I Spy . . . A Settlement with the FTC
The Federal Trade Commission settled with seven rent-to-own companies and a software design firm which licensed software that defendants used to spy on 420,000 consumers via rented computers.
The software was intended to track the location of rented computers, but when activated by the defendants without renter’s knowledge or consent, it “revealed private, confidential, and personal details about the computer user,” according to one of the complaints filed by the agency.
DesignerWare LLC licensed the software on computers rented to consumers by rent-to-own companies Aaron’s, Aspen Way Enterprises, B. Stamper Enterprises, ColorTyme, Premier Rental Purchase, Showplace, Inc., Watershed Development Corp. and affiliates.
According to the FTC, the “Detective Mode” software captured screenshots, logged computer keystrokes, and even took webcam pictures. Data collected by the defendants included user names and passwords for e-mail accounts, for social media Web sites, and for financial institutions. The software also captured Social Security numbers, medical records, bank and credit card statements, private e-mail messages, webcam pictures of children, and partially undressed individuals engaged in intimate activities at home.
The agency alleged that DesignerWare and the rental companies violated the FTC Act: DesignerWare by providing the means for the companies to use geolocation tracking software without the renters’ knowledge and consent, and the rental companies for illegally collecting renters’ confidential and personal information.
Under the terms of the settlement, the defendants are barred from any spying in the future, from activating location-tracking software without consumer consent and notice, and from deceptively collecting and disclosing information about consumers.
The agreements are open for public comment until October 25.
To read the complaints and proposed agreements in the actions, click here.
Why it matters: “An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” Chairman of the FTC Jon Leibowitz said in a statement about the cases. “The FTC orders today will put an end to their cyber spying.”
back to top
POM Suffers Two Losses in One Week
POM had a less than wonderful week. Over the course of just a few days, a federal court judge dismissed the pomegranate product maker’s suit against the Federal Trade Commission and a U.S. district court judge on the opposite side of the country certified a nationwide class in a false advertising suit against the company.
The FTC case has a lengthy history. POM filed suit against the FTC in September 2010 after the agency entered into consent agreements with two other companies that the FTC claimed had overstated their products’ effect on disease prevention, mitigation, and treatment. According to POM, the requirements in the agreements – that all disease-based health representations be preapproved by the Food and Drug Administration and that future health claims required at least two human clinical studies – constituted a new rule.
POM sought a declaratory judgment that the alleged new rule violated statutory and constitutional law. In response, the FTC filed an administrative complaint against POM, alleging that the company engaged in deceptive and false advertising with respect to health claims regarding its pomegranate products.
Earlier this year, an administrative law judge ordered POM to cease and desist making health and benefits claims after finding that it lacked competent and reliable scientific evidence for a number of its ad claims that promised pomegranate juice can treat or prevent heart disease, prostate cancer, and erectile dysfunction. However, the Administrative Law Judge (ALJ) rejected the FTC’s proposed order which would have required that POM obtain FDA preapproval for its health claims. The ALJ also rejected the FTC’s claim that studies must comply with the same double-blind, randomized, placebo-controlled requirements imposed on pharmaceuticals.
Noting that the administrative action against POM is ongoing, U.S. District Court Judge Richard W. Roberts said a number of factors led him to dismiss the declaratory judgment suit.
“Generally, in the interest of judicial efficiency, courts decline to hear declaratory judgment actions that would not fully resolve the parties’ claims. Here, if the court resolved the issues POM raised in its declaratory judgment action, the parties would still have to litigate whether POM’s health claims about its products were false, misleading, and unsubstantiated in violation of the FTC Act,” he wrote.
“POM will have a full opportunity to challenge any FTC final action against it upon the conclusion of the administrative action with a fully developed administrative record available.”
In the second suit, a California federal court judge certified a nationwide class of plaintiffs that claim the company falsely advertised the health benefits of its pomegranate juice.
Despite POM’s argument that California law could not be applied to consumers nationwide, the court said the company’s ties to the state were strong enough to ensure that California’s consumer protection law could be constitutionally applied.
“POM is headquartered and located solely in California, developed its marketing strategies in California, and produced all of its pomegranate juice products in California,” U.S. District Court Judge Dean D. Pregerson wrote. POM “fails to carry its burden to demonstrate that the interests of any foreign jurisdiction outweigh California’s interest in applying its own consumer protection laws to the facts of this case.”
Judge Pregerson also shot down POM’s contention that because the class members viewed different ads, their reliance and motives for purchase were too individualized for class proceedings.
“The mere fact that POM used several different advertisements to convey its health message is not dispositive,” the court said. “A false or misleading advertising campaign need not ‘consist of a specifically-worded false statement repeated to each and every [member] of the plaintiff class.’ ”
The court certified a nationwide class of persons who purchased a POM juice product between October 2005 and September 2010.
To read the court’s order in POM Wonderful v. FTC, click here.
To read the class certification order in In re: POM Wonderful Marketing and Sales Practices Litigation, click here.
Why it matters: POM’s tough week in court leaves the company facing two legal challenges: its ongoing battle with the FTC as well as a nationwide class action suit, both involving allegations that the company made false and misleading health claims about its pomegranate products.
back to top
FTC Targets “Tech Support” Scams
Announcing a “major, international crackdown” on tech support scams, the Federal Trade Commission filed suit against six defendants who tricked consumers into purchasing fixes for viruses or malware.
Five of the defendants used telemarketing calls to contact consumers, the agency alleged, while the sixth placed ads on Google that would appear when consumers searched for the tech support number of their computer company.
The defendants claimed they were affiliated with companies like McAfee and Norton and told consumers that malware had been detected on their computers. Consumers were directed to the “Event Viewer” in their computer’s utility log where defendants claimed innocuous entries were really evidence of a virus.
