Author: jhenderson2

  • Federal Trade Commission Launches Inquiry on Tech Censorship

    Today, the Federal Trade Commission launched a public inquiry to better understand how technology platforms deny or degrade users’ access to services based on the content of their speech or affiliations, and how this conduct may have violated the law.

    Censorship by technology platforms is not just un-American, it is potentially illegal. Tech firms can employ confusing or unpredictable internal procedures that cut users off, sometimes with no ability to appeal the decision. Such actions taken by tech platforms may harm consumers, affect competition, may have resulted from a lack of competition, or may have been the product of anti-competitive conduct.

    The FTC issued a Request for Information (RFI) requesting public comment on how consumers may have been harmed by technology platforms that limited their ability to share ideas or affiliations freely and openly. 

    “Tech firms should not be bullying their users,” said FTC Chairman Andrew N. Ferguson. “This inquiry will help the FTC better understand how these firms may have violated the law by silencing and intimidating Americans for speaking their minds.”

    Tech platform users who have been banned, shadow banned, demonetized, or otherwise censored are encouraged to share their comments in response to the RFI. The FTC is interested in understanding how consumers—including by potentially unfair or deceptive acts or practices, or potentially unfair methods of competition—have been harmed by the policies of tech firms. 

    The public will have until May 21, 2025 to submit a comment. Once submitted, comments will be posted to Regulations.gov. If consumers would prefer to file a private report with the FTC instead, they can go to ReportFraud.ftc.gov and click “Report Now.”

  • FTC Chairman Ferguson Appoints Christopher Mufarrige as Director of the Bureau of Consumer Protection

    Federal Trade Commission Chairman Andrew N. Ferguson has appointed Christopher Mufarrige as Director of the agency’s Bureau of Consumer Protection.

    “I am delighted to appoint Chris Mufarrige as the next Director of the Bureau of Consumer Protection. Chris is a stellar attorney and a tireless public servant,” Chairman Ferguson said. “The Bureau of Consumer Protection with Chris at the helm will work every day to protect the American consumer from fraud, and to safeguard children when they are online.”

    Mufarrige is an experienced consumer protection lawyer who served in the first Trump Administration as a Senior Adviser to the Director and Deputy Director of the Consumer Financial Protection Bureau, advising on enforcement, rulemaking, and supervisory exams relating to the country’s largest banks and nonbank financial institutions. Most recently, he was Commissioner Melissa Holyoak’s Chief of Staff and Attorney Adviser. He has also worked at private law firms and as an in-house lawyer. In his free time, Mufarrige taught a class on financial services and consumer protection at George Mason University’s Antonin Scalia Law School.

    Mufarrige graduated from Scalia Law School, has a master’s degree in economics from George Mason University, and a B.S. in economics from Texas Christian University.

    The Commission vote approving Mufarrige’s appointment as Director of the Bureau of Consumer Protection was 4-0.

  • Genshin Impact Game Developer Will be Banned from Selling Lootboxes to Teens Under 16 without Parental Consent, Pay a $20 Million Fine to Settle FTC Charges

    The maker of the video game Genshin Impact has agreed to pay $20 million and to block children under 16 from making in-game purchases without parental consent to settle Federal Trade Commission allegations the company violated a children’s privacy law and deceived children and other users about the real costs of in-game transactions and odds of obtaining rare prizes.

    “Genshin Impact deceived children, teens, and other players into spending hundreds of dollars on prizes they could never win,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies that deploy these dark-pattern tactics will be held accountable if they deceive players, particularly kids and teens, about the true costs of in-game transactions.”

    A complaint, filed by the Department of Justice upon referral from the Commission, alleged that Singapore-based Cognosphere Pte. Ltd and its California-based subsidiary Cognosphere LLC, which do business in the United States as HoYoverse, actively marketed Genshin Impact to children and collected personal information from them in violation of the Children’s Online Privacy Protection Rule (COPPA). The complaint further charged that HoYoverse deceived players about the odds of winning particular sought-after “five-star” loot box prizes and how much it would cost to open loot boxes to win the prizes. It also alleged that the confusing virtual currency system that players had to navigate to open loot boxes and the marketing and promotion tactics used to entice players to open loot boxes were unfair to children and teenagers.

    Popular among children and teens, Genshin Impact is free to download but has generated significant revenue through the sale of in-game virtual currency and other content. Players advance in the game by collecting virtual heroes, forming a team and using heroes’ abilities to complete tasks. Five-star heroes are the most desirable to collect given their powers, and they can only be obtained by opening loot boxes, which players can purchase using virtual currency.

    The complaint alleges that Genshin Impact’s purchasing process obscures the reality that consumers commonly must spend large amounts of real money to obtain “five-star prizes,” and that some children have spent hundreds or even thousands of dollars to win them. The complaint alleges that the system is challenging and confusing, particularly for children and teens. Players must exchange real dollars for bundles of virtual currency that then have to be re-exchanged multiple times to open loot boxes, with exchange rates in unusual denominations. This complicated system, according to the complaint, misleads consumers about the amount of money that players spend on loot boxes on an ongoing basis, and the amount of money that players would likely need to spend to obtain certain prizes.

    HoYoverse drives consumer demand for Genshin Impact’s loot boxes through several promotional channels inside and outside of the game, which advertise that desirable prizes will be available only on a limited basis, according to the complaint. This includes using virtual in-game “Event Banners” to promote these limited time prizes and social media influencers to glamorize the excitement of opening loot boxes.

    Genshin Impact uses anime-style cartoon graphics, bright and colorful animation, and several characters who have the speech or appearance of children to appeal to children. HoYoverse has spent millions of dollars hiring social media influencers—many of whom are popular with children—to promote Genshin Impact to their respective audiences on social media platforms including YouTube, TikTok, and the video game streaming site Twitch. The complaint alleges that the company’s Event Banners and influencer campaigns give players the impression that they will have better odds of obtaining the five-star prize being promoted than they have in reality.

    COPPA Violations

    In addition to unfairly marketing loot boxes to children, the complaint alleges that HoYoverse failed to comply with the COPPA Rule, which requires online services and websites directed to children under 13 to notify parents about the personal information they collect and to obtain verifiable parental consent before collecting and using any personal information collected from children.

    The complaint alleges that Genshin Impact is a child-directed online service that collects personal information from children under 13 and therefore is required by COPPA to notify parents about the information they collect from children and to obtain their consent for the collection of that personal data. The complaint, however, alleges that even though HoYoverse was aware that children under 13 were using its service, it continued to collect personal information from children and use it without obtaining parental consent or complying with other COPPA requirements. HoYoverse shared with third-party analytics firms and advertisers user IDs as well as device-related persistent identifiers to track players’ progress, purchases, settings, and friends lists, according to the complaint.

    Under the proposed order, which must be approved by a federal judge before it can go into effect, Cognosphere Pte. Ltd and Cognosphere LLC will be required to pay a $20 million monetary penalty and make changes to address the allegations outlined in the complaint. The companies will be:

    • Prohibited from allowing children under 16 to purchase loot boxes in their video games without a parent’s affirmative express consent;
    • Prohibited from selling loot boxes using virtual currency without providing an option for consumers to purchase them directly with real money;
    • Prohibited from misrepresenting loot box odds, prices and features;
    • Required to disclose loot box odds and exchange rates for multi-tiered virtual currency;
    • Required to delete any personal information previously collected from children under 13 unless they obtain parental consent to retain such data; and
    • Required to comply with COPPA including its notice and consent requirements.

    The Commission vote to refer the complaint and stipulated order to the Department of Justice for filing was 5-0. Commissioners Andrew Ferguson and Melissa Holyoak concurred as to Counts I-II, but dissented as to Counts III-V. Commissioners Ferguson and Slaughter issued separate statements. The Department of Justice filed the complaint and stipulated order upon referral from the Commission, in the U.S. District Court for the Central District of California.

    NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.

    The lead attorneys on this matter are Jeffrey Tang, Miles Freeman, Delilah Vinzon and Aaron Schue from the FTC’s Western Region-Los Angeles office.

  • FTC Releases Summary of Key Accomplishments

    Federal Trade Commission Chair Lina M. Khan released a summary of the agency’s key accomplishments over the last four years that have improved Americans’ everyday lives and stopped illegal consolidation that raises prices and hampers innovation.

    These actions include:

    Putting Money Back in Americans’ Pocketbooks: The Commission has helped put more money back into the pockets of American consumers by banning junk fees for short-term lodging and live-event ticketing; finalizing a “click to cancel” rule requiring companies to make it just as easy to cancel subscriptions as it is to sign up; and banning auto dealers from sticking American consumers with junk fees. The agency took action against companies that use deceptive dark patterns to trick consumers into making unwanted purchases, obtaining more than $245 million for consumer refunds from Fortnite maker Epic Games. The FTC also secured $48 million in refunds for consumers who the agency alleged were charged junk fees, suffered unfair eviction practices, and unfairly had their security deposits withheld by corporate landlord Invitation Homes.

    Stopping Illegal Consolidation that Raises Prices and Reduces Innovation: The FTC successfully sued to block the $24.6 billion merger between Kroger and Albertsons, a deal the agency alleged would have raised prices, led to store closures, and reduced compensation for unionized workers. The agency has vigorously policed consolidation across critical sectors of the economy, including semiconductors, defense, energy, consumer products, healthcare, and pharmaceuticals. The agency also defeated Meta’s summary judgment motion in the FTC’s ongoing lawsuit alleging Meta engaged in a series of acquisitions, including Instagram and WhatsApp, to illegally maintain its monopoly power.

    Securing Americans’ Access to Healthcare: The FTC took numerous actions to help ensure Americans have access to affordable health care, including challenging patents on drug products, including inhalers and EpiPens, that were improperly listed in the FDA’s Orange Book. The FTC’s efforts led pharma companies to slash out-of-pocket costs for inhalers from $500 or more to just $35. The agency sued the three largest pharmacy benefit managers (PBMs) for allegedly engaging in anticompetitive rebating practices that inflated the cost of insulin, sued a Texas anesthesiology provider that allegedly engaged in a private-equity roll-up scheme that consolidated the market and raised prices, and banned “Pharma Bro” Martin Shkreli from doing business in the pharmaceutical industry after he hiked the price of a lifesaving medication.

    Protecting Workers from Coercion and Deception: The FTC banned noncompete clauses from most employment contracts, which the agency estimated would increase the average American worker’s wages by $524 a year. The FTC has also taken enforcement actions in the space, ordering security guard and glass container manufacturing companies to drop coercive noncompete clauses on low-wage workers and ordering two building services contractors to drop “no-hire” clauses with their customers that blocked the ability of employees to freely switch jobs and negotiate for better pay or benefits. The Commission took action against companies such as Care.com, Grubhub and Lyft for misleading workers about how much money they would make, and returned nearly $60 million to more than 140,000 Amazon Flex drivers after Amazon illegally withheld tips from its drivers.

    Checking Harmful Commercial Surveillance: The agency has aggressively policed the illegal collection, use, and sale of consumers’ sensitive personal information, banning data brokers from selling consumers’ precise geolocation data and banning digital health apps from disclosing consumers’ sensitive health data for advertising purposes. And, in the FTC’s first privacy action related to connected cars, the FTC banned General Motors for five years from disclosing drivers’ geolocation data and driving behavior information to consumer reporting agencies. The agency has been particularly focused on protecting kids and teens online, strengthening the Children’s Online Privacy Protection Rule (COPPA) to further limit companies’ ability to profit from kids’ personal data. The agency took numerous enforcement actions against companies for violating COPPA, including obtaining a record $275 million penalty from Fortnite creator Epic Games and suing TikTok over charges that it flagrantly violated the children’s privacy law and its 2019 order related to previous COPPA violations.

    Protecting Americans’ Right to Repair: The FTC has worked to combat unlawful restrictions on consumers’ ability to repair products they buy, saving Americans money and allowing independent repair shops to thrive. The agency recently sued Deere & Company over its use of unfair practices that have driven up equipment repair costs for farmers while depriving farmers of the ability to make timely repairs on critical farming equipment, and it previously obtained orders against Weber, Harley-Davidson, and Westinghouse to protect consumers’ right to repair products they buy from those companies.

    Helping Small Businesses Compete on a Level Playing Field: The FTC sued Amazon for raising costs for sellers that rely on the platform to reach consumers, ordered Mastercard to stop illegally blocking merchants from routing debit card payments through its payment network and raising costs for small businesses, and protected franchisees from junk fees and preserved their right to report law violations to the government. The agency also reinvigorated enforcement of the Robinson-Patman Act, which prohibits price discrimination that squeezes independent retailers, by suing Southern Glazer’s Wine and Spirits, the largest U.S. distributor of wine and spirits, and Pepsi for favoring one large, big box retailer over other competitors when providing promotions and services.

    In the last four years, the FTC has worked to maximize its authority to carry out its mission to protect consumers and promote competition, including by reactivating enforcement of the Robinson-Patman Act. It has proposed and finalized new rules that allow the agency to return money back to injured consumers, and it has brought its first-ever actions under the Health Breach Notification Rule with cases against prescription drug discount provider GoodRx and fertility tracking app PreMom, the Military Lending Act in a case against Harris Jewelers and the Opioid Addiction Recovery Fraud Prevention Act, in cases against R360 and Monument.

  • FTC Takes Action Against General Motors for Sharing Drivers’ Precise Location and Driving Behavior Data Without Consent

    The Federal Trade Commission is taking action against General Motors (GM) and OnStar over allegations they collected, used, and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles—data that can be used to set insurance rates—without adequately notifying consumers and obtaining their affirmative consent.

    Under a proposed order settling the FTC’s allegations, General Motors LLC, General Motors Holdings LLC, and OnStar LLC, which are owned by General Motors Company, will be banned for five years from disclosing consumers’ sensitive geolocation and driver behavior data to consumer reporting agencies. They also must take other steps to provide greater transparency and choice to consumers over the collection, use, and disclosure of their connected vehicle data. This is the FTC’s first action related to connected vehicle data.

    In its complaint, the FTC alleged that Michigan-based GM used a misleading enrollment process to get consumers to sign up for its OnStar connected vehicle service and the OnStar Smart Driver feature. GM failed to clearly disclose that it collected consumers’ precise geolocation and driving behavior data and sold it to third parties, including consumer reporting agencies, without consumers’ consent.

    “GM monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” said FTC Chair Lina M. Khan. “With this action, the FTC is safeguarding Americans’ privacy and protecting people from unchecked surveillance.”

    GM has offered OnStar as a service that will aid consumers during an emergency and provide hands-free voice assistance and real-time traffic and navigation. Over time, the company has increased the amount of data it collects through OnStar to include precise geolocation data—collected every three seconds for some users.

    Tracking and collecting geolocation data can be extremely privacy invasive, revealing some of the most intimate details about a person’s life, such as whether they visited a hospital or other medical facility, and exposing their daily routines.

    When consumers bought a GM vehicle, they were encouraged to sign up for OnStar and its Smart Driver feature, which they were often told would be used to help them assess their driving habits. The FTC alleged, however, that GM’s enrollment process for the data collection for both its OnStar service and Smart Driver feature was confusing and misleading. In fact, some consumers were unaware that they had been signed up for the Smart Driver feature, according to the complaint.

    In addition, GM failed to clearly disclose to consumers the types of information it collected through its Smart Driver feature, including that their geolocation and driving behavior data—such as every instance of hard braking, late night driving, and speeding—would be sold to consumer reporting agencies. These consumer reporting agencies used the sensitive information GM provided to compile credit reports on consumers, which were used by insurance companies to deny insurance and set rates.

    Many consumers were unaware of these practices and complained to GM after finding out that their driving habits were being used by insurance companies to set their rates. For example, one consumer told a GM customer service representative that “[w]hen I signed up for this, it was so OnStar could track me. They said nothing about reporting it to a third party. Nothing. […] You guys are affecting our bottom line. I pay you, now you’re making me pay more to my insurance company.”

    Proposed Order

    The proposed order would prohibit GM and OnStar from misrepresenting information about how they collect, use, and share consumers’ location and driver behavior data. Additional provisions of the proposed order require GM and OnStar to:

    • Not disclose covered driver data to consumer reporting agencies: The proposed order would ban GM and OnStar from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years from the date the order is entered.
    • Obtain consent prior to collection: The companies must obtain affirmative express consent from consumers prior to collecting connected vehicle data, with some exceptions such as providing location data to emergency first responders.
    • Allow consumers to obtain and delete their data: The companies must create a way for all U.S. consumers to request a copy of their data and seek its deletion.
    • Allow consumers to limit data collection from their vehicles: The companies must also give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology and provide a way for consumers to opt-out of the collection of geolocation and driver behavior data, with some limited exceptions.

    During a closed meeting, the Commission voted 3-0-2 to accept the proposed consent agreement for public comment. Commissioners Melissa Holyoak and Andrew N. Ferguson were recorded as absent.

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

    The lead staff attorneys on this matter are Amy Teng, Breena Roos, and Sarah Shifley with the FTC’s Northwest Regional Office.

  • FTC, Maryland Attorney General Act to Stop Lindsay Auto from Falsely Touting Low Prices and Overcharging Consumers for Unwanted Fees and Add-Ons

    The Federal Trade Commission and Maryland Attorney General have charged Lindsay Automotive Group with systematically deceiving and overcharging car-buying consumers for years, costing them millions of dollars in junk fees and unwanted add-on products.

    The agencies’ complaint also alleges that Lindsay advertised prices it refused to honor and falsely claimed consumers needed to obtain financing through Lindsay. The agencies’ complaint alleges that three Lindsay dealerships and their management company, along with the company’s part-owner and president Michael Lindsay, COO John Smallwood, and the dealerships’ former general manager Paul Smyth, engaged in pervasive unlawful conduct.

    “Auto dealers who trick consumers with bait-and-switch advertising, financing sleights of hand, and unwanted add-ons should expect to hear from the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC and its state partners will continue working to combat this illegal conduct.”

    “Buying a car is a significant financial investment. Marylanders deserve to know upfront how much they will actually pay for a vehicle and should not be surprised by hidden charges that they did not budget for,” said Attorney General Anthony G. Brown. “Our Office will not let car dealerships profit from unfair and deceptive practices.”

    According to the complaint, Lindsay regularly advertises deceptive prices on its website and in its advertising, promoting vehicles for sale at a price that is not actually available to the vast majority of consumers. Lindsay employees continue the deception when consumers call, claiming the advertised price is real.

    Only when consumers get to the dealership do they learn that the price is hundreds or even thousands more than advertised because they do not qualify for a raft of rebate programs, or because they must pay thousands of dollars in additional fees. One dealership manager cited in the complaint told a consumer that the price on the website “was not realistic” and that “no one would qualify for it because it was nearly impossible to qualify for all the rebates to get to that price.” In fact, Michael Lindsay told Smallwood and others, “we never deliver the vehicle anywhere near the stated price.”

    The complaint cites numerous examples in which customers, who sometimes traveled significant time and distance, including booking flights from other states, to get to Lindsay dealerships based on the low advertised prices, were hit with supposedly mandatory fees of thousands of dollars. In other cases, dealership employees simply told consumers directly that the advertised price wasn’t true, according to the complaint.

    A sample of Lindsay’s transactions shows that 88 percent of consumers who bought a car from the defendants’ dealerships from 2020 to 2023 paid more than the advertised price—on average over $2,000 more—according to the complaint.

    Additionally, the complaint charges that Lindsay’s unlawful conduct didn’t stop at the vehicle’s purchase price. Instead, after consumers navigate the often arduous process of negotiating a price, they then face further challenges when Lindsay deceptively claims that they must finance their car through the dealership.

    Lindsay receives what it calls “kickbacks” from financing companies when consumers finance a car through the dealership, according to the complaint. Consumers who arrive at Lindsay dealerships looking to pay cash or with pre-approved financing from another financial institution are regularly told that the advertised price won’t be honored.

    The complaint cites multiple instances in which consumers were directed to financing offers through Lindsay that charged higher interest than what they’d obtained on their own—and would cost them thousands more over the life of the loan. A survey cited in the complaint showed that more than a third of Lindsay shoppers were told that financing through the dealer was mandatory to purchase the car or to obtain the advertised price.

    Finally, the complaint alleges that Lindsay systematically charged consumers for add-on products—such as extra service plans, tire and rim protection, and “guaranteed asset protection” coverage—they did not consent to purchase or falsely told consumers the add-ons are mandatory. In fact, a survey cited in the complaint shows 68% of consumers were charged for at least one add-on they did not agree to buy or were falsely told was required. These charges often amount to hundreds or thousands of dollars for each consumer.

    The complaint charges that Lindsay Chevrolet of Woodbridge; Lindsay Ford of Wheaton; Lindsay Chrysler-Dodge-Jeep-Ram; Lindsay Management Company, LLC; and individual defendants Lindsay, Smallwood, and Smyth violated the FTC Act as well as Maryland’s Consumer Protection Act. The complaint asks the court to stop Lindsay’s unlawful actions and provide redress to the consumers harmed by those actions.

    The Commission vote authorizing the staff to file the complaint was 5-0. The complaint was filed in the U.S. District Court for the Eastern District of Virginia.

    NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. The case will be decided by the court.

    The staff attorneys on this matter are Mary Weaver and Evan Zullow of the FTC’s Bureau of Consumer Protection.

