The world is full of surprises, like the fact that Nutella chocolate spread is loaded with saturated fat and sugar and is not itself healthy.
Ferrero USA, Inc., the company that makes Nutella, learned the hard way that many American parents could not survive (nor perhaps could their children) without the aid and intervention of Captain Obvious. And so, following a recent settlement agreement with some confused parents, the maker of Nutella will modify its labeling, advertising, and website to clarify its nutritional value.
The problems arose from a line of advertisements and website content suggesting that Nutella could be part of a healthy breakfast. While many of us might understand that Nutella’s contributions to a healthy breakfast are the equivalent of Cheez Whiz’s contributions to a healthy side of broccoli, a couple of California moms said they were duped. They were surprised to learn that it was other elements of a breakfast – like a glass of milk, or the whole-grain bread the Nutella would top – that were healthy and that all Nutella did was to get children to the table.
The SoCal gals took their stupefaction to court, filing a class action for violations of state consumer protection laws in the U.S. District Court for the Southern District of California in early 2011. A literal reading of the advertisements (samples of which can be found on pages 19-27 of the complaint) should make it reasonably clear that Nutella, in and of itself, is not a nutritionist’s top pick. The ads qualify Nutella as a way to get children to eat healthy foods (see again, Cheez Whiz). But those qualifications were not clear enough to the plaintiffs, who were “shocked” that Nutella had the nutritional value of a candy bar.
Ferrero attempted to get the class action transferred to U.S. District Court in New Jersey, where a follow-on suit was filed, and also attempted to get the actions dismissed. The company’s tactics failed, leaving it with little choice but to pursue costly defense or to settle. The company chose the latter course and entered into a $3 million-plus settlement for both cases. While the sum may seem staggering in comparison to the allegations, most of the settlement ($2.5 million) is dedicated to reimbursing consumers, in $4/purchase increments. The company has also agreed to clarify its nutritional value in its labeling, advertising and website.
What’s troubling is that Ferrero’s advertising was full of qualifications about the role Nutella can play in nutrition. It’s only the careless or dismissive or naïve parent who could have been “duped.” In the end, this appears to be yet another example of our system protecting willful blindness.
SOPA and PIPA, as legislative efforts to deal with online piracy and other infringing activity, have gone the way of the Edsel. But their next of kin, a new bill known as CISPA, has made it through the House, passing 248 to 168. It too seems unlikely to become law, as the White House has threatened to veto it.
SOPA and PIPA hit the skids after major online companies and consumer activist groups mounted a host of protests across the Internet, including Wikipedia’s and Google’s blackout in January. The concern with SOPA and PIPA was that the legislation could cripple Internet innovation. The public concern over CISPA, and the declared basis for the White House veto threat, is that the bill would significantly threaten civil liberties.
CISPA’s stated goal is to create new channels for communication between government intelligence entities and private firms regarding potential and emerging cybersecurity threats. It allows a company to intercept emails or text messages and to modify those messages or prevent them from reaching their destination if they qualify as a cybersecurity threat. It would allow the companies and the federal government to share information with each other in an attempt to foil hackers.
Like SOPA and PIPA, CISPA includes portions that protect intellectual property. If a person is potentially infringing on intellectual property and that infringing activity is considered a threat to cybersecurity, under CISPA his website or the place where his content was posted could be blocked. Critics argue that the proposed definition of “cybersecurity” is so broad that it allows for the possibility of the restriction of communications that are not in any way threatening.
CISPA would create a system of information sharing that would involve the oversight of the Director of National Intelligence, who would appoint members of the intelligence community who would work with employees of tech companies and grant security clearances. Any information that was categorized under the cyberthreat intelligence category could not be divulged beyond the two parties without approval.
Many tech companies that actively opposed SOPA are supporting CISPA. CISPA is drawing support from such firms as Facebook, Microsoft, AT&T, IBM, Intel, Oracle, and Verizon as well as business groups such as the Financial Services Roundtable and the U.S. Chamber of Commerce.
A key difference may be that under CISPA, companies like Facebook would not be required to share any information about their users with the authorities, and if they did, CISPA would protect them from liability. The bill currently states that any sharing that occurs under the legislation “supersedes any statute of a State or political subdivision of a State that restricts or otherwise expressly regulates” the exchanges between the government and other parties.
