On July 9, 2024, the FTC and California Attorney General settled a case against NGL Labs (“NGL”) and two of its co-founders. NGL Labs’ app, “NGL: ask me anything,” allows users to receive anonymous messages from their friends and social media followers. The complaint alleged violations of the FTC Act, the Restore Online Shoppers’ Confidence Act (ROSCA), the Children’s Online Privacy Protection Act (COPPA), and California laws prohibiting deceptive advertising and prohibiting unfair and deceptive business practices.

FTC Act & California Law Violations. The complaint alleged that once a user posted a prompt inviting anonymous messages, they would receive automated messages that appeared to come from their contacts, but in reality, came from NGL itself. The complaint also alleged that the company encouraged users to purchase NGL Pro (a paid version of the app) to learn the identity of the people who sent them anonymous messages, but that once consumers upgraded to NGL Pro, they did not actually learn the senders’ identities. Instead, the complaint alleged that they were sent vague, and sometimes false, hints about the senders’ identities, such as the city the sender may live in or the time the message was sent.

The complaint also alleged that NGL claimed to use “world class AI content moderation” to filter out harmful language and bullying, including by recognizing inappropriate use of emojis. In reality, however, the company was purportedly aware that harmful language and bullying were commonplace on the app and its technology did not filter out such behavior.

COPPA Violations. The FTC alleged that NGL obtained actual knowledge of the age of users under 13 through complaints from parents of children who use the app. NGL allegedly retained the information of users under 13 after such complaints without providing required notices or obtaining consent. Notably, the complaint also alleged that the company was aware that numerous children used the app, however, constructive knowledge is insufficient to establish liability under COPPA.

ROSCA Violations. NGL allegedly (1) failed to clearly disclose that the NGL Pro subscription would charge users on a recurring basis, by disclosing this fact only in small, off-white text that “pro renews for $9.99/week;” and (2) misrepresented what customers would receive by subscribing (i.e., by misleading consumers into thinking they could learn who sent them messages by subscribing). NGL also allegedly failed to obtain users’ express informed consent before charging their financial accounts.

Ordered Relief. The order prohibits the company from misrepresenting the capabilities of its AI technology, including its ability to filter out cyberbullying. The company also may not misrepresent that any message received through their app was sent by a live person or that a user will be able to see the identity of those who send them messages.

Even though COPPA’s requirements apply to users under the age of 13 and there is no requirement to age gate, the order requires as fencing-in relief that NGL implement a neutral age gate that will prevent those under 18 from accessing the app. For existing users, NGL must delete personal information unless the user indicates they are over 13 or NGL obtains parental consent to retain the data.

Additionally, the order incorporates a variety of requirements that the FTC has proposed in the proposed revised Negative Option Rule. For example, the company is prohibited from misrepresenting any material fact related to the transaction, including any fact related to the underlying good or service. As in the proposed Negative Option Rule, the order also requires that NGL disclose all material facts related to the Negative Option Feature immediately adjacent to the means of recording the customer’s consent – with the exception of cancellation instructions, which need not be immediately adjacent. NGL also must obtain express informed consent to the Negative Option Feature separately from any other portion of the transaction, through a check box or substantially similar method. The order also incorporates cancellation requirements, such as that cancellation must be available in the same medium as sign-up, even though the complaint does not allege a violation of ROSCA’s cancellation provision. Furthermore, the company must provide users a confirmation email of the purchase, as well as reminders as to the frequency and amount of the charge and how they may cancel.

Finally, the company must pay $4.5 million to the FTC and $500,000 in civil penalties to the state of California.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Laura Kim Laura Kim

Laura Kim draws upon her experience in senior positions at the Federal Trade Commission to advise clients across industries on complex advertising, privacy, and data security matters. She provides practical compliance advice and represents clients in FTC and State AG investigations. Laura advises on…

Laura Kim draws upon her experience in senior positions at the Federal Trade Commission to advise clients across industries on complex advertising, privacy, and data security matters. She provides practical compliance advice and represents clients in FTC and State AG investigations. Laura advises on a wide range of consumer protection issues, including green claims, influencers, native advertising, claim substantiation, Made in USA claims, children’s privacy, subscription auto-renewal marketing, and other digital advertising matters. In addition, Laura actively practices before the NAD, including recent successful resolution of matters for both challengers and advertisers. She is the Chair of Covington’s Advertising and Consumer Protection Investigations Group and participates in the firm’s Internet of Things Initiative.

Laura re-joined Covington after a twelve-year tenure at the FTC, where she served as Assistant Director in two divisions of the Bureau of Consumer Protection, as well as Chief of Staff in the Bureau of Consumer Protection and Attorney Advisor to former Chairman William E. Kovacic. She worked on key FTC Rules and Guides such as the Green Guides, Jewelry Guides, and the Telemarketing Sales Rule. She supervised these and other rule making proceedings and oversaw dozens of the Commission’s investigations and enforcement actions involving compliance with these rules. Laura also supervised compliance monitoring for companies under federal court or Commission order.

Laura also served as Deputy Chief Enforcement Officer at the U.S. Department of Education, where she helped establish a new Enforcement Office within Federal Student Aid. In this role, she managed investigations of higher education institutions and oversaw issuance of fines and adverse actions for institutions in violation of federal student aid regulations. Laura also supervised the borrower defense to repayment division and the Clery campus safety and security division.

Photo of Alexandra Remick Alexandra Remick

Alexandra Remick is a member of the Advertising and Consumer Protection Investigations Group. Her practice focuses on regulatory and compliance matters related to consumer protection. She has experience advising clients on topics including endorsements, social media influencers, native advertising, automatically renewing subscriptions, consumer…

Alexandra Remick is a member of the Advertising and Consumer Protection Investigations Group. Her practice focuses on regulatory and compliance matters related to consumer protection. She has experience advising clients on topics including endorsements, social media influencers, native advertising, automatically renewing subscriptions, consumer reviews, and claim substantiation in a variety of contexts. She frequently provides advice on specific advertising compliance questions and works with companies on developing internal advertising compliance policies. She has also represented multiple clients in FTC investigations involving consumer protection issues, has conducted regulatory due diligence on multiple transactions, and has drafted comments on multiple rulemakings.

Photo of Priya Leeds Priya Leeds

Priya Sundaresan Leeds is an associate in the firm’s San Francisco office. She is a member of the Privacy and Cybersecurity Practice Group. She also maintains an active pro bono practice with a focus on gun control and criminal justice.