  • Statement on FTC’s Win in Lawsuit Against the Makers of Dietary Supplement Prevagen

    Samuel Levine, Director of the Federal Trade Commission’s Bureau of Consumer Protection, issued the following statement on the ruling by the U.S. District Court for the Southern District of New York on the FTC and New York Attorney General’s lawsuit against the makers of the dietary supplement Prevagen. The court ordered the makers to cease making the deceptive claims challenged in the lawsuit:

    “Following seven years of hard-fought litigation, including a jury trial, we are pleased that the Court has ordered Quincy Bioscience to cease making claims about Prevagen that mislead Americans concerned about memory loss. Companies should take note and remember that health claims need to be backed up by reliable scientific evidence.”

    This ruling is another win in the FTC’s efforts to protect older Americans. Last month, we announced new protections against tech support scams, which disproportionately target older consumers. Read more about our comprehensive efforts in our Protecting Older Consumers Report.

  • FTC Sends Refund Payments to Consumers Impacted by Epic Games’ Unlawful Billing Practices

    The Federal Trade Commission is sending refunds totaling more than $72 million to consumers who were tricked by Epic Games, maker of the popular video game Fortnite, into making unwanted purchases. 

    As part of a settlement first announced in December 2022, the FTC obtained an order requiring Epic Games to pay $245 million to resolve allegations that the game maker used design tactics known as dark patterns to trick players into making unwanted purchases, let children rack up unauthorized charges without any parental involvement, and blocked some users who disputed unauthorized charges from accessing their purchased content. The FTC alleged that Fortnite’s counterintuitive, inconsistent, and confusing button configuration led players of all ages to incur unwanted charges based on the press of a single button. For example, players could be charged while attempting to wake the game from sleep mode, while the game was in a loading screen, or by pressing an adjacent button while attempting simply to preview an item.

    The FTC is sending its first round of payments in this matter and will distribute additional money at a later date. Today, the FTC is sending 629,344 total payments, about half of which are PayPal payments and the other half are checks.

    Consumers selected their payment method when they completed their claim form. Recipients should redeem their PayPal payment within 30 days and cash their checks within 90 days, as indicated on the check. The average payment is about $114.

    Consumers who have questions about their payment should contact the refund administrator, Rust Consulting, Inc., at 1-833-915-0880 or by email at [email protected], or visit the FTC website to view frequently asked questions about the refund process. The Commission never requires people to pay money or provide account information to get a refund.

    Eligible consumers can still submit a claim online. The claim form is available at www.ftc.gov/fortnite.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2023, FTC actions led to $330 million in refunds to consumers across the country.

  • Smart Products Surveyed Fail to Provide Consumers with Information on How Long Companies will Provide Software Updates

    A new paper from Federal Trade Commission staff finds that nearly 89% of products surveyed failed to disclose on their websites how long the products would receive software updates, which help ensure the devices are protected against security threats and operate properly.

    FTC staff from the agency’s East Central Regional Office reviewed 184 different “smart” products, ranging from hearing aids to security cameras to door locks, for information about how long companies would provide updates for those products. If the manufacturer stops providing software updates, these products may lose their “smart” functionality, become insecure or stop working, according to the FTC Staff Perspective.

    “Consumers stand to lose a lot of money if their smart products stop delivering the features they want,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Our study shows that nearly 89% of manufacturers of products we examined failed to post this information prominently or make it readily available. When shopping for smart devices, consumers should ask questions and consider how long their product will last.”

    Staff reviewed the manufacturer’s product webpages, where consumers might look for detailed information about a connected device, and found 161 of the products surveyed failed to provide information about the support duration or end date. Staff also conducted basic internet searches to determine if consumers could track down support duration and end dates for the smart devices surveyed. Those searches did not uncover support information for two-thirds (124) of the devices surveyed.

    The staff paper noted that manufacturers’ failure to inform prospective purchasers about the duration of software updates for products sold with written warranties may violate the Magnuson Moss Warranty Act, which requires that written warranties on consumer products costing more than $15 be made available to prospective buyers prior to sale and requires other disclosures. Failing to provide software update information to consumers could also violate the FTC Act if manufacturers make express or implied representations about how long the product is useable, according to the staff perspective.

  • FTC Announces Tentative Agenda for November 14 Open Commission Meeting

    Today, Federal Trade Commission Chair Lina M. Khan announced that an open meeting of the Commission will be held virtually on Thursday, November 14, 2024. The open meeting will commence at 11am ET and will begin with time for members of the public to address the Commission.

    The following items will be on the tentative agenda for the November 14 Commission meeting:

    Presentation on Older Americans Report: Staff from the Bureau of Consumer Protection’s Division of Marketing Practices will provide a presentation on the FTC’s latest report to Congress on protecting older adults. The report highlights key trends based on fraud reports by older adults and the agency’s multipronged efforts to combat the problem through law enforcement actions, rulemaking, and outreach and education programs.

    Presentation on Click-to-Cancel Rule: Staff from the Bureau of Consumer Protection’s Division of Enforcement will give a presentation on the FTC’s “Click-to-Cancel” Rule, which will require sellers of negative option plans to make it as easy to cancel enrollment as it was to sign up. It also will prohibit sellers from making material misrepresentations in marketing goods or services sold on a negative option basis and require sellers to disclose important information before obtaining consumers’ billing information, as well as to obtain informed consent to the negative option feature prior to billing.

    Presentation on the Merger Portal: Staff from the Bureau of Competition will give a presentation on the FTC’s new online merger portal, which allows market participants, stakeholders, and the general public to directly submit comments on proposed transactions that may be under review by the FTC.

    At the start of the meeting, Chair Khan will offer brief remarks and will then invite members of the public to share feedback on the Commission’s work generally and bring relevant matters to the Commission’s attention. Members of the public must sign up for an opportunity to address the Commission virtually at the November 14 event.

    Each commenter will be given two minutes to share their comments. Those who cannot participate during the event may submit written comments or a link to a prerecorded video through a webform. Speaker registration and comment submission will be available through Tuesday, November 12, 2024 at 8 pm ET.

    A link to the event will be available on the day of the event, shortly before the meeting starts via FTC.gov. The event will be recorded, and the webcast and any related comments will be available on the Commission’s website after the meeting. The Commission retains discretion to make public comments available following the event on ftc.gov.

  • FTC Denies Motion to Disqualify Administrative Law Judge in H&R Block Case

    The Federal Trade Commission has denied a motion filed by H&R Block Inc. to disqualify the Administrative Law Judge overseeing the hearing concerning a complaint filed by the Commission against the tax preparation company for certain deceptive and unfair practices.

    The vote to issue the order denying the motion was 5-0. Commissioner Melissa Holyoak concurred only in the result. Commissioner Andrew N. Ferguson issued a statement dissenting in part and concurring in the denial of the motion. Chair Lina M. Khan, joined by Commissioner Alvaro M. Bedoya, filed a separate statement.

  • FTC, DOJ and CFPB Warn Consumers About Potential Scams and Price Gouging in the Wake of Hurricanes and other Natural Disasters

    As the nation braces for another major hurricane, the Federal Trade Commission along with the Department of Justice and the Consumer Financial Protection Bureau are warning consumers about those looking to take advantage of natural disasters by engaging in potential fraud or price gouging.

    Scammers quickly exploit weather emergencies and take advantage of people trying to recover or donate to disaster victims. Consumers who may have encountered a scam can report it to the FTC at ReportFraud.ftc.gov.

    “As Americans seek safety from natural disasters, we’re hearing troubling reports of price gouging for essentials that are necessary for people to get out of harm’s way—from hotels to groceries to gas,” said FTC Chair Lina M. Khan. “No American should have to worry about being ripped off when fleeing a hurricane. In partnership with state enforcers, the FTC will keep fighting to ensure that Americans can get the relief they need without being preyed on by bad actors exploiting a crisis.”

    “Companies are on notice: do not use the hurricane as an excuse to exploit people through illegal behavior,” said Deputy Assistant Attorney General Manish Kumar of the Justice Department’s Antitrust Division. “The Antitrust Division and its law enforcement partners will act quickly to root out anticompetitive behavior and use every tool available to hold wrongdoers accountable.”

    “Price gouging during a natural disaster is just plain wrong, and excessive price increases can be unfair under the law,” said CFPB Director Rohit Chopra. “The CFPB will be on the lookout for financial companies that take advantage of natural disasters to rip people off.”

    Possible types of natural disaster scams include:

    • Fraudulent charities soliciting donations for disaster victims that often imitate the names of charities linked to the disaster.
    • Scammers impersonating government officials, offering disaster relief in exchange for personal information or money.
    • Scammers promoting non-existent businesses or investment opportunities related to disaster recovery, such as rebuilding or flood-proofing.
    • Price gouging for essential goods and services needed by disaster victims.

    To avoid scams and frauds while you’re recovering from a hurricane or another natural disaster, remember only scammers will insist you pay for services by wire transfer, gift card, payment app, cryptocurrency or in cash. Avoid anyone who promises they can help you qualify for relief from the Federal Emergency Management Agency (FEMA) ― for a fee. That’s a scam. FEMA will never require you to pay a fee to get disaster relief. Never sign your insurance check over to someone else. Be sure to research contractors and get estimates from more than one before signing a contract for work. Get a written contract for repairs and read it carefully before signing it.

    The FTC has additional information for consumers about how to avoid scams as well as how to prepare for and respond to natural disasters. The CFPB’s disaster and emergencies toolkit provides guidance on handling your finances if you are preparing for, recovering from, or rebuilding after a hurricane, tornado, wildfire, or other emergency. Consumers can submit a complaint about a financial product or service at consumerfinance.gov/complaint.

  • FTC Announces the Addition of Three Consumer Protection Agencies to an International Agreement Aimed at Enhancing Cooperation in Cross-Border Enforcement Matters

    The Federal Trade Commission announced today that the consumer protection agencies of Costa Rica, the Dominican Republic, and Panama have joined an existing agreement that the FTC reached in 2023 with the consumer protection authorities of Chile, Colombia, Mexico, and Peru to promote cooperation among the agencies to protect consumers from cross-border fraud, deception, and other illegal practices.

    The 2023 Multilateral Memorandum of Understanding (MMOU) provides a framework and mechanism for information-sharing, investigative assistance, and other types of cooperation on consumer protection enforcement. The addition of agencies from Costa Rica, the Dominican Republic, and Panama expands the reach of the MMOU and sends a wider message of the agencies’ shared commitment to protect consumers from unlawful practices.

    Today’s announcement coincides with a three-day conference and meeting of the International Consumer Protection and Enforcement Network (ICPEN) in Washington, D.C. The FTC took over the presidency of ICPEN in July and is gathering more than 250 representatives of consumer protection authorities and organizations from the United States and around the world to discuss important issues that consumers are facing in today’s expanding digital age, including challenges related to online gaming and artificial intelligence, and to exchange good practices for international enforcement cooperation.

    At the meeting, ICPEN also unveiled a revamped version of its econsumer.gov website, including an updated complaint form, a more mobile friendly format for consumers to report international scams, and updated guidance on additional steps that consumers can take to resolve their complaints.

    The lead staffer on this matter is Angel Martinez from the FTC’s Office of International Affairs.

  • FTC Staff Report Finds Large Social Media and Video Streaming Companies Have Engaged in Vast Surveillance of Users with Lax Privacy Controls and Inadequate Safeguards for Kids and Teens

    A new Federal Trade Commission staff report that examines the data collection and use practices of major social media and video streaming services shows they engaged in vast surveillance of consumers in order to monetize their personal information while failing to adequately protect users online, especially children and teens.

    The staff report is based on responses to 6(b) orders issued in December 2020 to nine companies including some of the largest social media and video streaming services: Amazon.com, Inc., which owns the gaming platform Twitch; Facebook, Inc. (now Meta Platforms, Inc.); YouTube LLC; Twitter, Inc. (now X Corp.); Snap Inc.; ByteDance Ltd., which owns the video-sharing platform TikTok; Discord Inc.; Reddit, Inc.; and WhatsApp Inc.

    The orders asked for information about how the companies collect, track and use personal and demographic information, how they determine which ads and other content are shown to consumers, whether and how they apply algorithms or data analytics to personal and demographic information, and how their practices impact children and teens.

    “The report lays out how social media and video streaming companies harvest an enormous amount of Americans’ personal data and monetize it to the tune of billions of dollars a year,” said FTC Chair Lina M. Khan. “While lucrative for the companies, these surveillance practices can endanger people’s privacy, threaten their freedoms, and expose them to a host of harms, from identity theft to stalking. Several firms’ failure to adequately protect kids and teens online is especially troubling. The Report’s findings are timely, particularly as state and federal policymakers consider legislation to protect people from abusive data practices.”

    The report found that the companies collected and could indefinitely retain troves of data, including information from data brokers, and about both users and non-users of their platforms. The staff report further highlights that many companies engaged in broad data sharing that raises serious concerns regarding the adequacy of the companies’ data handling controls and oversight. In particular, the staff report noted that the companies’ data collection, minimization and retention practices were “woefully inadequate.” In addition, the staff report found that some companies did not delete all user data in response to user deletion requests.

    The staff report also found that the business models of many of the companies incentivized mass collection of user data to monetize, especially through targeted advertising, which accounts for most of their revenue. It further noted that those incentives were in tension with user privacy, and therefore posed risks to users’ privacy. Notably, the report found that some companies deployed privacy-invasive tracking technologies, such as pixels, to facilitate advertising to users based on preferences and interests.

    Additionally, the staff report highlighted the many ways in which the companies fed users’ and non-users’ personal information into their automated systems, including for use by their algorithms, data analytics, and AI. The report found that users and non-users had little or no way to opt out of how their data was used by these automated systems, and that there were differing, inconsistent, and inadequate approaches to monitoring and testing the use of automated systems.

    Furthermore, the staff report concluded that the social media and video streaming services didn’t adequately protect children and teens on their sites. The report cited research that found social media and digital technology contributed to negative mental health impacts on young users.

    Based on the data collected, the staff report said many companies assert that there are no children on their platforms because their services were not directed to children or did not allow children to create accounts. The staff report noted that this was an apparent attempt to avoid liability under the Children’s Online Privacy Protection Act Rule. The staff report found that the social media and video streaming services often treated teens the same as adult users, with most companies allowing teens on their platforms with no account restrictions.

    The report also noted some of the potential competition implications of the companies’ data practices. It noted that companies that amass significant amounts of user data may be in a position to achieve market dominance, which may lead to harmful practices with companies prioritizing acquiring data at the expense of user privacy. It noted that when there is limited competition among social media and video streaming services, consumers will have limited choices.

    The staff report makes recommendations to policymakers and companies based on staff’s observations, findings, and analysis, including:

    • Congress should pass comprehensive federal privacy legislation to limit surveillance, address baseline protections, and grant consumers data rights;
    • Companies should limit data collection, implement concrete and enforceable data minimization and retention policies, limit data sharing with third parties and affiliates, delete consumer data when it is no longer needed, and adopt consumer-friendly privacy policies that are clear, simple, and easily understood;
    • Companies should not collect sensitive information through privacy-invasive ad tracking technologies;
    • Companies should carefully examine their policies and practices regarding ad targeting based on sensitive categories;
    • Companies should address the lack of user control over how their data is used by systems as well as the lack of transparency regarding how such systems are used, and also should implement more stringent testing and monitoring standards for such systems;
    • Companies should not ignore the reality that there are child users on their platforms and should treat COPPA as representing the minimum requirements and provide additional safety measures for children;
    • The Companies should recognize teens are not adults and provide them greater privacy protections; and
    • Congress should pass federal privacy legislation to fill the gap in privacy protections provided by COPPA for teens over the age of 13.

    The Commission voted 5-0 to issue the staff report. Chair Khan, as well as Commissioners Alvaro Bedoya, Melissa Holyoak and Andrew N. Ferguson each released separate statements.

    The lead attorneys on this matter are Jacqueline Ford, Ronnie Solomon and Ryan Mehm from the FTC’s Bureau of Consumer Protection.

  • FTC Announces Tentative Agenda for September 19 Open Commission Meeting

    Today, Federal Trade Commission Chair Lina M. Khan announced that an open meeting of the Commission will be held virtually on Thursday, September 19, 2024. The open meeting will commence at 11 a.m. ET and will begin with time for members of the public to address the Commission.

    The following items will be on the tentative agenda for the September 19 Commission meeting:

    Business Before the Commission:

    Staff Presentation on the Social Media and Video Streaming Services 6(b) Orders: Staff from the Bureau of Consumer Protection’s Division of Privacy and Identity Protection will update the Commission on its findings arising from the 6(b) orders issued in 2020 to study how social media and video streaming services’ data practices impact American consumers. Any report on these findings is subject to a Commission vote.

    Staff Presentation on Rule on the Use of Consumer Reviews and Testimonials: Staff from the Bureau of Consumer Protection’s Division of Advertising Practices will provide a presentation on the FTC’s Final Rule on the Use of Consumer Reviews and Testimonials. The rule will help ensure that reviews, upon which consumers often rely to make purchase decisions, are based on real experience with a product or service. 

    At the start of the meeting, Chair Khan will offer brief remarks and will then invite members of the public to share feedback on the Commission’s work generally and bring relevant matters to the Commission’s attention. Members of the public must sign up for an opportunity to address the Commission virtually at the September 19 event.

    Each commenter will be given two minutes to share their comments. Those who cannot participate during the event may submit written comments or a link to a prerecorded video through a webform. Speaker registration and comment submission will be available through Tuesday, September 17, 2024 at 8 pm ET.

    A link to view the meeting will be available on the day of the event, shortly before it starts, via FTC.gov. The event will be recorded, and the webcast and any related comments will be available on the Commission’s website after the meeting. The Commission retains discretion to make public comments available following the event on FTC.gov.

  • FTC Sends Refunds to Consumers Deceived by Genetic Testing Firm 1Health.io Over Data Deletion and Security Practices

    The Federal Trade Commission is sending refunds to more than 2,400 consumers related to a settlement with 1Health.io, formerly known as Vitagene, over allegations the genetic testing company left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and unfairly changed its privacy policy retroactively.

    The FTC’s June 2023 complaint alleged that 1Health.io’s security failures put consumers’ sensitive data at risk, contrary to the company’s promise to exceed industry-standard security practices. The complaint also alleged that the company promised consumers they could delete their personal information at any time when, in fact, the company’s failure to maintain a data inventory meant that the company could not always honor that promise. The complaint further alleged that, in 2020, the company unfairly changed its privacy policy by expanding the types of third parties with whom it could share health and genetic data that consumers had already provided the company, without notifying consumers or obtaining their consent.

    The FTC is sending payments totaling more than $49,500 to 2,432 consumers. Most consumers will get a check in the mail. Recipients should cash their checks within 90 days, as indicated on the check. Eligible consumers who did not have an address on file will receive a PayPal payment, which should be redeemed within 30 days.

    Consumers who have questions about their payment should contact the refund administrator, Simpluris, at 1-888-427-9238 or visit the FTC website to view frequently asked questions about the refund process. The Commission never requires people to pay money or provide account information to get a refund.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2023, FTC actions led to $324 million in refunds to consumers across the country.

  • FTC Announces Tentative Agenda for August 1 Open Commission Meeting

    Today, Federal Trade Commission Chair Lina M. Khan announced that an open meeting of the Commission will be held virtually on Thursday, August 1, 2024. The open meeting will commence at 10 a.m. ET and will begin with time for members of the public to address the Commission.

    The following items will be on the tentative agenda for the August 1 Commission meeting:

    Business Before the Commission:

    Pharmacy Benefit Managers Report: Staff from the Office of Policy Planning will provide a presentation on the Interim Report on Pharmacy Benefit Managers (PBMs). This Interim Report is part of the Federal Trade Commission’s ongoing study of PBMs and explores their potential impact on access and affordability of medicines and examines how increasing vertical integration and concentration may have enabled PBMs to inflate drug costs and squeeze Main Street pharmacies.

    Presentation on Military Consumer Protection: To close out Military Consumer Month, staff from the Bureau of Consumer Protection’s Division of Consumer and Business Education will provide a presentation on the FTC’s work to protect servicemembers, veterans, and their families. It will address the FTC’s consumer outreach and education efforts, network of partnerships with military organizations, and recent enforcement work.   

    At the start of the meeting, Chair Khan will offer brief remarks and will then invite members of the public to share feedback on the Commission’s work generally and bring relevant matters to the Commission’s attention. Members of the public must sign up for an opportunity to address the Commission virtually at the August 1 event.

    Each commenter will be given two minutes to share their comments. Those who cannot participate during the event may submit written comments or a link to a prerecorded video through a webform. Speaker registration and comment submission will be available through Tuesday, July 30, 2024 at 8 pm ET.

    A link to view the meeting will be available on the day of the event, shortly before it starts, via FTC.gov. The event will be recorded, and the webcast and any related comments will be available on the Commission’s website after the meeting. The Commission retains discretion to make public comments available following the event on FTC.gov.

  • FTC Issues Orders to Eight Companies Seeking Information on Surveillance Pricing

    The Federal Trade Commission issued orders to eight companies offering surveillance pricing products and services that incorporate data about consumers’ characteristics and behavior. The orders seek information about the potential impact these practices have on privacy, competition, and consumer protection.

