Acting Chairman of the Federal Trade Commission, Maureen Ohlhausen, answered questions about the FTC’s current role in data privacy before a crowded audience at the April 2017 IAPP Global Privacy Summit in D.C. Below are some take-aways we wanted to share from Commissioner Ohlhausen’s talk:
- Even if out of ISP oversight, the FTC is actively engaged in data privacy enforcement through its consumer protection role.
Ohlhausen expressed disappointment that FTC had to step out of ISP oversight in 2015, when the FCC reclassified broadband as a common carrier service (the reclassification means the FCC, no longer the FTC, has authority over privacy and data security enforcement of ISPs). But she said that the FTC is still active through holding companies to their data privacy policies and claims: “We enforce promises. We hold companies to their promises, even in technologically advanced areas.” She noted that FTC enforcement actions derive not only from consumer complaints, but that the FTC is getting cases from computer researchers and marketplace competitors.
- FTC to present positive findings from its enforcement actions.
Ohlhausen and her staff are considering changing up what they present publicly on their investigation findings. Normally, the FTC publishes what it has found companies doing wrong, but Ohlhausen believes the public could benefit from what the FTC has found companies doing right. The FTC therefore may be bolstering its public messages on enforcement actions with this positive twist.
- How FCC and FTC oversight of ISPs differs.
Ohlhausen noted that the FCC has ended up with a different approach to data security oversight. For instances, they have taken a different view on what constitutes sensitive data and on what types of opt-ins and opt-outs are permissible. She expressed concern that, with the Open Internet Order, which revoked FTC Privacy Rules, no one is really watching the hen house. She hopes either Congress or the FCC will reconsider the FTC’s role: The FCC could rescind its reclassification or Congress could rescind the FCC’s common carrier authority of broadband services.
- The Privacy Shield and the FTC’s role in working with Europe.
Ohlhausen noted that the current Administration seems committed to the Privacy Shield. She believes that the Privacy Shield meets Europe’s needs and further that the FTC has an important role to fill in (1) ensuring how information is disseminated and (2) enforcement. For instance, the FTC can provide guidance on how to inform EU consumers on the parameters of the Privacy Shield. Moreover, the FTC will enforce Privacy Shield violations—based on deception for failure to comply. She is optimistic that the Shield will withstand court challenges, in contrast to the Safe Harbor, which was negotiated in a different environment.
- Chinese forays into privacy.
Ohlhausen, who was heading to Beijing the day after her IAPP talk, expressed interest in Chinese developments in privacy regulation: where a communist country’s government controls so much, there still can be a real interest in privacy for the consumer. She noted that some international companies have concerns over whether they will be disadvantaged by Chinese privacy laws.
- Privacy and overlap with other areas of law
When asked whether privacy laws, such as anti-discrimination provisions contained in the GDPR, are carrying more water than just privacy, Ohlhausen noted that there is some overlap, such as with the Fair Credit Reporting Act and Civil Rights Act. She took the discussion as an opportunity to highlight the importance of balancing fear of the unknown against the benefits of innovation: it is good to identify the bad things that can happen. But we also need to weigh that against the good things. While consumer protection is important, we also want a competitive marketplace, and want to encourage innovation.
 A side note on the FCC reclassification: a persistent theme in Ohlhausen’s talk was expressing hope that the FTC would get authority back over ISPs.
Your business booked a large charity event. However, the customer contact turns out to be a nightmare. She complains (during and after the event) that the service was slow, the food looked and tasted like a frozen meal, and the drinks were watered down. She even claims she was overcharged. You reviewed the situation and, while you disagree, you offer her a credit. She declines and instead decides to post scathing reviews on Yelp, TripAdvisor, and several other review sites. She also gets her friends to post similar reviews. You remember, however, that the booking contract this irate customer signed barred her from posting negative reviews and imposes a $200 per negative review penalty. You ring up your attorney and ask her to send Ms. Nasty Customer a demand. Your lawyer tells you there may be a problem with this approach – under a new law signed by President Obama in December, the Consumer Review Fairness Act of 2016 – form contracts restricting reviews or imposing penalties are void.
Exceptions and Carve-Outs
There are several significant exceptions to the new law, offering some protections to organizations. First, individually-negotiated agreements are not covered by the new legislation. Second, Congress carved out employer-employee and independent contractor agreements from the “form contract” definition. Thus, under the new Act, employment provisions barring negative online reviews of an employer are not void. However, the National Labor Relations Board strongly disfavors restrictions on employees’ rights to discuss wages and working conditions in public forum. Further, some states may also seek to bar restrictions on online reviews. California and Maryland already have enacted laws barring non-disparagement clauses in consumer contracts.
