They are simply restricted in how they can use it: They can use it only for market research and analytics.
Another major exception to the “Bill of Rights” is that it only applies to commercial use of data.
The White House’s publication notes that “Americans value privacy and expect protection from intrusions by both private and governmental actors.” But governmental actors are not subject to this “Bill of Rights.” The statement says in a footnote that it does not cover the government’s access to data in the possession of private parties.
We generally think of a “Bill of Rights” as having universal application. Perhaps the Administration shouldn’t have been so hasty to publish something and instead have waited and taken the time to prepare a statement that would have been more meaningful.
Pomegranate juice maker POM Wonderful has declared victory against the FTC . . . in spite of an administrative law judge’s ruling that upholds many claims in the agency’s complaint. But the California company has good reason to celebrate: certain FTC standards, the ones that POM cried foul on, were rejected by the court.
The epic battle between POM Wonderful and the FTC began roughly two years ago during an agency investigation of the company for false advertising. The FTC had approached POM with a proposed requirement of enhanced advertising standards for medical and health claims. These would have required the company to seek FDA approval before making certain claims; the standards would also have required more stringent research requirements for substantiation of such claims.
To support these new standards, the FTC showed POM consent orders it had recently entered into with Nestle U.S.A. and Iovate Health Systems, Inc. That’s when POM cried foul. It saw the FTC’s moves – shifting and enhancing standards through consent orders with other companies, as opposed to traditional notice and hearing procedures – as a major overstepping and defiance of the rulemaking process. The company took its complaint to court, filing a lawsuit in U.S. District Court for D.C. against the FTC for violating its First and Fifth Amendment rights. The FTC within two weeks issued its administrative complaint against POM for false advertising.
Now, two years later, after a voluminous hearing record in the administrative proceeding, the administrative law judge in the FTC’s action has issued an opinion upholding certain false advertising allegations in the FTC’s complaint – based on implied as opposed to express claims – but also siding with POM on the company’s major issues of contention. (Note that POM’s action in the U.S. District Court appears to still be pending as of May 23, 2012.)
POM is touting victory based on rulings by the judge that (1) any FDA pre-approval requirement “would constitute unnecessary overreaching” and that (2) more stringent double-blind, randomized, placebo-controlled studies were not necessary. It appears that these rulings effectively put the kibosh on the FTC’s sliding scale of regulation through settlement agreements … at least in this instance.
An important holding from the court that POM has cited in its press release is that “[t]he greater weight of the persuasive expert testimony in this case leads to the conclusion that where the product is absolutely safe, like POM Products, and where the claim or advertisement does not suggest that the product be used as a substitute for conventional medical care or treatment, then it is appropriate to favor disclosure.”
The court thus addressed some of POM’s concerns over a chilling effect on free speech that could have resulted from the FTC’s attempts to require FDA preapproval for certain health claims. This is a concern we had identified in an earlier post on the matter. While many articles published on the judge’s opinion to date have been headlining POM’s losses, the more important aspect may be the judge’s findings in favor of the company.
Whether or not you are an avid gamer, you have probably realized that a significant segment of the general population takes gaming quite seriously. Probably a little too seriously sometimes.
It seems that the ending to the popular game Mass Effect 3 (“ME3”), which is produced by BioWare, disappointed many devoted players so much that they filed a petition with the FTC for deceptive advertising. According to the petition, the company’s advertising convinced the players that they were able to change the game’s ending, but in reality, there were only three different endings and they were relatively similar.
Unsurprisingly, the FTC did not comment on the petition. One can only imagine the “parade of horribles” that would happen if the FTC acted on the petition. We might see petitions against any movie that was not as good as advertised, against ball clubs for not being as competitive as advertised, against colleges for not being as good as advertised, and the like.
Generally, the FTC takes the reasonable position that consumers have a certain amount of responsibility for their purchases and should understand that even legitimate advertising is meant to persuade the consumer to purchase something. (On the other hand, BioWare’s co-founder, Dr. Ray Muzyka, did take the petition seriously and released a statement that “the team are hard at work on a number of game content initiatives that will help answer the questions, providing more clarity for those seeking further closure to their journey.”)
However, the same argument can be applied to some of the advertising campaigns that the FTC has criticized. For example, one could argue that a reasonable consumer should understand that Google is not going to hire him to work from home and compensate him handsomely, with absolutely no experience, and even without any job interview. Likewise, one could persuasively argue that the government is obviously not giving out grants to nearly every applicant for any random cause, just so long as you sign up for the monthly fee. Yet the FTC does oppose these forms of suggestive/misleading advertising.