    The orders are aimed at helping the FTC better understand the opaque market for products by third-party intermediaries that claim to use advanced algorithms, artificial intelligence and other technologies, along with personal information about consumers—such as their location, demographics, credit history, and browsing or shopping history—to categorize individuals and set a targeted price for a product or service. The study is aimed at helping the FTC better understand how surveillance pricing is affecting consumers, especially when the pricing is based on surveillance of an individual’s personal characteristics and behavior.

    “Firms that harvest Americans’ personal data can put people’s privacy at risk. Now firms could be exploiting this vast trove of personal information to charge people higher prices,” said FTC Chair Lina M. Khan. “Americans deserve to know whether businesses are using detailed consumer data to deploy surveillance pricing, and the FTC’s inquiry will shed light on this shadowy ecosystem of pricing middlemen.”

    The FTC is using its 6(b) authority, which authorizes the Commission to conduct wide-ranging studies that do not have a specific law enforcement purpose, to obtain information from eight firms that advertise their use of AI and other technologies along with historical and real-time customer information to target prices for individual consumers. The orders were sent to: Mastercard, Revionics, Bloomreach, JPMorgan Chase, Task Software, PROS, Accenture, and McKinsey & Co.

    The orders are seeking information on four major areas:

    • Types of products and services being offered: The types of surveillance pricing products and services that each company has produced, developed, or licensed to a third party, as well as details about the technical implementation and current and intended uses of this technology;
    • Data collection and inputs: Information on the data sources used for each product or service, including the data collection methods for each data source, the platforms and methods that were used to collect such data, and whether that data is collected by other parties (such as other companies or other third parties);
    • Customer and sales information: Information about whom the products and services were offered to and what those customers planned to do with those products or services; and
    • Impacts on consumers and prices: Information on the potential impact of these products and services on surveilled consumers including the prices they pay.

    The FTC has long been on the front lines of documenting and investigating the hidden ecosystem of data brokers, digital platforms, and other intermediaries that specialize in monitoring and selling user data. The FTC’s 6(b) orders aim to shed light on how the current data ecosystem may facilitate the ability to target consumers with individual prices.

    The Commission voted 5-0 to issue the 6(b) orders to the eight companies. Commissioners Melissa Holyoak and Andrew N. Ferguson issued concurring statements.

  • FTC, ICPEN, GPEN Announce Results of Review of Use of Dark Patterns Affecting Subscription Services, Privacy

    The Federal Trade Commission and two international consumer protection networks announced the results of a review of selected websites and apps that showed a large percentage of the websites and mobile apps examined may use dark patterns, digital design techniques that may manipulate consumers into buying products or services or giving up their privacy. These techniques can steer consumers to take actions they would not otherwise have taken.

    The International Consumer Protection and Enforcement Network’s (ICPEN) annual review, which took place January 29-February 2, 2024, examined the use of possible dark patterns by 642 websites and mobile apps that offered subscription services from companies across the globe and in multiple languages. Officials from 27 authorities in 26 countries participated. Nearly 76% of the sites and apps examined as part of the review employed at least one possible dark pattern, and nearly 67% used multiple possible dark patterns. It was not reported whether these identified practices were used in an unlawful way or violated the laws of the affected countries.

    Participants examined several types of dark patterns, using descriptions of the practices as set out by the Organization for Economic Cooperation and Development. The potential dark patterns most often encountered during the review were sneaking practices, which involve hiding or delaying the disclosure of information that might affect a consumer’s purchase decision, and interface interference, techniques such as obscuring important information or preselecting options that frame information in a way that steers consumers toward making decisions more favorable for the business.

    ICPEN coordinated its review with the Global Privacy Enforcement Network (GPEN), a network of more than 80 privacy enforcement authorities. GPEN’s review—in which the FTC also participated—focused on websites and apps using design patterns that may encourage individuals to provide more personal information than they intended. Like the ICPEN review, the 26 privacy authorities participating in the GPEN review of sites operating in various countries found that the majority of websites and apps examined used at least one potential dark pattern. While there were no findings as to whether any of these instances rose to the level of law violations, the collaboration underscores the ways dark pattern techniques may impact not just consumers’ wallets but also their privacy choices.

    Today’s announcement coincides with the FTC officially assuming the 2024-2025 presidency of ICPEN, an international network of consumer protection authorities from more than 70 countries that protects consumers around the world by sharing information and encouraging global enforcement cooperation among consumer protection authorities.

    The FTC has worked for many years to identify and crack down on businesses that deploy deceptive and unlawful dark patterns. In 2022, the FTC released a staff report, Bringing Dark Patterns to Light, which detailed a wide range of dark patterns.

  • Commission Testifies before House Energy and Commerce Subcommittee on Innovation, Data and Commerce

    The Federal Trade Commission today testified before the House Energy and Commerce Subcommittee on Innovation, Data and Commerce on the agency’s fiscal year 2025 budget and work to promote competition and protect consumers.

    In her testimony FTC Chair Lina M. Khan discussed the FTC’s work to protect privacy and data security; fight fraud, junk fees, and related harms affecting consumers; combat opioid recovery fraud and other health fraud; stand up for all consumers, including older adults, servicemembers, and historically underserved communities; and ensure that domestic manufacturers, independent repairers, and other small businesses have a chance to compete fairly.

    On the competition side, Chair Khan highlighted the FTC’s recent rule to ban noncompete clauses in employment contracts, which the Commission estimates affect one in five U.S. workers. Chair Khan highlighted the fact that the vast majority of public comments submitted by Americans were in support of the FTC’s rule. She also discussed the Commission’s work to prevent unlawful consolidation and to identify and stop anticompetitive conduct.

    While describing some of the agency’s many accomplishments, she noted that the FTC’s work requires resources and highlighted the value the agency provides to the American people. In FY 2023, every $1 of the FTC’s costs returned an estimated $14 in benefits to Americans through the Commission’s consumer protection and competition law enforcement efforts.

    Chair Khan was joined at the hearing by Commissioners Rebecca Kelly Slaughter, Alvaro Bedoya, Melissa Holyoak and Andrew N. Ferguson.

  • FTC Order Will Ban NGL Labs and its Founders from Offering Anonymous Messaging Apps to Kids Under 18 and Halt Deceptive Claims Around AI Content Moderation

    The Federal Trade Commission and the Los Angeles District Attorney’s Office are taking action against NGL Labs, LLC and two of its co-founders, Raj Vir and Joao Figueiredo, for a host of law violations related to their anonymous messaging app, including unfairly marketing the service to children and teens. The defendants will pay $5 million to settle the lawsuit, and will be banned from offering their “NGL: ask me anything” app to anyone under the age of 18.

    In their complaint, the FTC and Los Angeles DA’s Office allege that NGL and its co-founders not only actively marketed their service to children and teens, but that they also falsely claimed that its AI content moderation program filtered out cyberbullying and other harmful messages. In addition, the complaint alleges that the defendants sent fake messages that appeared to come from real people and tricked users into signing up for their paid subscription by falsely promising that doing so would reveal the identity of the senders of messages.

    “NGL marketed its app to kids and teens despite knowing that it was exposing them to cyberbullying and harassment,” said FTC Chair Lina M. Khan. “In light of NGL’s reckless disregard for kids’ safety, the FTC’s order would ban NGL from marketing or offering its app to those under 18. We will keep cracking down on businesses that unlawfully exploit kids for profit.”

    “The consequences of these actions can be severe. The anonymity provided by the app can facilitate rampant cyberbullying among teens, causing untold harm to our young people,” Los Angeles District Attorney George Gascón said. “We cannot tolerate such behavior, nor can we allow companies to profit at the expense of our children’s safety and well-being. Today’s charges send a clear message that deceptive practices and targeting vulnerable populations will not be tolerated.”

    California-based NGL was launched in 2021 as an anonymous messaging service that allows people to receive anonymous messages from their friends and social media followers. NGL and its operators marketed the app as a “safe space for teens” and claimed it uses “world class AI content moderation” including “deep learning and pattern matching algorithms” to combat cyberbullying and other harms.

    In their complaint, however, the FTC and the Los Angeles DA’s office allege that NGL and its operators actively marketed their service to kids despite being aware of the harms from similar services; made false claims about their AI content moderation program; deceived users with fake messages and other tactics aimed at driving up the number of paid users; failed to clearly disclose and obtain consent for recurring charges for its NGL Pro service; and violated the Children’s Online Privacy Protection Act Rule (COPPA Rule).

    After consumers downloaded the NGL app, they could share a link on their social media accounts urging their social media followers to respond to prompts such as “If you could change anything about me, what would it be?” Followers who clicked on this link were then taken to the NGL app, where they could write an anonymous message that would be sent to the consumer.

    After failing to generate much interest in its app, NGL in 2022 began automatically sending consumers fake computer-generated messages that appeared to be from real people. When a consumer posted a prompt inviting anonymous messages, they would receive computer-generated fake messages such as “are you straight?” or “I know what you did.” NGL used fake, computer-generated messages like these or others—such as messages regarding stalking—in an effort to trick consumers into believing that their friends and social media contacts were engaging with them through the NGL App.

    When a user would receive a reply to a prompt—whether it was from a real consumer or a fake message—consumers saw advertising encouraging them to buy the NGL Pro service to find out the identity of the sender. The complaint alleges, however, that consumers who signed up for the service, which cost as much as $9.99 a week, did not receive the name of the sender. Instead, paying users only received useless “hints” such as the time the message was sent, whether the sender had an Android or iPhone device, and the sender’s general location. NGL’s bait-and-switch tactic prompted many consumers to complain, which NGL executives laughed off, dismissing such users as “suckers.”

    In addition, the complaint alleges that NGL violated the Restore Online Shoppers’ Confidence Act by failing to adequately disclose and obtain consumers’ consent for such recurring charges. Many users who signed up for NGL Pro were unaware that it was a recurring weekly charge, according to the complaint.

    NGL Targeted Kids and Teens

    The FTC and Los Angeles DA also say that NGL and its operators aggressively marketed its service to children and teens even though they were aware of the dangers of cyberbullying on anonymous messaging apps. Company executives told employees to reach out to high school kids directly. Figueiredo urged employees to get “kids who are popular to post and get their friends to post” and noted that the “best way is to reach out on [Instagram] by finding popular girls on high school cheer [Instagram] pages,” according to the complaint.

    The complaint says the company falsely claimed that its AI-powered system would filter out cyberbullying and other harmful messages. In fact, users complained that NGL failed to prevent rampant cyberbullying and threats against children and teens. One consumer reported that their friend had attempted suicide because of the NGL app, according to the complaint.

    In addition to failing to crack down on cyberbullying, the FTC and Los Angeles DA say NGL also violated the COPPA Rule, which requires apps and other online services that are directed to or knowingly being used by children under 13 to inform their parents about the personal information they collect from children and obtain verifiable parental consent from their parents. According to the complaint, the company was aware that numerous children used the app and made no attempt to verify the age of its users, failed to obtain parental consent to collect and use personal data collected from children under 13, failed to honor parents’ request to delete their children’s personal data, and retained children’s data longer than reasonably necessary to fulfill the purpose for which the data was collected.

    Proposed Order

    In addition to the ban on marketing anonymous messaging apps to kids and teens under 18, the proposed order also requires NGL, Vir, and Figueiredo to pay $4.5 million, which will be used to provide redress to consumers, and a $500,000 civil penalty to the Los Angeles DA’s office. Under the proposed order, which must be approved by a federal court before it can go into effect, NGL and its operators also will be:

    • Required to implement a neutral age gate that prevents new and current users from accessing the app if they indicate that they are under 18 and to delete all personal information that is associated with the user of any messaging app unless the user indicates they are over 13 or NGL’s operators obtain parental consent to retain such data;
    • Prohibited from making misrepresentations about the sender of messages on any app and making similar false claims as outlined in the complaint;
    • Prohibited from making misrepresentations about the capabilities of any artificial intelligence technology, and its ability to filter out cyberbullying;
    • Prohibited from making misrepresentations related to negative options and required to disclose all details related to recurring charges; and
    • Required to obtain express informed consent from consumers prior to billing them for a negative option subscription, provide a simple mechanism for cancelling any negative option subscriptions, and to send reminders to consumers about negative option charges.

    The Commission vote authorizing the staff to file the complaint and stipulated final order was 5-0. The FTC filed the complaint and final order in the U.S. District Court for the Central District of California. Commissioners Melissa Holyoak and Andrew N. Ferguson issued separate statements.

    NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

    The lead attorneys on this matter are Miles Freeman, Siobhan Amin, Carla Cheung, and John Jacobs from the FTC’s Western Region Los Angeles office.

    The FTC received invaluable assistance from Fairplay and social media reform advocate Kristin Bride. 

  • FTC Takes Action Against Gig Work Company Arise Virtual Solutions for Deceiving Consumers About Pay in Marketing Its Business Opportunity

    The Federal Trade Commission is taking action against gig work company Arise Virtual Solutions for misleading consumers about the money they could make on Arise’s platform and marketing its business opportunity without complying with the FTC’s Business Opportunity Rule, including the requirement to truthfully disclose the basis for earnings claims to consumers.

    Under the proposed settlement, Arise would be required to pay $7 million, which will be refunded to consumers harmed by its misconduct, and must be able to back up any earnings claims it makes in the future.

    “Arise lured in workers with false promises about what they could earn while requiring them to pay out-of-pocket for essential equipment, training, and other expenses,” said FTC Chair Lina M. Khan. “Operating in the ‘gig’ economy is no license for evading the law, and the FTC will continue using all its tools to protect Americans from unlawful business practice.”

    In its complaint against Arise, the FTC charges that the company regularly used misleading advertisements saying that consumers who signed up on their platform would have access to jobs that paid “up to $18/hour” doing remote customer service work for major companies. The company heavily promoted this business opportunity online, targeting stay-at-home mothers and others who might be looking for opportunities to support their families by working from home. Most of the gig workers Arise recruited were Black, and almost all of them were women. 

    According to the complaint, when Arise began citing the $18/hour figure in 2020, its own internal documents showed that the average pay for jobs on its gig work platform was just $12/hour. In fact, from 2019 to 2022, 99.9% of the consumers who joined the Arise platform made less than $18/hour in hourly base pay. The overinflated earnings claims were effective in drawing consumers in; Arise’s market testing showed more consumers responded to these specific claims than those simply advertising “extra income.”

    Arise continued running ads touting earnings of up to $18/hour even after receiving a Notice of Penalty Offenses from the FTC regarding false and unsubstantiated earnings claims in money-making opportunities in 2022.

    In addition to the fact that consumers’ pay was nearly always below the levels Arise advertised, the complaint alleges that the company’s earnings claims did not factor in the substantial fees consumers faced when joining and using the Arise platform.

    According to the complaint, consumers who join the Arise platform are required to make hundreds of dollars in equipment purchases like computers and headsets, including some equipment that is purchased from and financed by Arise. In addition, until July 2022, Arise charged consumers as much as $250 for training programs that were required before consumers could begin money-earning jobs, and only stopped charging for that training after learning of the FTC’s investigation.

    Arise also has failed to provide the documents and disclosures required by the FTC’s Business Opportunity Rule. This is the first case where the Commission has charged a company in the gig economy with violating the Business Opportunity Rule, which requires that prospective workers receive key disclosures about earnings claims and other important information before they decide to invest their time and money in a business opportunity.

    Beyond the startup costs, Arise also charges workers on its platform nearly $40 each month in mandatory fees, which further reduced consumers’ effective earnings. When consumers left the Arise platform after discovering that their pay was not sufficient or equal to what Arise promised, their expenses were not refunded.

    In addition to the $7 million payment, Arise will be permanently prohibited from making any earnings claims to consumers without being able to substantiate those claims as part of the proposed settlement. In addition, Arise will be prohibited from making any false or misleading claims generally and will be required to provide the disclosures mandated by the Business Opportunity Rule.

    The Commission vote authorizing the staff to file the complaint and stipulated final order was 5-0. The FTC filed the complaint and final order in the U.S. District Court for the Southern District of Florida. Chair Lina M. Khan and Commissioners Melissa Holyoak and Andrew Ferguson issued statements.

    Arise also faces concurrent litigation with the U.S. Department of Labor in the U.S. District Court for the Southern District of Florida over separate allegations that it misclassified its workers as independent contractors.

    The FTC thanks the U.S. Department of Labor, the Better Business Bureau Serving Southeast Florida and the Caribbean and the Office of the District of Columbia Attorney General for their assistance with this matter.

    NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

    The staff attorneys on this matter were James Davis, Nathan Nash, and Taylor Arana of the FTC’s Midwest Region.

  • FTC Finalizes Order with Avast Banning it from Selling or Licensing Web Browsing Data for Advertising and Requiring it to Pay $16.5 Million

    The Federal Trade Commission has finalized an order banning software provider Avast from selling, disclosing, or licensing any web browsing data for advertising purposes to settle charges the company and its subsidiaries sold such information after promising that its products would protect consumers from online tracking. The company also must pay $16.5 million, which is expected to be used to provide redress to consumers.

    In a complaint, first announced in February, the FTC alleged that UK-based Avast Limited via its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent. The FTC also charged that Avast deceived users by claiming that the software would protect consumers’ privacy by blocking third party tracking, but it failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data. The FTC alleged Avast sold that data to more than 100 third parties through its subsidiary, Jumpshot.

    Under the order, Avast and its subsidiaries also must delete the web browsing information transferred to Jumpshot and any products or algorithms derived from that data; must obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes; notify consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company; and implement a comprehensive privacy program that addresses the misconduct highlighted by the FTC.

    After receiving two comments, the Commission voted 3-0-2 to give final approval to the settlement. Commissioners Melissa Holyoak and Andrew N. Ferguson did not participate.

  • FTC Finalizes Order with Blackbaud Related to Allegations the Firm’s Security Failures Led to Data Breach

    The Federal Trade Commission has finalized an order against Blackbaud Inc. settling allegations that its lax security practices allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.

    In a complaint first announced in February 2024, the FTC charged that the South Carolina firm, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it collects. As a result of these failures, a hacker in early 2020 exploited weaknesses in Blackbaud’s networks, which went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers. The company waited nearly two months to notify its customers about the breach and then misled consumers about the extent of the data that was stolen, according to the complaint.

    Under the order, Blackbaud is required to delete data that it no longer needs to provide its products or services and is prohibited from misrepresenting its data security and data retention policies. The order also requires Blackbaud to develop a comprehensive information security program that would address the issues highlighted by the FTC’s complaint and put in place a data retention schedule outlining its data deletion practices. It also requires Blackbaud to notify the FTC if it experiences a future data breach that it is required to report to any other local, state, or federal agency.

    After receiving two comments, the Commission voted 3-0-2 to give final approval to the settlement. Commissioner Andrew Ferguson did not participate and Commissioner Melissa Holyoak was recused.

  • FTC Announces Tentative Agenda for May 23 Open Commission Meeting

    Today, Federal Trade Commission Chair Lina M. Khan announced that an open meeting of the Commission will be held virtually on Thursday, May 23, 2024. The open meeting will commence at 1 pm ET and will begin with time for members of the public to address the Commission.

    The following items will be on the tentative agenda for the May 23 Commission meeting:

    Business Before the Commission:

    Presentation on Final Rule on Government and Business Impersonation:

    Staff from the Bureau of Consumer Protection’s Division of Marketing Practices will provide a presentation on the Commission’s Final Rule Concerning Government and Business Impersonation. The Rule, which went into effect last month, gives the agency stronger tools to combat scammers who impersonate businesses or government agencies, enabling the FTC to directly file federal court cases aimed at forcing scammers to return the money they made from government or business impersonation scams and seek civil penalties for their conduct.

    Staff Presentation on Roll-Up RFI: 

    Staff from the Bureau of Competition will provide a presentation on the Commission’s Request for Information for public comment on corporate consolidation through serial acquisitions and roll-up strategies. The RFI seeks information from the general public on serial acquisitions across all sectors and industries in the U.S. economy, particularly those acquisitions that do not require review by antitrust agencies, and their effects on competition, consumers, workers, suppliers, and other stakeholders.

    Voice Cloning Challenge Winners Presentation: 

    Representatives from the Division of Marketing Practices and the Office of Technology will provide a presentation on the Voice Cloning Challenge winners and their ideas for protecting consumers from AI-enabled voice cloning harms, such as fraud, and the broader misuse of biometric data and creative content.

    At the start of the meeting, Chair Khan will offer brief remarks and will then invite members of the public to share feedback on the Commission’s work generally and bring relevant matters to the Commission’s attention. Members of the public must sign up for an opportunity to address the Commission virtually at the May 23 event.

    Each commenter will be given two minutes to share their comments. Those who cannot participate during the event may submit written comments or a link to a prerecorded video through a webform. Speaker registration and comment submission will be available through Tuesday, May 21, 2024 at 8 pm ET.

    A link to the event will be available on the day of the event, shortly before the meeting starts via FTC.gov. The event will be recorded, and the webcast and any related comments will be available on the Commission’s website after the meeting. The Commission retains discretion to make public comments available following the event on ftc.gov.

  • FTC Chair Testifies before House Appropriations Subcommittee

    Federal Trade Commission Chair Lina M. Khan today appeared before the House Appropriations Subcommittee on Financial Services and General Government to discuss the agency’s FY 2025 budget request and ongoing work to promote open, competitive markets and protect American consumers and businesses from fraud.

