Federal Trade Commission

As consumers rely more and more on the “independent” reviews of their peers in choosing products and services, advertisers need to remain vigilant that their role (if any) in disseminating such reviews is fairly disclosed, accurate and not misleading.  The pitfalls in this area were recently illustrated by a pair of enforcement actions brought by the Federal Trade Commission and the National Advertising Division of the Better Business Bureau.  These actions, the latest in a series of similar enforcement efforts, confirm that review sites remain a hotbed of enforcement activity, and both actions serve as good reminders of the standards that review sites must observe to avoid similar actions.

The first of these actions is an FTC enforcement against LendEDU, which centered around the “objective,” “honest,” “accurate,” and “unbiased” rankings of financial products that LendEDU posted to its review site.  The FTC alleged that, far from being objective and honest, these rankings were in fact determined based on compensation from the companies being ranked.  In addition, the FTC alleged that over ninety percent of LendEDU’s “unbiased” positive reviews were in fact written by LendEDU employees and their friends and families.
Continue Reading FTC and NAD Actions Highlight Continued Scrutiny of Online Reviews

On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and business models.”

The Rule, which first went into effect in 2009, applies only to vendors of personal health records (“PHRs”) and other related entities that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”).  A PHR is an electronic record of individually identifiable health information “that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.”  See 16 C.F.R. § 318.2(d).  Under the Rule, PHR vendors and related entities must notify individuals, the FTC, and possibly the media within 60 days after discovering a breach of unsecured personally identifiable health information, or within 10 days if more than 500 individuals are affected by the breach.
Continue Reading FTC to Consider Changes to the Health Breach Notification Rule

On April 6, 2020, Tapplock, Inc., a Canadian maker of internet-connected smart locks, entered into a settlement with the Federal Trade Commission (“FTC”) to resolve allegations that the company deceived consumers by falsely claiming that it had implemented reasonable steps to secure user data and that its locks were “unbreakable.”  The FTC alleged that these representations amounted to deceptive conduct under Section 5 of the FTC Act.  In its press release accompanying the settlement, the FTC provided guidance for IoT companies regarding the design and implementation of privacy and security measures for “smart” devices, as discussed further below in this post.
Continue Reading IoT Update: FTC Settles with Smart Lock Manufacturer and Provides Guidance for IoT Companies

The Federal Trade Commission has traditionally responded forcefully to public health and economic crises, and it is doing so again in response to the coronavirus pandemic.  The current crisis does present some additional complications, however, because of its impact on the operations of the agency itself.  Three particular aspects of the FTC’s consumer protection-related response stand out: (1) continuation of the agency’s scrutiny of false and deceptive product claims that seek to capitalize on the fears of consumers, (2) signs that the agency will work with businesses to accommodate the special pressures of the crisis, and (3) continuation but postponement of other, non-enforcement activities.

The FTC’s first consumer protection priority in response to the coronavirus pandemic has been to focus on especially egregious marketing scams that target particularly vulnerable populations.  The FTC has already issued a number of warning letters to sellers of supposed COVID-19 cures ranging from tea to edible silver and to voice over internet protocol (“VoIP”) service providers facilitating illegal coronavirus-related calls.  Fraud reports continue to rise rapidly: the FTC has received 7,800 coronavirus-related complaints this year, and almost half of these were filed in the last week.
Continue Reading The FTC’s Response to the Coronavirus Pandemic: Consumer Protection Priorities and Initial Actions

In response to the COVID-19 outbreak, several U.S. government entities have released warnings about a rise in scams and fraudulent activity connected to the outbreak.  In a recent bulletin, the FBI warned of a rise in phishing emails, counterfeit treatments or equipment for COVID-19 preparedness, and fake emails from the Centers for Disease Control and Prevention (CDC) purporting to provide information about the outbreak.  The FTC, meanwhile, has released not only a general overview of the steps that it is taking to combat scams related to COVID-19, but has also provided a specific list of seven types of COVID-19 scams that it has observed targeting businesses.  More information about these scams, and guidance from the FBI and FTC on how to protect against and respond to some of the most common risks, is below.
Continue Reading COVID-19 Cybersecurity Advice: FTC and FBI Provide Guidance on Cybersecurity Scam Trends and Preventive Measures

