Online diploma mills, which require little or no coursework to complete a degree, have recently garnered much attention within the online education realm. Websites which offer questionable diplomas for hundreds of dollars target vulnerable consumers seeking a degree to improve their life prospects, while simultaneously casting a shadow over legitimate online educational institutions which offer accredited programs and a complete educational experience including coursework, teacher interaction, and grading. In the latest crackdown on online diploma mills, the Federal Trade Commission obtained a temporary restraining order against Diversified Educational Resources, LLC and Motivational Management & Development Services, Ltd., companies which generated millions of dollars by selling worthless high school diplomas to thousands of consumers.
According to the allegations of the FTC’s complaint, the defendants have been operating purported online education sites since 2006, under the names Jefferson High School Online and Enterprise High School Online. The FTC alleges that the websites misleadingly represent that these are accredited schools by saying that the defendants “[p]rovide a respected and recognized high school diploma equivalency program,” that students completing the program will be “high school graduates,” and that the schools are registered with the Florida Department of Education. While the latter statement is technically true, the websites do not reveal that registering with Florida’s School Choice Program does not mean that the programs are accredited but rather, according to the complaint, registration is merely a “ministerial act, based solely on their own self-reported answers to Florida’s annual private school survey” which the Florida Department of Education does not verify. The truth of the accreditation status can only be found buried in dense paragraphs of text, in which the defendants note that they are “actively pursuing accreditation options” although they have not applied for any yet.
Consumers paid $200 to $300 to register on the websites. Those fees did not entitle them to any coursework, education, or test preparation. Rather, customers were immediately prompted to take a “test,” which was nearly impossible to fail because the websites provided hints to ensure that customers passed. After passing the test, customers received diplomas bearing the name “Jefferson High School Online” or “Enterprise High School Online.”
The “diplomas” that the defendants issued to customers were useless, according to the FTC. Many customers learned that their diplomas were invalid after unsuccessfully attempting to use them to apply to jobs, enroll in college, or join the military. Further, unsatisfied customers who sought a refund were refused, according to the FTC. Through this scam, the complaint says, the defendants collected over $11 million since 2009 without providing a real education product or service.
The U.S. District Court for the Southern District of Florida issued a temporary restraining order and asset freeze in response to these allegations, suspending the domain names and prohibiting any material misrepresentations regarding online education. The case remains pending in the Southern District of Florida and the defendants’ responsive pleadings are due in October.
A great way to make money is to develop a product or service that responds to a consumer want or demand, and then to stay ahead of prospective competitors by offering better pricing or quality. A not-so-great way to make money is to convince consumers to buy a product or service that they don’t really want or need, at inflated rates. A highly dubious way to make money is to trick consumers into paying for something they didn’t want and didn’t mean to buy.
Businesses operating in this third category, which may include a scareware marketer or two, have to consider risk versus reward. Is the reward of temporary profits worth the risk of legal action; what is the likelihood of legal action; and what is the potential cost of such action?
Someone who operates on tricks over treats, or by pure scareware tactics, may expect business to dry up as consumers learn to avoid their traps. Such an operator must also face the looming threat of consumer legal action, government intervention, or run-ins with credit card companies alarmed by high chargeback rates.
For these types of businesses in the mobile marketing space, the cost of potential government intervention is going up. A recent settlement between the Federal Trade Commission and Jesta Digital LLC points to the severe penalties a business may face for operating on the sidelines of fair play. The consequences include a hefty fine, consumer refunds, restricted billing practices and stringent compliance measures for years to come.
Jesta (which also does business as Jamster) is known mostly for its marketplace of ringtones, photos, videos and apps. Starting in 2011, it ran a scareware campaign, purportedly for anti-virus software, that the FTC asserts crossed the line into deceptive advertising. The ads ran on the free version of the Angry Birds app for Android. Using a graphic that looks like the Android robot logo, the banner ad displayed a warning that viruses had been detected on the device – even though no virus scan was conducted. According to the FTC, when the consumers clicked on the “remove [virus]” button, or similar “warning” buttons, Jesta directed them through a number of pages about virus protection that left to very fine print a monthly service fee for ringtones and other content.
The FTC alleges that consumers were even charged at the instant of pressing a “Protect Your Android Today” button. Through the use of Wireless Access Protocol (WAP) billing, the company was able to charge consumers through their cell phone numbers without needing to obtain express authorization. (It may be that the use of the billing practice actually spurred the FTC into action as wireless carriers initiated their own penalties against Jesta for the large number of consumers demanding refunds.) The FTC also alleges that the anti-virus software often failed at download (apparently at one point, only 372 people out of 100,000 subscribers actually received some sort of anti-virus app download link).
The FTC describes numerous deceptive practices: mimicking the Android logo to confuse consumers into believing the virus warnings were credible, charging consumers without their knowledge or consent, failing to provide services charged for. The company apparently was aware that its scareware tactics crossed the line, as an email correspondence among company executives noted that the chief marketing officer was “anxious to move our business out of being a scam and more into a valued service.”
So now the company must pay the FTC a $1.2 million penalty and offer to refund consumers. The process of identifying and notifying consumers of their refund options and tracking all this to show to the FTC will be a costly undertaking. Another major cost will be the stringent and detailed billing practices that the company – and all participants, including principals and agents – must adhere to, disclosures it must make, and compliance monitoring and recordkeeping requirements it must adhere to, for 20 years. The settlement agreement is far more than a hand slap; its terms keep Jesta (and its principals!) beholden to the FTC for the foreseeable future.
Mobile marketers who may calculate risk versus reward and decide that a get-rich-quick scheme is worth the risk should think again. The FTC is making deceptive marketing tactics, like many scareware campaigns, a priority. We have seen strong action from the agency in the recent past, including hefty penalties for the company Innovative Marketing and its principal Marc D’Souza. Moreover, the newly-appointed head of consumer protection at the FTC, Jessica Rich, has noted that the FTC is expanding digital enforcement, increasing the risk of getting caught in the agency’s cross-hairs.
On October 3, 2013, the Consumer Financial Protection Bureau announced it had filed a complaint in federal district court in Washington state against a leading debt-settlement payment processor, Meracord LLC, and its CEO. The CFPB contends that Meracord helped third parties collect millions of dollars in illegal upfront fees from consumers.
The complaint alleged violations of the Federal Trade Commission’s Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act of 2010. The CFPB contended that Meracord maintained accounts and processed payments for consumers who had contracted with providers of debt-relief services and mortgage assistance relief services. As is often the case, when consumers enroll in a debt-relief program, they also enter into a separate agreement with a payment processor, which establishes and maintains a “dedicated account” for the consumer. At the time of enrollment, the debt-relief service provider instructs the consumer to stop paying his or her unsecured debts and, instead, to make monthly payments to the payment processor. The processor can later pay renegotiated debts to the creditor and also pay the debt-relief servicers’ fees.
The CFPB alleged that, since October 27, 2010, Meracord processed payments for more than 250,000 consumers receiving debt-relief services from more than 250 debt-relief service providers. According to the agency, consumers paid debt-relief service providers before any debts were settled. The Telemarketing Sales Rule has special requirements for debt reduction services. In particular, providers are not allowed to request or take fees for services before providing debt-relief services resulting in actual renegotiation or other settlement of a consumer’s debt and a payment by the consumer to a creditor. The FTC asserted that Meracord processed payments for debt reduction services which routinely charged advance fees to consumers in violation of the TSR.
The TSR also makes it unlawful for third parties to assist others in violating the TSR. The CFPB used this section of the TSR against Meracord. Since Meracord collected the payments from consumers and would know whether or not they had been disbursed to creditors, and when they had been disbursed to the debt-relief servicers, Meracord would have knowledge that the debt-relief servicers were violating the TSR by collecting fees prior to delivering debt-relief services that resulted in payments to creditors.
Meracord and its CEO have agreed to settle the case. In the Stipulated Final Judgment and Order, Meracord and its CEO, Linda Remsberg, agree that they will be permanently enjoined from providing account-maintenance or payment-processing services to any provider of a debt-relief service or a mortgage assistance relief service. The proposed settlement (which must be approved in court) also provides for a civil money penalty of $1.37 million and compliance reporting and monitoring, as well as ongoing recordkeeping requirements.
The CFPB’s action signals that it will use its authority to reach organizations that it believes provide substantial assistance to others allegedly violating consumer protection laws within its jurisdiction. CFPB Director Richard Cordray said, “By taking a stand against those who facilitate illegal activity, we can root out harmful behavior across the debt-settlement industry and better protect consumers.” Thus, it is not only those companies dealing directly with consumers who need to be cognizant of the CFPB’s reach. In particular, organizations within the “chain” of industries such as debt-settlement and credit repair should review their compliance with laws and rules the CFPB may enforce (usually shared with other agencies such as the FTC), and which include the Fair Debt Collection Practices Act, the Fair Credit Reporting Act, the Telemarketing Sales Rule, the Business Opportunities Rule, and other consumer financial-related statutes.
It’s quite clear that the Federal Trade Commission and the Federal Communications Commission view existing federal consumer protection and communications statutes as fully applicable to new modes of communication such as texting. One excellent recent example is the FTC’s stipulated settlement, including a payment of $1 million, with a debt collection agency that had sent out text messages in order to collect debts.
The FTC had filed suit under the Fair Debt Collection Practices Act (FDCPA) against National Attorney Collection Services, Inc., National Attorney Services LLC, and Archie Donovan (as an individual). This appears to be the first FTC complaint alleging the illegal use of text messaging to collect consumer debts. In addition, the defendants were also alleged to have violated the FDCPA in more traditional ways by publicly revealing consumer debts to family members and co-workers, sending mailings that had a picture on the envelope of an outstretched arm shaking out an upside-down consumer to empty the money in their pockets, and falsely portraying themselves as law firms or attorneys in phone calls and mailings, as well as in text messages. Of course, the “older” methods of violations were troublesome in and of themselves, but there were two specific points that we see as trend-setting in FTC enforcement.
The first point is the FTC’s emphasis that the medium of text messages does not change disclosure obligations under the FDCPA. The FTC has continued to crack down on illegal behavior that may be carried out by non-traditional means. As Jessica Rich, director of the FTC’s Bureau of Consumer Protection, has said, “No matter how debt collectors communicate with consumers — by mail, by phone, by text or some other way — they have to follow the law.”
The consumer protections in the FDCPA that require the disclosure in initial communications that the company is a debt collector and that any communications may be used to collect a debt apply equally to text messages, even though there may be significant space and size limitations. Likewise, any follow-up text message must state that the communication comes from a debt collector.
The second noteworthy point was the level of consent required by the stipulated order. The stipulated order provides that “express consent” shall mean that prior to sending a text message to a consumer’s mobile telephone: “(i) the Defendants . . . shall have clearly and prominently disclosed that the debtor may receive collection text messages on mobile phone numbers . . . in connection with the transaction that is the subject of the text message; and (ii) the individual has taken an additional affirmative step, including a signature or electronic signature, that indicates their agreement to receive such contacts.”
The FTC appears to have adopted a more stringent definition of consent (similar to the FCC) and is using the stipulated order as a means of notifying companies and consumers of the higher standard. Of course, it is possible to argue that the FTC is only requiring these particular defendants to meet the higher standard because of their alleged prior bad acts. However, we believe it more likely that the FTC is attempting to enforce a standard of express consent similar to that which the FCC has recently promulgated. Consequently, all companies are well advised to meet this higher standard of consent.
The FTC has now put the industry on alert to ensure that their text messages comply with any applicable law. The idiosyncrasies of modern methods of communication do not limit the compliance obligation. Ignorance is not a defense, even though Donovan’s attorney said that “the companies are now in compliance,” and that “nobody was intending to violate the law.”
The Federal Trade Commission recently filed another complaint against a company for alleged data security lapses. As readers of this blog know, the FTC has initiated numerous lawsuits against companies in various industries for data security and privacy violations, although it is facing a backlash from Wyndham and large industry organizations for allegedly lacking the appropriate authority to set data security standards in this way.
The FTC’s latest target is LabMD, an Atlanta-based cancer detection laboratory that performs tests on samples obtained from physicians around the country. According to an FTC press release, the FTC’s complaint (which is being withheld while the FTC and LabMD resolve confidentiality issues) alleges that LabMD failed to reasonably protect the security of the personal data (including medical information) of approximately 10,000 consumers, in two separate incidents.
Specifically, according to the FTC, LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network. The information included a spreadsheet containing insurance billing information with Social Security numbers, dates of birth, health insurance provider information, and standardized medical treatment codes.
In the second incident, the Sacramento, California Police Department found LabMD documents in the possession of identity thieves. The documents included names, Social Security numbers, and some bank account information. The FTC states that some of these Social Security numbers were being used by multiple individuals, indicating likely identity theft.
The FTC’s complaint alleges that LabMD did not implement or maintain a comprehensive data security program to protect individuals’ information, that it did not adequately train employees on basic security practices, and that it did not use readily available measures to prevent and detect unauthorized access to personal information, among other alleged failures.
The complaint includes a proposed order against LabMD that would require the company to implement a comprehensive information security program. The program would also require an evaluation every two years for 20 years by an independent certified security professional. LabMD would further be required to provide notice to any consumers whose information it has reason to believe was or could have been accessible to unauthorized persons and to consumers’ health insurance companies.
LabMD has issued a statement challenging the FTC’s authority to regulate data security, and stated that it was the victim of Internet “trolls” who presumably stole the information. This latest complaint is yet another sign that the FTC continues to monitor companies’ data security practices, particularly respecting health, financial, and children’s information. Interestingly, the LabMD data breaches were not huge – with only 10,000 consumers affected. But, the breach of, and potential unauthorized access to, sensitive health information and Social Security numbers tend to raise the FTC’s attention.
While industry awaits the district court’s decision on Wyndham’s motion to dismiss based on the FTC’s alleged lack of authority to set data security standards, companies should review and document their data security practices, particularly when it comes to sensitive personal information. Of course, in addition to the FTC, some states, such as Massachusetts, have their own data security standards, and most states require reporting of data breaches affecting personal information.
Since 2003, online marketers and merchants have been gathering twice a year to take part in the Affiliate Summit Conferences. In recent years, Ifrah Law has become a fixture at these shows, and our associate Rachel Hirsch is not only widely recognized as the face of the Ifrah Law Power Booth station, but also as a well-respected and preferred attorney counseling online advertisers on compliance-related matters and representing them in nationwide litigation.
After Rachel recently returned from this year’s Affiliate Summit East conference in Philadelphia, we interviewed her about new and emerging trends at this conference and in the industry.
Q. What struck you about the crowd at the conference this year?
A. In addition to the new venue, there were plenty of new faces at the conference this year. Surprisingly, however, despite the conference’s name, there weren’t as many affiliates there as there have been in the past. Traditionally, affiliates, sometimes known as “publishers,” are independent third-parties who generate or “publish” leads either directly for an advertiser or through an affiliate network. This year, with a reported crowd of about 4,000 people, the conference included more individuals representing networks, brokers, and online merchants than affiliates. (Official conference statistics bear this out. Only 29 percent of attendees were affiliates.)
Q. What about vendors?
A. According to the organizers, one out of every 10 people there was a vendor. The term “vendor,” however, is something of a misnomer. A vendor can be another term for an online merchant – someone who is actually selling a product on the market – or it can be a generic category for marketers who do not fit into the traditional categories of affiliates, merchants, or networks.
Q. What new industry trends did you notice?
A. At every conference, one or two markets always seem to have a dominant presence. At the Las Vegas conference in January, there was a large turnout of marketers in the online dating space. This year, two different markets emerged – diet/health and downloads.
Some of the exhibitors this year were manufacturers of nutraceuticals, which can include weight-loss products or testosterone-boosting products. The trend seems to be for online marketers to “white label” or “private label” nutraceuticals from bigger manufacturers. What this means is that online marketers or advertisers actually attach their brand names to a product and product label that they purchase from a manufacturer, either based on their own formulations or based on the manufacturer’s product specifications. Well-known products that would fall into this category include Raspberry Ketone, Green Coffee Bean, and Garcinia Cambogia.
There were also a lot of individuals and companies there in the so-called “download” space. This often means the use of browser plug-ins that the consumer can download himself or herself. These can install targeted advertising (often pop-ups or pop-under ads) on an existing web page.
Q. Are there any risks involved in private labeling?
A. Definitely. If your name is on the label, it doesn’t matter that you didn’t manufacture the product. Your company and your label are subject to FTC scrutiny to the extent that you make claims about the product that you cannot substantiate. And beyond that, the Food and Drug Administration will also flex its enforcement power to the extent you or your manufacturer fail to institute good manufacturing practices, or “GMPs.” While many companies claim that they are GMP-certified, many do not have practices and processes in place to account for defective product batches, serious adverse events resulting from product use, or product recalls.
Q. What are some other hot areas of enforcement by the federal government?
A. Well, how you market your product may be as closely scrutinized as the underlying message. Online marketers who make outbound calls to consumers, or who engage third-party vendors (such as call centers) to make these calls can run afoul of the Telephone Consumer Protection Act. Under the TCPA, anyone who calls customers without their express advance consent, or who hires anyone else to do so, can be hit with a $500 fine for each violation. That adds up, and the TCPA can be enforced by the Federal Communications Commission or by private plaintiffs. Upcoming changes in the TCPA, which will be effective in October 2013, make it even harder to stay on the right side of the law.
Q. How would you put it all together as far as the legal issues?
A. It’s not just the FTC any more. These days, online marketers need to be aware of other agencies with broad enforcement powers, such as the CFPB, the FDA, and the FCC. And don’t forget about the threat of private consumer litigation.
The credit reporting industry – dominated by Experian, Equifax and TransUnion – maintains a precarious balance of obligations: On the one hand, these companies bear a responsibility to banks and other businesses at large to retain reliable information to ensure that the credit scores they report are a fair representation of the individual’s credit-worthiness. On the other hand, federal law, including the Fair Credit Reporting Act, imposes an obligation upon the credit reporting agencies and other related companies to conduct reasonable investigations to address disputes about errors in individuals’ credit files. In both instances, the companies bear a weighty responsibility.
For this reason, companies in the credit reporting industry are subject to intensive regulatory scrutiny – historically by the Federal Trade Commission and, more recently, by the Consumer Financial Protection Bureau. Both agencies have issued reports on their studies of the way in which credit reporting companies handle the information entrusted to them, and how they respond to consumer disputes.
This past Sunday, CBS’s 60 Minutes – a show that most people associate with responsible news reporting – ran a segment that unfairly distorted these reports about credit reporting agencies’ compliance with their obligations. The show, which was largely based on an advance copy of an FTC study, relied upon selective interpretation of the data in that study, throwing out snippets of information without being specific on what the data meant.
The vast majority of the story can hardly be viewed as unbiased: interviews with a politically motivated state attorney general, two plaintiffs’ attorneys who spend their careers suing the credit reporting agencies, a handful of dissatisfied consumers, and several disgruntled former call center employees whose role in addressing consumer complaints was never really explained in a meaningful way. The result was a show clearly intended to convey a message that the credit data retained by these companies is riddled with errors, and that the credit reporting agencies fail to comply with their legal obligations to take steps when there is a claim of an inaccuracy.
In fact, as the Consumer Data Industry Association has pointed out, the FTC study shows that 98 percent of credit reports are materially accurate. In this regard, 60 Minutes missed the most critical point in the research – that the measure of accuracy is tied to the question of whether an error has consequences for consumers and not just whether there is an error that has little or no impact on credit scores. The FTC study actually concluded that only 2.2 percent of credit reports have an error that would lead to higher-priced credit for the consumer.
60 Minutes compounded its error by repeatedly asserting that it was “nearly impossible to expunge” an error in a credit report, and providing a forum for a state attorney general and two plaintiffs’ attorneys to assert that the credit reporting companies do not comply with their obligations under federal law. This one-sided treatment does not square with a 2011 study from the Political and Economic Research Council that showed that consumers were satisfied with the resolution of their disputes in 95 percent of the cases. It also does not square with the results of a year-long study of the dispute process by the FTC in which the agency found no violations of law.
It is not hard to understand what motivated 60 Minutes to run this story: Because everyone has a credit score, an inflammatory story about credit scores is likely to get everyone’s attention. But the one-sided and distorted way in which 60 Minutes presented this information was a disservice to the public. And even if credit reporting agencies are not perfect, they deserve better treatment at the hands of those who have the public’s ear.
Manufacturers and marketers know that the more consumer data they have, the more they can tailor and direct their advertising, their products, and their product placement. This helps them to maximize sales and minimize costs. Thanks to the combination of cheap data storage and ubiquitous data capturers (e.g., smart phones, credit cards, the Web), the amount of consumer data out there to mine is astounding. Hence the recently-popularized term, “Big Data.”
But the misuse of data could result in government enforcement actions and, more importantly, serious privacy violations that can affect everyone.
Some of the practical challenges and concerns flowing from the use of big data were addressed recently by FTC Commissioner Julie Brill at the 23rd Computers, Freedom and Privacy conference on June 26. Issues raised include noncompliance with the Fair Credit Reporting Act and consumer privacy matters such as transparency, notice and choice, and deidentification (scrubbing consumer data of personal identifiers).
The FCRA: Those whose business includes data collection or dissemination should determine whether their practices fall within the boundaries of the FCRA. As Brill pointed out, “entities collecting information across multiple sources and providing it to those making employment, credit, insurance and housing decisions must do so in a manner that ensures the information is as accurate as possible and used for appropriate purposes.” If Brill’s comments are any indication of enforcement actions to come, businesses should be aware that the FTC is on the lookout for big data enterprises that don’t adhere to FCRA requirements.
Consumer Privacy: Brill gave some credit to big data giant Acxiom for its recent announcement that it plans to allow consumers to see what information the company holds about them, but she noted that this access is of limited use when consumers have no way of knowing who the data brokers are or how their information is being used. Brill highlighted how consumer data is being (questionably) used by national retailer Target: the somewhat funny yet disturbing news story about Target Stores identifying a teen’s pregnancy. It is a classic example of why consumers ought to have notice of what data is being collected on them and how that information is being used.
Consumers also need to have, as Brill suggested, the opportunity to correct information about themselves. This makes sense. Data collection is imperfect – different individuals’ information may be inaccurately combined; someone’s information may have been hacked; someone could be the victim of cyber-bullying, and other mishaps and errors can occur. Consumers should be able to review and correct information for errors. Finally, Brill highlighted concerns that current efforts to scrub consumer data may be ineffective, as companies are getting better at taking different data points and still being able to accurately identify the individual. “Scrubbed” data in the wrong hands could be as harmful as a direct security breach.
Brill encouraged companies to follow the “privacy by design” recommendations issued by the FTC in order to build more protections into their products and services. She further emphasized her initiative “Reclaim Your Name,” which is set to promote consumer knowledge and access to data collection. Companies that are in the business of data collection, mining and analytics should take note of the FTC’s efforts to empower the consumer against the overuse or misuse of consumer data. If you want to stay on the good side of the FTC – and on the good side of the informed consumer – work with the consumer, and provide meaningful notice, choice and consent.
Following a public comment period, the Federal Trade Commission recently approved a final order settling charges against mobile device manufacturer HTC America, Inc. HTC develops and manufactures mobile devices based on the Android, Windows Mobile, and Windows Phone operating systems. This case, which focuses on device security, is the FTC’s first case against a device manufacturer.
The FTC alleged that HTC failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers. According to the FTC, HTC’s failures introduced various security flaws that placed consumers’ sensitive information at risk. The FTC’s action against HTC signals the agency’s continued focus on data security and data privacy issues and use of its broad “Section 5” authority, which the FTC has repeatedly asserted against various organizations, including its ongoing litigation with Wyndham Hotels. The HTC case also reiterates the agency’s strong interest in securing mobile networks, now that mobile phones, which are full of sensitive contact, financial, and other personal information, have become so prevalent.
Companies may be asking what HTC actually did to warrant this FTC action. The FTC claims that HTC, when customizing the software on mobile devices, failed to provide its staff with sufficient security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow commonly accepted secure coding practices, and did not have a process for receiving and addressing vulnerability reports from third parties.
In particular, the FTC asserted that HTC devices potentially permitted malicious applications to send text messages, record audio, and install additional malware onto a consumer’s device, without the user’s consent or even knowledge. These malicious applications allegedly could access financial and medical information and other sensitive information such as a user’s geolocation and text message content.
In the case of Android devices, the FTC claimed that HTC pre-installed a custom application that could download and install applications outside the normal Android installation process. However, HTC did not include appropriate permission check code to protect the pre-installed application from unauthorized use. Consequently, a third-party application could command this pre-installed application to download and install any additional applications onto the device without a user’s knowledge or consent.
The FTC further charged that HTC’s actions actually undermined Android consent mechanisms that, but for HTC’s actions, would have prevented unauthorized access and transmission of sensitive information. The FTC’s complaint alleged that the vulnerabilities have been present on approximately 18.3 million HTC devices running Android. The complaint further alleged that HTC could have prevented these vulnerabilities through readily available, low-cost measures, such as adding a few lines of permission check code when programming its pre-installed applications.
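To show what “a few lines of permission check code” can look like in an Android service exposed over Binder, here is an added illustration; it is not HTC’s code and does not come from the FTC’s filing. The class name, transaction code and the `installFrom` hook are hypothetical, and the privileged install step itself is left to the device build.

```java
import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

/**
 * Hypothetical pre-installed helper (all names are illustrative).
 * It runs with install privileges and accepts install requests over Binder.
 */
public abstract class InstallHelperService extends Service {
    static final int TRANSACTION_INSTALL = IBinder.FIRST_CALL_TRANSACTION;

    /** The privileged download-and-install step, supplied by the device build. */
    protected abstract void installFrom(String packageUrl);

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TRANSACTION_INSTALL) {
                return super.onTransact(code, data, reply, flags);
            }
            // The permission check: the *calling* app must itself hold
            // INSTALL_PACKAGES. If this call is omitted, any app able to bind
            // to the service borrows the helper's privilege, which is the
            // condition the complaint describes.
            enforceCallingPermission(Manifest.permission.INSTALL_PACKAGES,
                    "uid " + Binder.getCallingUid() + " may not request installs");

            // Reached only when the caller is authorized.
            installFrom(data.readString());
            if (reply != null) {
                reply.writeNoException();
            }
            return true;
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

`enforceCallingPermission` throws a `SecurityException` back to the caller when the permission is missing, so the request fails before any privileged work starts.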
In a precedent-setting remedy, the FTC’s final order requires HTC to develop and release software patches within 30 days of service of the FTC’s final order on HTC. The patches must fix vulnerabilities in millions of HTC’s devices, including every covered device having an operating system version released on or after December 2010. HTC must also establish a comprehensive security program designed to address security risks during the development of HTC devices. The FTC requires the program to include consideration of employee training and management; product design, development and research; secure software design and testing; and review, assessment, and response to third party security vulnerability reports.
Further, HTC must undergo independent security assessments every other year for the next 20 years. Among other requirements, the independent, professional assessment must certify that HTC’s security program operates with sufficient effectiveness to provide reasonable assurance that the security of covered device functionality and the security, confidentiality, and integrity of covered information is protected and has operated during the reporting period. HTC is barred from making false or misleading statements about the security and privacy of consumers’ data on HTC devices.
The FTC’s action against HTC has broad application beyond the mobile device and software marketplace. The agency’s action further solidifies the FTC’s role as the leading enforcer of data security standards. Once again the FTC has demonstrated that it is setting data security standards and will continue to monitor and police the marketplace when it believes companies have not incorporated what it believes are commonly accepted security features or when organizations have failed to take steps to prevent vulnerabilities.
While Google is already subject to commitments it made to the FTC regarding the requirement to afford advertisers non-discriminatory access to its search engine, the FTC’s latest guidance makes clear that Google and other search engines must also maintain clear disclosures to the public about sponsored content in search results.
On June 24, 2013, in a series of letters to general search engines such as Google, Yahoo, and Ask.com, as well as to specialized search engines, the FTC issued updated guidance concerning disclosures regarding paid advertisements in search results.
This latest FTC action follows on the heels of the Commission’s recent updates to the Dot Com Disclosures and the updated Endorsements and Testimonials Guides. The FTC’s letters came in response to industry and consumer organizations’ requests to the Commission to update its policies on search engine results, last released in 2002. The FTC also noted that it has observed a decline in search engines’ compliance since 2002.
The FTC’s central concern, first articulated in 2002, remains the problem that consumers may be deceived in violation of Section 5 of the FTC Act unless search engines clearly and prominently distinguish advertising from natural search results.
Consumers assume that search results reflect the most relevant results. When results appear because the advertiser has paid a search engine for, say, prominent placement, that placement could be deceptive to consumers if they are unaware of the commercial relationship between the advertiser and the search engine.
The growth of mobile commerce in particular has spurred the FTC to issue new guidelines. Search results on mobile phone screens are, by their nature, small, and consumers could be easily confused by paid search results if the “paid” nature of those results is not clear.
In the new guidance, the FTC states that if search engines continue to distinguish advertising results by giving a different background color or shading combined with a text label (such as “sponsored” or “ad”), the search engines should consider multiple factors to ensure that any labels and visual cues are sufficiently “noticeable and understandable” to consumers. The agency clarified that there is no “one size fits all” and that search engines may use various methods, provided the disclosures are noticeable and understandable.
Proper disclosures, according to the FTC, include the following:
• Visual Cues – Search engines must select hues of sufficient luminosity to account for varying monitor types, technology settings, and lighting conditions. The FTC notes that search engines should consider using web pages of different luminosities for mobile devices and desktop computers. Further, the FTC recommends that search engines should use:
o more prominent shading that has a clear outline;
o a prominent border that distinctly sets off advertising from the natural search results; or
o both prominent shading and a border.
• Text Labels – The FTC asserts that text labels must be used in addition to the visual cues a search engine may use to distinguish advertising. Text labels must:
o use language that explicitly and unambiguously conveys that a search result is advertising;
o be large and visible enough for consumers to notice them;
o be located near the search result (or group of search results) that they qualify and where consumers will see them; and
o be placed immediately in front of an advertising result, or in the upper left-hand corner of an ad block, including any grouping of paid specialized results, in adequately sized and colored font.
The new guidance also recognizes that technology will continue to evolve, such as voice assistants on mobile devices (e.g., the iPhone’s “Siri”). While technology may change, the new guidance makes clear that the FTC Act’s Section 5 prohibition on deceptive practices remains. Therefore, businesses must make sure that they differentiate advertising from other information. For instance, if a voice interface is used to deliver search results (for example, “find me a Mexican restaurant”) the search engine should disclose audibly any paid advertisements in adequate volume and cadence for ordinary listeners to hear and comprehend.
The FTC continues to be vigilant in monitoring the online marketplace. Search engines and advertisers need to review their practices, keeping in mind that disclosures that may be readily apparent on a desktop may be hidden on a mobile screen. As with the “Dot Com Disclosures,” the agency is providing guidance to businesses; however, FTC enforcement remains vigilant and companies that do not clearly disclose paid advertising in search results could face an FTC investigation.