    In her testimony, Chair Khan detailed how the agency is using its current funding and noted the value it provides to the American people. In FY 2023, every $1 of the FTC’s costs returned an estimated $14 in benefits to American consumers through its consumer protection and competition law enforcement efforts.

    As the nation’s primary consumer protection agency, the FTC works to fight fraud, junk fees, and related harms affecting consumers; combat opioid recovery fraud and other health fraud; stand up for all consumers, including older adults, servicemembers, and historically underserved communities; protect privacy and data security; and ensure that domestic manufacturers, independent repairers, and other small businesses have a chance to compete fairly. On the competition side, the agency has prioritized its limited resources to target the root causes of anticompetitive conduct and tackle the most significant harms across markets, particularly by dominant firms whose business practices affect many Americans.

    For FY 2025, the Commission has requested $535 million. This increase would help fund mandatory FY 2024 and anticipated FY 2025 pay increases and other inflationary non-pay expenses, as well as critical IT investments needed for the Commission to continue its enforcement work in an era of big data.

  • BetterHelp Customers Will Begin Receiving Notices About Refunds Related to a 2023 Privacy Settlement with FTC

    About 800,000 people will begin receiving notices today that they are eligible for refunds stemming from the Federal Trade Commission’s 2023 settlement with BetterHelp related to allegations that the online therapy firm used and shared consumers’ health data, including sensitive information about their mental health, with third parties for advertising.

    BetterHelp agreed to pay $7.8 million to settle the FTC’s charges, first announced in March 2023, that it used and revealed sensitive consumer data—specifically email addresses, IP addresses, and answers to personal health questions—for advertising purposes. The FTC alleged that BetterHelp shared this information with Facebook, Snapchat, and others for advertising, despite promising consumers that it would only disclose personal health data for limited purposes, such as to provide counseling services. The FTC charged that BetterHelp failed to obtain consumers’ consent before disclosing their health data and failed to limit how third parties use that data.

    Eligible consumers will begin receiving emails about their payment from an independent redress administrator, Ankura Consulting Group. This email provides several payment options. Consumers who do nothing will get a payment via PayPal at the email address where they received their notice. Consumers who wish to choose a different payment method, such as a check or Zelle payment, will have until June 10, 2024 to select a different method. The administrator plans to send all payments this summer.

    Payments will go to people who signed up and paid for services from a BetterHelp website between August 1, 2017, and December 31, 2020. BetterHelp has offered online counseling through several websites, including BetterHelp, MyTherapist, Teen Counseling, Faithful Counseling, Pride Counseling, iCounseling, Regain, and Terappeuta, which are all included in the refund program.

    Consumers who have questions about the refund process should contact the independent refund administrator, at 1-833-637-4774 or via email at [email protected]. The Commission never requires people to pay money or provide sensitive financial information to get a refund.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2023, FTC actions led to $324 million in refunds to consumers across the country.

  • FTC Finalizes Order with InMarket Prohibiting It from Selling or Sharing Precise Location Data

    The Federal Trade Commission finalized a settlement with digital marketing and data aggregator InMarket Media over allegations the company unlawfully collected and used consumers’ location data for advertising and marketing.

    In a complaint announced in January 2024, the FTC alleged that InMarket collects location information about consumers from a variety of sources, including its own apps and from third-party apps that incorporate its software development kit (SDK). InMarket combines this location information with other data to help target advertising based on consumers’ behavior. The FTC charged that InMarket failed to fully inform consumers about how their location data—which can include sensitive information about where they live, work and worship—would be used and that it would be combined with other data about those users for targeted advertising. It also failed to ensure that third-party apps that use its SDK obtained informed consent from consumers.

    Under the order with InMarket, the company will be prohibited from selling, sharing or licensing any precise location data and any product or service that categorizes or targets consumers based on sensitive location data. Other provisions require the company to: delete or destroy all the location data it previously collected and any products produced from this data unless it obtains consumer consent or ensures the data has been deidentified; provide a simple and easy-to-find way for consumers to withdraw their consent for the collection and use of their location data for InMarket apps and a mechanism to request deletion of any location data that InMarket previously collected; and create a sensitive location data program and privacy program.

    After receiving one comment, the Commission voted 3-0-2 to finalize the settlement with InMarket. Commissioners Melissa Holyoak and Andrew N. Ferguson did not vote on the matter.

  • FTC and FCC Sign Memorandum of Understanding on Continued Cooperation on Consumer Protection Issues

    The Federal Trade Commission and the Federal Communications Commission (FCC) have signed a Memorandum of Understanding (MOU) reiterating the agencies’ ongoing cooperation on consumer protection matters in response to the FCC’s decision last week to restore net neutrality by reclassifying broadband service as a Title II telecommunications service.

    “The FTC is squarely focused on protecting Americans from illegal business tactics, from tackling AI-enabled voice cloning fraud to fighting the scourge of robocalls. We look forward to continuing to work in close partnership with the FCC,” said FTC Chair Lina M. Khan. “Effective law enforcement requires targeting the upstream actors enabling unlawful conduct, and having the FCC as a partner here will be critical.”

    “Consumers do not want their broadband provider cutting sweetheart deals, with fast lanes for some services and slow lanes for others. They do not want their providers engaging in blocking, throttling, and paid prioritization,” said FCC Chairwoman Jessica Rosenworcel. “If consumers have problems, they expect the Nation’s expert authority on communications to be able to respond. Now we can. In partnership with our colleagues at the FTC, we will protect consumers and ensure internet openness, defend national security, and monitor network resiliency and reliability. I thank Chair Khan and her team for their leadership and cooperation in protecting consumers.”

    The MOU formalizes the existing cooperation between the agencies, outlining how the FTC and FCC will coordinate consumer protection efforts. The memorandum details methods by which the agencies will coordinate and share information and recognizes the agencies’ expertise in their respective jurisdictions.

    The MOU reiterates that the FTC would continue to have jurisdiction over non-common carrier activities carried out by common carriers and clarifies that the FCC order does not impact the FTC’s jurisdiction over Voice Over Internet Providers.

    The agencies have followed a similar MOU related to telemarketing enforcement issues since 2015. The MOU announced today will go into effect when the FCC’s net neutrality goes into effect.

  • FTC Finalizes Changes to the Health Breach Notification Rule

    The Federal Trade Commission today announced it has finalized changes to the Health Breach Notification Rule (HBNR) that will strengthen and modernize the rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health data.

    The HBNR requires vendors of personal health records (PHR) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third party service providers to vendors of PHRs and PHR related entities to notify such vendors and PHR related entities following the discovery of a breach.

    “Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”

    In May 2023, the FTC sought comment on proposed changes to the HBNR. After receiving approximately 120 comments from a broad range of individuals and stakeholders, the Commission has finalized changes to the rule, including:

    • Revising definitions: The Commission revised several definitions to underscore the final rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “covered health care provider” and “health care services or supplies”;
    • Clarifying breach of security: It clarifies that a “breach of security” under the final rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
    • Revising definition of PHR related entity: The definition of “PHR related entity” has been revised in two ways that pertain to the rule’s scope. The revised definition makes clear that the final rule covers entities that offer products and services through the online services, including mobile applications, of vendors of personal health records. It also makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;
    • Clarifying multiple sources of PHR identifiable health information: The final rule clarifies what it means for a personal health record to draw PHR identifiable health information from multiple sources;
    • Expanding use of electronic notification: The final rule authorizes the expanded use of email and other electronic means of providing clear and effective notice to consumers of a breach;
    • Expanding consumer notice content: The final rule expands the required content that must be provided in the notice to consumers. For example, the notice would be required to include the name or identity (or, where providing the full name or identity would pose a risk to individuals or the entity providing notice, a description) of any third parties that acquired unsecured PHR identifiable health information as a result of a breach of security;
    • Changing timing requirement: The final rule modifies when the FTC must be notified under the rule. For breaches involving 500 or more individuals, covered entities must notify the FTC at the same time they send notices to affected individuals, which must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security; and
    • Improving readability: The final rule also includes changes to improve the rule’s readability and promote compliance.

    The final rule will go into effect 60 days after its publication in the Federal Register.

    In addition to amending the HBNR, the FTC has recently taken action against companies for violating the HBNR, including GoodRx and Easy Healthcare (publisher of the Premom app).

    The Commission voted 3-2 to approve the publication of the final rule in the Federal Register with Commissioners Melissa Holyoak and Andrew N. Ferguson voting no. Chair Lina M. Khan along with Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a separate statement, while Commissioner Holyoak, joined by Commissioner Ferguson, issued a dissenting statement.

    The lead staffers who worked on this rule include Ryan Mehm and Ronnie Solomon with the FTC’s Bureau of Consumer Protection.

  • FTC Sends Refunds to Ring Customers Stemming from 2023 Settlement over Charges the Company Failed to Block Employees and Hackers from Accessing Consumer Videos

    The Federal Trade Commission is sending refunds totaling more than $5.6 million to consumers as the result of a settlement with Ring over charges the company allowed employees and contractors to access consumers’ private videos and failed to implement security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.

    In a complaint first announced in May 2023, the FTC says that Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using its customer videos to train algorithms without consent, and failing to implement security safeguards. These practices led to egregious violations of users’ privacy.

    The FTC is sending 117,044 PayPal payments to consumers who had certain types of Ring devices, such as indoor cameras, during periods when the FTC alleges unauthorized users may have had access to customer videos. Consumers should redeem their PayPal payment within 30 days.

    Consumers who have questions about their payment should contact the refund administrator, Rust Consulting, Inc., at 1-833-637-4884, or visit the FTC website to view frequently asked questions about the refund process. The Commission never requires people to pay money or provide account information to get a refund.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2023, FTC actions led to $324 million in refunds to consumers across the country.

  • FTC Announces Appointment of Dania L. Ayoubi as New Administrative Law Judge

    The Federal Trade Commission announced the appointment of Dania L. Ayoubi to serve as one of the agency’s Administrative Law Judges, who are responsible for independent adjudicative fact-finding in the agency’s administrative litigation and rulemaking proceedings.

    The Commission voted 3-0 in February 2024 to approve Ayoubi’s appointment as an Administrative Law Judge.

    Administrative Law Judge Ayoubi joins Chief Administrative Law Judge D. Michael Chappell and Administrative Law Judge Jay L. Himes, who came to the agency in March 2024. The Commission is expanding the number of administrative law judges to help handle an increased workload stemming from FTC rulemakings and enforcement matters as well as reviews of final civil sanctions imposed by the Horseracing Integrity and Safety Authority, a private nonprofit that the FTC oversees. 

    Ayoubi most recently served as an administrative law judge for the Maryland Office of Administrative Hearings, where she served with distinction. Ayoubi independently presided over hundreds of cases involving appeals of state administrative agency decisions, including complex matters in consumer protection and antitrust. Prior to that, she worked as senior counsel in the Consumer Financial Protection Bureau’s Office of Regulations and as an attorney advisor in the Federal Communications Commission’s Wireline Competition Bureau.

    She also served as a law clerk to the Honorable Eric T. Washington of the District of Columbia Court of Appeals and worked in the litigation practice group at Hughes Hubbard and Reed LLP. Ayoubi earned her undergraduate degree from Georgetown University and law degree from Georgetown University Law Center.

  • Proposed FTC Order will Prohibit Telehealth Firm Cerebral from Using or Disclosing Sensitive Data for Advertising Purposes, and Require it to Pay $7 Million

    Cerebral, Inc. has agreed to an order that will restrict how the company can use or disclose sensitive consumer data and require it to provide consumers with a simple way to cancel services, to settle Federal Trade Commission charges that the telehealth firm failed to secure and protect sensitive health data.

    Under the proposed order, filed by the Department of Justice upon notification and referral from the FTC, Cerebral will also be required to pay more than $7 million over charges that it disclosed consumers’ sensitive personal health information and other sensitive data to third parties for advertising purposes and failed to honor its easy cancellation promises. The order must be approved by the court before it can go into effect.

    “As the Commission’s complaint lays out, Cerebral violated its customers’ privacy by revealing their most sensitive mental health conditions across the Internet and in the mail,” said FTC Chair Lina M. Khan. “To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes.”

    Cerebral provides online mental health and related services on a negative option basis, which means consumers are automatically charged unless they cancel those services. Consumers who sign up and use the company’s services provide detailed personal data including their home and email addresses, birthdates, medical and prescription histories, payment account or driver license numbers, as well as information about their treatment plans, pharmacy and health insurance plans, and other personal data, such as their religious or political beliefs, or sexual orientation.

    The complaint charges that Cerebral and its former CEO, Kyle Robertson, repeatedly broke their privacy promises to consumers and misled them about the company’s cancellation policies. The complaint also charges that Cerebral and Robertson violated the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA) by engaging in unfair and deceptive practices with respect to substance use disorder treatment services.

    To get consumers to sign up for the company’s services and provide detailed personal data, the company claimed it offered “safe, secure, and discreet” services and that users’ data would be kept confidential, according to the complaint. The complaint charges that Cerebral failed to clearly disclose that it would be sharing consumers’ sensitive data with third parties for advertising and buried disclaimers about its data sharing practices in dense privacy policies. In fact, according to the complaint, the company claimed in many instances that it would not share users’ data for marketing purposes without obtaining consumers’ consent. The complaint alleges that these practices originated under the direction of its former CEO, Robertson, and continued after his tenure.

    Specifically, the complaint charges that Cerebral provided sensitive information of nearly 3.2 million consumers to third parties such as LinkedIn, Snapchat and TikTok by using or integrating tracking tools on its website or apps. These tracking tools collect and send data to third parties so they can provide advertising, data analytics, or other services to the owner of the websites or apps. Through the use of tracking tools, Cerebral gave third parties personal data about its users including names; medical and prescription histories; home and email addresses; phone numbers; birthdates; demographic information; IP addresses; pharmacy and health insurance information; and other health information, according to the complaint.

    The complaint says that Cerebral, and Robertson, while he was CEO, also failed to deploy adequate safeguards for the sensitive data collected from consumers and engaged in sloppy security practices. As described in the complaint, Cerebral’s practices included:

    • Engaging in Careless Marketing: Cerebral sent out promotional postcards, which were not in envelopes, to over 6,000 patients that included their names and language that appeared to reveal their diagnosis and treatment to anyone who saw the postcards;
    • Allowing Former Employees to Access User Data: From May to December 2021, the company failed to block former employees from accessing confidential electronic medical records of Cerebral patients. It also failed to ensure providers only accessed their patients’ records;
    • Using Insecure Access Methods: The company used a single sign-on method for accessing its patient portal that in numerous instances exposed confidential medical files and patient information such as diagnoses, medications, email addresses, and phone numbers, to other patients when those users signed onto the portal at the same time; and
    • Failing to Implement Adequate Policies and Training: The company failed to restrict access to consumer data to only those employees who needed it, implement proper procedures and training related to the handling of sensitive data, and develop and implement adequate information security standards, policies, and procedures.

    In addition to its privacy and data security failures, the complaint alleges that Cerebral also violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to clearly disclose all material terms of Cerebral’s cancellation policies before charging consumers. Despite promising that consumers could “cancel anytime,” Cerebral required its clients to navigate a complex, multi-step, and often multi-day process to cancel. The complaint alleges that the company continued to charge consumers while it slow-walked consumers’ cancellation requests, which cost consumers millions in additional charges. When it first implemented an easier cancellation button in April 2020, the company removed it after only two weeks at Robertson’s direction after seeing cancellations rise, according to the complaint.

    The proposed order, which must be approved by a federal court before it can go into effect, only applies to Cerebral. Robertson has not agreed to a settlement, and the charges against him will be decided by the court.

    Under the proposed order, Cerebral will pay nearly $5.1 million, which will be used to provide partial refunds to consumers impacted by its deceptive cancellation practices, as well as a $10 million civil penalty, which will be suspended after a $2 million penalty payment due to the company’s inability to pay the full amount. The proposed order also will:

    • Permanently ban Cerebral from using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes, and generally require the company to obtain consumers’ consent before disclosing such information to outside parties;
    • Prohibit the company from misrepresenting its privacy and data security practices;
    • Require the company to implement a comprehensive privacy and data security program that, among other things, addresses the specific problems outlined in the complaint;
    • Require the company to post a notice on its website alerting users to the allegations outlined in the complaint and detail the steps it is required to take under the order;
    • Require the company to implement a data retention schedule and to delete most consumer data not used for treatment, payment, or health care operations unless consumers consent to its retention, and provide consumers with a clear mechanism to request that their data be deleted; and
    • Prohibit the company from misrepresenting any negative option and cancellation policies or practices and also require it to provide consumers with an easy method to cancel services.

    The Commission voted 3-0 to refer the complaint against Cerebral and Robertson and a stipulated final order with Cerebral to the Department of Justice for filing. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Southern District of Florida.

    NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

    FTC’s lead attorneys on this matter are Joshua Millard and Christopher Erickson in the FTC’s Bureau of Consumer Protection.

  • FTC Finalizes Order with X-Mode and Successor Outlogic Prohibiting it from Sharing or Selling Sensitive Location Data

    The Federal Trade Commission has finalized an order prohibiting data broker X-Mode and its successor Outlogic from sharing or selling any sensitive location data to settle allegations that the company sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics and places of worship.

    In a complaint first announced in January 2024, the FTC charged that X-Mode/Outlogic failed until May 2023 to remove sensitive locations from the raw location data it sold and did not implement reasonable or appropriate safeguards against downstream use of the precise location data it sold, putting consumers’ sensitive personal information at risk.

    In addition to the ban on selling or sharing sensitive location data, the order also imposes several other requirements on X-Mode/Outlogic including mandating that it create a program to ensure it develops and maintains a comprehensive list of sensitive locations, and ensure it is not sharing, selling or transferring location data about such locations.

    It also must delete or destroy all the location data it previously collected and any products developed from this data unless it obtains consumer consent or ensures the data has been deidentified or rendered non-sensitive; develop a supplier assessment program to ensure that companies that provide location data to X-Mode/Outlogic are obtaining informed consent from consumers for the collection, use and sale of the data or stop using such information; implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQ+ people, with locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual; and establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.

    After receiving three comments on the proposed settlement, the Commission voted 3-0-2 to give final approval of the settlement with X-Mode/Outlogic. Commissioners Melissa Holyoak and Andrew N. Ferguson did not participate.

  • FTC Sends Refunds to Former AT&T Wireless Customers Who Were Subject to Data Throttling

    The Federal Trade Commission is sending partial refunds to consumers totaling nearly $6.3 million stemming from the FTC’s lawsuit against AT&T Mobility LLC for misleading customers about its unlimited data plans.

    The FTC’s $60 million settlement with AT&T, announced in 2019, resolved allegations that the wireless provider failed to adequately disclose to its unlimited data plan customers that, if they reach a certain amount of data use in a given billing cycle, AT&T would reduce—or “throttle”—their data speeds to the point that many common mobile phone applications, such as web browsing and video streaming, became difficult or nearly impossible to use. In 2020, as a result of the settlement, the company gave a bill credit to current AT&T customers and sent refund checks to former customers, which resulted in $52 million returned to consumers.

    The latest refunds are going to consumers who had not yet received a refund and filed a valid claim with the FTC.

    The FTC is sending 212,893 checks and 54,841 PayPal payments. Recipients should cash their checks within 90 days, as indicated on the check. Consumers who receive a PayPal payment should redeem their payment within 30 days.

    Consumers who have questions about their payment should contact the refund administrator, JND Legal Administration, at 877-654-1982, or visit the FTC website to view frequently asked questions about the refund process. The Commission never requires people to pay money or provide account information to get a refund.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2023, FTC actions led to $324 million in refunds to consumers across the country.

  • Alcohol Addiction Treatment Firm will be Banned from Disclosing Health Data for Advertising to Settle FTC Charges that It Shared Data Without Consent

    The Federal Trade Commission has taken action against an alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential.

    As part of a proposed order settling the FTC allegations, New York-based Monument, Inc. will be banned from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third parties for any other purpose.

    Despite Monument’s promises to keep users’ personal information private, the complaint, filed by the Department of Justice upon notification and referral from the FTC, alleges that Monument failed to ensure it was complying with its promises and in fact disclosed users’ health information to third-party advertising platforms, including highly sensitive data that revealed that its customers were receiving help to recover from their addiction to alcohol.

    “This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”

    New York-based Monument offers users, depending on membership levels that cost from $14.99 to $249 a month, access to online support groups, community forums, online therapy, and access to physicians who can prescribe medications that assist in treating alcohol addiction. The company collects personal information from consumers when they sign up for the service including their name, email addresses, date of birth, phone numbers, addresses, copies of their government issued IDs, and information about their alcohol consumption and medical history, as well as their IP addresses and device IDs when they start using the service.

    The complaint says that from 2020-2022, Monument claimed on its website and/or in other communications with consumers that users’ personal information would be “100% confidential” and that the company would not disclose such data to third parties without users’ consent. The company also claimed it complied with the Health Insurance Portability and Accountability Act (HIPAA), which protects health information held by entities covered by HIPAA and their business associates, when in fact an outside assessor hired by the company found that it had not fully complied with HIPAA’s requirements.