Third, the Act does not bar an organization or individual from suing for defamation, libel, or slander. Thus, companies may still file suit for reviews containing false statements (and presumably include a clause in a form agreement or terms and conditions addressing such statements). Fourth, the law preserves any confidentiality required by law – such as HIPPA. Fifth, the Act expressly allows a party to remove or to refuse to display on a website/webpage operated by that party the content of a “covered communication” : (1) that contains personal information or the likeness of another person; (2) is libelous, harassing, abusive, obscene, vulgar, sexually explicit “or is inappropriate with respect to race, gender, sexuality, ethnicity or other “intrinsic characteristic”; or (3) that is false or misleading. Thus, companies that host their own webpages for customer comments and interactions may remove customer reviews meeting these standards. It would also appear lawful to advise customers in company terms and conditions or form contracts that such content may be reviewed.
Congress further created a carve-out from the Act’s consumer review protections for trade secrets or commercial or financial information considered privileged or confidential, personnel and medical files where disclosure would result in an invasion of personal privacy, records compiled for law enforcement purposes, content that is unlawful, and content containing computer viruses, worms, or other damaging code.
Federal Trade Commission Enforcement
The Federal Trade Commission (“FTC”) will enforce the Consumer Review Fairness Act of 2016. State Attorney Generals may also bring a civil action in federal court to obtain relief for their residents. The new law requires the FTC (within 60 days) to conduct education and outreach to businesses, including non-binding “best practices” for complying with the Act. Companies get 90 days (until March 14, 2017) before their contracts containing the now-proscribed practices are considered void.
The FTC may target a few “brand name” organizations in early enforcement actions to garner industry attention. Companies should be aware, however, that they retain the right to object to assessments that are exempted, including those that disclose confidential or personal information, or that are defamatory, misleading, obscene, vulgar, or unrelated to the products and services offered on the company’s webpage. So, while consumers cannot be penalized through a form contract by posting reviews, their rights to post are not unfettered. Contrary to the popular adage, as the Union Street Guest House learned, not all press is good press – and companies may still address false or defamatory reviews and those reviews containing other exempted content.
The Federal Trade Commission (“FTC”) recently released a data breach guide for businesses, along with a video and blog to help companies following the immediate aftermath of a data breach. The FTC also provides a model data breach letter to notify individuals of a breach. The agency – which views itself as the nation’s primary “privacy police” has faced scrutiny from private parties and courts for allegedly enforcing privacy and data security standards without promulgating specific rules. The agency instead favors outreach efforts, such its blogs, guides and roundtables to educate industry and the public regarding what it views as best practices.
In this vein, the Guide and the model letter are not a “safe harbor” but offer suggestions on important steps that organizations can follow once they discover data breaches. The FTC emphasizes that the Guide does not pertain to the actual protection of personal information or prevention of breaches, because the agency has already issued separate guidance documents on those subjects. In fact, the FTC also recently updated its guide on protecting personal information.
Following a data breach, the Guide suggests key steps organizations can take, which include:
- Mobilizing the company’s breach response team to prevent further data loss – the team may include legal, information security, IT, human resources, communications, investor relations, and management; companies may consider hiring an independent forensics team;
- Securing physical areas – lock any physical areas affected by a breach; consider changing access codes;
- Taking affected equipment offline immediately – monitor all entry and exit points, and update authorized users’ credentials and passwords;
- Removing improperly posted information from the company’s website, for instance in a situation where personal information affected by the breach is posted on the company’s website. The FTC also advises companies to search the Internet to see if breached information has been posted on other websites and to contact the owners of those websites;
- Protecting evidence – the FTC reminds companies to retain forensic evidence (e. do not destroy it);
- Documenting the investigation, including interviewing people who discovered the breach and making sure employees (such as customer service representatives) know where to forward information that might assist the company in its investigation;
- Examining service provider relationships, to determine if providers have access to personal information and whether provider access privileges should be changed;
- Determining whether data was encrypted at the time of the breach (note: encryption may obviate the need for data breach reporting in many states);
- Implementing a communications plan that explains the data breach to employees, customers, investors, partners, and others such as the press. The FTC recommends “plain English” answers on a company’s website;
- Following legal requirements – such as state data breach notifications and notifying law enforcement;
- Offering at least a year of free credit monitoring – while not required, free monitoring has become standard and most regulators and consumers expect to see the offer in data breach notifications.
