Section 5

On October 22, 2019, the Federal Trade Commission reached a proposed settlement with the developer of three so-called “stalking” apps that enabled purchasers of the app to secretly monitor the mobile devices on which they were installed.  Developer Retina-X Studios, LLC and its owner James N. Johns marketed the three apps—MobileSpy, PhoneSheriff, and TeenShield—as a means to monitor children and employees by sharing detailed information about these individuals’ smart phone activities, including their text messages and GPS locations.  The FTC complaint alleges that the developer failed to ensure that the apps would be used for legitimate and lawful purposes, did not secure personal information collected from children and other users, and misrepresented the extent to which that information would be kept confidential.

While the FTC settlement represents its first case against developers of tracking apps, the complaint’s allegations rely on provisions of the FTC Act that are broadly applicable to companies that collect, store, and/or monitor users’ personal information, as well as the Children’s Online Privacy Protection Act (“COPPA”): 

Last month, in In the Matter of 1-800 Contacts, Inc., the Federal Trade Commission (“FTC”) provided insight into the circumstances under which retail price competition may take place in the 21st century internet economy.  In the Opinion authored by Chairman Joseph J. Simons (“Commission’s Opinion”), the Commission decided that 1-800 Contacts, the country’s largest online retailer of contact lenses, unlawfully entered into anticompetitive agreements with 14 rival online sellers (“Agreements”).  The Agreements, which in most cases were trademark litigation settlements, required the parties, when bidding as part of search engine advertising auctions, to take measures ensuring their advertisements do not appear in response to searches for the other party’s trademark terms.  According to the Commission’s Opinion, approved 3-1-1, the “decision will affect not only the price that consumers pay for some contact lenses but also the very manner in which substantial parts of price competition will occur throughout consumer markets today and tomorrow.”  This week, 1-800 Contacts filed an application with the FTC for a partial stay pending review by the U.S. Court of Appeals.

The Agreements between 1-800 Contacts and Rival Retailers

By way of background, more than a decade ago, 1-800 Contacts began bringing trademark infringement actions against rival contact retailers, who were selling lenses at lower prices.  The infringement claims were based on the retailers’ online advertisements appearing in response to consumers’ searches for “1-800 Contacts.”  The Agreements, which resulted from the litigation, restricted the parties’ ability to bid on certain “keywords” in search engine auctions.  “Keywords” are words or phrases that trigger the display of a party’s advertisements as “sponsored links” on a search engine when the words or phrases “match” a user’s search.  As relevant here, the Agreements specifically prohibited each party from bidding on keywords that allegedly infringe upon the other party’s trademarks and additionally required the parties to employ “negative” keywords to prevent their advertisements from displaying whenever a search included the other party’s trademarks. 

In a ruling with implications for both net neutrality and privacy, the Ninth Circuit ruled en banc today that the common carrier exemption in Section 5 of the FTC Act is activity-based, reversing a 2016 panel ruling that the exemption was status-based.  Today’s decision bolsters the FTC’s authority to bring consumer protection (including privacy) and competition actions against providers of Internet access service, which the FCC has ruled is not a common carrier service in connection with that agency’s repeal of net neutrality rules.

This appeal arises from the FTC’s lawsuit against AT&T alleging that AT&T’s practice of throttling the speed of customers with unlimited data plans once they reached a certain data usage threshold violated Section 5 of the FTC Act.  AT&T had challenged the FTC’s authority to bring the case, arguing that the company was immune from FTC oversight because it also offers common carrier (e.g., voice telephone) service.  Although the district court sided with the FTC on this question, a 2016 Ninth Circuit panel went the other way and, in doing so, created what the FTC and FCC agreed was a potential ‘gap’ in authority in which neither agency would have the right to police many actions by telecommunications companies. 

Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520), that would create new online privacy requirements.  The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of their privacy policies, obtain opt-in consent for sensitive data, and opt-out consent for non-sensitive data.  In its current form, the BROWSER Act would define sensitive data more broadly than in existing FTC guidelines—mirroring the since-repealed privacy rules that the FCC adopted last year for ISPs, but applying those standards to ISPs and edge providers alike.