    According to the complaint, the company contradicted its privacy promises. From 2020-2022, the company allegedly disclosed users’ personal information, including their health information, to numerous third-party advertising platforms via tracking technologies, known as pixels and application programming interfaces (APIs), which Monument integrated into its website. Monument used the information to target ads for its services to both current users who subscribe to the lowest cost memberships and to target new consumers, according to the complaint.

    Monument used these pixels and APIs to track “standard” and “custom events,” meaning instances in which consumers interacted with Monument’s website. The FTC says that Monument gave the custom events descriptive titles that revealed details about its users such as “Paid: Weekly Therapy” or “Paid: Med Management,” when a user signed up for a service. Monument disclosed this custom events information to advertising platforms along with users’ email addresses, IP addresses, and other identifiers, which enabled third parties to identify the users and associate the custom events with specific individuals, according to the complaint.

    Monument disclosed information of as many as 84,000 users, though it did not have a precise number because it did not adequately track or inventory the personal information it collected and disclosed to third-party advertising platforms like Meta, according to the complaint.

    The complaint alleges that these practices violated the FTC Act’s prohibition against unfair and deceptive practices and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), which prohibits deceptive acts or practices with respect to any substance use disorder treatment service or substance use disorder treatment product.

    In addition to the ban on sharing data with third parties for advertising, the proposed order with Monument, which must be approved by a federal court before it can go into effect, also prohibits the company from misrepresenting its data collection and disclosure practices and imposes a $2.5 million civil penalty for violating OARFPA, which will be suspended due to the company’s inability to pay. If the company is found to have misrepresented its finances, it will be required to pay the full amount. Other provisions of the proposed order require Monument to:

    • Seek deletion of data: Monument must identify all the user data it shared with third parties and direct those third parties to delete the personal data that was shared with them.
    • Inform Consumers: Monument must inform consumers who have yet to be notified by the company about the disclosure of their health information to third parties for advertising.
    • Implement Mandated Privacy Program: Monument must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data and address the issues the FTC identified in its complaint. The program must include limits on how long Monument can retain personal and health information according to a data retention schedule.

    The Commission voted 3-0 to refer the complaint and stipulated final order to the Department of Justice for filing. The DOJ filed the complaint and stipulated order in the U.S. District Court for the District of Columbia.

    NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

    The lead staffers on this matter were Elisa Jillson and Robin Rosen Spector in the FTC’s Bureau of Consumer Protection.

  • FTC Announces Winners of Voice Cloning Challenge

    The Federal Trade Commission has chosen four winning submissions for its Voice Cloning Challenge to promote the development of ideas to protect consumers from the misuse of artificial intelligence-enabled voice cloning for fraud and other harms.

    “Tapping American ingenuity is critical to solving big abuses like deceptive voice cloning,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “When it comes to AI-driven fraud, the FTC will continue using every tool to deter harmful practices, shut down bad actors, and spur innovative proposals to help protect consumers.”

    “We’re recognizing people who are pushing science forward and proposing different options to ensure a robust landscape of solutions,” said Stephanie T. Nguyen, the FTC’s Chief Technologist. “These exciting solutions show that a multi-disciplinary approach is necessary to prevent the harms posed by voice cloning.”

    The panel of judges—Princeton Computer Science Professor Arvind Narayanan, Britt Paris, assistant professor at Rutgers University’s School of Communication & Information, and Beau Woods, CEO of Stratigos Security and a Cyber Safety Innovation Fellow with the Atlantic Council—chose three top submissions from individuals and small organizations, who will split a total of $35,000 in prize money. They are:

    • AI Detect: The submission from David Przygoda and Dr. Carol Espy-Wilson from the small organization OmniSpeech is aimed at consumer and enterprise apps and devices and would use AI to detect AI. It utilizes AI algorithms to distinguish the subtle differences between genuine and synthetic voice patterns.
    • DeFake: Submitted by Ning Zhang, an Assistant Professor in the Department of Computer Science and Engineering at Washington University in St. Louis, this proposal uses a form of watermarking. Given that voice cloning relies on the use of pre-existing speech samples to clone a voice, which are generally collected from social media and other platforms, the proposal calls for adding carefully crafted distortions to voice samples that are imperceptible to the human ear, but that make it more difficult to accurately clone.
    • OriginStory: Submitted by Dr. Visar Berisha, Drena Kusari, Dr. Daniel W. Bliss, and Dr. Julie M. Liss of the small organization OriginStory, this technology aims to authenticate the human origin of voice recordings at the point of creation. It uses off-the-shelf sensors already integrated into many devices to simultaneously measure speech acoustics and the co-occurring biosignals in the throat and mouth that a person uses when speaking to validate the human origin and embed this authentication as a type of watermark into the audio stream.

    The fourth winning submission is from a large organization, Pindrop Security, which received the Recognition Award. The Pindrop team was comprised of Elie Khoury, Anthony Stankus, Ketuman Sardesai, and Amanda Braun. Pindrop’s Voice Cloning Detection technology detects voice clones and audio deepfakes in real time. The technology evaluates each incoming phone call or digital audio in two-second chunks and flags those that are potential deep fakes. (Large organizations were not eligible for monetary prizes.)

    The four winning submissions demonstrate the potential for cutting edge technology to help mitigate risks of voice cloning in the marketplace. They promote innovative approaches on which key consumer protections can be built. At the same time, the results of the challenge highlight that there is no single solution to this problem. Given this, in addition to the Voice Cloning Challenge, the FTC also has proposed a comprehensive ban on impersonation fraud, and has affirmed that the Telemarketing Sales Rule applies to AI-enabled scam calls. 

    This is the sixth challenge the FTC has launched under the America COMPETES Act aimed at spurring the development of innovative solutions to complex consumer protection issues. Voice cloning technology offers potential benefits by, for example, providing new ways for those who have impaired speech to communicate in their own voice with the help of technology. But it also poses significant risks to consumers and has been utilized by scammers to impersonate others. For example, scammers have used voice cloning technology to impersonate business executives in order to fraudulently obtain money or valuable information.

    The lead FTC staffers on this matter are James Evans and Christine Barker from the FTC’s Bureau of Consumer Protection and Amritha Jayanti and Ben Swartz from the FTC’s Office of Technology.

  • FTC Denies Application for New Parental Consent Mechanism Under COPPA

    The Federal Trade Commission has denied an application, without prejudice, by the Entertainment Software Rating Board, Yoti, and SuperAwesome for Commission approval of a new mechanism for obtaining parental consent under the Children’s Online Privacy Protection Rule (COPPA Rule).

    The applicants in 2023 requested approval for the use of “Privacy-Protective Facial Age Estimation” technology, which analyzes the geometry of a user’s face to confirm that they are an adult.

    Under the COPPA Rule, online sites and services directed to children under 13, and those that have actual knowledge they are collecting personal information from children under 13, must obtain parental consent before collecting, using, or disclosing personal information from a child. The rule lays out a number of acceptable methods for gaining parental consent but also includes a provision allowing interested parties to submit new verifiable parental consent methods to the Commission for approval.

    After receiving more than 350 comments, the Commission voted 4-0 to deny the application without prejudice to the applicants filing in the future, when the Commission anticipates that additional information will be available to assist the Commission and the public in better understanding age verification technologies and the application. In declining the application at this time, the Commission is taking no position on the merits of the application.

  • FTC Releases 2023 Privacy and Data Security Update

    The Federal Trade Commission released its Privacy and Data Security Update for 2023 that highlights the FTC’s work to protect consumer privacy and respond to the evolving ways that companies use consumer data such as in the development of artificial intelligence models and misuse of health data.

    “The FTC is taking bold actions to challenge the indiscriminate collection and monetization of consumers’ data,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We are securing meaningful remedies to protect consumers’ information, rather than placing the burden on consumers to protect themselves.”

    The publication highlights the FTC’s privacy and data security work in the last few years. Through 2023, the FTC has brought 97 privacy cases and 169 Telemarketing Sales Rule and CAN-SPAM cases since 1999, as well as 89 data security cases. In addition to its law enforcement work, the agency also has engaged in rulemaking and policy work to push companies to bolster privacy protections for consumers and implement safeguards to secure consumer data.

    Between 2021 and 2023, the FTC has taken action to address privacy and security threats in several key areas including:

    • Artificial Intelligence: The FTC has brought a number of enforcement actions related to the collection, retention, or use of consumers’ personal information to develop or deploy machine learning or similar algorithms. For example, the FTC alleged that Amazon Alexa violated the Children’s Online Privacy Protection Act (COPPA) by indefinitely retaining children’s voice recordings, which it used to improve its speech recognition algorithm. Last year, the agency also brought a case against Rite Aid over charges it failed to take reasonable steps to ensure that the AI facial recognition technology it deployed in its retail stores did not erroneously flag people as shoplifters or other wrongdoers.
    • Health Privacy: Protecting the privacy and security of consumers’ sensitive health information has long been a top FTC priority. Last year, the FTC gave final approval to an order banning BetterHelp, an online counseling service, from sharing sensitive health data for advertising with Facebook and other third parties and requiring it to pay $7.8 million to provide partial refunds to consumers. Also in 2023, the FTC banned GoodRx from sharing sensitive health data with applicable third parties for advertising and also required the company to pay a civil penalty for violating the Health Breach Notification Rule, the agency’s first action under the rule.
    • Children’s privacy: The FTC also has worked vigorously to protect children’s privacy through its enforcement of COPPA. In addition to the FTC’s action against Amazon, the agency has brought several other COPPA-related actions including cases involving major gaming companies and education technology providers. For example, the FTC obtained a record $275 million penalty against Fortnite maker Epic Games, which also was required to adopt strong privacy default settings for both children and teens and other protections, and brought an action against ed tech provider Edmodo for using children’s personal information for advertising in violation of COPPA and outsourcing its responsibilities under COPPA to schools. In late 2023, the FTC also proposed key changes to strengthen and update the COPPA Rule that would further limit the ability of companies to condition access to services on monetizing children’s data.
    • Geolocation Data: As with health data, location data can reveal highly sensitive information about people by tracking their visits to such places as reproductive health clinics, houses of worship, and domestic violence shelters. Given this, the FTC has taken action to protect such data. In 2022, the FTC sued data broker Kochava Inc. for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.

    The FTC also has remained active in targeting companies that fail to implement reasonable data security measures to protect consumer data. In 2022 and 2023 alone, the FTC announced or finalized enforcement actions against Global Tel*Link, Drizly, Chegg, and CafePress for data security failures.

    The agency also has worked to ensure companies comply with the Fair Credit Reporting Act, which sets out requirements for companies that use data to determine creditworthiness, insurance eligibility, suitability for employment, and to screen tenants. The FTC has brought 117 FCRA cases and obtained more than $137 million in civil penalties. This includes a 2023 action that the FTC and Consumer Financial Protection Bureau brought against Trans Union LLC and a subsidiary for failing to ensure the accuracy of tenant screening reports by including inaccurate and incomplete eviction records about consumers, hampering their ability to obtain housing.

    In addition to vigorous enforcement, the FTC has engaged in rulemaking and other policy work to establish baseline standards that protect consumers’ privacy. In the past few years, the Commission has proposed rules to clarify the applicability of the Health Breach Notification Rule to health apps, and strengthen COPPA. It has also issued an advanced notice of proposed rulemaking to explore rules that would crack down on harmful surveillance and lax data security, and published a policy statement that makes clear that it is against the law for companies to force parents and schools to surrender their children’s privacy rights to be able to learn remotely.

    The lead staffer on this update was Katherine McCarron in the FTC’s Bureau of Consumer Protection.

  • FTC, Canadian Law Enforcement Agencies Cooperate on Public Outreach to Combat Cross-Border Fraud

    As it celebrates Fraud Prevention Month, the Federal Trade Commission is joining with consumer protection and law enforcement agencies from the United States and Canada to engage in public outreach aimed at combatting fraud.

    The agencies make up a working group of law enforcement agencies, known as the Quebec Strategic Partnership, who partner to identify and combat cross-border fraud, such as imposter, investment, and prize winnings scams. The partnership’s collaboration includes sharing intelligence, complaints, and other relevant material, and providing investigative assistance.

    Along with the FTC, the partnership also includes the Canada Competition Bureau, the partnership’s current chair, as well as the U.S. Postal Inspection Service, U.S. Secret Service, Canadian Anti-Fraud Centre, Canada Post, Canada Revenue Agency, and several local police departments in Quebec.

    In addition to cooperating on enforcement, the partnership’s participants are coordinating on initiatives and consumer education aimed at preventing consumers from being scammed. This includes boosting outreach to local community groups such as those that serve immigrants and small businesses on how to spot and protect against fraud and using a variety of media platforms to promote ways to avoid investment, tax and package delivery scams.  

    “The Federal Trade Commission values its cross-border partnerships with Canada and welcomes this month’s efforts to help the public avoid scams, protect against identity theft, and report fraud,” said Maria Coppola, Director of the FTC’s Office of International Affairs. “We highlight our guidance for all communities including our new help in multiple languages and resources for new immigrants and refugees.”

    “Fraud continues to reach unprecedented levels in Canada. With more than a billion dollars in losses reported to the Canadian Anti-Fraud Centre (CAFC) over the past two years, it is safe to say that the social and financial harms caused by these cyber-enabled frauds pose a significant threat to Canadians and the economic integrity of Canada,” said Jeff Thomson, Acting Officer in Charge of the Canadian Anti-Fraud Centre. “As technology advances and new forms of fraud emerge, it is crucial for Canadians to train themselves and exercise fraud safety in order to adopt best practices for protecting themselves against fraud. Throughout the month of March, the CAFC will be promoting awareness on the evolution of fraud and providing support to Canadians to develop good habits so they can Recognize, Reject and Report Fraud.”

    “The U.S. Postal Inspection Service is proud to be a member of the Quebec Strategic Partnership and of all the collaborative work the partnership has done and will accomplish in the future,” said Chief Postal Inspector, Gary Barksdale, United States Postal Inspection Service.

    In 2023, Canadian consumers submitted the second highest number of reports to the FTC from outside the United States about fraud. These include complaints about online shopping, investment scams and business imposters including tech support scams.

    Last year, the FTC announced a new initiative allowing consumers to submit reports via phone about fraud or other consumer problems in multiple languages. The agency also provides consumer advice in about a dozen different languages including French, which along with English are the two official languages of Canada.

  • FTC Announces Tentative Agenda for March 21 Open Commission Meeting

    Today, Federal Trade Commission Chair Lina M. Khan announced that an open meeting of the Commission will be held virtually on Thursday, March 21, 2024. The open meeting will commence at 11am ET and will begin with time for members of the public to address the Commission.

    The following items will be on the tentative agenda for the March 21 Commission meeting:

    Business Before the Commission:

    Presentation on the Telemarketing Sales Rule Amendments:

    Staff of the Division of Marketing Practices will give a presentation on the Commission’s finalization of an amendment to the Telemarketing Sales Rule (TSR), prohibiting misrepresentations in business-to-business telemarketing calls and requiring more robust record-keeping, and the Commission’s decision to issue a notice of proposed rulemaking seeking to amend the TSR to apply its protections to inbound telemarketing calls selling technology support services. 

    Supply Chain Report:

    The Commission will discuss a report on the causes behind supply chain disruptions. The report will summarize FTC staff findings concerning how supply chain disruptions are affecting consumer goods suppliers and retailers, with a focus on whether disruptions disproportionately affect smaller retailers and other areas of competitive interest. The report stems from orders the FTC issued in late 2021 to nine large retailers, wholesalers, and consumer good suppliers.

    At the start of the meeting, Chair Khan will offer brief remarks and will then invite members of the public to share feedback on the Commission’s work generally and bring relevant matters to the Commission’s attention. Members of the public must sign up for an opportunity to address the Commission virtually at the March 21 event.

    Each commenter will be given two minutes to share their comments. Those who cannot participate during the event may submit written comments or a link to a prerecorded video through a webform. Speaker registration and comment submission will be available through Tuesday, March 19, 2023 at 8 pm ET.

    A link to the event will be available on the day of the event, shortly before the meeting starts via FTC.gov. The event will be recorded, and the webcast and any related comments will be available on the Commission’s website after the meeting. The Commission retains discretion to make public comments available following the event on ftc.gov.

  • Tech Support Firms Will Pay $26 Million to Settle FTC Charges That They Deceived Consumers into Buying Repair Services

    Two tech support companies will pay $26 million to settle Federal Trade Commission charges that they bilked tens of millions of dollars from consumers, particularly older consumers, by duping them into buying computer repair services in violation of the FTC Act and the Telemarketing Sales Rule.

    In a complaint filed in federal court, the FTC charged that Restoro Cyprus Limited and Reimage Cyprus Limited, both based in Cyprus, tricked consumers into signing up for computer repair services through deceptive marketing.

    “These companies used scare tactics and lies about threats to consumers’ personal computers to bilk consumers, particularly older consumers, out of tens of millions of dollars,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We have taken decisive action to halt this scheme and return money to consumers.”

    Consumers were lured or alarmed by fake Microsoft Windows pop-ups, which stated that the consumers’ computer or system was infected with viruses and urged consumers to “scan” their computers “To avoid more damage.” The FTC charges that, regardless of the actual health of the consumers’ computers, the companies’ scans typically identified purported serious issues that needed immediate attention.

    [Image: Screenshot of a fake Microsoft Windows pop-up.]

    Following the scans, the companies urged consumers to purchase their software online to “fix” the alleged problems or remove alleged viruses and malware, according to the complaint. The software’s cost typically ranged from $27 to $58.

    After purchasing the software, consumers were provided a number to call to “activate” the software. Thereafter, Restoro and Reimage telemarketers attempted to sell additional services by accessing consumers’ computers and misrepresenting that routine computer errors and messages were signs of malware, viruses or other problems. The companies’ telemarketers routinely claimed that the “problems” on consumers’ computers could not be fixed with the newly purchased software alone and required help from a Restoro or Reimage technician, which cost hundreds of dollars more, according to the complaint.

    Under the proposed order, which must be approved by a federal court before it goes into effect, Restoro and Reimage will be required to pay $26 million, which the FTC intends to use to provide redress to deceived consumers. The proposed order also prohibits Restoro and Reimage from misrepresenting security or performance issues or any other material issues related to the sale, marketing or distribution of any product or service, and from engaging in deceptive telemarketing.

    The Commission voted 3-0 to authorize the staff to file the complaint and stipulated final order.

    The FTC filed the complaint and stipulated order in the U.S. District Court for the District of Columbia.

    NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

    The lead staffers on this matter are Russell Deitch, Sung W. Kim and Frances Kern in the FTC’s Bureau of Consumer Protection.

  • FTC and DOJ File Comment with the U.S. Copyright Office Supporting Renewal and Expansion of Exemptions Facilitating Consumers’ and Businesses’ Right to Repair Their Own Products

    The Federal Trade Commission and the Department of Justice’s Antitrust Division (DOJ) have submitted a comment to the U.S. Copyright Office to advocate for regulations that would facilitate consumers’ and businesses’ right to repair their own products.

    The FTC-DOJ submitted the comment as the Copyright Office considers whether to recommend that the Librarian of Congress renew and expand temporary exemptions to the Digital Millennium Copyright Act’s (DMCA) prohibition against the circumvention of technology protection measures that control access to copyrighted content.

    In their comment, the FTC and DOJ said that renewing and expanding repair-related exemptions would promote competition in markets for replacement parts, repair, and maintenance services, as well as facilitate competition in markets for repairable products. Promoting competition in repair markets benefits consumers and businesses by making it easier and cheaper to fix things they own. Expanding repair exemptions can also remove barriers that limit the ability of independent service providers—including small businesses and entrepreneurs—to provide repair services.

    Manufacturers use technology protection measures to protect copyrighted works from theft and infringing uses, but these software locks can also be used to prevent non-infringing third-party repair, according to the FTC-DOJ comment. For example, such measures can restrict access to computer maintenance hardware and software programs, leaving only original equipment manufacturers able to do maintenance and repair work. In their comment, the FTC and DOJ say that by limiting access to the data and software needed for independent repair and maintenance, these technology protection measures can be used to squash competition for replacement parts, repair, and maintenance, which ultimately limits consumers’ and businesses’ choices and raises costs.

    The FTC has been active in opposing repair restrictions for decades going back to its early support for the Magnuson Moss Warranty Act, which bars manufacturers from voiding warranties if consumers use third-party replacement parts or independent repair shops. More recently, the FTC held a Nixing the Fix workshop in 2019 that focused on repair restrictions, issued a report in 2021 based on input provided at the workshop, and released a policy statement in mid-2021 pledging to vigorously enforce the law to combat repair restrictions that violate antitrust and consumer protection laws. The FTC also secured settlements in 2022 making it easier and cheaper to repair grills, motorcycles, and outdoor power equipment. In addition, the agency has voiced support for state efforts to ensure consumers can repair their own products including testifying before state legislatures in California and Colorado.

    Some manufacturers claim repair restrictions are necessary to protect repair workers and consumers or reduce cybersecurity risks. In its Nixing the Fix report, however, the FTC found little evidence to support such claims.

