Ignorance of the law is no excuse; nor is (willful) ignorance of a business partner’s illegal activities.
That’s a lesson to be learned from a recent amended complaint filed by the FTC which named a payment processor in its complaint against a telemarketer that allegedly engaged in a scam concerning credit card interest rate reduction. The Commission originally filed suit against the telemarketing company, Innovative Wealth Builders, Inc., and its owners in January for misrepresenting the debt relief service they were selling, charging a fee before providing debt relief services, and billing consumers without their express informed consent. The January action resulted in the temporary shutdown of the company’s operations pending outcome of the suit.
But earlier this month, the Commission filed an amended complaint, adding charges against Independent Resources Network Corp., IWB’s payment processor. The payment processor was accused of assisting and facilitating IWB’s deceptive practices, in violation of the Telemarketing Sales Rule (TSR). 16 C.F.R. § 310.3(b).
The FTC created the TSR in 1995 at the direction of Congress, which instructed the Commission to prescribe rules to address abusive and deceptive telemarketing acts. The FTC has amended the TSR several times in order to respond to developments in telemarketing schemes. The amendments allow for liability for third parties such as payment processors and lead generators that have provided “substantial assistance or support” to any seller or telemarketer while knowing, or consciously avoiding knowing, that the seller or telemarketer is engaged in activity in violation of the TSR.
In the FTC’s complaint against IRN, the Commission notes that IRN “processed millions of dollars of credit card transactions for IWB, thereby earning considerable fees for itself.” The complaint identifies several indicators that would have, or should have, put IRN on notice of IWB’s practices in violation of the TSR, including the following:
• IWB sent IRN copies of company documents including, but not limited to, telemarketing scripts and samples of the IWB defendants’ “financial plan”
• IRN was aware that IWB had a variety of complaints on consumer websites
• IWB had an “F” rating with Better Business Bureau and IRN accessed the BBB website several times
• IRN received thousands of copies of chargeback disputes initiated by dissatisfied consumers
• IRN received multiple fraud alerts from Discover regarding IWB
Instead of ceasing to process transactions for IWB, IRN responded to these “red flags” by increasing the percentage it withheld from transactions processed for the telemarketer and holding such sums in a reserve account.
Some takeaways from the complaint and other FTC developments: if you are going to invest in basic due diligence to determine the risk level and credibility of a prospective account, you should probably follow through with your findings, following the letter of the law. The FTC recently issued additional proposed rule changes to the TSR to address more payment processing concerns.
Some affiliate marketers have recently gotten involved in the risky world of online trading. Online trading, particularly the trading of binary options, has become an attractive alternative for some affiliate marketers to traditional forms of online marketing.
However, those companies that do get involved in this market must be aware of the presence of the U.S. Commodity Futures Trading Commission (CFTC), which regulates these markets.
Simply put, binary options means “two options.” The system offers traders a simple choice whether an asset will close above a certain price (a “call option”) or below (a “put option”) at the end of the day. Lately, there seems to be a great deal of confusion regarding the legality of binary options trading in the United States.
The question is not so much whether binary options are legal in the United States but whether the firms offering them are listed on a proper U.S. exchange and are properly registered with and regulated by the Commodity Futures Trading Commission (CFTC). Nadex, for example, is a regulated U.S. exchange, which is designated by the CFTC and permitted to accept U.S. residents as members.
In a recent lawsuit, the CFTC charged the Ireland-based “Intrade The Prediction Market Limited” and “Trade Exchange Network Limited” with offering commodity option contracts to U.S. customers for trading, including option contracts on whether certain U.S. economic numbers or the prices of gold and currencies would reach a certain level by a certain future date, all in violation of the CFTC’s ban on off-exchange options trading.
For now, it seems that regulators like the CFTC have focused their attention on the actual firms offering these trading options. However, the CFTC has been sending cease and desist letters to affiliates in this space as well. Affiliates working in such risky markets must know the firms for which they are working. Some online trading firms may say they do not accept U.S. customers, but saying it is very different than actually representing and warranting that fact in a contractual document with their affiliates and indemnifying affiliates from liability.
For further information, see my article in the April 2013 issue of FeedFront, a magazine for affiliate marketers.