One wonders if the true distinctions are the targeted audience of the advertising and the nature of consumer loss. If the targeted audience represents a more unfortunate and vulnerable segment of society, then the FTC is more likely to step in to protect the unfortunate and vulnerable consumer. If the targeted audience is more able to fend for themselves, however, the FTC is less likely to step in to protect them.
In addition, the consumer who is taken in by a misleading work-at-home scheme has, at the very least, lost valuable time and money. The consumer who plays ME3 has had a game experience for his or her money, just one that is perhaps not as exciting as he or she expected. There is a difference.
As a final note, there is a bright side to this petition. In an effort to draw attention, an online petition to redo the ending of ME3 also started a donation drive for Child’s Play, which provides video games for patients at children’s hospitals worldwide. In less than two weeks, the drive reached its goal and raised slightly more than $80,000. We are confident that even the FTC can agree that the charity drive was a good thing!
The world is full of surprises, like the fact that Nutella chocolate spread is loaded with saturated fat and sugar and is not itself healthy.
Ferrero USA, Inc., the company that makes Nutella, learned the hard way that many American parents could not survive (nor perhaps could their children) without the aid and intervention of Captain Obvious. And so, following a recent settlement agreement with some confused parents, the maker of Nutella will modify its labeling, advertising, and website to clarify its nutritional value.
The problems arose from a line of advertisements and website content suggesting that Nutella could be part of a healthy breakfast. While many of us might understand that Nutella’s contributions to a healthy breakfast are the equivalent of Cheez Whiz’s contributions to a healthy side of broccoli, a couple of California moms said they were duped. They were surprised to learn that it was other elements of a breakfast – like a glass of milk, or the whole-grain bread the Nutella would top – that were healthy and that all Nutella did was to get children to the table.
The SoCal gals took their stupefaction to court, filing a class action for violations of state consumer protection laws in the U.S. District Court for the Southern District of California in early 2011. A literal reading of the advertisements (samples of which can be found on pages 19-27 of the complaint) should make it reasonably clear that Nutella, in and of itself, is not a nutritionist’s top pick. The ads qualify Nutella as a way to get children to eat healthy foods (see again, Cheez Whiz). But those qualifications were not clear enough to the plaintiffs, who were “shocked” that Nutella had the nutritional value of a candy bar.
Ferrero attempted to get the class action transferred to U.S. District Court in New Jersey, where a follow-on suit was filed, and also attempted to get the actions dismissed. The company’s tactics failed, leaving it with little choice but to pursue a costly defense or to settle. The company chose the latter course and entered into a $3 million-plus settlement for both cases. While the sum may seem staggering in comparison to the allegations, most of the settlement ($2.5 million) is dedicated to reimbursing consumers, in $4/purchase increments. The company has also agreed to clarify its nutritional value in its labeling, advertising and website.
What’s troubling is that Ferrero’s advertising was full of qualifications about the role Nutella can play in nutrition. It’s only the careless or dismissive or naïve parent who could have been “duped.” In the end, this appears to be yet another example of our system protecting willful blindness.
SOPA and PIPA, as legislative efforts to deal with online piracy and other infringing activity, have gone the way of the Edsel. But their next of kin, a new bill known as CISPA, has made it through the House, passing 248 to 168. It too seems unlikely to become law, as the White House has threatened to veto it.
SOPA and PIPA hit the skids after major online companies and consumer activist groups mounted a host of protests across the Internet, including Wikipedia’s and Google’s blackout in January. The concern with SOPA and PIPA was that the legislation could cripple Internet innovation. The public concern over CISPA, and the declared basis for the White House veto threat, is that the bill would significantly threaten civil liberties.
CISPA’s stated goal is to create new channels for communication between government intelligence entities and private firms regarding potential and emerging cybersecurity threats. It allows a company to intercept emails or text messages and to modify those messages or prevent them from reaching their destination if they qualify as a cybersecurity threat. It would allow the companies and the federal government to share information with each other in an attempt to foil hackers.
Like SOPA and PIPA, CISPA includes portions that protect intellectual property. If a person is potentially infringing on intellectual property and that infringing activity is considered a threat to cybersecurity, under CISPA his website or the place where his content was posted could be blocked. Critics argue that the proposed definition of “cybersecurity” is so broad that it allows for the possibility of the restriction of communications that are not in any way threatening.
CISPA would create a system of information sharing that would involve the oversight of the Director of National Intelligence, who would appoint members of the intelligence community who would work with employees of tech companies and grant security clearances. Any information that was categorized under the cyberthreat intelligence category could not be divulged beyond the two parties without approval.