As to data breach notification letters, in addition to following the requirements of state laws, the FTC urges companies to advise people what steps they can take, based on the information exposed. When a breach compromises social security numbers, individuals should be directed to contact the credit bureaus to request fraud alerts or credit freezes. Since some scammers pounce on data breach victims, the FTC counsels organizations to tell consumers how they will be contacted going forward. For instance, if the company will never contact individuals by phone, the company should tell consumers that – so individuals can detect telephonic phishing schemes.
The FTC encourages businesses to use the Guide and its accompanying materials to educate employees and customers, such as through newsletters and websites. However, when facing an enforcement action or a lawsuit, will a company’s compliance with the Guide offer any relief from FTC or state Attorney General penalties or assist organizations in their defense in private data breach lawsuits? Ultimately, the crux of breach liability usually relates to how it occurred, but taking swift, corrective actions following a breach should aid an organization when dealing with regulators and third parties by showing good faith actions to prevent further damages. Conversely, a company that fails to take corrective actions can exacerbate a breach and further negatively impact affected individuals and the organization.
The FTC’s Guide and accompanying materials are helpful references, particularly for smaller businesses. As a practical matter, the words of advice I give companies facing a possible data breach is to first, take the time to determine what happened, how it happened, whether the breach continues, and what you can do to prevent it in the future. While several states require reporting within a set number of days (e.g., 45), the laws allow organizations time to conduct factual inquiries, take corrective measures, and prepare to notify affected individuals. Organizations should not rush through these key steps. Second, communication is key. A company facing a breach should develop a clear, consistent statement regarding the breach, the steps being taken and a single contact point. The lack of a communication plan or a consistent message can cause a huge loss of customer and employee confidence and raise regulators’ interest. Third, when preparing data breach notifications, organizations should note that it is likely that the letter will become public due to some states’ open records laws. Numerous websites exist that track and publicize data breaches, based upon information in the notifications – often including copies of the actual letters. Companies should not assume that regulators and consumers simply file the letters away. While your organization cannot prevent the publicity, having a clear, concise data breach notification that meets each state’s requirements without providing excess data will help the company through the process and associated publicity.
In March 2015, I wrote about the ongoing dispute between the FTC and LabMD, an Atlanta-based cancer screening laboratory, and looked at whether the FTC has the authority to take enforcement action over data-security practices alleged to be insufficient and therefore “unfair” under section 5(n) of the Federal Trade Commission Act (“FTCA”). On November 13, 2015, an administrative law judge ruled that the FTC had failed to prove its case.
In 2013, the FTC filed an administrative complaint against LabMD, alleging it had failed to secure personal, patient-sensitive information on its computer networks. The FTC alleged that LabMD lacked a comprehensive information-security program, and had therefore failed to (i) implement measures to prevent or detect unauthorized access to the company’s computer networks, (ii) restrict employee access to patient data, and (iii) test for common security risks.
The FTC linked this absence of protocol to two security breaches. First, an insurance aging report containing personal information about thousands of LabMD customers was leaked from the billing manager’s computer onto peer-to-peer file-sharing platform LimeWire, where it was available for download for at least eleven months. Second, Sacramento police reportedly discovered hard copies of LabMD records in the hands of unauthorized individuals. They were charged with identity theft in an unrelated case of fraudulent billing and pleaded no contest.
Incriminating as it all might seem, Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint entirely, citing a failure to show that LabMD’s practices had caused substantial consumer injury in either incident.
Section 5(n) of the FTCA requires the FTC to show that LabMD’s acts or practices caused, or were likely to cause, substantial injury to consumers. The ALJ held that “substantial injury” means financial harm or unwarranted risks to health and safety. It does not cover embarrassment, stigma, or emotional suffering. As for “likely to cause,” the ALJ held that the FTC was required to prove “probable” harm, not simply “possible” or speculative harm. The ALJ noted that the statute authorizes the FTC’s regulation of future harm (assuming all statutory criteria are met), but that unfairness liability, in practice, applies only to cases involving actual harm.