    In their joint comment, the FTC and DOJ expressed support for renewing, expanding, and adding some specific DMCA exemptions. The agencies support renewing the current exemption related to computer programs that control devices designed primarily for use by consumers for diagnosis, maintenance, or repair of the device and expanding it to include commercial and industrial equipment. In addition, they also support renewing an exemption related to the repair of motor vehicles and granting a new exemption to allow vehicle owners or independent repair shops to access, store, and share vehicle operational data.

    The Commission voted 3-0 to approve filing of the joint comment.

  • FTC Announces Appointment of Jay L. Himes as New Administrative Law Judge

    The Federal Trade Commission announced the appointment of Jay L. Himes to serve as one of the agency’s Administrative Law Judges, who are responsible for independent adjudicative fact-finding in the agency’s administrative litigation and rulemaking proceedings.

    The Commission voted 3-0 in December 2023 to approve the appointment of Himes as an Administrative Law Judge.

    Himes joins Administrative Law Judge D. Michael Chappell. The Commission is expanding the number of administrative law judges to help handle an increased workload stemming from FTC rulemakings and enforcement matters as well as reviews of final civil sanctions imposed by the Horseracing Integrity and Safety Authority, a private nonprofit that the FTC oversees. 

    Himes most recently served as special litigation counsel for the Office of the Attorney General for New York and previously served as chief of the office’s antitrust bureau. Himes also served in private practice including as a partner and co-chair of the antitrust group at Labaton Sucharow LLP, as counsel and associate at Paul, Weiss, Rifkind, Wharton & Garrison, and as a litigation member at Snow, Becker, Kroll, Klaris & Krauss, P.C.

    An experienced and highly respected litigator, Himes was selected by Judge William Orrick III of the United States District Court for the Northern District of California as a court-appointed monitor in the successfully challenged anticompetitive merger case of United States v. Bazaarvoice, Inc. Himes earned his undergraduate and law degrees from the University of Wisconsin.

  • Federal Trade Commission, the Department of Justice and the Department of Health and Human Services Launch Cross-Government Inquiry on Impact of Corporate Greed in Health Care

    The Federal Trade Commission, the Department of Justice’s (DOJ) Antitrust Division, and the U.S. Department of Health and Human Services (HHS) jointly launched a cross-government public inquiry into private-equity and other corporations’ increasing control over health care.

    Private equity firms and other corporate owners are increasingly involved in health care system transactions, and, at times, those transactions may lead to a maximizing of profits at the expense of quality care. The cross-government inquiry seeks to understand how certain health care market transactions may increase consolidation and generate profits for firms while threatening patients’ health, workers’ safety, quality of care, and affordable health care for patients and taxpayers.

    The agencies issued a Request for Information (RFI) requesting public comment on deals conducted by health systems, private payers, private equity funds, and other alternative asset managers that involve health care providers, facilities, or ancillary products or services. The RFI also requests information on transactions that would not be reported to the Justice Department or FTC for antitrust review under the Hart-Scott-Rodino Antitrust Improvements Act.

    “When private equity firms buy out healthcare facilities only to slash staffing and cut quality, patients lose out,” said FTC Chair Lina M. Khan. “Through this inquiry the FTC will continue scrutinizing private equity roll-ups, strip-and-flip tactics, and other financial plays that can enrich executives but leave the American public worse off.”

    “Preserving competition in health care markets is a priority for the Department of Justice because of its important impact on the health and well-being of Americans,” said Assistant Attorney General Jonathan Kanter of the Justice Department’s Antitrust Division. “This RFI will enable the agencies to accurately understand the modern market realities of the health care industry and forcefully enforce the law against unlawful deals. Hearing from patients, workers, and market participants will be critical in developing future enforcement and policy efforts relating to consolidation in the health care sector.”

    “Increasing competition in health care markets gives people more choices. Competition helps ensure patients have access to high-quality, lower cost care, and that health care workers receive higher pay and work under better conditions. And it saves taxpayers money,” said Health and Human Services Secretary Xavier Becerra. “We need to do more to understand the impact of private equity and corporate dealmaking on our policymaking, regulatory decisions and enforcement actions. The Biden-Harris Administration is committed to improving transparency and competition in health care.”

    Research has shown that competition in health care provider and payer markets promotes higher quality, lower cost health care, greater access to care, increased innovation, higher wages, and better benefits for health care workers. Comments submitted in response to the joint RFI will inform the agencies’ enforcement priorities and future action, including potential regulations aimed at promoting and protecting competition in health care markets and ensuring appropriate access to quality, affordable health care items and services.

    The agencies’ RFI builds upon the Centers for Medicare & Medicaid Services’ recent RFI on Medicare Advantage and an RFI issued by the FTC and HHS on how pharmaceutical middleman groups may be contributing to drug shortages. The RFI issued today stems from a December 2023 announcement outlining efforts by the DOJ, FTC and HHS to lower health care and drug costs, while promoting competition to benefit patients and health care workers.

    In addition to the launch of the RFI, all three agencies will also be participating today in a virtual public workshop that will explore the impact of private equity in health care and will discuss what the federal government is doing to address any harmful effects.

    All market participants—including patients, consumer advocates, doctors, nurses, health care providers and administrators, employers, insurers, and more—are invited to share their comments in response to the RFI. The agencies seek comments on a variety of transactions, including those involving dialysis clinics, nursing homes, hospice providers, primary care providers, hospitals, home health agencies, home- and community-based services providers, behavioral health providers, as well as billing and collections services.

    The public will have 60 days to submit comments at Regulations.gov, no later than May 6, 2024. Once submitted, comments will be posted to Regulations.gov.

  • FTC Testifies in Support of Colorado’s Right-to-Repair Law

    The Federal Trade Commission today appeared before the Colorado General Assembly’s Committee on Business Affairs and Labor in support of proposed legislation that would expand the state’s right-to-repair laws to digital electronic equipment and would address a particular type of repair restriction known as parts pairing.

    Manufacturers engage in parts pairing when they require owners and independent repair providers to obtain the manufacturer’s approval before replacement parts can be fully integrated into a device.

    Appearing on behalf of the FTC, Christine M. Todaro, an attorney in the Commission’s Bureau of Consumer Protection, outlined the FTC’s work to address repair restrictions, which can drive up the cost to fix items or drive consumers to purchase new items, according to the FTC’s testimony. It also detailed key takeaways from the agency’s May 2021 “Nixing the Fix” report to Congress on repair restrictions. Some of the main types of repair restrictions analyzed in the report include manufacturers’ efforts to impede owners’ and independent repair providers’ access to spare parts, diagnostic tools, and repair instructions—the types of repair restrictions addressed by the Colorado General Assembly’s proposed legislation, HB 24-1121.

    Manufacturers often defend repair restrictions—including parts pairing—by claiming that the restrictions are needed to protect consumers and repair workers and prevent cybersecurity risks. The FTC’s Nixing the Fix report debunked such claims, however, finding that there is scant evidence to support manufacturers’ justifications for repair restrictions.

    As stated in its testimony, the FTC supports HB 24-1121 because it protects Colorado consumers’ access to cost-effective repairs and advances the numerous benefits that flow from increased competition in repair markets.

    The Commission voted 3-0 to approve the testimony before the Colorado General Assembly Committee.

    Agency officials have expressed support for other proposed state legislation tackling the issue of parts pairing. Earlier this week, Samuel Levine, Director of the FTC’s Bureau of Consumer Protection and Hannah Garden-Monheit, Director of the FTC’s Office of Policy and Planning, issued a letter supporting proposed right-to-repair legislation in Oregon. 

  • FTC Announces Agenda for 2024 PrivacyCon

    The Federal Trade Commission today announced the tentative agenda for its annual PrivacyCon event, which will take place virtually on March 6, 2024 and feature discussions on a variety of privacy and data security research.

    PrivacyCon 2024 will include remarks from FTC Chair Lina M. Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya. The event will feature seven panel discussions on research topics including:

    • Consumer attitudes and behaviors;
    • The economics of privacy;
    • Privacy-enhancing technologies and design analysis; 
    • Health privacy;
    • Artificial intelligence and machine learning;
    • Mobile device security; and
    • Deepfakes.

    Information about the panelists and PrivacyCon can be found on the event page. The event will begin at 9 a.m. ET and be live streamed on the FTC’s website, FTC.gov. A link to watch the event will be posted the morning of the event. Follow the conversation on Twitter/X using the hashtag: #PrivacyCon24.

  • FTC Finalizes Order with Global Tel*Link Over Security Failures that Led to Breach of Sensitive Data

    The Federal Trade Commission has finalized an order with prison communications provider Global Tel*Link Corp. and two of its subsidiaries settling charges they failed to secure sensitive data of hundreds of thousands of users and failed to alert all those affected by the incident.

    In a complaint first announced in November 2023, the FTC says that Virginia-based Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect sensitive personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing. Global Tel*Link waited approximately nine months to notify affected customers and only contacted 45,000 users—even though the breach may have affected hundreds of thousands of additional customers—that their personal data may have been compromised as a result of the data breach.

    Under the FTC’s order, Global Tel*Link and its two subsidiaries are prohibited from misrepresenting their data security practices and will be required to implement a comprehensive data security program that includes several requirements such as the deployment of “change management” measures to all of its systems to help reduce the risk of human error, use of multifactor authentication, and procedures to minimize the amount of data it collects and stores. Other provisions of the order include a requirement that Global Tel*Link notify users affected by the data breach who did not previously receive notice and provide them with credit monitoring and identity protection products. The order also requires Global Tel*Link and its two subsidiaries to notify users of future security incidents that trigger any federal, state, or local breach reporting requirements.

    After receiving one comment on the proposed order, the Commission voted 3-0 to finalize the complaint and order and to approve a response to the commenter.

  • FTC Order Will Ban Avast from Selling Browsing Data for Advertising Purposes, Require It to Pay $16.5 Million Over Charges the Firm Sold Browsing Data After Claiming Its Products Would Block Online Tracking

    The Federal Trade Commission will require software provider Avast to pay $16.5 million and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.

    In its complaint, the FTC says that Avast Limited, based in the United Kingdom, through its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent. The FTC also charges that Avast deceived users by claiming that the software would protect consumers’ privacy by blocking third party tracking, but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data. The FTC alleged Avast sold that data to more than 100 third parties through its subsidiary, Jumpshot. 

    “Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.” 

    Since at least 2014, the FTC says Avast has been collecting consumers’ browsing information through browser extensions, which can modify or extend the functionality of consumers’ web browsers, and through antivirus software installed on consumers’ computers and mobile devices. This browsing data included information about users’ web searches and the webpages they visited—revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.

    According to the complaint, not only did Avast fail to inform consumers that it collected and sold their browsing data, the company claimed that its products would decrease tracking on the Internet. For example, when users searched for Avast’s browser extensions, they were told Avast would “block annoying tracking cookies that collect data on your browsing activities” and promised that its desktop software would “shield your privacy. Stop anyone and everyone from getting to your computer.” 

    After Avast bought Jumpshot, a competitor antivirus software provider, the company rebranded the firm as an analytics company. From 2014 to 2020, Jumpshot sold browsing information that Avast had collected from consumers to a variety of clients including advertising, marketing and data analytics companies and data brokers, according to the complaint.

    The company claimed it used a special algorithm to remove identifying information before transferring the data to its clients. The FTC, however, says the company failed to sufficiently anonymize consumers’ browsing information that it sold in non-aggregate form through various products. For example, its data feeds included a unique identifier for each web browser it collected information from and could include every website visited, precise timestamps, type of device and browser, and the city, state, and country. When Avast did describe its data sharing practices, Avast falsely claimed it would only transfer consumers’ personal information in aggregate and anonymous form, according to the complaint.

    The FTC says the company failed to prohibit some of its data buyers from re-identifying Avast users based on data that Jumpshot provided. And, even where Avast’s contracts included such prohibitions, the contracts were worded in a way that enabled data buyers to associate non-personally identifiable information with Avast users’ browsing information. In fact, some of the Jumpshot products were designed to allow clients to track specific users or even to associate specific users—and their browsing histories—with other information those clients had. For example, as alleged in the complaint, Jumpshot entered into a contract with Omnicom, an advertising conglomerate, which stated that Jumpshot would provide Omnicom with an “All Clicks Feed” for 50% of its customers in the United States, United Kingdom, Mexico, Australia, Canada, and Germany. According to the contract, Omnicom was permitted to associate Avast’s data with data brokers’ sources of data, on an individual user basis. 

    In addition to requiring Avast to pay $16.5 million, which is expected to be used to provide redress to consumers, the proposed order will prohibit Avast and its subsidiaries from misrepresenting how they use the data they collect. Other provisions of the proposed order include:

    • Prohibition on Selling Browsing Data: Avast will be prohibited from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes;
    • Obtain Affirmative Express Consent: The company must obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes;
    • Data and Model Deletion: Avast must delete the web browsing information transferred to Jumpshot and any products or algorithms Jumpshot derived from that data;
    • Notify Consumers: Avast will be required to inform consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company; and
    • Implement Privacy Program: Avast will be required to implement a comprehensive privacy program that addresses the misconduct highlighted by the FTC.

    The Commission voted 3-0 to issue the administrative complaint and to accept the proposed consent agreement. FTC Chair Lina M. Khan joined by Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a statement on this matter.

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

    The lead staff attorneys on this matter are Cathlin Tully and Andy Hasty from the FTC’s Bureau of Consumer Protection.

  • FTC Obtains $195 Million Judgment, Permanent Ban on Telemarketing and Selling Healthcare Products Against Simple Health Over Charges It Sold Sham Health Insurance

    The Federal Trade Commission has obtained a $195 million judgment against Simple Health Plans LLC and its CEO Steven J. Dorfman over charges they duped consumers into signing up for sham health care plans that did not deliver the coverage or benefits they promised and effectively left consumers uninsured and exposed to limitless medical expenses.

    In granting the FTC’s motion for summary judgment, the Federal District Court in the Southern District of Florida also banned Simple Health, five related entities and Dorfman from telemarketing and from marketing, promoting, selling or offering any healthcare products.

    “Simple Health preyed on consumers by selling them bogus health care insurance that cost them thousands of dollars for ‘benefits’ that in fact left consumers unprotected,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We are pleased the court recognized this blatant bait and switch and ordered the company and its CEO to turn over the money they bilked from consumers.”

    In a complaint filed in 2018, the FTC said that Florida-based Simple Health misled people into thinking they were buying comprehensive health insurance that would cover preexisting medical conditions, prescription drugs, primary and specialty care treatment, inpatient and emergency hospital care, surgical procedures, and medical and laboratory testing. In reality, most consumers who enrolled reported paying as much as $500 per month for what was actually a medical discount program or extremely limited benefit program that did not deliver the promised benefits and often left consumers with thousands of dollars in uncovered medical bills, or worse yet, unable to get necessary healthcare.

    The court found that Dorfman and Simple Health, along with Health Benefits One LLC, Health Center Management LLC, Innovative Customer Care LLC, Simple Insurance Leads LLC, and Senior Benefits One LLC violated the FTC Act and the agency’s Telemarketing Sales Rule. 

    The court ordered that all of their assets, which have been frozen since November 2018, be liquidated and all the proceeds be turned over to the FTC, which is expected to use the money to provide refunds to consumers. In addition to the banned conduct, the order also prohibits any misrepresentations in the sale of any good or service. The defendants also are prohibited from collecting any money for any healthcare product they previously sold and are required to destroy any personal information they collected about their customers.

    Simple Health’s Chief Compliance Officer Candida Girouard agreed in February 2021 to settle the FTC’s charges. As part of that settlement, Girouard is banned from marketing, promoting or selling any healthcare-related products, from making misrepresentations in connection with the sale of any good or service, and from violating the FTC’s Telemarketing Sales Rule.  

    The litigation was handled by Elizabeth Scott, Joannie Wei, Purba Mukerjee, and Jim Davis from the FTC’s Midwest Regional office.

  • FTC Order Will Require Blackbaud to Delete Unnecessary Data, Boost Safeguards to Settle Charges its Lax Security Practices Led to Data Breach

    South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.

    In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits, healthcare organizations, and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.

    “Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

    The FTC says that, despite promising customers that it takes “appropriate physical, electronic and procedural safeguards to protect your personal information,” Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak, or identical passwords for their accounts, according to the complaint.

    As a result of these failures, a hacker in early 2020 accessed a customer’s Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers.

    In addition to failing to encrypt sensitive data and implement adequate firewalls to help protect it, Blackbaud held onto data far longer than was necessary for the purpose for which it was maintained, including information belonging to former customers, according to the complaint.

    Once the company detected the breach, Blackbaud agreed to pay a ransom of 24 Bitcoin, worth about $250,000, after the hacker threatened to expose the stolen data. The company never verified, however, that the hacker actually deleted the stolen data, according to the complaint.

    At the same time, the company waited nearly two months to notify its customers about the breach and then misled consumers about the extent of the data that was stolen, telling customers they did not need to take any action in response to the breach, according to the complaint. Even though it knew as early as the end of July 2020 that the hacker had obtained sensitive data including Social Security and bank account information, the company waited another two months before it told its customers about the full scope of the breach. The FTC says this delay harmed consumers who were unable to take steps to protect themselves from potential identity theft and other potential harms resulting from the breach.

    In addition to requiring Blackbaud to delete data that it no longer needs to provide products or services to its customers, the proposed order will prohibit the company from misrepresenting its data security and data retention policies. The proposed order also will require Blackbaud to develop a comprehensive information security program that would address the issues highlighted by the FTC’s complaint. In addition, the company will also be required to put in place a data retention schedule that would detail why it maintains personal data and when it will delete such information. The proposed order also requires that Blackbaud notify the FTC if it experiences a future data breach that it is required to report to any other local, state, or federal agency.

    The Commission voted 3-0 to issue the administrative complaint and to accept the proposed consent agreement with Blackbaud. FTC Chair Lina M. Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a joint statement.

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744. 

    The lead staff attorneys on this matter are Cathlin Tully and Kamay Lafalaise from the FTC’s Bureau of Consumer Protection.

  • FTC Extends Deadline by 60 days for Commission Decision on ESRB Application for New Consent Mechanism Under COPPA

    The Federal Trade Commission has extended by 60 days the deadline for it to determine whether to approve an application from the Entertainment Software Rating Board (ESRB) and others for a new mechanism for obtaining parental consent under the Children’s Online Privacy Protection Rule. The new deadline is March 29, 2024.

    The ESRB along with two companies, Yoti and SuperAwesome, submitted the application in June 2023 for approval for the use of “Privacy-Protective Facial Age Estimation” technology, which analyzes the geometry of a user’s face to confirm that they are an adult. ESRB currently operates a COPPA safe harbor program.

    As required by the COPPA Rule, the FTC in July sought comment on the application. After receiving more than 350 comments, the Commission in September issued its first extension of the deadline until January 29.

    The Commission voted 3-0 to extend the deadline to determine whether to approve the ESRB application until March 29.

  • FTC Issues Opinion Finding that TurboTax Maker Intuit Inc. Engaged in Deceptive Practices

    The Federal Trade Commission has issued an Opinion and Final Order that Intuit Inc., the maker of the popular TurboTax tax filing software, engaged in deceptive advertising in violation of the FTC Act and deceived consumers when it ran ads for “free” tax products and services for which many consumers were ineligible.

    In its Opinion, the Commission upheld the opinion of Chief Administrative Law Judge (ALJ) D. Michael Chappell that Intuit has engaged in deceptive advertising in violation of Section 5 of the FTC Act and said that the defenses that Intuit raised lack merit. The Commission ordered Intuit to cease making the deceptive claims as outlined by complaint counsel, who are FTC staff in the Bureau of Consumer Protection.

    The Commission’s Final Order prohibits Intuit from advertising or marketing that any good or service is free unless it is free for all consumers or it discloses clearly and conspicuously and in close proximity to the “free” claim the percentage of taxpayers or consumers that qualify for the free product or service. Alternatively, if the good or service is not free for a majority of consumers, it could disclose that a majority of consumers do not qualify.

    The order also requires that Intuit disclose clearly and conspicuously all the terms, conditions, and obligations that are required in order to obtain the “free” good or service. If the advertisement is space constrained and not displayed on any TurboTax website, app, email or other company owned or controlled platform, Intuit is not required to include all the terms and conditions in the advertisement itself but must disclose either that a majority of consumers do not qualify for free (if true) or the percentage that do as well as provide a link in such space-constrained online ads that details all the terms and conditions, according to the Commission order.

    The order also prohibits Intuit from misrepresenting any material facts about its products or services such as the price, refund policies or consumers’ ability to claim a tax credit or deduction or to file their taxes online accurately without using TurboTax’s paid service.

    The Commission voted 3-0 to issue the opinion and order.

  • FTC Order Will Ban InMarket from Selling Precise Consumer Location Data

    Data aggregator InMarket Media will be prohibited from selling or licensing any precise location data to settle Federal Trade Commission charges that the company did not fully inform consumers and obtain their consent before collecting and using their location data for advertising and marketing.

    Under the proposed order, InMarket will also be prohibited from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data.

    “All too often, Americans are tracked by serial data hoarders that endlessly vacuum up and use personal information. Today’s FTC action makes clear that firms do not have free license to monetize data tracking people’s precise location,” said FTC Chair Lina M. Khan. “We’ll continue to use all our tools to protect Americans from unchecked corporate surveillance.”