Many tech companies that actively opposed SOPA are supporting CISPA. CISPA is drawing support from such firms as Facebook, Microsoft, AT&T, IBM, Intel, Oracle, and Verizon as well as business groups such as the Financial Services Roundtable and the U.S. Chamber of Commerce.
A key difference may be that under CISPA, companies like Facebook would not be required to share any information about their users with the authorities, and if they did, CISPA would protect them from liability. The bill currently states that any sharing that occurs under the legislation “supersedes any statute of a State or political subdivision of a State that restricts or otherwise expressly regulates” the exchanges between the government and other parties.
Online advocacy groups are gearing up to protest against CISPA. The Center for Democracy and Technology, as well as the American Civil Liberties Union and the Electronic Frontier Foundation are rallying against the bill, and the number of blogs and websites calling for CISPA to be defeated is increasing rapidly.
Although CISPA’s approach is different from that of SOPA and PIPA, this bill has many of the same potential problems that those bills had. The very broad language defining a cybersecurity threat could be prone to abuse. Several amendments were added to the bill in order to appease civil liberties concerns, such as limiting the government’s use of private data and which cyberthreat data can be shared. Even with these amendments, advocacy groups remain concerned about the legislation, and the veto threat persists. It remains to be seen what will happen with CISPA, but we hope it goes the way of SOPA and PIPA. We will keep you updated as things progress.
The Federal Trade Commission has obtained an order from the federal court for the Central District of California for a preliminary injunction and asset freeze against all the defendants in an alleged mortgage modification scam.
The complaint was filed against California-based Sameer Lakhany and a number of related corporate entities for violating the Federal Trade Commission Act and the Mortgage Assistance Relief Services Rule, now known as Regulation O. This was the first FTC complaint against a mortgage relief scheme that falsely promised to get help for homeowners who joined with other homeowners to file so-called “mass joinder” lawsuits against their lenders.
The complaint listed two separate alleged schemes that collected over $1 million in fees and used images of President Obama to urge consumers to call for modifications under the “Obama Loan Modification Programs.”
The first scheme was a loan modification plan under which the defendants allegedly promised substantial relief to unwary homeowners from unaffordable mortgages and foreclosures. Their website featured a seal indicating that it was an “NHLA accredited mortgage advocate” and that NHLA is “a regulatory body in the loan modification industry to insure only the highest standards and practices are being performed. They have an A rating with the BBB.” Unfortunately, the NHLA is not a “regulatory body” and it actually has an “F” rating with the BBB.
The defendants reinforced their sales pitch by portraying themselves as nonprofit housing counselors that received outside funding for all their operating costs, except for a “forensic loan audit” fee. According to the FTC, the defendants told consumers that these audits would uncover lender violations 90 percent of the time or more and that the violations would provide leverage over their lenders and force the lenders to grant a loan modification. The defendants typically charged consumers between $795 and $1595 for this “audit.” Also, if the “audit” did not turn up any violations, the consumers could get a 70 percent refund. Unfortunately, there were often no violations found, any “violations” did not materially change the lender’s position, and it was nearly impossible to actually get a refund for this fee.
The second alleged scheme was that the defendants created a law firm, Precision Law Center, and attempted to sell consumers legal services. Precision Law Center was supposed to be a “full service law firm,” with a wide variety of practice areas. It even claimed to “have assembled an aggressive and talented team of litigators to address the lenders in a Court of Law.” However, the FTC charged that the firm never did anything besides filing a few complaints, which were mostly dismissed.
To assist Precision Law Center in getting new clients, the defendants sent out direct mail from their law firm that resembled a class action settlement notice. The notice “promised” consumers that if they sued their lenders along with other homeowners in a “mass joinder” lawsuit, they could obtain favorable mortgage concessions from their lenders or stop the foreclosure process. The fee to participate in this lawsuit was usually between $6,000 and $10,000. The material also allegedly claimed that 80 to 85 percent of these suits are successful and that consumers might also receive their homes free and clear and be refunded all other charges.
The defendants’ direct mail solicitation also contained an official-looking form designed to mimic a federal tax form or class action settlement notice. It had prominent markings urging the time sensitivity of the materials and it requested an immediate response.
Obviously, these defendants employed many egregious marketing techniques that crossed the FTC’s line of permissibility. However, in light of the FTC’s renewed focus on Internet marketing, even a traditional marketing campaign should be carefully crafted with legal ramifications in mind.
As a final note, it is always smart not to antagonize the FTC by proclaiming (as the defendants here did) that you are “Allowed to Accept Retainer Fees” because it is “Not covered by FTC.” We couldn’t think of a better way to get onto the FTC’s radar screen!