In the case of the insurance aging report, the evidence showed that the file had been downloaded just once—by a company named Tiversa, which did so to pitch its own data-security services to LabMD. As for the hard copy records, their discovery could not be traced to LabMD’s data-security measures, said the ALJ. Indeed, the FTC had not shown that the hard copy records were ever on LabMD’s computer network.
The FTC had not proved—either with respect to the insurance aging report or the hard copy documents—that LabMD’s alleged security practices caused or were likely to cause consumer harm.
The FTC has appealed the ALJ’s decision to a panel of FTC Commissioners who will render the agency’s final decision on the matter. The FTC’s attorneys argue that the ALJ took too narrow a view of harm, and a substantial injury occurs when any act or practice poses a significant risk of concrete harm. According to the FTC’s complaint counsel, LabMD’s data-security measures posed a significant risk of concrete harm to consumers when the billing manager’s files were accessible via LimeWire, and that risk amounts to an actual, substantial consumer injury covered by section 5(n) of the FTCA.
The Commissioners heard oral arguments in early March and will probably issue a decision in the next several months. On March 20th, LabMD filed a related suit in district court seeking declaratory and injunctive relief against the Commission for its “unconstitutional abuse of government power and ultra vires actions.”
On March 15, 2016, national retailer Lord & Taylor agreed to settle FTC charges that it “deceived consumers by paying for native advertisements.” The settlement is the first of its kind following the December 2015 guidance memorandum, Native Advertising: A Guide for Businesses, issued by the FTC. Under the terms of the settlement, Lord & Taylor is prohibited from “misrepresenting that paid ads are from an independent source, and is required to ensure that its influencers clearly disclose when they have been compensated in exchange for their endorsements”.
On the day the settlement was announced, the FTC also published a copy of the underlying complaint. The complaint alleges that Lord & Taylor developed plans to promote a clothing line for women which included a comprehensive social media campaign of blog posts, photos, native-advertising editorials in online fashion magazines, and a team of “influencers” recruited for their fashion sense and audience on social media. The FTC alleged that Lord & Taylor edited, pre-approved, and paid for a favorable Instagram post that was uploaded to the account of a fashion magazine called Nylon. The regulatory agency further alleged that Lord & Taylor reviewed, pre-approved, and paid for a favorable article in Nylon. In both cases, however, Lord & Taylor failed to disclose its commercial arrangement with Nylon. Similarly, the FTC alleged that Lord & Taylor gifted a dress from the clothing line to fifty “influencers” who were paid between $1,000 and $4,000 to post favorable photos and comments about the dress on social media. Again, Lord & Taylor did not disclose or require influencers to disclose that they had been paid for their posts. Based on Lord & Taylor’s alleged misrepresentations and failure to disclose, the FTC accused Lord & Taylor of engaging in unfair or deceptive acts or practices in violation of the Federal Trade Commission Act.
What is Native Advertising?
Native advertising, also known as sponsored content, is designed to fit in with original online content in a seamless, non-intrusive manner. It allows advertisers to directly reach online consumers, without severely interrupting the original content on the publishing website, video game, or mobile app. In the past few years, this advertising has reached all corners of the internet.
FTC Concerns With Native Advertising
As native advertising has grown, so have the FTC’s concerns about the possibility of deceiving consumers. Therefore, at the close of 2015, the FTC released the guidance memorandum, Native Advertising: A Guide for Businesses, which provides details and illustrative examples for businesses that use native advertising as part of their online marketing campaigns.
Native advertising creates a particular challenge for advertisers. Advertisers want to design an advertisement that appears native to the original content, but must do so without potentially confusing the consumer, who may mistake the advertisement for non-advertising content.
To assist advertisers in complying with these rules, the FTC issued its December 2015 guidance memorandum with examples and tips to ensure advertisers remain compliant. Most of the memorandum focuses on seventeen examples of advertising, including on news sites, in videos, through content recommendation widgets, and in video games. These examples illustrate how and why consumers might be confused by certain native advertising tactics. Most of the examples show how a native advertisement might bear too much similarity to the original content, which means the consumer might not understand that what they are viewing is, in fact paid-for, sponsored content.
Complying With FTC Native Advertising Requirements
The take-away from the Lord & Taylor settlement is that advertisers should avoid placing paid ads that appear to be independent editorial content. Put simply, advertisers must choose between control and disclosure. In other words, advertisers who want to make use of native advertising and “influencers” on social media must either relinquish influence or control over the advertising content or disclose the nature of the marketing arrangement. Bottom Line: Paid advertising must be identifiable as advertising.