    Texas-based InMarket collects location information from a variety of sources, including its own apps and from third-party apps that incorporate its software development kit (SDK). InMarket cross-references consumers’ location histories with advertising-related points of interest to identify consumers who have visited those locations and then sorts consumers, based on their visits to these points of interest, into audience segments to which it can target advertising based on their past behavior.

    InMarket has maintained nearly 2,000 such audience segment lists that have included such categories as “parents of preschoolers,” “Christian church goers,” and “wealthy and not healthy.” InMarket can display ads based on this information to users of apps that incorporate its SDK and also offers a product that sends ads to consumers based on their location.

    In its complaint, the FTC says InMarket failed to obtain informed consent from users of its own apps, shopping rewards app CheckPoints and shopping list app ListEase. For example, when the company requests to use a consumer’s location data, it states that the data will be used for the app’s function, such as to provide shopping reward points or to remind consumers about items on their shopping list, and fails to inform users that the location data will also be combined with other data obtained about those users and used for targeted advertising.

    The FTC says that InMarket also failed to ensure that third-party apps that incorporate the company’s SDK have obtained informed consent. In fact, the company failed to tell third party apps that the location data provided through InMarket’s SDK will be combined with other data to create profiles of consumers, according to the complaint.

    The FTC also says that the company’s policy of retaining geolocation data for five years was unnecessary to carry out the purposes for which it was collected and increased the risk that this sensitive data could be disclosed, misused, and linked back to the consumer, thereby exposing sensitive information about the consumer.

    This is the second case the FTC has brought in recent weeks involving the unfair collection of location data, which can reveal sensitive information about a person’s life. Earlier this month, the FTC announced a settlement with X-Mode Social and its successor Outlogic over allegations the company sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.

    In addition to the ban on selling or licensing precise location data—a first for the FTC—the proposed order also requires InMarket to take several steps to strengthen protections for consumers. Under the proposed order, the company:

    • Must delete or destroy all the location data it previously collected and any products produced from this data unless it obtains consumer consent or ensures the data has been deidentified or rendered non-sensitive;
    • Must provide a simple and easy-to-find way for consumers to withdraw their consent for the collection and use of their location data for InMarket apps and a mechanism to request deletion of any location data that InMarket previously collected;
    • Must notify consumers whose location data was collected through InMarket’s apps about the FTC’s action against the company and provide them with a way to opt out of data collection or request to delete their data;
    • Will be limited from collecting or using location data from InMarket apps unless it obtains consumers’ informed consent to the collection of their location data;
    • Will be required to create a sensitive location data program to prevent the company from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on sensitive location data;
    • Must develop an SDK supplier assessment program to ensure that companies that provide location data to InMarket via its SDK are obtaining informed consent from consumers for the collection, use and sale of the data or must stop using such information; and
    • Must establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.

    The Commission voted 3-0 to issue the administrative complaint and to accept the proposed consent agreement with InMarket.

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744. 

    The lead staff attorneys on this matter are Gorana Neskovic, David Walko and Elizabeth Averill from the FTC’s Bureau of Consumer Protection.

  • FTC Signs on to Multilateral Arrangement to Bolster Cooperation on Privacy and Data Security Enforcement

    The Federal Trade Commission has agreed to participate in an international multilateral arrangement that will enable the agency to cooperate, provide assistance with investigations and share information with other privacy authorities around the world that participate in the program.

    The FTC’s participation in the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE) ensures the agency can keep pace with the increasingly global nature of commerce. The FTC’s participation in the nonbinding Global CAPE will help the agency to cooperate with other members of the organization on privacy and data security related law enforcement issues without having to negotiate a separate memorandum of understanding with each participant.

    Global CAPE was created to supplement the Asian Pacific Economic Cooperation Cross-border Privacy Rules (APEC CBPR), which also facilitates cooperation and assistance in privacy and data security investigations among APEC’s Asian Pacific countries. The new arrangement will allow for participation by countries outside the Asia Pacific area.

    The Commission voted 3-0 to authorize staff to participate in the Global CAPE.

  • FTC Announces Tentative Agenda for January 18 Open Commission Meeting

    Today, Federal Trade Commission Chair Lina M. Khan announced that an open meeting of the Commission will be held virtually on Thursday, January 18, 2024. The open meeting will commence at 11 a.m. ET and will begin with time for members of the public to address the Commission.

    The following items will be on the tentative agenda for the January 18 Commission meeting:

    Business Before the Commission:

    Presentation on Proposed Changes to the Children’s Online Privacy Protection Rule:

    Staff from the FTC’s Division of Privacy and Identity Protection will provide an overview of the proposed changes to the COPPA Rule, which include requiring a separate opt-in for targeted advertising, increasing accountability for operators using the support for internal operations exception, imposing limits on “nudging” children without parental consent, and strengthening the data security and data retention requirements.

    Presentation on Combating Auto Retail Scams Rule (CARS Rule): Staff from the FTC’s Division of Financial Practices will provide an overview of the new CARS Rule, which targets bait-and-switch tactics and junk fees, and includes clear protections for military members. 

    At the start of the meeting, Chair Khan will offer brief remarks and will then invite members of the public to share feedback on the Commission’s work generally and bring relevant matters to the Commission’s attention. Members of the public must sign up for an opportunity to address the Commission virtually at the January 18 event.

    Each commenter will be given two minutes to share their comments. Those who cannot participate during the event may submit written comments or a link to a prerecorded video through a webform. Speaker registration and comment submission will be available through Tuesday, January 16, 2023 at 8 p.m. ET.

    A link to the event will be available on the day of the event, shortly before the meeting starts via FTC.gov. The event will be recorded, and the webcast and any related comments will be available on the Commission’s website after the meeting. The Commission retains discretion to make public comments available following the event on ftc.gov.

  • FTC Announces Claims Process for Consumers Affected by CafePress’s Data Security Failures

    The Federal Trade Commission is launching a claims process for consumers who had their Social Security numbers exposed in a data breach involving online merchandise platform CafePress.

    The claims process stems from a settlement the FTC announced in March 2022 with CafePress over allegations the company failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions. The company’s data security failures led to a data breach that exposed this sensitive data including Social Security numbers.

    Under the settlement with the FTC, Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, were required to implement comprehensive information security programs to address the security problems identified in the complaint. Residual Pumpkin also agreed to pay $500,000, which the FTC is using to compensate victims impacted by the data breach.

    The FTC is sending email notices to 184,491 consumers who may be eligible for a payment. Consumers can apply if they were misled by CafePress’s data security claims and had their Social Security Number exposed in the CafePress data breach. Most consumers will be notified by email and a handful of people will receive a notice in the mail. Eligible consumers can file a claim online at www.ftc.gov/CafePress.

    Consumers who have questions or need help filing a claim can email [email protected] or call 1-833-415-2795. The deadline to file a claim is March 10, 2024.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases.

  • FTC Extends Deadline for Fortnite Players to Request Refunds for Unwanted Items

    The Federal Trade Commission has extended the deadline for Fortnite gamers and their parents or guardians to submit a claim for compensation from the agency’s 2023 settlement with Epic Games over allegations that the video game maker used dark patterns and other deceptive practices to trick players into making unwanted purchases. The new deadline is February 29, 2024.

    Epic agreed to pay $245 million, which the FTC will use to pay claims, as part of the settlement. In September and October, the FTC notified more than 37 million people by email that they may be eligible for compensation. The original deadline to submit a claim was January 17, 2024.

    The online claim form is available at www.ftc.gov/Fortnite. Those submitting a claim do not need to submit receipts or other documentation at this time, and their Fortnite account will not be affected by their claim. Consumers who have questions about the claims process can contact the administrator by phone at 1-833-915-0880 or by email at [email protected].

  • FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data

    Data broker X-Mode Social and its successor Outlogic will be prohibited from sharing or selling any sensitive location data to settle Federal Trade Commission allegations that the company sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.

    In its first settlement with a data broker concerning the collection and sale of sensitive location information, the FTC also charged that Virginia-based X-Mode Social and Outlogic, LLC, the successor firm to which X-Mode transferred most of its operations in 2021, failed to put in place reasonable and appropriate safeguards on the use of such information by third parties. Today’s action underscores the FTC’s strong commitment to restraining the collection, sale, or disclosure of consumers’ sensitive location data.

    “Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship. The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data,” said FTC Chair Lina M. Khan. “By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.”

    The raw location data that X-Mode/Outlogic has sold is associated with mobile advertising IDs, which are unique identifiers associated with each mobile device. This raw location data is not anonymized, and is capable of matching an individual consumer’s mobile device with the locations they visited. In fact, some companies offer services that help companies match such data to individual consumers.

    X-Mode/Outlogic sells and licenses precise location data that it collects from third-party apps that incorporate its software development kit (SDK) into their apps, from its own mobile apps, and by purchasing location data from other data brokers and aggregators. The company sells consumer location data to hundreds of clients in industries ranging from real estate to finance, as well as private government contractors for their own purposes, such as advertising or brand analytics.

    According to the FTC’s complaint, until May 2023, the company did not have any policies in place to remove sensitive locations from the raw location data it sold. The FTC says X-Mode/Outlogic did not implement reasonable or appropriate safeguards against downstream use of the precise location data it sells, putting consumers’ sensitive personal information at risk.

    The information revealed through the location data that X-Mode/Outlogic sold not only violated consumers’ privacy but also exposed them to potential discrimination, physical violence, emotional distress, and other harms, according to the complaint.

    The FTC also says the company failed to ensure that users of its own apps, Drunk Mode and Walk Against Humanity, as well as third-party apps that used X-Mode/Outlogic’s SDK, were fully informed about how their location data would be used. For example, X-Mode/Outlogic provided third-party apps that use the company’s SDK with sample privacy disclosures that did not fully inform consumers about which entities would receive the data, and it also failed to ensure these third-party apps obtained informed consumer consent to grant X-Mode/Outlogic access to their sensitive location data.

    The company also failed to employ the necessary technical safeguards and oversight to ensure that it honored requests by some Android users to opt out of tracking and personalized ads, according to the complaint.

    The company’s business has also involved creating custom audience segments based on characteristics of consumers. For at least one contract, X-Mode provided a private clinical research company information for marketing and advertising purposes about consumers who had visited certain internal medical facilities and then pharmacies or specialty infusion centers within a certain radius in the Columbus, Ohio area.

    The FTC says these practices violate the FTC Act’s prohibition against unfair and deceptive practices.

    In addition to the limits on sharing certain sensitive locations, the proposed order requires X-Mode/Outlogic to create a program to ensure it develops and maintains a comprehensive list of sensitive locations, and ensure it is not sharing, selling or transferring location data about such locations. Other provisions of the proposed order require the company to:

    • Delete or destroy all the location data it previously collected and any products produced from this data unless it obtains consumer consent or ensures the data has been deidentified or rendered non-sensitive;
    • Develop a supplier assessment program to ensure that companies that provide location data to X-Mode/Outlogic are obtaining informed consent from consumers for the collection, use and sale of the data or stop using such information;
    • Implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQ+ people such as bars or service organizations, with locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual;
    • Provide a simple and easy-to-find way for consumers to withdraw their consent for the collection and use of their location data and for the deletion of any location data that was previously collected;
    • Provide a clear and conspicuous means for consumers to request the identity of any individuals and businesses to whom their personal data has been sold or shared or give consumers a way to delete their personal location data from the commercial databases of all recipients of the data; and
    • Establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.

    The proposed order also limits the company from collecting or using location data when consumers have opted out of targeted advertising or tracking or if the company cannot verify records showing that consumers have provided consent to the collection of location data.

    The Commission voted 3-0 to issue the proposed administrative complaint and to accept the consent agreement. Chair Khan joined by Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a separate statement.

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $50,120. 

    The lead staff attorneys on this matter are Bhavna Changrani and Brian Shull from the FTC’s Bureau of Consumer Protection.

  • FTC to Host Virtual Summit on Artificial Intelligence

    The Federal Trade Commission’s Office of Technology is hosting a virtual tech summit on January 25, 2024 that will bring together a diverse group of stakeholders to discuss key developments in the rapidly evolving field of artificial intelligence (AI), looking across the layers of technology related to AI.

    The summit will bring together representatives from academia, industry, civil society organizations, and government to discuss the state of technology, emerging market trends, and real-world impacts of AI. The discussions will also explore how to cultivate a marketplace that allows both consumers and businesses, including startups and small businesses, to thrive.

    FTC Chair Lina M. Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya will provide remarks at the summit. The event will also feature three panel discussions. These include discussions on the hardware and other key infrastructure that will be needed for AI development; issues related to the data and models used in AI; and AI-powered consumer applications.

    The summit will begin at noon and take place online. The tentative agenda is available on the event website. Information on how to participate will also be posted to the event page soon.

  • FTC Now Accepting Submissions for Voice Cloning Challenge

    The Federal Trade Commission today began accepting submissions for its Voice Cloning Challenge, which is aimed at promoting the development of ideas to protect consumers from the misuse of artificial intelligence-enabled voice cloning for fraud and other harms.

    The exploratory challenge, announced in November, is focused on encouraging multidisciplinary approaches—from product to policies to procedures—for preventing, monitoring, and evaluating malicious use of voice cloning technology.

    The FTC will accept submissions online until January 12, 2024. Information on how to submit a proposal for the challenge as well as complete rules can be found on the challenge website. The challenge winners will be announced in early 2024.

    The FTC encourages anyone with ideas to go to the Voice Cloning Challenge website and share their entries during the open submission period.

  • FTC Sues Grand Canyon University for Deceptive Advertising and Illegal Telemarketing

    The Federal Trade Commission has filed suit against Grand Canyon Education (GCE), Inc., Grand Canyon University (GCU), and Brian Mueller—the CEO of GCE and president of GCU—for deceiving prospective doctoral students about the cost and course requirements of its doctoral programs and about being a nonprofit, while also engaging in deceptive and abusive telemarketing practices.

    In a complaint filed in federal court, the FTC says that GCU and GCE told prospective students that the total cost of GCU’s “accelerated” doctoral programs was equal to the cost of just 20 courses (or 60 credits). In reality, the school requires that almost all doctoral students take additional “continuation courses” that add thousands of dollars in costs. The U.S. Department of Education reported that fewer than 2% of GCU doctoral program graduates completed their program within the cost that GCU advertises, and almost 78% of these students take five or more continuation courses.

    The FTC’s complaint also says that, despite operating the school for the profit of GCE and its investors, the defendants deceptively marketed the school as a nonprofit. The FTC alleges that GCU has been operated for the profit of GCE and its stockholders, and pays 60% of its revenue to GCE pursuant to an agreement designating GCE as the exclusive provider for most university-related services. Even though he serves as GCU’s president, Mueller also benefits as both CEO and a stockholder of GCE, and receives bonuses tied to GCE’s performance. 

    “Grand Canyon deceived students by holding itself out as a non-profit institution and misrepresenting the costs and number of courses required to earn doctoral degrees,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We will continue to aggressively pursue those who seek to take advantage of students.”

    The defendants also used abusive telemarketing calls to try to boost enrollment at GCU, according to the complaint. GCE advertised on websites and social media urging prospective students to submit their contact information on digital forms. GCE telemarketers then used the information to illegally contact people who have specifically requested not to be called, as well as people on the National Do Not Call Registry. GCE has also made illegal calls to numbers it purchased from lead generators.  

    The FTC says the defendants’ deceptive claims and abusive telemarketing calls violated the FTC Act and the Telemarketing Sales Rule and asks the court to provide redress to consumers and prohibit the institution from further violations of the law.

    The Commission vote authorizing the staff to file the complaint was 3-0. The complaint was filed in the U.S. District Court for the District of Arizona.

    NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. The case will be decided by the court.

    The lead staff attorneys on this matter are Michael Tankersley, Naomi Takagi, and Brian Berggren of the FTC’s Bureau of Consumer Protection.

  • FTC Staff Report Details Key Takeaways from AI and Creative Fields Panel Discussion

    In a new report, Federal Trade Commission staff detailed key takeaways from an October 2023 public virtual roundtable that examined how generative artificial intelligence, tools that can generate outputs like text, images, and audio on command, is being used and is affecting professionals in music, filmmaking, software development, and other creative fields.

    During the virtual event, working creative professionals representing artists, writers, actors, musicians and other creative fields noted that there are benefits to AI, such as potentially aiding their own work, but they also expressed concerns:

    • Collection without Consent: Creative professionals noted how their past work was being collected and used without their consent or awareness to train generative AI models, including by using expansive interpretations of prior contractual agreements.
    • Nondisclosure: Participants also expressed concern that they might not even know that their works are being used because many AI developers do not publicly disclose what works have been included in training data.
    • Competing for work with AI: Participants said that generative AI outputs are starting to appear in the venues where creative professionals compete for work, potentially making it more difficult for consumers and potential publishers to find human-made work.
    • Style mimicry: Some participants expressed concerns about generative AI tools being used to mimic their own unique styles, brands, voices and likenesses, which could allow strangers and former clients to create knockoffs including synthetic voices and images.
    • Fake endorsements: Participants said generative AI has been used to create false depictions of artists selling products that they never endorsed, or has been used by trolls to generate offensive content using their cloned voices.

    While some companies have begun allowing artists to opt out of having their work used by AI, participants said this option puts the burden on creators to police a rapidly changing marketplace. They also noted that opt-outs would only address future uses and would be difficult to implement given the lack of transparency by AI developers. Instead, participants urged AI developers to adopt an opt-in approach to using artists’ work, which would give artists control over whether they want their work to be used for generative AI.

    The staff report noted that, although many of the concerns raised at the event lay beyond the scope of the Commission’s jurisdiction, targeted enforcement under the FTC’s existing authority in AI-related markets can help protect fair competition and prevent unfair or deceptive acts or practices. The report stated that the FTC will continue to closely monitor generative AI industry developments and will remain vigilant and ready to use its law enforcement and policy tools to foster fair competition, protect consumers, and help ensure that the public benefits from this transformative technology.

    The Commission voted 3-0 to issue the staff report.

    The lead staffers on the report are Madeleine Varner, Jessica Colnago, and Stephanie Nguyen.

  • FTC Authorizes Compulsory Process for AI-related Products and Services

    The Federal Trade Commission has approved an omnibus resolution authorizing the use of compulsory process in nonpublic investigations involving products and services that use or claim to be produced using artificial intelligence (AI) or claim to detect its use.

    The omnibus resolution will streamline FTC staff’s ability to issue civil investigative demands (CIDs), which are a form of compulsory process similar to a subpoena, in investigations relating to AI, while retaining the Commission’s authority to determine when CIDs are issued. The FTC issues CIDs to obtain documents, information and testimony that advance FTC consumer protection and competition investigations. The omnibus resolution will be in effect for 10 years.

    AI includes, but is not limited to, machine-based systems that can, for a set of defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. Generative AI can be used to generate synthetic content including images, videos, audio, text, and other digital content that appear to be created by humans. Many companies now offer products and services using AI and generative AI, while others offer products and services that claim to detect content made by generative AI.

    Although AI, including generative AI, offers many beneficial uses, it can also be used to engage in fraud, deception, infringements on privacy, and other unfair practices, which may violate the FTC Act and other laws. At the same time, AI can raise competition issues in a variety of ways, including if one or just a few companies control the essential inputs or technologies that underpin AI.

    The Commission voted 3-0 to approve the omnibus resolution authorizing compulsory process in investigations related to the use of AI.

    The lead FTC staffers on this matter are Nadine Samter and Ben Halpern-Meekin in the FTC’s Northwest Region office.

  • FTC Takes Action Against Global Tel*Link Corp. for Failing to Adequately Secure Data, Notify Consumers After Their Personal Data Was Breached

    The Federal Trade Commission will require prison communications provider Global Tel*Link Corp. and two of its subsidiaries to notify consumers of any future data breaches as part of a proposed settlement over charges they failed to secure sensitive data of hundreds of thousands of users stored in a cloud environment and failed to alert all those affected by the incident.

    In a complaint, the FTC says that Falls Church, Va.-based Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of their services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing.

    “The FTC is committed to protecting the rights to privacy and security of personal information for all consumers, including incarcerated consumers and their loved ones,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “When consumers have little or no choice about whether to use a business’s products or services, the business has an even greater responsibility to ensure that its practices don’t cause harm.”

    Global Tel*Link, which also does business as GTL and ViaPath Technologies, contracts with federal, state, and local jails, prisons, and similar institutions to provide communications services such as phone and video calls and payment services for incarcerated individuals. In the course of providing their services, Global Tel*Link and its subsidiaries collect personal information from consumers including their names, addresses, government identification numbers such as passport numbers or driver’s license numbers, Social Security numbers, and financial account information.

    In marketing and other materials, Global Tel*Link touted its security practices by claiming that data security is “the cornerstone of what we do” and that it implemented a security architecture that included many safeguards such as encryption to ensure that its users’ data would not fall into the “wrong hands.”

    The FTC says, however, that Global Tel*Link failed to live up to these claims. In August 2020, as part of an effort to test new search software, the company and a third-party vendor copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services into the cloud but failed to take adequate steps to protect the data. For example, Global Tel*Link stored the data in plain text and failed to deploy a firewall to protect the copied data, implement monitoring software that would have alerted the company if the security settings were changed, and inventory and track the consumer information uploaded to the copied data, according to the complaint. The copied data included individuals’ full names, dates of birth, phone numbers, usernames or email addresses in combination with passwords, Social Security numbers, location information, grievance forms, which can include very sensitive information, and messages exchanged between incarcerated individuals and their friends and family.