Online advocacy groups are gearing up to protest against CISPA. The Center for Democracy and Technology, as well as the American Civil Liberties Union and the Electronic Frontier Foundation are rallying against the bill, and the number of blogs and websites calling for CISPA to be defeated is increasing rapidly.
Although CISPA’s approach is different from that of SOPA and PIPA, this bill has many of the same potential problems that those bills had. The very broad language defining a cybersecurity threat could be prone to abuse. Several amendments were added to the bill in order to appease civil liberties concerns, such as limiting the government’s use of private data and which cyberthreat data can be shared. Even with these amendments, advocacy groups remain concerned about the legislation, and the veto threat persists. It remains to be seen what will happen with CISPA, but we hope it goes the way of SOPA and PIPA. We will keep you updated as things progress.
The Federal Trade Commission has obtained an order from the federal court for the Central District of California for a preliminary injunction and asset freeze against all the defendants in an alleged mortgage modification scam.
The complaint was filed against California-based Sameer Lakhany and a number of related corporate entities for violating the Federal Trade Commission Act and the Mortgage Assistance Relief Services Rule, now known as Regulation O. This was the first FTC complaint against a mortgage relief scheme that falsely promised to get help for homeowners who joined with other homeowners to file so-called “mass joinder” lawsuits against their lenders.
The complaint listed two separate alleged schemes that collected over $1 million in fees and used images of President Obama to urge consumers to call for modifications under the “Obama Loan Modification Programs.”
The first scheme was a loan modification plan under which the defendants allegedly promised substantial relief to unwary homeowners from unaffordable mortgages and foreclosures. Their website featured a seal indicating that it was an “NHLA accredited mortgage advocate” and that NHLA is “a regulatory body in the loan modification industry to insure only the highest standards and practices are being performed. They have an A rating with the BBB.” Unfortunately, the NHLA is not a “regulatory body” and it actually has an “F” rating with the BBB.
The defendants reinforced their sales pitch by portraying themselves as nonprofit housing counselors that received outside funding for all their operating costs, except for a “forensic loan audit” fee. According to the FTC, the defendants told consumers that these audits would uncover lender violations 90 percent of the time or more and that the violations would provide leverage over their lenders and force the lenders to grant a loan modification. The defendants typically charged consumers between $795 and $1595 for this “audit.” Also, if the “audit” did not turn up any violations, the consumers could get a 70 percent refund. Unfortunately, there were often no violations found, any “violations” did not materially change the lender’s position, and it was nearly impossible to actually get a refund for this fee.
The second alleged scheme was that the defendants created a law firm, Precision Law Center, and attempted to sell consumers legal services. Precision Law Center was supposed to be a “full service law firm”, with a wide variety of practice areas. It even claimed to “have assembled an aggressive and talented team of litigators to address the lenders in a Court of Law.” However, the FTC charged that the firm never did anything besides filing a few complaints, which were mostly dismissed.
To assist Precision Law Center in getting new clients, the defendants sent out direct mail from their law firm that resembled a class action settlement notice. The notice “promised” consumers that if they sued their lenders along with other homeowners in a “mass joinder” lawsuit, they could obtain favorable mortgage concessions from their lenders or stop the foreclosure process. The fee to participate in this lawsuit was usually between $6,000 and $10,000. The material also allegedly claimed that 80 to 85 percent of these suits are successful and that consumers might also receive their homes free and clear and be refunded all other charges.
The defendants’ direct mail solicitation also contained an official-looking form designed to mimic a federal tax form or class action settlement notice. It had prominent markings urging the time sensitivity of the materials and it requested an immediate response.
Obviously, these defendants employed many egregious marketing techniques that crossed the FTC’s line of permissibility. However, in light of the FTC’s renewed focus on Internet marketing, even a traditional marketing campaign should be carefully crafted with legal ramifications in mind.
As a final note, it is always smart not to antagonize the FTC by proclaiming (as the defendants here did) that you are “Allowed to Accept Retainer Fees” because it is “Not covered by FTC.” We couldn’t think of a better way to get onto the FTC’s radar screen!