The FTC’s December 2015 memorandum provides a variety of tips on how to appropriately disclose native advertising. The disclosures should be three things: (1) placed near the advertising; (2) prominent; and (3) clear. By ensuring that native advertising follows these disclosure guidelines, companies will avoid misleading consumers into thinking their native advertisement is non-sponsored, publisher content.
Finally, the memorandum specifically notes who is affected by these disclosure rules. The enforcement is not limited to just the sponsoring advertiser. Advertising agencies and operators of affiliate advertising networks are also obligated to adhere to the FTC’s disclosure requirements.
Put simply, if a reasonable consumer might see your native advertising and believe it to be non-advertising content, the FTC will likely take issue with your native advertising tactics. This is exactly what we saw in the Lord & Taylor settlement.
Every e-mail user receives them, some days in numbers hitting the triple digit mark – those targeted, often annoying and unsolicited e-mails that clog our inboxes, originating from any of a multitude of establishments, including retailers, service establishments, and even our own social media. Regulation over unwanted e-mails has been limited mostly to the federal Can Spam Act of 2003, which doesn’t prohibit the deluge of e-mails, but rather protects against misleading and deceptive ones and requires the sender to comply with certain requirements, including offering a clear opt-out. A private consumer has limited retribution to enforce the Act, however, and must rely on the FTC, as well as other government entities and Internet service providers, to bring suit to stop the unwanted e-mails. It seems that consumers in recent years are ever more fed up and frustrated with “spam” messages and desire change. However, as evidenced by a recent class action lawsuit by certain LinkedIn members against the social media giant, consumers may utilize other legal maneuvers to get relief from new marketing tactics employing spam.
LinkedIn is often referred to as the “Facebook of the Professional World.” With over 300 million+ users, LinkedIn has become the world’s largest professional network since it launched in 2003. One feature of the network allows a member to import his or her e-mail contacts list and send invitations to connect with others on LinkedIn. A user is prompted by LinkedIn to click an “Add Connections” link, which then allows LinkedIn to import the list from external e-mail accounts. LinkedIn uses this feature to grow its number of members.
According to the class action lawsuit filed against LinkedIn, if a connection invitation was not accepted within a certain period of time, up to two “reminder’ spam e-mail messages would be sent to the prospects, without the LinkedIn member’s consent to do so. In Perkins v. LinkedIn Corp., the federal district court in the Northern District of California determined that the motion to dismiss filed by LinkedIn would be granted in part and denied in part, thereby allowing the suit to move forward. In its partial denial of the motion to dismiss, the court reasoned that although the members consented to importing their contacts and sending the invitation to connect, they did not consent to sending the reminder messages on their behalf. In her Order, Judge Lucy Koh explains,
“Nothing in LinkedIn’s disclosures alerts users to the possibility that their contacts will receive not just one invitation, but three. In fact, by stating a mere three screens before the disclosure regarding the first invitation that ‘We will not . . . email anyone without your permission,’ LinkedIn may have actively led users astray.”
(Order Granting in Part and Denying in Part Defendant’s Motion to Dismiss with Leave to Amend *30). The plaintiffs also contended that LinkedIn members did not consent to the use of their names and likenesses in the reminder e-mails and were embarrassed and felt that the unwanted e-mails sent to personal contacts affected their professional reputations.
Following the court’s Order, the parties agreed to settle the suit. The settlement requires the social media giant to pay at least $13 million, as well as $2.25 million in legal fees, to LinkedIn members who had accounts between Sept. 17, 2011 and Oct. 31, 2014 and sent e-mails through the Add Connections feature. Although LinkedIn did not admit any wrongdoing in the settlement, it agreed to revise its disclosures and clarify that the reminder e-mails would be sent as part of the “Add Connections” service. LinkedIn also indicated its intent to provide an option to cancel the connection invitation, and thereby the reminders, by the end of the calendar year.
Interestingly, with perhaps the fear of a lawsuit on the horizon, Mark Zuckerberg preemptively announced at a recent town hall meeting held in Delhi, India, that Facebook will be reducing the number of invitations it sends to outside contacts of players of the game Candy Crush Saga. Facebook often sends the invitations to contacts who have never used a game and never played games on Facebook, suggesting that they join their friends in a Candy Crush Saga game. Zuckerberg noted that reducing the number of invitations received was the most upvoted question in an online thread, and he has promised to reduce the number of these unwanted requests. After the recent LinkedIn settlement, we advise Mr. Zuckerberg to take action swiftly or we may see other unhappy consumers following suit. . . . with their own suit!