Over the past decade the Federal Trade Commission has brought cybersecurity enforcement actions against various private companies, imposing tens of millions of dollars in monetary penalties and requiring companies to maintain more stringent data-security practices. No company has ever challenged the FTC’s authority to regulate cybersecurity in this way in court – until now. On June 17, 2013, a federal court will finally get a chance to weigh in on whether the scope of the FTC’s regulatory jurisdiction is so broad as to include setting standards for cybersecurity.
In FTC v. Wyndham Worldwide Corporation, et al., the FTC launched a civil action against the parent company of the Wyndham hotels and three of its subsidiaries for data security failures that led to three major data breaches in less than two years. The Commission’s complaint charges that Wyndham’s security practices were unfair and deceptive in violation of the FTC Act.
Unlike many other data-security FTC enforcement actions, in which the defendant has chosen to cut its losses and settle out of court, Wyndham has decided to stand and fight with a motion to dismiss. Judge Esther Salas of the U.S. District Court for the District of New Jersey is expected to rule on Wyndham’s motion on June 17.
With respect to the FTC’s unfairness claim, Wyndham’s motion asserts that the FTC is attempting to circumvent the legislative process by acting as if “it has the statutory authority to do that which Congress has refused: establish data-security standards for the private sector and enforce those standards in federal court.”
According to Wyndham, “on multiple occasions in the 1990s and early 2000s the FTC publicly acknowledged that it lacked authority to prescribe substantive data-security standards under the [FTC Act]. For that very reason, the FTC has repeatedly asked Congress to enact legislation giving it such authority.” Further, Wyndham highlights the Senate’s failure to pass the Cybersecurity Act of 2012, which sought to address the need for specific data-security standards for the private sector, and President Obama’s February 2013 Executive Order on cybersecurity that was issued in response to the Congressional stalemate.
On its face, Wyndham’s motion to dismiss seems quite strong. However, the facts that the FTC is alleging do not cut in Wyndham’s favor. The Commission’s complaint alleges that Wyndham’s failure to “adequately limit access between and among the Wyndham-branded hotels’ property management systems, [Wyndham] Hotels and Resorts’ corporate network, and the Internet” allowed intruders to use weak access points (e.g., a single hotel’s local computer network) to hack into the entire Wyndham Hotels and Resorts’ corporate network. From there, the intruders were able to gain access to the payment management systems of scores of Wyndham-branded hotels.
According to the FTC, Wyndham failed to remedy known security vulnerabilities, employ reasonable measures to detect unauthorized access, and follow proper incident response procedures following the first breach in April 2008. Thus, the corporation remained vulnerable to attacks that took place the following year. All told, the intruders compromised over 600,000 consumer payment card accounts, exported hundreds of thousands of payment card account numbers to a domain registered in Russia, and used them to make over $10.6 million in fraudulent purchases.
Unfortunately – as Wyndham notes in its motion to dismiss – hacking has become an endemic problem. There has been no shortage of stories about major cyber-attacks on private companies and governmental entities alike: from Google and Microsoft to NASA and the FBI. And the FTC has not been shy about bringing enforcement actions against private companies with inadequate security measures.
If Wyndham prevails, the case could usher in a major reduction in FTC enforcement efforts. However, if the court sides with the FTC, the commission will be further empowered to regulate data security practices. With such high stakes on both sides, any decision is likely to result in an appeal. In the meantime, companies in various industry sectors that maintain personal consumer information are awaiting next week’s decision.
On May 6, 2013, the U.S. Senate passed the “Marketplace Fairness Act,” which allows states to collect sales tax on online purchases, whether or not the online retailer has a physical presence in the state. If this bill becomes law, it would change the structure that has been in place since the 1992 Supreme Court ruling in Quill v. North Dakota, 504 U.S. 298 (1992), which held that states could collect sales tax on online transactions only if the retailer also had a physical presence in the state such as a warehouse, a store, or in some cases, an online affiliate.