For more than a decade, the Federal Trade Commission has been releasing its list of the top ten categories of consumer complaints received by the agency in the previous year. This list always serves as a good indication of the areas toward which the FTC may choose to direct its resources and increase its scrutiny.
For the 12th year in a row, identity theft was the number one complaint received by the FTC. Out of more than 1.8 million complaints the FTC received last year, 15% – or 279,156 – were about identity theft. Of those identity theft complaints, close to 25 percent were related to tax or wage-related fraud. The number of complaints related to identity theft actually declined in 2011 from the previous year, but this type of fraud still topped the list.
Most identity theft complaints came from consumers reporting that their personal information was stolen and used in government documents — often to fraudulently collect government benefits. Complaints about government document-related identity theft have increased 11% since 2009 and represented 27% of identity theft complaints last year. These numbers are likely to increase as concerns about consumer data privacy continue to garner the attention of the FTC.
After ID theft, the FTC’s top consumer complaints for 2011 were as follows:
• Debt collection complaints
• Prizes, sweepstakes, and lotteries
• Shop-at-Home and catalog sales
• Banks and lenders
• Internet services
• Auto-related complaints
• Imposter scams
• Telephone and mobile services
• Advance-fee loans and credit protection or repair
While credit cards are intertwined with many of the above complaints, complaints about credit cards themselves are noticeably absent from the 2011 list. In past years, credit card fraud was a major source of complaints from consumers. The drop in credit-card-fraud-related complaints, however, is not surprising given the passage of the Credit CARD Act of 2009. This landmark federal legislation banned interest rate hikes “at any time for any reason” and limited the instances when rates on existing card balances could be hiked by issuers. The law also required lenders to give customers at least 45 days’ advance notice of significant changes in terms to allow card users time to shop around for better terms.
With the upcoming changes to the FTC’s advertising guidelines, there may very well be new additions to the consumer complaint list next year. Those complaints that already appear on the list are also likely to receive increased scrutiny.
When hackers breached the computer systems of online retailer Zappos.com in January, they gained access to the personal information of up to 24 million customers. The information included customer names, billing and shipping addresses, email addresses, and phone numbers. In a predictable response, customers immediately filed federal class action lawsuits against Zappos, and the attorneys general of nine states sent a joint letter to the company demanding more information about the breach of consumer data.
Despite the rush to accuse, much of the personal information that was taken – names, addresses, and phone numbers – is available in any phone book or internet search. Customers and state attorneys general were so quick to accuse Zappos of wrongdoing that they did not stop to consider what Zappos did right.
Thanks to Zappos’ prior planning, the hackers were unable to reach the most sensitive information, such as passwords and full credit card numbers, because they were secured, encrypted, and stored in a separate database. When the breach came to light, Zappos responded immediately by putting into effect its existing contingency plan for a data breach. Zappos quickly alerted customers to the breach via email and automatically reset the passwords of all 24 million customers. Additionally, Zappos informed its employees of the facts of the breach and trained all employees to pitch in and respond to customer inquiries.
Certainly, as the attorneys general’s letter pointed out, there are huge risks involved with any security breach. For instance, even the limited information the hackers obtained from Zappos could be used in carrying out a targeted email phishing scheme aimed at the customers. Keeping customers’ personal information secure is a huge responsibility that all online retailers must take seriously, and a breach is something they must take every step to avoid.
While Zappos will certainly have to review the circumstances of how this happened and put into place further steps to protect customers’ information, the company’s prior planning prevented a much more serious breach, and its response was swift and effective. Zappos set a good example of the precautions that online merchants should take with customers’ information, and how to respond in case of a breach.
The data free-for-all that’s been enjoyed by the app industry is over … more or less. No longer should the industry expect to collect and use customer data – so accessible and abundant in smartphones and tablets – without notice to its customers. Since the Path fiasco (and the revelation of other major data collection controversies), data collection practices by companies with mobile applications have come under increased scrutiny on a number of levels. Congress, federal regulators (like the FTC), state regulators (like the California Attorney General), consumer advocacy groups and the media are in action mode.