These developments should offer welcomed relief for consumers and our busy delete buttons. However, this may be the tip of the iceberg with regard to the use of the courts and unwanted e-mails. Is the broad Can-Spam Act sufficient to deter spammers? Does the Can-Spam Act do enough to filter out unwanted e-mails? New scenarios have arisen since the enactment of the Act in 2003 and consumers seem to desire more regulation to deter the deluge of e-mails. If swift action isn’t taken by Congress and other regulators, it seems that consumers may take to the courts to set precedent in this ever-changing arena.
Exploiting consumers and exploiting consumer data were popular themes in the FTC’s October 30th workshop on lead generation, “Follow the Lead.” The day-long workshop explored the mechanics of lead generation and its role in the online marketplace. With a focus on the lending and education spaces, panelists discussed the many layers of marketing involved in lead generation—and importantly—how those many layers can add confusion to how consumer data gets collected, sold, used … and misused.
Panelists of the five workshop sessions hailed from industry, government, advocacy groups, and research institutions. They offered insights into both the vulnerabilities and opportunities flowing from the extensive “behind the scenes” market of lead generation. But unsurprisingly, the benefits of lead generation were overshadowed largely by attendant concerns: why is so much consumer data collected, what is done with it, and are consumers aware of how their personal information is being traded and used?
The workshop included two “case study” panels on lending and education. For the panel on lead generation in lending, Tim Madsen of PartnerWeekly provided an overview of how the “ping tree” model works. Connecting prospective borrowers with lenders through a reverse auction of borrower leads, the “ping tree” model may be an efficient way of matching borrowers and lenders. However, Pam Dixon, Executive Director of World Privacy Forum, highlighted her concerns that lenders are receiving consumer data that would otherwise be protected under the Equal Credit Opportunity Act and therefore that the online process is circumventing important consumer protection laws. For instance, the online lending process may require certain personal information from borrowers in order filter fraudulent requests. But that personal information (e.g., gender or marital status) otherwise could not be part of the loan application process. Dixon felt the disclosure of protected information was one that needed to be addressed from both a technical and a policy standpoint. And it is an issue she raised on subsequent panels during the conference, indicating a possible pressure point for future regulatory action.
The panel on lead generation in education was highly charged, due to the controversial nature of marketing higher education and due to the negative attention on for-profit education. Despite many people’s assumption that online marketing in education is largely a tool of the for-profit education industry, Amy Sheridan, CEO of Blue Phoenix Media, provided some surprising statistics: state and private institutions represent roughly forty percent of her business in the education vertical. Even renowned schools like Harvard and Yale are employing lead generation to gain students in their programs.
But given the extensive access to federal funds through higher education, consumer advocates highlighted concerns over students being preyed upon by unscrupulous educators. Jeff Appel, Deputy Undersecretary of Education at the Department of Education, attributed the problem in part to the lack of underwriting in federal student loans. [Query: Wouldn’t it make sense to add underwriting to the federal student loan process? Statistically, private student loan repayment fares much better thanks to this preliminary screening.]
In support of responsible advertising for educational programs, Jonathan Gillman, CEO of Omniangle Technologies, identified the need for clear guidance on appropriate marketing tactics, which may better address problems than resorting to law enforcement. He pointed out the adverse consequences of clamping down on educators’ online advertising: educators are now afraid to advertise online and that space is being filled by affiliates who are more apt to cross the line into deceptive advertising.
Appel provided some general guidance for schools working with lead generators. Schools should (1) monitor how lead generators are representing programs and ensure their ads are not deceptive, (2) make sure payment for advertising does not implicate regulations against incentive-based compensation, and (3) be aware that the actions of lead generators may come under the Education Department’s purview if they are providing additional assistance (e.g., processing student applications).
Both Appel and consumer advocates seemed to agree, though, that laws and regulations already in place were sufficient to address consumer protection concerns in the education marketing space. It is only a matter of having the resources to enforce those laws and regulations. Appel also suggested that state regulators could curb issues by better screening schools.
