Jan 27, 2012
Upromise, a membership rewards service for those trying to save money for college, recently settled with the Federal Trade Commission over charges that it collected consumers’ personal information without adequate disclosures.
Consumers enrolled in the Upromise service received a rebate when they purchased goods or services from Upromise partners. The company’s Web site also offered a “TurboSaver Toolbar” download that highlights partners’ products in consumers’ search results with “Personalized Offers” in order “to provide college savings opportunities tailored to you.” But according to the FTC, the feature in fact tracked consumers’ Internet history and collected “extensive” personal information, such as user names, passwords, search terms, and even credit card and financial account numbers, security codes and expiration dates. Upromise then transmitted the information without encryption.
The agency estimated that at least 150,000 consumers used the Toolbar between 2005 and 2010. Upromise’s privacy statement claimed that, “We understand the need for our customers’ personal information to remain secure and private and have implemented policies and procedures designed to safeguard your information.”
The company also said it encrypted consumers’ sensitive information in transit and was “proud of the innovations we have made to protect your data and personal identity.”
The company’s failure to disclose the extent of the information collected by its Toolbar product as well as its claims to protect data and encrypt it in transmission were deceptive and violated the FTC Act, the agency alleged in its complaint.
The settlement requires Upromise to make clear disclosures about its data collection practices and affirmatively obtain consumers’ consent before installing or enabling toolbar products that collect personal information. The company is also barred from making misrepresentations about its privacy and security practices, and must establish a security program that will be subject to independent security audits for a 20-year period.
Existing data collected through the Toolbar’s “Personalized Offers” feature must be destroyed, and consumers whose information was collected must be notified and informed about how to uninstall Toolbars already on their computers.
To read the complaint in In the Matter of Upromise, click here.
To read the consent order, click here.
Why it matters: The action “is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security,” the agency said in a press release. The FTC’s first privacy-related enforcement action in 2012 serves as a reminder that companies must ensure that their disclosures about the collection, retention and use of personal information are clear and conspicuous and that data security policies are accurate and up to date.
Iovate Health Sciences agreed to pay 10 California counties $1.5 million to settle a suit alleging that the company falsely advertised its diet supplements. The district attorneys alleged that Canada-based Iovate and its American affiliate, Iovate Health Sciences USA, failed to warn the public that some of their products contain more than one-half of a microgram of lead in violation of the state’s Proposition 65, and also made false and misleading statements about products, including Accelis, nanoSLIM, Cold MD, Germ MD, Allergy MD, and EZ-Swallow.
Prop 65 requires manufacturers to include a warning label on all products with more than one-half of a microgram of lead. Cold MD, for example, had “significantly more” than 0.5 micrograms of lead in a single dose, the DAs said. Cold MD was also an unapproved new drug, the prosecutors alleged, making its sale and distribution in the state illegal.
The DAs said the settlement, which includes $300,000 for investigative costs and $1.2 million in civil penalties, was the second largest multi-county diet supplement settlement ever in the state. In addition, the company promised to refrain from unfair, dangerous or deceptive business practices. Under the terms of the settlement – which includes Alameda, Marin, Monterey, Napa, Orange, Santa Clara, Santa Cruz, Shasta, Solano and Sonoma counties – Iovate did not admit fault or liability.
Why it matters: The DAs emphasized their commitment to “protecting the California marketplace” from deceptive advertising for dietary supplements. “State action is necessary in this area because the federal government does not regulate the dietary supplement market,” Alameda County Deputy DA Scott Patton said in a press release.
In the continuing battle over companies requesting consumers’ personal identification information during credit card transactions, two decisions have limited the applicability of California’s Song-Beverly Act.
U.S. District Court Judge Jacqueline H. Nguyen dismissed suits against Microsoft and Redbox Automated Retail, a video rental company, holding that requesting personal information as part of an online or kiosk transaction is permissible.
In the Microsoft case, the plaintiff alleged that the company required his telephone number as a condition of completing an online credit card purchase, in violation of the Song-Beverly Act and the California Supreme Court’s decision in Pineda v. Williams-Sonoma.
But the court disagreed. “[T]he Act prohibits merchants from requiring the cardholder to write personal identification information on the credit card form, requiring the cardholder to provide personal identification information that merchants then write on the credit card form, and utilizing forms with preprinted spaces for personal identification information,” Judge Nguyen wrote. “This language suggests that ‘pen and paper’ transactions are contemplated, rather than the electronic entry of numbers on a keypad or touchscreen, and the Act makes no specific reference to online or kiosk transactions.”