Initiatives by some state and federal regulators have clearly been in the works for some time. But the Path story – in which the app company acknowledged that it took users’ address book data without permission when the app loaded on an iPhone or Android machine – brought another group into the mix of those in pursuit of the app world and its data collection practices: plaintiffs’ attorneys. A class action suit was filed in federal district court in Texas in mid-March against Path, Twitter, Apple, Facebook and other companies with online services that use consumer address books. While the suit may not get very far – the complaint does not allege much in the way of damages other than privacy violations – it nonetheless is an added cost for the companies that have to defend against it.
The best way to shift the harsh light of public concern away from the app industry is for the industry to change its practices. This has been under way since the big six mobile application platforms entered into an agreement with the California Attorney General in late February. Apple, Google, Microsoft, Amazon, Hewlett-Packard and Research In Motion signed onto a Joint Statement of Principles with the attorney general that aims to “increase awareness among application developers about their obligations to respect consumer privacy and to promote transparency in privacy practices” (and to get apps to comply with the California Online Privacy Protection Act, which is the basis of the AG’s agreement).
Toward this end, the Big Six agreed to help build the framework requiring privacy policies (and easy access to those policies) for mobile applications that collect personal data. The principles are as follows:
(1) Where required by law, apps that collect personal data must conspicuously post their privacy policies, providing clear and complete information on how that data is collected and used.
(2) The Big Six will require apps to demonstrate clear access to privacy policies as a part of the application submission process (for launch on the mobile app platforms).
(3) The Big Six will develop systems for customers to report apps that do not comply with their terms of service and/or laws.
(4) The Big Six will develop systems to respond to non-compliance.
(5) The Big Six will continue to work with the AG on effective privacy measures, agreeing to reconvene in six months to evaluate privacy measures.
Notably, this agreement is yet one more instance of the way in which government agents are deputizing private companies to carry out their initiatives. While exerting pressure on major players has historically been an expeditious tack taken occasionally by government regulators, in the online world, it is the default strategy.
Here, the Big Six are clearly acting as gatekeepers to carry out the California AG’s goals: they will require app developers to institute privacy policies and they will monitor and enforce compliance. Similar deputized roles are being assumed by search engines (like Google, again) through the White House’s initiatives in its Online Privacy Bill of Rights and regulatory enforcement actions.
At first glance, this may seem troubling – who wants yet another layer of oversight? But the government and major players may be right. There are two somewhat opposing issues: interest in privacy protection and interest in encouraging app industry growth. Who better to figure out the balance than companies that have skin in the game?
There may be a legal hurdle or two for the Consumer Financial Protection Board to jump after the recess appointment of agency director Richard Cordray (the House Judiciary Committee held a hearing on the matter on February 15). But the consumer protection agency created under the Dodd-Frank Wall Street Reform Act of 2010 is pressing forward with its initiatives. Not too surprisingly, several recently proposed initiatives from the agency would stretch the agency’s authority into areas that extend beyond the industries targeted in the Dodd-Frank Act.
The day after the House Judiciary Committee debated the constitutionality of Cordray’s appointment (it doesn’t appear that the hearing was much more than some Republican caterwauling for the record), the CFPB released news of its first major regulatory proposal: to bring consumer credit reporting agencies and debt collection services under its scrutiny.
Those who are vaguely familiar with Dodd-Frank may be aware that the legislation gives the CFPB oversight of specific nonbank markets for (1) nonbank mortgage companies, (2) payday lenders, and (3) private student lenders. These are popular and understandable targets for probes of predatory lending practices. Headlining these industries as needing increased oversight is part of what made the legislation popular and easier for Congress to pass. So where do credit reporting agencies and debt collectors fit under the regulatory scheme? Quite simply, the Dodd-Frank Act also provides for CFPB oversight of other nonbank financial companies that are “larger participants of a market for other consumer financial products or services.”
Oversight of “larger participants”? What on earth does that mean? Congress doesn’t appear to have given clear guidance on what it meant by “larger participants,” leaving the term to the agency to define. As certain as the law of gravity is the law of bureaucratic power: What is not confined (by legislative delineation) necessarily will expand.