    As a result of changes made by the company’s third-party vendor to the security settings for the data stored in the cloud, the personal data of many Global Tel*Link customers was left accessible via the internet without any safeguards to prevent unauthorized people from accessing and removing data from the test site—until a security researcher alerted the company about the security holes. A forensic analysis showed that a handful of hackers accessed billions of bytes of the exposed data. In early September, Global Tel*Link was notified again by an identity monitoring company that personal data belonging to Global Tel*Link users was available on the dark web, which is a collection of websites that are used to buy and sell illegally obtained personal data for fraud, identity theft and other nefarious purposes.

    Despite this, Global Tel*Link waited approximately nine months to notify affected customers and only contacted 45,000 users—even though the breach may have affected hundreds of thousands of additional customers—that their personal data may have been compromised as a result of the data breach. This nine-month delay harmed users who did not have an opportunity to take actions to protect themselves from identity theft by implementing a credit freeze or other measures, according to the complaint. The company also repeatedly and falsely claimed in marketing materials following the incident that it had never suffered a data breach.

    As part of the proposed order with the FTC, Global Tel*Link and two of its subsidiaries are prohibited from misrepresenting their data security practices and will be required, among other things, to:

    • implement a comprehensive data security program that includes several requirements such as the deployment of “change management” measures to all of its systems to help reduce the risk of human error, use of multifactor authentication, and procedures to minimize the amount of data it collects and stores;
    • notify users of its products affected by the data breach who did not previously receive notice and provide them with credit monitoring and identity protection products;
    • notify consumers and facilities within 30 days about future data breaches or security incidents that trigger any federal, state, or local breach reporting requirements and provide information about what data was impacted and how many consumers were affected; and
    • notify the FTC within 10 days of reporting a security incident to any local, state or federal authorities.

    The Commission voted 3-0 to issue the proposed administrative complaint and to accept the consent agreement with the company.

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $50,120. 

    The lead attorneys on this matter are Robin Wetherill and Manmeet Dhindsa.

  • FTC Announces Exploratory Challenge to Prevent the Harms of AI-enabled Voice Cloning

    The Federal Trade Commission is announcing the Voice Cloning Challenge to help promote the development of ideas to protect consumers from the misuse of artificial intelligence-enabled voice cloning for fraud and other harms.

    “We will use every tool to prevent harm to the public stemming from abuses of voice cloning technology,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We want to address harms before they hit the marketplace, and enforce the law when they do.”

    “This exploratory challenge leverages one of our many tools at the FTC,” added Stephanie T. Nguyen, the FTC’s Chief Technology Officer. “The challenge is crafted in a way that ensures companies are responsible for the first- and second-order effects of the products they release.”

    Voice cloning technology has grown more sophisticated as text-to-speech AI technology has improved. The technology holds promise for consumers, such as medical assistance for those who may have lost their voices due to accident or illness. At the same time, the FTC has raised concerns about ways that voice cloning technology could be used to harm consumers. For example, it could make it easier for scammers to impersonate family, friends, or business executives; it could also enable fraudsters to deceive consumers by appropriating the voices of creative professionals. Earlier this year, the FTC warned consumers about the use of voice cloning to impersonate others to try to get consumers to give scammers money or personal information. And the FTC held a workshop in early 2020 that examined various issues related to voice cloning technology.

    The FTC has used and will continue to use its enforcement authority to target companies that misuse technology to harm consumers and competition. The challenge the FTC is launching today is focused on promoting the development of breakthrough ideas aimed at preventing, monitoring, and evaluating malicious use of voice cloning technology, whether it is a product, policy, or procedure.

    Challenge submissions must address at least one of these intervention points:

    • Prevention or authentication: It must provide a way to limit the use or application of voice cloning software by unauthorized users;
    • Real-time detection or monitoring: It must provide a way to detect cloned voices or the use of voice cloning technology; or
    • Post-use evaluation: It must provide a way to check if an audio clip contains cloned voices.

    The FTC will accept submissions online from January 2 to January 12, 2024. Information on how to submit a proposal for the challenge as well as complete challenge rules can be found on the challenge website. The challenge will offer $25,000 to the winner.

    The Voice Cloning Challenge is the FTC’s fifth challenge issued pursuant to the America Competes Act. The goal of these challenges is to spur the development of tools to address consumer problems, including one in 2012 aimed at tackling robocalls and a 2017 challenge focused on addressing security vulnerabilities related to Internet of Things devices.

    The lead FTC staffers on this matter are James Evans and Christine Barker from the FTC’s Bureau of Consumer Protection and Amritha Jayanti from the FTC’s Office of Technology.

  • FTC Obtains Orders Halting Mobile Cramming Scheme

    The Federal Trade Commission has obtained orders with the four remaining individual defendants and their affiliated companies in a mobile cramming scheme that the agency says bilked consumers out of more than $100 million through bogus charges added to their mobile phone bills.

    The proposed settlements with Darcy Michael Wedd and Phwoar, LLC.; Fraser Robert Thompson and Ocean Tactics, LLC; Erdolo Levy Eromo and Erdi Development LLC; and Michael Pajaczkowski, Concise Consulting, Inc., and MMJX Consulting, Inc., resolve the FTC’s charges related to the MDK Media mobile cramming scheme. The FTC in 2015 reached settlements with six other individual defendants and affiliated companies. The FTC’s case against the remaining defendants was then put on hold pending the outcome of related criminal charges brought by the U.S. Attorney’s Office for the Southern District of New York. These actions resulted in criminal sentences against Wedd, Thompson, Eromo, and Pajaczkowski, with the last case resolved in July 2023.

    “Putting a stop to unauthorized charges has been a longtime priority of the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This case showcases the financial harm these practices cause, and the need to ensure that developing technologies do not become a haven for fraudulent schemes.”

    In the complaint first announced in 2014, the FTC charged that the defendants used deceptive practices, including fake websites with bogus offers of “freebies” or gift cards, to trick consumers into providing their mobile phone numbers. The defendants then placed monthly subscription fees for a variety of “services” on consumers’ mobile phone bills without their authorization—a practice known as mobile cramming.

    The “services” described in the complaint consisted of subscriptions for text messages sent to consumers’ mobile phones that contained short celebrity gossip alerts, “fun facts,” horoscopes, and other items. The subscriptions typically cost consumers $9.99 or $14.99 per month, which renewed automatically each month. The defendants made it difficult for consumers to dispute charges. Some consumers were crammed for multiple months and, even after significant effort, were unable to obtain a full refund.

    Under the proposed settlements, Wedd, Thompson, Eromo, and Pajaczkowski, as well as their related companies, are prohibited from placing any charges on any telephone bills, from making any misrepresentations about any product or service, and from engaging in any unfair billing practices. In addition, they are prohibited from using or benefitting in any way from the customer data they collected through this scheme and are required to destroy any remaining customer data.

    Many consumers who were impacted by the defendants’ practices received refunds through settlements the FTC and the Consumer Financial Protection Bureau reached with the four major mobile carriers, AT&T, T-Mobile, Sprint and Verizon, related to mobile cramming charges that were placed on customers’ bills without their authorization. The mobile carriers discontinued such third-party billing practices following the actions by the FTC and other state and federal agencies to crack down on cramming.

    The Commission vote approving the stipulated final orders with Wedd, Thompson, Eromo, and Pajaczkowski, as well as their affiliated companies, was 3-0. The FTC filed the proposed orders in the U.S. District Court for the Central District of California.

    NOTE: Stipulated final orders have the force of law when approved and signed by the District Court judge.

  • FTC Announces Tentative Agenda for November Open Meeting

    Today, Federal Trade Commission Chair Lina M. Khan announced that an open meeting of the Commission will be held virtually on Thursday, November 16, 2023. The open meeting will commence at 11 a.m. ET and will begin with time for members of the public to address the Commission.

    The following items will be on the tentative agenda for the November 16 Commission meeting:

    • Voice Cloning Challenge Announcement: FTC staff will announce an exploratory Voice Cloning Challenge to encourage the development of multidisciplinary solutions—from products to procedures—aimed at protecting consumers from artificial intelligence-enabled voice cloning harms, such as fraud and the broader misuse of biometric data and creative content. The challenge complements efforts across the federal government to address and mitigate the risks of AI.

    • Presentation on Public Comments on Business Practices of Cloud Computing Providers: FTC Staff will present findings from and ongoing areas of inquiry following the Commission’s Request for Information and public panel discussion on cloud computing. The presentation will address a number of issues raised in the RFI and panel discussion, including competition, security, and generative AI.

    At the start of the meeting, Chair Khan will offer brief remarks and will then invite members of the public to share feedback on the Commission’s work generally and bring relevant matters to the Commission’s attention. Members of the public must sign up for an opportunity to address the Commission virtually at the November 16 event.

    Each commenter will be given two minutes to share their comments. Those who cannot participate during the event may submit written comments or a link to a prerecorded video through a webform. Speaker registration and comment submission will be available through Tuesday, November 14, 2023 at 8 p.m. ET.

    A link to the event will be available via FTC.gov on the day of the open meeting, shortly before it starts. The event will be recorded, and the webcast and any related comments will be available on the Commission’s website after the meeting. The Commission retains discretion to make public comments available following the event on ftc.gov.

  • FTC Providing Refunds to Consumers who Lost Money to Tech Support Scheme

    The Federal Trade Commission is providing full refunds to consumers who lost money to the NTS IT Care tech support scheme, which tricked consumers into buying expensive and unnecessary tech support services and often claimed to be affiliated with Microsoft, Apple, and other tech companies. According to a complaint, they often targeted older Americans and those unfamiliar with computer security.

    The refunds stem from a 2020 settlement the FTC reached with NTS IT Care, Inc., and its CEO, Jagmeet Singh Virk. The FTC’s case against Virk and NTS had been under seal until earlier this year pending the outcome of a criminal case involving Virk and NTS brought by the Department of Justice.

    “As a recent report to Congress makes clear, the FTC is committed to taking action to protect older consumers from scams like these that have a disproportionate impact on them,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “And, what’s more, the FTC will keep working with DOJ to ensure criminal prosecutions follow criminal conduct.”

    In its complaint, the FTC said that NTS lured consumers through alarming and deceptive pop-up warnings that appeared when consumers browsed the Internet and often disabled their browsers. The pop-ups looked like a security alert from the computer’s operating system and falsely claimed that a consumer’s computer had been compromised by malicious software, such as a virus or spyware. The pop-up further stated that the computer had been “blocked,” and that the consumer’s personal information was being stolen. The pop-ups sometimes falsely claimed to be from Microsoft, Apple, or another legitimate tech company and instructed consumers to immediately call a toll-free number for help.

    When consumers called the number, the company’s sales representatives ran bogus diagnostic scans to convince consumers that their computers needed immediate repair and used high-pressure and deceptive sales tactics to push consumers to buy multi-year technical support service packages that cost as much as $499. NTS and Virk made millions of dollars from the scheme.

    Now, the FTC is using money obtained as part of the settlement to provide payments totaling more than $255,000 to 272 consumers who provided victim statements in the case against Virk and NTS. The average refund amount is $937. Most consumers will receive their payment by check and will have 90 days to cash their checks. Consumers who have questions about the refunds should contact the refund administrator by phone at 866-441-9746 or by email at [email protected].

    The settlement imposed a $4.9 million judgment against NTS and Virk, which was partially suspended due to their inability to pay the full amount. In addition, NTS and Virk are permanently prohibited from selling or marketing any tech support service and from benefitting from any personal data they collected from consumers. They are also permanently banned from engaging in misleading telemarketing practices and from trying to collect payments from customers for technical support services they previously sold.

    The Commission vote authorizing staff to file the complaint and stipulated final order was 5-0. The Commission voted on the matter prior to the departure from the FTC of former Chairman Joe Simons as well as former Commissioners Rohit Chopra, Noah Joshua Phillips, and Christine S. Wilson. The FTC filed the complaint and final order in the U.S. District Court for Northern California. The court approved the stipulated final order in December 2020.

    The lead FTC staffers on this matter were Ronnie Solomon and Sarah Schroeder from the FTC’s Western Region San Francisco.

    The FTC would like to thank the Department of Justice, FBI, Santa Clara County District Attorney’s Office, the Regional Enforcement Allied Computer Team (REACT Task Force), and the Better Business Bureau of Los Angeles & Silicon Valley for their assistance with this matter.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2022, Commission actions led to more than $392 million in refunds to consumers across the country.

  • FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches

    The Federal Trade Commission has approved an amendment to the Safeguards Rule that would require non-banking institutions to report certain data breaches and other security events to the agency.

    The FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. In October 2021, the FTC announced it had finalized changes to the Safeguards Rule to strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information. The FTC also sought comment on a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the Commission.

    “Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”   

    The amendment announced today requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without the authorization of the individual to which the information pertains. The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected.

    The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register.

    The Commission voted 3-0 to publish the notice amending the Safeguards Rule in the Federal Register.

    The lead staffers on this matter are David Lincicum and Mark Eichorn in the FTC’s Bureau of Consumer Protection.

  • FTC Reports Outline Efforts to Combat Cross-Border Fraud and Ransomware Attacks

    The Federal Trade Commission has submitted two reports to Congress detailing the agency’s efforts to combat cross-border fraud through the U.S. SAFE WEB Act and work contributing to the fight against ransomware and other cyber attacks that originate outside the United States.

    The first report provides an update on the FTC’s efforts to implement the Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers Beyond Borders Act, or U.S. SAFE WEB Act (SAFE WEB). The second report, which was required by the Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act (RANSOMWARE Act), addresses questions about FTC activities concerning China, Russia, North Korea, and Iran and the FTC’s efforts to combat ransomware—a type of cyber-related attack in which bad actors hold data or computer access hostage until they receive payment—and other types of cyber attacks.

    SAFE WEB, passed by Congress in 2006, provides a framework to engage in cross-border assistance, including information sharing and investigative support. As the report notes, the law has been an indispensable tool in helping the FTC combat cross-border fraud and protect consumers in an increasingly global and digital economy. Thirty years ago, less than 1% of fraud reported to the FTC was cross border, while in 2022 more than 11% of complaints were cross border.

    With the authority provided by SAFE WEB, the FTC has pursued and stopped harmful conduct in the United States and successfully defended against challenges to its jurisdictional authority over foreign companies targeting American consumers. The FTC has also worked with numerous foreign enforcers to stop cross-border injury and frauds.

    SAFE WEB was reauthorized by Congress in 2020 for seven years. In the new report, the Commission urges Congress to permanently reauthorize SAFE WEB by removing the sunset provision currently set to expire on September 30, 2027, thus preserving the agency’s ability to effectively cooperate with foreign law enforcement to protect consumers. The report also reiterates the FTC’s call for Congress to restore the agency’s ability to get money back to consumers harmed by unlawful conduct and to prevent bad actors from profiting from their misconduct. The FTC’s authority to do so was severely hampered by the Supreme Court’s 2021 AMG decision.

    Report on Ransomware and other Cyber Attacks

    The second report details the FTC’s work to target ransomware and other cyber attacks. The report notes that one of the key ways the FTC has done this is by implementing a robust data security enforcement program aimed at ensuring companies take appropriate steps to protect personal data they hold from such attacks. The FTC has brought more than 80 enforcement actions involving data security. The agency also has pursued bad actors involved in ransomware-related tech support scams and worked to educate the public and businesses on how to secure and protect data from cyber attacks.

    Only a small fraction of the millions of complaints the FTC receives each year involve ransomware and other cyber attacks, and these complaints rarely mention Iran, North Korea or Russia, according to the report. While China is the leading source of complaints about cross-border fraud, they rarely relate to ransomware and other cyber attacks, the report notes. The report details enforcement actions, mostly involving privacy and data security, the FTC has taken involving known or unverified connections to China and Russia.

    The report reiterates the importance of SAFE WEB in helping to combat ransomware and other cyber attacks. The Commission also urges Congress to enact privacy and data security legislation, enforceable by the FTC, asserting that such legislation would advance the security of the United States and U.S. companies against ransomware and other cyber attacks.

    The Commission votes to approve each report were 3-0.

    The lead staffers on both reports are Stacy Procter and Angel Martinez in the FTC’s Office of International Affairs.

  • FTC and CFPB Settlement to Require Trans Union to Pay $15 Million over Charges It Failed to Ensure Accuracy of Tenant Screening Reports

    The Federal Trade Commission and the Consumer Financial Protection Bureau (CFPB) obtained a settlement that will require credit reporting agency Trans Union LLC and a subsidiary to pay a total of $15 million to settle charges they failed to ensure the accuracy of tenant screening reports by including inaccurate and incomplete eviction records about consumers, hampering their ability to obtain housing.

    In a complaint filed in federal court, the FTC and CFPB say that Colorado-based TransUnion Rental Screening Solutions, Inc. (TURSS) and its parent company, Trans Union LLC, based in Chicago and commonly known as TransUnion, violated the Fair Credit Reporting Act (FCRA) by failing to ensure the accuracy of the information included in their tenant background screening reports.

    “Consumers struggling to find housing shouldn’t be shut out by tenant screening reports that are ridden with errors and based on data from secret sources,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Protecting consumers looking for housing is critical to a fair economy, and we are proud to partner with the CFPB in obtaining this record-breaking order.”

    “Americans across the country were put at risk of wrongful housing denials because TransUnion failed to follow the law,” said CFPB Director Rohit Chopra. “We are ordering TransUnion to cease its yearslong illegal activity, clean up its broken business practices, redress its victims, and pay penalties.”   

    TURSS provides background screening reports about consumers to thousands of clients, including rental property owners, property management companies, employers, and other background screening companies, for tenant and employee selection. These reports may include information about consumers’ criminal and eviction records, including the amount sought by a landlord in court, any judgment amount the court may award, and the amounts owed by consumers. Trans Union LLC manages and oversees TURSS’s compliance with the FCRA.

    Inaccurate and outdated information in tenant screening reports can significantly hamper consumers’ ability to find housing, costing them time and money by prolonging their search for housing, requiring them to pay additional application fees and spend time correcting errors in their background reports.

    TURSS obtains eviction records from third-party provider LexisNexis Risk and Information Analytics Group, Inc. but has failed to take steps to ensure the accuracy of the data it was provided, according to the complaint. The FTC and CFPB say TURSS failed to follow reasonable procedures to: prevent the inclusion of multiple entries for the same eviction case; accurately report the disposition of eviction cases it included in its reports; accurately label the monetary amounts associated with those cases; and prevent the inclusion of sealed eviction records in its background reports.

    Until April 2021, TURSS often reported developments in the same eviction proceeding as separate events, making it appear as if a consumer had more than one eviction, according to the complaint. The company took steps to change that practice only after learning of the FTC’s investigation. The company also failed to follow reasonable procedures to accurately report the outcome of evictions, such as reporting an eviction was filed without reporting that it was also dismissed months or years before, or reporting that a landlord was awarded a judgment in an eviction proceeding when the case was actually dismissed.

    The company also included inaccurate labels in its reports that mischaracterized the nature of certain information in consumers’ eviction records, according to the complaint. The company labeled money that a landlord claimed a consumer owed as “Judgment Amount,” giving the false impression that this was the amount awarded by a court. The complaint also charges that TURSS failed to put in place reasonable procedures to prevent eviction records that had been sealed, or restricted from public view, by a court from appearing in its reports.

    The FTC and CFPB also say that TURSS violated the FCRA by failing in many instances to provide consumers with the names of third-party vendors from whom it received criminal and eviction records included in its tenant screening reports, which made it harder for consumers to correct errors in their background reports.

    Under the proposed order, which must be approved by a federal court before it can go into effect, TURSS and Trans Union LLC will be required to pay $11 million, which will be used to compensate consumers, and a $4 million civil penalty, which will go to the CFPB’s civil penalty fund. This is the largest amount ever recovered in an FTC tenant screening matter. In addition, the companies must also take steps to address the allegations of the complaint and help enable consumers to dispute inaccurate information in the future, including:

    • Put in place procedures to ensure the accuracy of information they provide about consumers in background screening reports, particularly information related to evictions;
    • Design procedures to prevent the inclusion of the types of problematic records detailed in the complaint including sealed records, unresolved eviction cases, multiple filings for a single eviction case, and any monetary amounts other than final judgments;
    • Disclose the sources of information in a consumer’s file, including identifying third-party vendors;
    • Implement practices and procedures that will help the companies identify future problems with criminal and eviction records and take corrective steps to fix them;
    • Provide consumers upon request and at no charge all the information in their file at the time of the request, including any information that TURSS might provide to a landlord or property manager; and
    • Make available on TURSS’s website a sample “adverse action notice letter” that landlords can use when they turn down applicants for housing, which will prompt the landlord to share the applicant’s tenant screening report and tell them why they are denying their application.

    The Commission vote authorizing the staff to file the complaint and stipulated final order was 3-0. The FTC and CFPB filed the complaint and stipulated final order in the U.S. District Court for the District of Colorado.

    NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

    The lead staffers on this matter are Jarad Brown and Whitney Moore in the FTC’s Bureau of Consumer Protection.