For more than a decade, the Federal Trade Commission has been releasing its list of the top ten categories of consumer complaints received by the agency in the previous year. This list always serves as a good indication of the areas toward which the FTC may choose to direct its resources and increase its scrutiny.
For the 12th year in a row, identity theft was the number one complaint received by the FTC. Out of more than 1.8 million complaints the FTC received last year, 15% – or 279,156 – were about identity theft. Of those identity theft complaints, close to 25 percent were related to tax or wage-related fraud. The number of complaints related to identity theft actually declined in 2011 from the previous year, but this type of fraud still topped the list.
Most identity theft complaints came from consumers reporting that their personal information was stolen and used in government documents — often to fraudulently collect government benefits. Complaints about government document-related identity theft have increased 11% since 2009 and represented 27% of identity theft complaints last year. These numbers are likely to increase as concerns about consumer data privacy continue to garner the attention of the FTC.
After ID theft, the FTC’s top consumer complaints for 2011 were as follows:
• Debt collection complaints
• Prizes, sweepstakes, and lotteries
• Shop-at-Home and catalog sales
• Banks and lenders
• Internet services
• Auto-related complaints
• Imposter scams
• Telephone and mobile services
• Advance-fee loans and credit protection or repair
While credit cards are intertwined with many of the above complaints, complaints about credit cards themselves are noticeably absent from the 2011 list. In past years, credit card fraud was a major source of complaints from consumers. The drop in credit card-fraud-related complaints, however, is not surprising given the passage of the Credit CARD Act of 2009. This landmark federal legislation banned interest rate hikes “at any time for any reason” and limited the instances when rates on existing card balances could be hiked by issuers. The law also required lenders to give customers at least 45 days advance notice of significant changes in terms to allow card users time to shop around for better terms.
With the upcoming changes to the FTC’s advertising guidelines, there may very well be new additions to the consumer complaint list next year. Those complaints that already appear on the list are also likely to receive increased scrutiny.
When hackers breached the computer systems of online retailer Zappos.com in January, they gained access to the personal information of up to 24 million customers. The information included customer names, billing and shipping addresses, email addresses, and phone numbers. In a predictable response, customers immediately filed federal class action lawsuits against Zappos, and the attorneys general of nine states sent a joint letter to the company demanding more information about the breach of consumer data.
Despite the rush to accuse, much of the personal information that was taken — names, addresses, and phone numbers — is available in any phone book or internet search. Customers and state attorneys general were so quick to accuse Zappos of wrongdoing that they did not stop to consider what Zappos did right.
Thanks to Zappos’ prior planning, the hackers were unable to reach the most sensitive information, such as passwords and full credit card numbers, because they were secured, encrypted, and stored in a separate database. When the breach came to light, Zappos responded immediately by putting into effect its existing contingency plan for a data breach. Zappos quickly alerted customers to the breach via email and automatically reset the passwords of all 24 million customers. Additionally, Zappos informed its employees of the facts of the breach and trained all employees to pitch in and respond to customer inquiries.
Certainly, as the attorneys general’s letter pointed out, there are huge risks involved with any security breach. For instance, even the limited information the hackers obtained from Zappos could be used in carrying out a targeted email phishing scheme aimed at the customers. Keeping customers’ personal information secure is a huge responsibility that all online retailers must take seriously and take every step to avoid.
While Zappos will certainly have to review the circumstances of how this happened and put into place further steps to protect customers’ information, the company’s prior planning prevented a much more serious breach, and its response was swift and effective. Zappos set a good example of the precautions that online merchants should take with customers’ information, and how to respond in case of a breach.
The data free-for-all that’s been enjoyed by the app industry is over … more or less. No longer should the industry expect to collect and use customer data – so accessible and abundant in smartphones and tablets – without notice to its customers. Since the Path fiasco (and the revelation of other major data collection controversies), data collection practices by companies with mobile applications have come under increased scrutiny on a number of levels. Congress, federal regulators (like the FTC), state regulators (like the California Attorney General), consumer advocacy groups and the media are in action mode.
Initiatives by some state and federal regulators have clearly been in the works for some time. But the Path story – in which the app company acknowledged that it took users’ address book data without permission when the app loaded on an iPhone or Android machine — brought another group into the mix of those in pursuit of the app world and its data collection practices: plaintiffs’ attorneys. A class action suit was filed in federal district court in Texas in mid-March against Path, Twitter, Apple, Facebook and other companies with online services that use consumer address books. While the suit may not get very far – the complaint does not allege much in the way of damages other than privacy violations – it nonetheless is an added cost for the companies that have to defend against it.