Don’t assume that the Dodd-Frank Act’s vagueness concerning what the CFPB would oversee was … well, an oversight. Congress often provides a broad policy concept and then delegates to administrative agencies the power to run with their interpretation and execution of that concept. Hence the impossibly cumbersome Code of Federal Regulations. Even so, however, the breadth of the power delegated to the new consumer protection agency is a bit much.
To the CFPB’s immense credit, it has published at least two requests for public comment to help it define “larger participants” and included an article on the agency’s blog regarding the matter. Indeed, the CFPB seems to be doing a pretty good job of explaining its steps and initiatives and of providing a user-friendly forum to keep the public apprised of its actions. And it is not entirely the agency’s fault that it is obeying the laws of bureaucratic power reach – it would be unnatural for the agency to try to constrict its own authority.
What we should glean from the CFPB’s latest proposal, though, is that the CFPB will be running with its power and companies that provide any kind of consumer finance product must be aware of the possibility of government scrutiny.
A federal judge in the U.S. District Court for the District of Columbia agreed earlier this month to fast-track a lawsuit by a privacy group against the Federal Trade Commission. The suit argues that the FTC has failed to enforce the terms of a settlement agreement it reached with Google last year after the FTC accused Google of violating privacy regulations in the launch of Google Buzz.
Last year, Google and the FTC agreed on a settlement stemming from allegations that Google violated its own privacy promises to consumers when it launched its social network, Google Buzz. That investigation began with a complaint filed by the Electronic Privacy Information Center (EPIC), the same group that is the plaintiff in this current case. EPIC is not suing Google and was not a party to the settlement reached between Google and the FTC. At the time of the settlement, the FTC said it “bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program and calls for regular, independent privacy audits for the next 20 years.”
On February 17, the FTC filed a memorandum in opposition to the EPIC suit and a motion to dismiss it. The agency asserted that EPIC has no legal ground for its attempt to compel it to enforce the settlement and that the lawsuit “seeks to deprive the Commission of the discretion to exercise its enforcement authority.”
Earlier this week, more than 30 state attorneys general wrote to Google CEO Larry Page saying that the new Google policy forces consumers to allow information to be shared across several forums without the ability to opt out or choose their preferences for how their personal information is used. The letter also points out that Google has become known as a company that puts a premium on offering users choice in the use of their information, but now that information is being “held hostage.”
EPIC alleged in its complaint that Google has misrepresented its intention to use combined data for behavioral advertising. EPIC also alleges that the agreement gives the FTC the power to stop Google from making the planned privacy changes and that Google’s new policy requires the users’ consent. A key issue in the protests against the new policy had been that account holders will not be able to opt out of it.
A key issue in this case will be whether EPIC, a non-party to the agreement, can force the FTC to take action against Google. EPIC did not bring this action under the Federal Trade Commission Act, which is the source of the vast majority of FTC enforcement actions. Instead, this suit was brought under a section of the Administrative Procedures Act allowing challenges to agency action that is “unlawfully withheld.”
There may be strong precedent against EPIC in this case. The Supreme Court stated in 1985 in Heckler v. Chaney that “an agency decision not to enforce often involves a complicated balancing of a number of factors which are peculiarly within its expertise . . . The agency is far better equipped than the courts to deal with the many variables involved in the proper ordering of its priorities.”
Although EPIC brings an interesting argument, it is not likely to prevail. However, with Google able to unilaterally impose its privacy changes on users, and with Congress and the FTC failing to take action to protect consumers, it becomes unclear who will stand up to protect the privacy interests of consumers. We will continue to follow any new developments in this case.
The Congressmen’s letter is in response to the recent Path address book fiasco in which Path acknowledged – and apologized for – its collection of consumer address book information without notifying users. News surrounding Path’s activities led to Congressional concerns over the extent to which consumer data, especially contact information, is being collected and stored for future harvesting, all without the consumer’s knowledge or permission. The Waxman-Butterfield letter quotes the Guardian: “there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission, to remote servers and then store it for future reference. It’s common practice, and many companies likely have your address book stored in their database.”
The congressmen called for Apple to address how its app policies and practices protect consumer privacy. Apple was swift to respond, and within the day vowed to release a software update to prevent data collection that would violate the company’s privacy policies.