The act would allow states to require all retailers with more than $1 million in sales to collect and remit sales taxes to state and local jurisdictions. Retailers would collect the tax at the point of purchase, code each sale by zip code, and remit the taxes to the eligible states and local municipalities. Although states would not be required to implement a tax on online sales, many would probably choose to do so as they look for ways to generate much-needed revenue to compensate for budget shortfalls. By taxing online sales, states could generate an estimated $23 billion a year in local and state sales taxes. Additionally, states are likely to receive pressure from local businesses seeking to level the playing field for brick-and-mortar retailers who feel that they’re at an unfair disadvantage for having to charge tax on goods that customers can often buy tax-free online.
As Internet sales taxes become more common, one group likely to benefit is Internet affiliates. Prior to this bill, states such as Illinois sought to circumvent Quill by stating that Internet affiliates created the requisite “nexus” of a physical presence within a state. This caused online stores, including retailer behemoth Amazon, to cease using affiliates in any states where the affiliate would constitute a nexus. If a physical nexus is no longer required, affiliates would no longer be singled out and terminated due to their presence in any particular state.
Considerable support for a bill of this sort was likely inevitable. When online shopping was still new, online sales were minimal and most people did their shopping locally, meaning that the loss of state and local tax revenue was minimal. However, the dramatic increase in the choices available online, along with quick and free shipping, means that by some estimates up to 85 percent of Internet users do at least some shopping online. The corresponding decrease in patronage at local stores meant that states were missing out on taxes from those purchases. As a result, this bill would give states the opportunity to collect what they see as lost revenue.
That is not to say, however, that the bill will eventually become law. The bill faces stiff opposition in the Republican-controlled House, where some lawmakers see the bill as a tax increase. They face additional pressure from the Conservative Action Project, which has obtained more than 50 signatures from business and political leaders in a letter opposing the Marketplace Fairness Act on the premise that “retailers would be subject to laws imposed by states with which they have no direct connection, and in whose political system they have no voice. It is regulation without representation, allowing politicians to raise revenue, without fear of a public backlash.”
Currently, it appears that the bill is unlikely to become law. However, politicians will continue to raise revenue regardless. If the federal law does not pass, states will likely continue to issue broad and increasingly strained interpretations of what constitutes a “presence” in the state in order to collect revenues from online merchants.
The Federal Trade Commission has made it quite clear that it is serious about advising mobile app developers that the rules of the road will be changing very soon. Since 2011, the Commission has been working to update the rules governing the collection of children’s personal information by mobile apps. The relevant law is the Children’s Online Privacy Protection Act (COPPA), and the rules are set to change in just over a month, on July 1.
As part of its effort to encourage compliance, the Commission recently issued more than 90 warning letters to app developers, both foreign and domestic, whose online services appear to collect data from children under the age of 13. The letters alert the recipients about the upcoming COPPA rule change and encourage them to review their apps, policies, and procedures for compliance. According to the letters, the Commission did not evaluate whether the recipients’ apps or company practices are in compliance. Therefore, we view this move as a public warning to all app developers that may be collecting personal information from children.
Until now, COPPA, which was originally enacted in 1998, defined “personal information” to include only the basics such as a child’s name, contact information, and social security number. Over the past decade, it has become antiquated by the development of mobile apps and other technological advancements affecting data collection. Unfortunately but understandably, COPPA’s original incarnation failed to account for the proclivities of today’s children, who – reared in the age of smartphones, Facebook, and Google-everything – routinely use mobile apps to share their lives with their friends, their family, and the world.
The FTC has expressed major concerns that, unbeknownst to many users, mobile app developers also collect and disseminate their users’ persistent identifiers (things such as cookies, IP addresses, and mobile device IDs). This information, which can recognize users over time and across different websites and online services, is often used by developers and third parties to market products to children based on each child’s specific online behavior. Come July 1, this practice will be illegal.
Under the revised rule, the definition of “personal information” has been expanded to include persistent identifiers, photos and videos with a child’s image, and recordings of a child’s voice. Additionally, developers of apps directed to children under 13 – or that knowingly collect personal information from children under 13 – will be required to post accurate privacy policies, provide notice, and obtain verifiable parental consent before collecting, using, or disclosing such information. However, there are some exceptions for developers that only use the information to support internal operations (e.g., analyzing the app’s functionality or authenticating app users).