The BROWSER Act defines “sensitive user information” to include financial information, health information, children’s data, social security numbers, precise geo-location information, contents of communications, and, most notably, web browsing or app usage histories.  ISPs and edge providers must obtain “opt-in approval” from users prior to using, disclosing, or permitting access to such sensitive information.  For “non-sensitive user information,” the BROWSER Act requires opt-out consent.  And companies may not condition the provision of services, or otherwise refuse services, based on the waiver of privacy rights under the BROWSER Act.

The Ninth Circuit announced today that the full court will rehear the case in which the three-judge panel opinion had dismissed the FTC’s lawsuit against AT&T for allegedly violating Section 5 of the FTC Act due to past “throttling” practices around unlimited data plans.  According to the panel opinion, the FTC lacked jurisdiction over AT&T’s

The FTC announced today that it has reached a settlement with the operators of AshleyMadison.com (Ashley Madison) for alleged data security deficiencies and deceptive trade practices.  According to the FTC, Ashley Madison, a dating website for married individuals, was hacked in July 2015, leading to the release of 36 million users’ account and profile information.  FTC Chairwoman Edith Ramirez referred to the case as “one of the largest data breaches that the FTC has investigated to date.”

According to the FTC’s complaint, despite Ashley Madison’s representations that it was “100% secure” and “risk free,” the website failed to implement reasonable data security practices.  Specifically, the FTC cited several data security failures, including the lack of a written information security policy, reasonable access controls, employee data security training, or oversight over third-party service providers, and a failure to use “readily available security measures” to monitor its systems.  The complaint also alleged that Ashley Madison staff deceptively created fake profiles as a way to attract users, with no way for users to tell real profiles from fake ones.

Aura Labs, Inc. (Aura) has settled the FTC’s charges that it deceived consumers in relation to its mobile blood pressure app.  The FTC’s complaint alleged that Aura deceptively claimed the app was as accurate as traditional blood pressure cuffs, and also that Aura’s owner posted a 5-star review of the app without disclosing his connection to the company.

The stipulated settlement order, which was signed by the district court on December 9, bars Aura from making similar representations about the accuracy of its blood pressure measurements absent “competent and reliable scientific evidence.”  It also requires Aura to disclose any material connections between the company and people who endorse its products.  And it imposes reporting and compliance audit requirements on Aura for ten years.

In an order released last week, the Eleventh Circuit temporarily delayed enforcement of the Federal Trade Commission’s (FTC) order in the LabMD case.  As we reported earlier, the FTC ruled in July that LabMD’s data security practices violated the FTC Act, clarifying and expanding upon the FTC’s authority to regulate corporate data security practices.  After the FTC denied LabMD’s request for a stay, the company appealed to the Eleventh Circuit, which granted the stay in a unanimous decision.

By Catlin Meade and Jenny Martin

On August 31, 2016, the FTC posted a blog post addressing whether compliance with the NIST Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) necessarily constitutes compliance with FTC cybersecurity practices.

The FTC answers this question with a resounding “No” and specifically states:  “there’s really no such thing as ‘complying with the Framework[]’” because “[t]he Framework is not, and isn’t intended to be, a standard or checklist.”  The FTC further explains that the Framework does not provide a one-size-fits-all checklist of security practices; rather, it provides an organized approach and broad guidance, collected from a variety of existing industry standards, guidelines, and best practices, for organizations to follow to identify and manage cyber risk.

In an opinion released today, the Ninth Circuit dismissed the Federal Trade Commission’s (“FTC”) lawsuit against AT&T for violating Section 5 of the FTC Act due to its throttling practices.  AT&T’s practice of throttling the speed of customers with unlimited data plans once they reached a certain data usage threshold had been challenged by the FTC as both unfair and deceptive under Section 5.  The Ninth Circuit reversed the district court’s prior ruling denying AT&T’s motion to dismiss on the ground that AT&T was a common carrier and therefore exempt from Section 5 of the FTC Act.