On the heels of the Waxman-Butterfield letter (but in the works well beforehand) comes a report by the FTC: “Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing.” The report title pretty much says it all. The FTC surveyed some 960 kid-based apps sold through Apple and Android to determine, from the various apps’ promotion pages and websites, the extent to which the developers disclose what [child] consumer data is collected and how it is used. The FTC reported that it was disappointed with the results – that disclosures were scant or nonexistent.
Tying its authority over mobile apps with its authority to enforce children’s privacy protections online through the Children’s Online Privacy Protection Act (COPPA), the FTC warned that it will be reviewing more mobile apps directed at children over the next six months, but this time, it will be enforcing – not just surveying – COPPA compliance. COPPA requires operators of online services directed to children under age 13 to provide notice and obtain parental consent before collecting items of “personal information” from children.
Several times in the FTC report the agency suggested the need for clear, concise, consistent and timely information on data collection and usage. That means disclosures of how the app (or third party advertisers) will/may use the consumer data should be upfront and precede download so that parents can determine whether or not to allow their children to use the app. Disclosures should include any connections to other social media.
The FTC report also identified (several times) the types of data that could be collected – from contact information, to location information, to call data, as well as in-app data. App developers and third party advertisers should take into account the importance of full disclosure.
Perhaps most importantly, the FTC report and the Waxman-Butterfield letter demonstrate that the government views Apple and Android (and other app stores) not just as the marketplace for app sales, but also as the gatekeepers. The FTC report pointed to Apple and Android as providing the architecture for disclosures and suggested that app stores could incorporate icons to make disclosures more easily identifiable. The Congressmen’s letter all but blames Apple for its apps’ failings.
We have been seeing increasing backdoor regulation by the government through major online presences in a couple of places, including here and here. Since government regulators acknowledge the difficulties in keeping up with developments in new technologies, it’s fair to assume they will look to major online presences to have a hand in helping keep them up to speed and keeping advertisers and developers under wraps.
The new policy will consolidate and streamline some 60 disparate policies of Google products and services. In the overview it has provided to users, Google says that it has tried to keep the policy as simple as possible. And it is an easy-to-read, relatively brief statement that is much more user-friendly than the agreements that we regularly click through in haste to access some enticing new service.
As a part of the new policy, Google will aggregate data it collects on users across its products (with the exception of Google Wallet and Google Books) and develop a “mega-profile” on each user. That data collection includes a user’s Google searches, Gmail message content, YouTube favorites, and contacts. It also includes location tracking.
Google touts the benefits of its new policy as creating “a beautifully simple, intuitive user experience across Google.” For instance, if you search for pizza, the Google location tracker will look for a nearby pizza place. The Google calendar combination will provide reminders, based on your location, if you’re going to be late for a meeting.
But lest we forget, the reality is that Google has acknowledged that it is collecting massive amounts of data on its users. Regardless of the usefulness and efficacy of some of its new features, users are beholden to Google (1) to securely store and (2) to defend their personal data.
This inability to opt out is one of the prime reasons that members of Congress have had questions about the new policy. Several members sent a letter to Google CEO Larry Page, asking for detail on what would be collected, how it would be used, and what could come of that data. Google representatives ended up in a closed-door briefing with Congressional members on February 2. From initial reports, it does not appear that the members’ concerns were satisfactorily addressed in the briefing. This gives reason to question what could become of individual users’ “mega-profiles.”
Google’s new policy, and all the accompanying noise, serves as a good reminder that, in the age of new technologies, we are constantly waiving our privacy rights. How often do we click through a user agreement in haste so we can have access to a cool app? How often do we reflect on whether the benefits of the new technology truly outweigh the costs?
Compare the controversy over Google’s new policy with the recent Supreme Court holding in United States v. Jones that warrantless GPS tracking of a criminal suspect violated the Fourth Amendment. Justice Samuel Alito’s concurring opinion in the case hinted at lowering privacy expectations with new technologies: “The availability and use of these and other new devices will continue to shape the average person’s expectations about the privacy of his or her daily movements.” As we press forward in an age in which it is ever easier to get the who, what, when and why of each of us, based upon our own preference for convenience and coolness, we must face the consequences: Privacy will suffer, unless Congress does something about it.