For fees ranging from $49 to $450, the defendants offered to “fix” the computer. Consumers were instructed to download software allowing the defendants remote access from which they would remove the malware or virus. In addition, the defendants offered consumers long-term technical support or security services for additional fees.
Targeting consumers not only in the United States but Australia, Canada, Ireland, New Zealand, and the United Kingdom, the defendants used 80 different domain names and 130 different phone numbers, according to the complaint.
The complaints alleged that 14 corporate defendants and 17 individual defendants violated the FTC Act, the Telemarketing Sales Rule, and made illegal calls to numbers on the federal Do Not Call Registry.
A federal court judge in New York already issued an order against the defendants, halting their business operations and freezing their assets.
To read the complaints and the court’s order granting a temporary restraining order, click here.
Why it matters: Tech scams are keeping the agency busy. Just one day prior to the announcement of the international crackdown, the FTC confirmed that a U.S. District Court Judge imposed a $163 million judgment in a case against a “scareware” operation. The defendants in that case also used Internet ads to trick consumers into believing their computers were infected and then sold them software to fix the problem. The judge imposed the penalty after a two-day trial against the remaining defendant in the suit (the other defendants previously settled with the agency; two agreed to pay $8.2 million last year). Finding the sole remaining defendant joint and severally liable, the judge imposed the $163 million penalty, a sum calculated by the FTC to reflect either the amount of consumer redress, or the amount paid by consumers for the defendants’ products, minus any refunds.
back to top
FTC Fines Children’s Fan Site $1M for COPPA Violations
As the agency finalizes changes to its Children’s Online Privacy Protection Act (COPPA), the Federal Trade Commission reached a $1 million settlement with a celebrity fan site operator over allegations it violated the act.
Artist Arena, the operator of fan Web sites for artists like Rihanna, Justin Bieber, and Demi Lovato, violated COPPA by collecting personal information from children under the age of 13 without parental consent, according to the agency’s complaint. Visitors to sites like www.BieberFever.com could create profiles, register to join a fan club, and sign up for newsletters.
Although the site claimed that it would not activate a child’s registration without their parent’s consent, Artist Arena’s procedures were inadequate to comply with COPPA, the FTC said.
In one example, children who registered for the Selena Gomez newsletter were told to provide a parental e-mail address so that an adult could provide the necessary consent. Although the parents received a message with a link to approve the subscription, the company had already registered the child on the site and created a profile, the agency said.
Artist Arena knowingly registered more than 25,000 children under age 13, the FTC alleged, and collected and maintained information from an additional 75,000 children who started but did not complete the registration process. The company collected information including the names, addresses, e-mail addresses, birth dates and gender of the children, according to the complaint.
In addition to the $1 million penalty, Artist Arena agreed to destroy the illegally collected information. The company is also prohibited from future violations of COPPA and agreed to place a link on its Web sites to the FTC’s guide for protecting children’s online privacy.
To read the complaint in U.S. v. Artist Arena, click here.
To read the consent decree, click here.
Why it matters: The settlement reiterates the agency’s focus on COPPA and children’s privacy even as it readies changes to COPPA. Even if the proper procedures are in place – like Artist Arena’s parental e-mail system – companies that market to children under the age of 13 should ensure that their compliance measures are functioning – unlike the defendant’s system that allows registration prior to receiving parental consent. Or, as FTC Chairman Jon Leibowitz said in a press release about the settlement, “Marketers need to know that even a bad case of Bieber Fever doesn’t excuse their legal obligation to get parental consent before collecting personal information from children. The FTC is in the process of updating COPPA to ensure that it continues to protect kids growing up in the digital age.”
back to top
Did Facebook Violate its FTC Agreement?
Consumers groups have sent a letter to the Federal Trade Commission, charging that a new marketing program launched by Facebook violates the terms of the social networking site’s settlement with the agency earlier this year.
In August, the agency finalized a settlement with Facebook over allegations that the company made user information public by default, even though the company promised to keep the information private.
Just one month later, the Electronic Privacy Information Center (EPIC) and Center for Digital Democracy (CDD) sent a letter to the agency seeking an investigation into a new “data-matching” deal the site recently launched with Datalogix.
A data-mining company, Datalogix collects consumer information from offline retailers that includes names, addresses, e-mail addresses, and behavioral information like purchase history. The agreement allows Datalogix to match its database with Facebook user information with the goal of profiling consumer offline commercial activity, according to the letter.
This sharing of information violates the site’s consent decree with the FTC, under which Facebook was required to make “clear and prominent” disclosures and obtain affirmative consent from users prior to the sharing of any user’s nonpublic information, the letter argues. Neither Facebook’s data use policy nor its statement of rights and responsibilities explains that the information is disclosed, and the one reference to Datalogix is difficult to find, the groups argue. The page where it is located “requires at least five actions to reach from the Facebook.com home page and simply directs users to the Datalogix privacy policy.” The failure to notify users constitutes a misrepresentation by omission in violation of the consent agreement, they contend.
In addition, although Facebook said that the data will all be hashed and that no individual user’s information will be shared, the anonymization technique is “vastly overrated,” the groups wrote, expressing concern that the data would not be matched anonymously.
Finally, the opt-out language for the program is “confusing and ineffective,” according to the letter, and “hidden within Datalogix’s long privacy policy.” Opting out also requires an opt-out cookie, the groups said, which users often delete, not realizing they have removed the record of their request to be treated anonymously.
To read the letter to the FTC, click here.
Why it matters: Facebook remains a lightning rod for privacy issues. The social networking site’s agreement with the FTC was barely finalized before EPIC and CDD sent their letter to the agency alleging violations of the agreement. It remains to be seen whether the FTC investigates the data-matching arrangement between Datalogix and Facebook.
back to top