Protecting children’s privacy continues to be one of the Commission’s major initiatives, and the FTC has levied some hefty penalties for COPPA violations over the past year. That said, the Commission has indicated that it may be more lenient in cases where a small business has violated the rule despite well-intentioned attempts to comply. As we mentioned back in February, developers should beware of increased data privacy enforcement on the state level, as well. We encourage all mobile app developers to be proactive and review/update their policies to ensure compliance and avoid costly penalties.
On April 3, 2013, the Federal Trade Commission issued a press release that marks yet another step in its continuing trend of actions involving data brokers and data providers. As we have noted in earlier blog posts, the agency is making a concerted effort on a number of fronts to enforce the laws that protect consumer data and privacy.
The FTC’s current action involves a letter that it sent to a number of data brokerage companies that provide tenants’ rental histories to landlords. The letter is simply a notification to the companies that they may be considered credit reporting agencies under the Fair Credit Reporting Act (FCRA) and that they thus may be required to ensure that their websites and practices comply with that law.
The FTC letter also listed some of the obligations of credit reporting agencies to take reasonable steps to ensure the fairness, accuracy, and confidentiality of their reports — such as (1) ensuring that landlords are actually using the report for tenant screening purposes and not as a pretext, (2) ensuring the maximum possible accuracy of the information in the tenant reports, (3) if the company is a nationwide provider, providing consumers with a free copy of their report annually, and (4) ensuring that all obligations are met concerning notifications to landlords (e.g. letting consumers know about a denial based on a tenant report, the right to dispute information in the report, and the right to get a free copy of the report).
The FTC letter specifically noted that the agency has not evaluated whether the company receiving the letter is in compliance with the FCRA but that “we encourage you to review your websites and your policies and procedures for compliance.”
We have discussed FTC actions against data brokers before. In March, we discussed the FTC’s announcement of a settlement with Compete, Inc., a web analytics company. Compete sells reports on consumer browsing behavior to clients looking to drive more traffic to their websites and increase sales. Compete obtained the information by getting consumers to install the company’s web-tracking software in their computers. The FTC alleged that the company’s business practices were unfair and deceptive because the company did not sufficiently describe the types of information it was collecting from its users.
We are confident that the companies that received the letter regarding tenant information are reviewing their websites and policies, as encouraged by the FTC. However, what really intrigues us is the motivation behind the FTC sending the letters to the companies.
Of course, part of that motivation is to help ensure that the companies follow rules for privacy protection. Nonetheless, it is also interesting to note that there is a significant consequence under the FCRA – namely, individuals are permitted to seek punitive damages for deliberate violations of the FCRA. Thus, the letter arguably provides notice for the companies to become compliant immediately since future violations may be considered deliberate breaches that warrant punitive damages.
The Federal Trade Commission recently approved nine final orders that settle charges against seven rent-to-own stores and a software design firm and its principals. The charges stemmed from shocking allegations that the companies spied on consumers using computers that the consumers had rented from them. Among other things, the Commission’s complaint alleged that the computers were equipped with software (PC Rental Agent) that used the rented computer’s webcam to take “pictures of children, individuals not fully clothed, and couples engaged in sexual activities.”
PC Rental Agent was designed by one of the defendants, DesignerWare, LLC, a Pennsylvania-based software company that licenses software to rent-to-own companies to assist them in locating stolen merchandise and collecting late payments. PC Rental Agent has three critical features: a kill switch, geophysical location tracking, and a Detective Mode. Using the “kill switch” and geophysical location tracking, DesignerWare could remotely disable and locate the rented computers. However, at the request of the rent-to-own stores, DesignerWare would remotely activate the “Detective Mode” on an individual computer and “surreptitiously log the computer user’s keystrokes, capture screenshots and take pictures with the computer’s webcam and send the data to DesignerWare servers.”
DesignerWare did not review the data gathered; rather, it forwarded the data, unencrypted, directly to an email account designated by the particular rent-to-own store. In numerous instances the data included “private and confidential details about the computer users” including user names and passwords for email, banking, and social media accounts in addition to users’ social security numbers, financial statements, and medical records.
In settling the complaint, the companies agreed to a ban on the use of monitoring software and deceptive methods to gather consumer information. This includes a bar on the use of fake software registration screens to collect personal consumer information and the use of geophysical location tracking without consumer notice and consent. The seven rent-to-own companies are also barred from using improperly gathered information to collect on customer accounts. DesignerWare and its principals are barred from providing others with the means to commit illegal acts. Additionally, all of the defendants are subject to recordkeeping requirements that will allow the FTC to monitor their compliance for the next 20 years.