Throughout the day and across the panels, FTC representatives turned to the concept of “remnant information,” i.e. consumer information that is longer being used. FTC attorney Katherine Worthman asked panelists various questions about what ultimately happens to this information. R. Michael Waller, another FTC attorney and panelist, noted his concern that companies have an economic interest in maintaining and possibly selling remnant information, and that such information is increasingly vulnerable to fraudsters. These FTC attorneys thus pressed about policies on consumer data retention. Aaron Rieke of Upturn supported the FTC concerns and noted that nothing in the company privacy policies (that he’s reviewed) prevents the sale of consumer data: “privacy policies are shockingly permissive when you look at how much information is being provided.”
Another popular issue was whether and to what extent disclosures to consumers are sufficient: are consumers aware of how their information is being traded? The general consensus among panelists was that consumers remained ignorant to the sale and use of the personal information they provide online.
Upshot from the workshop: Lead generators, and the companies using them, should be aware of the growing interest by federal regulators in (1) how consumer data is being collected, retained, and sold and (2) the extent to which people up and down the online marketing supply chain are vetting the buyers and sellers of consumer data. Other takeaways from the conference: Companies should ensure their data collection and retention policies comply with applicable state and federal law. Finally, it is important for companies to ensure their practices comply with both their policies and their disclosures.
If you didn’t know any better, you might have gotten pretty fiery over for-profit education after reading one of the front page stories of Tuesday’s New York Times. The lengthy article titled “For-Profit Colleges Fail Standards, but Get Billions” is all about accusations of greedy institutions bilking taxpayers and taking advantage of students through fraud and other deceptive practices. Why the story ran on page one of the paper is anybody’s guess: the only timely element in the piece appeared toward the end of the article, where the author mentioned the Defense Department’s recent decision to bar the University of Phoenix from its tuition assistance program. By the time you got to that part of the article, you might have cheered the DOD’s decision to cut the educator off, despite the fact that the decision appears premature, based on allegations as opposed to findings (meaning they are meting out punishment before a full investigation or review).
The New York Times piece seems narrowly focused on denigrating an industry that has become the bastard-stepchild of higher education. Ever since U.S. Sen. Tom Harkin decided to take on for-profit education, the industry has been under intense scrutiny from state and federal regulators as well as partisan research and advocacy groups. The article would have readers believe that all the negative attention is the equivalent of substantiated claims that for-profit education is a fraud on federal student loan programs. Thirty-seven state attorneys general, the Securities and Exchange Commission, the Consumer Financial Protection Bureau, the Department of Justice, and the Federal Trade Commission are all investigating for-profit schools. These schools must be horrible, right? But what the article lacks are legal holdings or findings of fact.
That several agencies are investigating industry participants is not tantamount to guilt: it is more reflective of the fact that regulators take their cues from other regulators. Once an industry becomes unpopular, everyone wants to jump in and get their piece of the pie … or the felled lion. For-profit education is now an obvious target. But, again, that does not make the industry per se bad.
Nor does the fact that many for-profit educators have settled with regulators mean they are guilty: people and companies alike perform a cost-benefit analysis when it comes to whether to fight or stand down. It often makes economic sense to settle out with regulators rather than stay the course through potentially lengthy costly litigation.
What is troubling is the undercurrent – and application – of guilt before innocence, both by the New York Times article and by regulators. What is missing is a comparison of how much for-profit education costs per student versus how much other schools cost, or what dropout rates and post-graduation employment rates look like across schools for single parents and the poor (the types of individuals typically enrolled in for-profit colleges). For instance, studies have shown that community colleges are costing taxpayers billions of dollars for uncomfortably high drop out rates. Other studies identify taxpayer subsidies covering significant amounts of college operating costs.
One of the major reasons why for-profit education has high drop-out rates and poor post-grad employment rates is that they are reaching individuals who otherwise may not have access to degree programs, such as single parents or people in economically depressed areas. These individuals have other complications in their lives that can make completing a degree or finding gainful employment more challenging (e.g., scheduling, transportation). These challenges are not the schools’ fault, but a reflection of external factors. Punishing the schools and taking away educational opportunities does not seem like the most thoughtful decision, but it’s the one that partisan groups, partisan journalists, and regulators seem to be angling for.
Instead of celebrating the Defense Department’s decision to cut off the University of Phoenix from its tuition assistance program, we should be troubled that it is doing so before completing an investigation. In a statement, the University noted that: “It is troubling that DoD has used requests for information from other governmental agencies as grounds for placing the university’s DoD MOU in a probationary status.”