As the Act was intended to prevent improper marketing and solicitation by merchants, the court said, it must be limited to brick-and-mortar transactions.
Judge Nguyen reached a similar conclusion in a second suit against Redbox, which operates self-serve video rental kiosks and requires a zip code and e-mail address to complete a transaction. “[A] legitimate need – fraud prevention – existed to justify the request of plaintiff’s zip code in order to complete the transaction,” she wrote, adding that her decision was consistent with the rationale behind Pineda, which expressed concern about the use of personally identifiable information for marketing purposes.
Because a salesperson can verify a customer’s identity by examining a driver’s license in a brick-and-mortar setting, it is unnecessary to provide a zip code or other personal information at that time. “By contrast, collection of personal information in an online or unattended kiosk may be the only means of verifying a customer’s identity in order to prevent credit card fraud. Given the Act’s focus on preventing unnecessary use of personal identification information, the language cannot reasonably be read to encompass online transactions, where recording such information is necessary for a legitimate purpose.”
To read the court’s order in Salmonson v. Microsoft Corp., click here.
To read the court’s order in Mehrens v. Redbox Automated Retail, click here.
To read the plaintiff’s motion for reconsideration in Salmonson, click here.
Why it matters: Although Judge Nguyen dismissed both suits with prejudice, the plaintiff in Salmonson has already filed a motion to reconsider. The motion contends that recent amendments to the Act “make it unmistakably clear [that] the Act has at all times applied to all credit card transactions, including those transacted in person, those done with an automated cashier, or computed, and those done remotely, such as fax, mail, or Internet.” Further, the plaintiff directed the court to recent decisions in California state court, where trial court judges overruled demurrers in three Song-Beverly Act cases involving Internet transactions. All three defendants sought to overturn the judgments, and in all three cases the California Court of Appeal summarily denied the petitions. Implicit in the denials “is that the Court of Appeal believes that the Act applies to Internet-based transactions” or else it would have granted the appeals and ordered the trial court to reverse itself, Salmonson argued. Retailers should continue to follow the battle over the issue of requesting consumer information during credit card transactions, as lawsuits continue to be filed in the wake of Pineda and courts continue to wade through the myriad of legal issues.
The Federal Trade Commission has settled with another marketer of acai berry supplements over charges of deceptive advertising and unfair billing, this time for $1.5 million. Central Coast Nutraceuticals and related individuals agreed to a ban on negative option sales as well as future false and misleading health claims.
The defendants claimed their products – including the Colotox colon cleanser and the Acai Pure supplement – could prevent colon cancer and would result in rapid and substantial weight loss, the FTC said.
Acai Pure, for example, made claims such as: “WARNING! Acai Pure Is Fast Weight Loss That Works. It Was Not Created For Those People Who Only Want To Lose A Few Measly Pounds. Acai Pure was created to help you achieve the incredible body you have always wanted…USE WITH CAUTION! Major weight loss in short periods of time may occur.”
The defendants also made unauthorized charges to consumers’ bank accounts after claiming that consumers could receive a free trial for a nominal fee and a full refund upon request. However, consumers were charged $39.95 to $59.95 as part of the negative option sales plan when consumers failed to cancel their recurring shipments, the agency said.
Under the terms of the settlement, the defendants must monitor the activities of any affiliate marketers selling products or services on their behalf – even reviewing marketing materials to ensure their compliance with the order. They are also banned from using fake celebrity endorsements, and consumer testimonials must reflect typical experiences.
Deceptive statements about trial purchases or refunds, as well as the failure to make adequate disclosures about material terms and conditions, are also prohibited. In addition, the defendants may not make any claims that a product can diagnose, cure, mitigate, treat, or prevent any disease without approval by the Food and Drug Administration.
The $1.5 million will be used for consumer refunds, the agency said. An original $80 million judgment – the total amount of consumer injury the FTC said was caused by the defendants’ deceptive behavior – was suspended.
To read the stipulated order in FTC v. Central Coast Nutraceuticals, click here.
To read the complaint, click here.
Why it matters: The settlement is yet another by the agency against the marketers of acai berry supplements after the FTC announced a law enforcement sweep last year against both manufacturers and their affiliate marketers of the weight-loss products.
Linda A. Goldstein, Partner, 212.790.4544
Jeffrey S. Edelstein, Partner, 212.790.4533
© 2015 Manatt, Phelps & Phillips, LLP. All rights reserved.