In response to the drastic increase of U.S. employees working remotely, the U.S. Federal Trade Commission (“FTC”) and the U.S. National Institute of Standards and Technology (“NIST”) have both issued guidance for employers and employees on best practices for teleworking securely.  In addition, the Cybersecurity and Infrastructure Security Agency (“CISA”) has provided advice on identifying essential workers, including IT and cybersecurity personnel, in critical infrastructure sectors that should maintain normal work schedules if possible.  Each set of guidance is discussed in further detail below.
Continue Reading COVID-19 Cybersecurity Advice: FTC, NIST, and CISA Release Guidance on Secure Teleworking and Critical Infrastructure Jobs

Cardi B might like it, but the Federal Trade Commission (“FTC”) did not.  On March 5, 2020, the agency sent Cardi B and other high-profile influencers warning letters alleging that the influencers made inadequate disclosures in their endorsements of Teami tea.  The letters followed on the heels of the FTC’s proposed order against Teami, LLC for allegedly making deceptive claims about weight loss and other health benefits in their advertisements and failing to adequately instruct influencers about how to comply with the law when endorsing Teami products.
Continue Reading FTC Sends Warning Letters to Teami Tea Influencers

On March 5, Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) introduced the Kids Internet Design and Safety (KIDS) Act.  The bill, which covers online platforms directed to children and teenagers under 16 years old, aims to curb the time spent by these minors on such platforms and could dramatically affect advertising and influencer content on kids’ channels.

The bill would prohibit platforms directed to minors from implementing features that encourage users to spend more time online, such as “auto-play” settings that automatically load a new video once the selected one finishes playing, push alerts that encourage users to engage with the platform, and the display of positive feedback received from other users.  It would also ban badges or other visual incentives and rewards based on engagement with the platform.

Additionally, the KIDS Act would prohibit platforms from recommending or amplifying certain content involving sexual, violent, or other adult material, including gambling or “other dangerous, abusive, exploitative, or wholly commercial content.”  The bill would require the implementation of a mechanism for users to report suspected violations of content requirements.
Continue Reading New Bill Seeks to Impose Design Restrictions on Kids’ Online Content and Marketing

On February 12, 2020, Senator Kirsten Gillibrand (D-NY) announced a plan to create a new Data Protection Agency through her proposed legislation, the Data Protection Act of 2020 (S.3300).

Under the proposal, the new agency would replace the Federal Trade Commission (FTC) as the “privacy cop on the beat.”  As such, the FTC’s current authority in the privacy space—including its ability to draft guidelines, conduct studies, and issue implementing regulations for certain federal privacy laws, would be transferred to the new agency.

As opposed to the Online Privacy Act, a bill introduced by Representatives Anna Eshoo (D-CA-18) and Zoe Lofgren (D-CA-19) that also would create a new privacy agency, Sen. Gillibrand’s bill would not create a new omnibus federal privacy law.  Instead, it is focused on the creation of the Data Protection Agency and its rulemaking authority.  However, various aspects of the new agency’s authority provide valuable insights into what privacy regulation at the federal level might look like under the bill.
Continue Reading Sen. Kirsten Gillibrand Proposes New Digital Privacy Agency

On January 30, House Rep. Kathy Castor (D-FL) introduced the Protecting the Information of our Vulnerable Children and Youth (“PRIVCY”) Act, a bill that promises to be a significant overhaul of the Children’s Online Privacy Protection Act (“COPPA”).

Currently, COPPA applies only to personal information collected from children under 13 years old.  The PRIVCY Act would greatly expand COPPA’s scope by making any personal information – including biometric, geolocation, and inferred information, whether collected from the child or not – subject to the law’s requirements.  It also brings a new group of “young consumers” – individuals aged 12 to 18 years old – under the law’s umbrella.  The PRIVCY Act would obligate online sites and services that have actual or constructive knowledge that they “process” personal information about children or young consumers to provide notice to, and obtain consent from, those children’s parents or from those young consumers.  The bill also provides for rights to access, correction, and deletion of children’s and young consumers’ personal information, and it imposes limits on the ability of operators to disclose personal information to third parties.

Additionally, the privacy bill would completely repeal COPPA’s safe harbor provision, which enables covered operators to rely on a safe harbor if their privacy practices have been certified by FTC-approved organizations.  Currently, seven safe harbor organizations have been approved by the FTC.
Continue Reading Kids’ Privacy Bill Allowing for Private Suits Introduced in House