In a case with such sensational facts, it is quite notable that beyond the FTC monitoring requirement, the penalties are essentially a restatement of the rules by which all companies must regularly abide. It is unclear why no civil penalty was issued for behavior that sounds as egregious as this behavior does. Perhaps it is because there were no allegations of malicious intent or that the data was transferred to third parties or used in any way other than to retrieve rented computers. Whatever the case may be, this is yet another reminder that companies should ensure that they give proper notice before collecting customers’ personal information and avoid collecting more information than necessary.
“Cramming” – while it sounds like the experience of being in the middle row of a cross-country flight – actually refers to unauthorized charges on phone bills. Residential and business telecommunications customers have experienced cramming on their wireline bills for years, particularly for premium and other pay-per-call services. And the FTC has brought nearly two dozen cases against those companies.
With so many U.S. consumers using mobile phones (and many replacing their wireline phones and relying on wireless service exclusively), cramming has migrated to mobile phone bills. We have previously discussed the FTC’s ongoing review of mobile payments and the agency’s continuing concerns with cramming practices.
Last week, the FTC filed its first legal action to shut down a mobile cramming operation. In federal court in Georgia, the FTC alleges that since 2011, Wise Media, LLC, its CEO Brian Buckley, and its owner Winston Deloney have made millions of dollars by placing unauthorized charges for premium text message services offering “horoscopes, flirting, love tips and other information” on consumers’ mobile phone bills. The FTC’s complaint also names Concrete Marketing Research, LLC, a company owned by Deloney, as having received funds earned through the allegedly unfair and deceptive practices.
According to the FTC, consumers did not “opt in” to receive these text message services, for which Wise Media charged $9.99 per month. The charges appeared on the bills and were repeated each month. Many consumers did not notice the charges and simply paid them. Some consumers noticed the charges but had great difficulty finding a contact for Wise Media, according to the complaint. Other consumers contacted the company, indicating they had not authorized the charges, but were still charged. Still others allegedly were told they would receive refunds, but Wise Media never issued those refunds. Instead, the underlying mobile phone carriers often ended up refunding money to complaining customers. The FTC noted that mobile phone carriers had experienced a high rate of complaints on Wise Media charges. One unnamed major phone carrier had even terminated Wise Media based on its excessive rates.
The FTC’s complaint charges that Wise Media and the other defendants violated Section 5 of the FTC Act by representing that consumers were obligated to pay for premium text services they never ordered. According to the FTC, these representations were false or misleading statements, constituting deceptive acts or practices under Section 5. Further, the complaint states that the placing of charges on consumers’ mobile phone bills without consumers’ “express informed consent” constituted unfair acts and practices also prohibited by Section 5.
The agency is seeking substantial relief and penalties from Wise Media and the other defendants. The FTC’s requested relief includes a request for a temporary and preliminary injunction to prevent future violations of the FTC Act by defendants, an asset freeze, and the refund of monies paid and “the disgorgement of ill-gotten monies.” In fact, after the filing of the complaint, Wise Media and the other defendants entered into a stipulation with the FTC agreeing to a temporary restraining order, an asset freeze, and other relief. The court also ordered that a receiver be appointed to oversee Wise Media’s assets and is requiring financial disclosures by the defendants.
This action signals that the FTC is continuing to monitor closely the mobile payment marketplace and that it will use its broad Section 5 authority to curb alleged deceptive practices in this medium. In fact, on May 8, the FTC staff will host a roundtable discussion on preventing mobile cramming, which will feature consumer advocates, industry leaders, and government regulators. It will be interesting to see what actions the major mobile carriers may propose, as the carriers have been on the receiving end of many of the consumer complaints (and refunds) resulting from third-party charges.
Some lawyers who deal regularly with the Federal Trade Commission in investigations of allegedly false and deceptive online advertising have noticed that the agency is beginning to take steps in these investigations that are unprecedented and draconian – and that judges seem to be going along. Below is a set of questions and answers with Jeff Ifrah, founding partner of Ifrah Law, on these new enforcement methods.