For-profit education does have, and has had, its bad actors… as does every industry. But the all-out slam against the sector, the fight for its demise, is unfair and shortsighted. In the end, the greatest losers will be historically underserved populations who will be denied education opportunities.
Car dealerships are notorious for running loud, flashy ads with too-good-to-be-true offers for outrageous deals to buy or lease cars. Some dealerships downplay or even hide the seemingly endless list of qualifications on those offers which render many potential buyers ineligible for the deals, much to the irritation of misled consumers. The FTC has taken action to stop these misleading practices by continuing its effort to crack down on deceptive advertising among automobile dealerships, which began in 2014 with the FTC’s “Operation Steer Clear,” a nationwide sweep of deceptive car dealership advertising. The FTC’s efforts in this area have continued, most recently resulting in settlement with two Las Vegas auto dealerships.
Planet Hyundai and Planet Nissan of Las Vegas were the subject of FTC enforcement actions alleging that the dealers’ ads misrepresented the cost to buy or lease a car by omitting critical information or deceptively hiding it in fine print. For instance, Planet Hyundai advertised a car for sale with “$0 Down Available,” but fine print revealed that a buyer would have to trade in a car worth a minimum of $2,500 or meet other qualifications in order to take advantage of the offer. Planet Nissan’s advertisements ran purportedly reduced prices side by side with former prices which had been struck through (“Was
$12,888, Now $9,997”). However, the ads did not adequately disclose the qualifications which buyers had to meet to get those prices. Similarly, the ads touted that the cars were for “Purchase! Not a lease!,” when in fact many of the cars were leases. In both cases the FTC alleged that the prominently advertised prices are not generally available to consumers. The dealerships both entered into consent agreements in which they did not have to admit guilt or pay any fines or penalties, but were obligated to abide by relevant laws and regulations pertaining to deceptive advertising.
Further automobile enforcement efforts may be on the horizon. In a late July regulatory filing, GM disclosed that it is currently the subject of an ongoing FTC investigation regarding “certified pre-owned vehicle advertising where dealers had certified vehicles allegedly needing recall repairs.” GM and the FTC declined to comment further, so it is not immediately clear whether the individual dealers were following GM corporate policy when certifying the pre-owned cars in need of recall repairs, or specifically how the ads were allegedly deceptive.
While many of the FTC’s enforcement actions focus on lower-cost products with a large national customer base, such as dietary supplements sold over the internet, these cases serve as a reminder that the FTC’s advertising requirements apply equally to big-ticket items sold locally. Merchants and service providers of every type, whether operating online or in brick and mortar shops, must ensure that their advertisements adequately disclose all material terms and conditions in a way that is not misleading or deceptive.
As online gaming companies compete for business, they are offering customers increasingly large incentives to play on their websites, often in the form of deposit bonuses. These deposit bonuses allow players to play with the bonus money as if it’s cash and keep the winnings (although players cannot cash out the bonus itself). However, some players and regulators believe that some of these promotions are misleading, because they allegedly do not clearly and conspicuously disclose all of the material terms of the offer.
The UK’s Advertising Standards Authority (ASA) recently banned an advertisement by online gaming operator Betway which allegedly failed to disclose the material terms of the offer. Betway’s homepage prominently advertised a “£50 Free Bet*.” By clicking on the asterisk, users were taken to a tab listing the bonus terms, which stated that the operator would match new customers’ first deposit, from £10 to £50, with a bonus that must be used within a week from the initial deposit.
The ASA determined that the “£50 Free Bet” advertisement was misleading because it did not disclose the material terms and conditions of the offer in a clear and conspicuous manner. The ASA asserted that the “£50 Free Bet” advertisement would lead the average user to believe that they would receive a truly free bet—not that they had to first pay £50 before they could receive the “free” bet as a deposit bonus.
Gaming companies, like all advertisers, must be vigilant in ensuring that their advertisements fully disclose the terms of any offer up front. This includes information such as how much money the customer will receive (in this case, a matching deposit bonus up to £50), what the customer must do to earn the bonus (make a deposit), when the customer will receive the incentive (whether they receive it in a lump sum immediately upon deposit, or whether additional milestones in play or deposits must be reached), and how long they have to use the bonus funds. In the United States, the Federal Trade Commission and state Attorneys General may bring actions for alleged deceptive advertising offers, and in many states customers may bring suit for the purportedly misleading offers. In operators’ quest to compete for customers and make attractive offers, they should proceed with caution and err on the side of full disclosure in doing so.