The best way to shift the harsh light of public concern away from the app industry is for the industry to change its practices. This has been under way since the big six mobile application platforms entered into an agreement with the California Attorney General in late February. Apple, Google, Microsoft, Amazon, Hewlett-Packard and Research In Motion signed onto a Joint Statement of Principles with the attorney general that aims to “increase awareness among application developers about their obligations to respect consumer privacy and to promote transparency in privacy practices” (and to get apps to comply with the California Online Privacy Protection Act, which is the basis of the AG’s agreement).
Toward this end, the Big Six agreed to help build the framework requiring privacy policies (and easy access to those policies) for mobile applications that collect personal data. The principles are as follows:
(1) Where required by law, apps that collect personal data must conspicuously post their privacy policies, providing clear and complete information on how that data is collected and used.
(2) The Big Six will require apps to demonstrate clear access to privacy policies as a part of the application submission process (for launch on the mobile app platforms).
(3) The Big Six will develop systems for customers to report apps that do not comply with their terms of service and/or laws.
(4) The Big Six will develop systems to respond to non-compliance.
(5) The Big Six will continue to work with the AG on effective privacy measures, agreeing to reconvene in six months to evaluate privacy measures.
Notably, this agreement is yet one more instance of the way in which government agents are deputizing private companies to carry out their initiatives. While exerting pressure on major players has historically been an expeditious tack taken occasionally by government regulators, in the online world, it is the default strategy.
Here, the Big Six are clearly acting as gatekeepers to carry out the California AG’s goals: they will require app developers to institute privacy policies and they will monitor and enforce compliance. Similar deputized roles are being assumed by search engines (like Google, again) through the White House’s initiatives in its Online Privacy Bill of Rights and regulatory enforcement actions.
At first glance, this may seem troubling – who wants yet another layer of oversight? But the government and major players may be right. There are two somewhat opposing interests: protecting privacy and encouraging app industry growth. Who better to figure out the balance than companies that have skin in the game?
There may be a legal hurdle or two for the Consumer Financial Protection Board to jump after the recess appointment of agency director Richard Cordray (the House Judiciary Committee held a hearing on the matter on February 15). But the consumer protection agency created under the Dodd-Frank Wall Street Reform Act of 2010 is pressing forward with its initiatives. Not too surprisingly, several recently proposed initiatives from the agency would stretch the agency’s authority into areas that extend beyond the industries targeted in the Dodd-Frank Act.
The day after the House Judiciary Committee debated the constitutionality of Cordray’s appointment (it doesn’t appear that the hearing was much more than some Republican caterwauling for the record), the CFPB released news of its first major regulatory proposal: to bring consumer credit reporting agencies and debt collection services under its scrutiny.
Those who are vaguely familiar with Dodd-Frank may be aware that the legislation gives the CFPB oversight of specific nonbank markets for (1) nonbank mortgage companies, (2) payday lenders, and (3) private student lenders. These are popular and understandable targets for probes of predatory lending practices. Headlining these industries as needing increased oversight is part of what made the legislation popular and easier for Congress to pass. So where do credit reporting agencies and debt collectors fit under the regulatory scheme? Quite simply, the Dodd-Frank Act also provides for CFPB oversight of other nonbank financial companies that are “larger participants of a market for other consumer financial products or services.”
Oversight of “larger participants”? What on earth does that mean? Congress doesn’t appear to have given clear guidance on what it meant by “larger participants,” leaving the term to the agency to define. As certain as the law of gravity is the law of bureaucratic power: What is not confined (by legislative delineation) necessarily will expand.
Don’t assume that the Dodd-Frank Act’s vagueness concerning what the CFPB would oversee was … well, an oversight. Congress often provides a broad policy concept and then delegates to administrative agencies the power to run with their interpretation and execution of that concept. Hence the impossibly cumbersome Code of Federal Regulations. Even so, however, the breadth of the power delegated to the new consumer protection agency is a bit much.
To the CFPB’s immense credit, it has published at least two requests for public comment to help it define “larger participants” and included an article on the agency’s blog regarding the matter. Indeed, the CFPB seems to be doing a pretty good job of explaining its steps and initiatives and of providing a user-friendly forum to keep the public apprised of its actions. And it is not entirely the agency’s fault that it is obeying the laws of bureaucratic power reach – it would be unnatural for the agency to try to constrict its own authority.
What we should glean from the CFPB’s latest proposal, though, is that the CFPB will be running with its power and companies that provide any kind of consumer finance product must be aware of the possibility of government scrutiny.