1. What is the first thing that a lawyer representing a company being probed by the FTC on false-advertising charges can expect to see?
IFRAH: Agency lawyers will go to a federal district judge with a copy of a temporary restraining order (TRO) for the judge to sign on an ex parte basis (without the defendant or its lawyers being present). Judges are allowed to do this as long as a hearing is set in a few days for a preliminary injunction, at which the defendant is represented. Meanwhile, the company is essentially barred from doing business by the terms of the TRO.
2. What is the FTC’s usual next step?
IFRAH: The agency will then go before the same judge with a draft of a preliminary injunction that is pretty much identical to the temporary restraining order. These injunctions basically require the business to continue to remain at a standstill until a trial is held and a settlement is reached. In addition, they require the company to disclose on all its web sites that it is being investigated for false and deceptive practices and to disclose online all of its sensitive financial information and that of its owners. Very often, the defendant will not contest this injunction request by the FTC. It is remarkable how many lawyers simply capitulate and agree to these draconian orders and set their clients up to fail.
3. What’s wrong with that? Isn’t the injunction lifted when the defendant agrees to settle the case?
IFRAH: Yes, but by that time, it may be too late, and the company may have gone out of business as a result of the restrictions that were imposed on it by the injunction and as a result of the disclosures that it had to make.
4. Are there other problems with these preliminary injunctions?
IFRAH: Yes. The FTC usually asks for a preliminary injunction with many standard features, and the judge usually grants it. But no two cases or defendants are the same. The courts are not taking into account the fact that different situations require different results. Instead, the injunctions are overbroad and reach behavior that is beyond what is alleged in the complaint.
Some of these restraining orders and injunctions restrict how much money a defendant can spend in a month or what type of online advertising it can use while the case is pending. Other injunctions require affirmative behavior, such as a requirement that the defendant report to the FTC every time it creates or operates any type of business. In either case, the defendant is forced to open its entire existence to the FTC, and everything it does is subject to scrutiny.
Another problem with standard, overbroad injunctions is that a defendant may become uncertain as to what it must do to prevent being held in contempt of court for non-compliance. The language in the injunction is often so vague and undefined that the FTC can act in its discretion to find a defendant in contempt.
5. And is that the end of the story?
IFRAH: No, unfortunately, plaintiffs’ lawyers often look to copycat an FTC action, and as a result companies may then have yet another headache to deal with, if they haven’t already been irreparably damaged by the FTC’s actions.
The increasing difficulties faced by internet providers and data gatherers in the international realm have yet again come to the fore. Privacy regulators in France, Germany, Spain, the Netherlands, the United Kingdom and Italy have banded together to investigate whether to fine Google for what they perceive to be violations of European Union privacy laws.
The background is that in March 2012, Google replaced its disparate privacy policies applicable to its various products (such as Gmail and YouTube) with a single policy that applied to all of its services.
However, as part of a report issued in October 2012, the EU’s Article 29 Data Protection Working Party then declared that Google’s unified policy did not comply with EU data protection laws. The EU’s primary, but not only, quibble with Google’s new policy involved the sharing of personal data across multiple Google services and platforms. At that time, the president of the French regulatory body, the CNIL, indicated that litigation would be initiated if Google did not implement the Working Party’s recommendations within three to four months.
As a result, Google now faces the time and costs of substantial regulatory oversight and investigation, as well as potential fines, from multiple national privacy protection watchdogs. In fairness, the EU privacy regulators have tended to be rather inclusive in their interpretation of what is and is not required by law. This is unfair to Google and to other companies that comply with what they believe to be the letter and spirit of the law, only to have regulators reinterpret the law to move the goal posts. But this is typical in the EU regulatory realm.
Google’s predicament sends a stern warning to all internet providers that gather personal data. Any provider’s natural inclination is to focus on complying with the privacy rules applicable in the country where the provider is located. But the internet is borderless, subjecting providers to multiple laws in multiple jurisdictions. This creates the need for each provider to carefully analyze privacy policies to ensure as best as possible that it complies with the rules applicable across the globe. EU regulators and others are no longer content to allow the United States to set the guidelines for privacy and other rights, creating new challenges for privacy compliance in the United States and abroad.