Advertising Law

Tech Company Settles With FTC Over Installation of Apps Without Permission

A technology company that allegedly replaced a Web browser game with a program that installed apps on mobile devices without permission has settled charges that it violated the Federal Trade Commission Act.

Vulcun purchased Running Fred, a Google Chrome browser extension game used by more than 200,000 consumers. According to the FTC's complaint, the technology company then replaced the game with its own extension, Weekly Android Apps, without notifying consumers. The Vulcun app claimed to offer unbiased recommendations of Android applications, but actually installed apps directly without consumer permission—or as Jessica Rich, the agency's Director of Consumer Protection said in a statement, "commandeer[ed] people's computers and bombard[ed] them with ads."

Google received "a number" of consumer complaints about the Vulcun app, the FTC alleged, not just about the installation of apps without permission, but also that the extension opened multiple tabs and windows on the browser that advertised various other applications and reset users' browser homepages. Consumers also griped that even when they deleted the unwanted apps, Vulcun reinstalled them.

These actions violated the Section 5 prohibition on unfair practices in the FTC Act, the agency alleged in its complaint. "By bypassing the permissions process in the Android operating system, the apps placed on consumers' mobile devices also could have easily accessed users' address books, photos, location, and device identifiers," the agency said. "Indeed, once installed, the apps could have gained further access to even more sensitive data by using their own malicious code."

Vulcun further misled consumers by claiming its extensions provided "independent and impartial" reviews of apps and also it misrepresented the extent of third-party endorsements and media coverage, the FTC added. The company claimed that its app had 200,000 users and a 4.5 rating—a claim that was true for Running Fred, but not for the Weekly Android Apps, according to the agency.

Under the terms of the settlement, the company and two individual defendants must inform consumers about how the information accessed by a product or service will be used, and must also obtain express affirmative consent for the installation or material change of a product or service. Any built-in permissions notices associated with the product must be displayed prior to consent.

Several types of misrepresentations are banned by the proposed consent order. Vulcan cannot mislead consumers as to how personal information is collected and used or how much control they can exercise over the collection, use, and sharing of their data. It cannot misrepresent that a product has been endorsed by a third party or the efforts Vulcan has made to maintain privacy and security of the information collected from consumers.

To read the complaint and proposed consent order in In the Matter of General Workings, Inc., click here.

Why it matters: The case offers several lessons for advertisers, the FTC noted in a blog post. It reminds marketers to clearly disclose material information before consumers download a product and to obtain express consent prior to download. In addition, even after a product or service is on a consumer device, companies must stay within the confines of the activities that were disclosed to consumers. Finally, the agency emphasized the importance of disclosures to consumers, particularly where a material connection exists between a product and an endorser. The proposed consent order is currently open for public comment.

back to top

Fake News Sites, False Celebrity Endorsements, Spam E-Mails Cost Marketing Company $10M

With up to $10 million available as restitution for consumers, a California marketing company agreed to stop using fake news websites featuring false celebrity endorsements and spam e-mails to market weight loss products.

Last May, the Federal Trade Commission filed suit against Sale Slash and individual defendants over the company's marketing techniques. The agency asserted that the defendants, in order to sell weight loss products, used fake news websites peppered with phony endorsements from celebrities such as Oprah Winfrey, and they also made unsupported efficacy claims with headlines such as "Insider Report: Oprah and Other Celebrities Lose 4lbs/Week of Belly Fat With This Secret Our Readers Can Try Now!"

Millions of illegal spam e-mails were sent to promote the defendants' weight loss supplements, including Pure Garcinia Combogia, Premium White Kidney Bean Extract, and Premium Green Coffee, with messages such as "Breaking news …" or "Hi! Oprah says its excellent" with hyperlinks, the FTC complaint alleged. The e-mails were sent by affiliate marketers using stolen e-mail accounts, so the messages appeared to be from a friend or family member without including information on how to opt-out of future messages.

To settle the charges, the defendants agreed to change their conduct and provide roughly $10 million in restitution, a suspended amount from the $43.4 million judgment.

With regard to their actions, the defendants are prohibited from making or assisting others in making weight loss or health-related product claims, absent competent and reliable scientific evidence (specifically including a human clinical test or study as substantiation) as well as making misrepresentations about the "existence, contents, validity, results, conclusions, or interpretations" of any text, study, or research related to the human clinical test or study used to support their advertising claims.

In addition, the defendants are banned from making a host of various misrepresentations related to the advertising and marketing of their products and in emails it sends that are covered by the CAN-SPAM Act (such as sending messages that fail to identify the sender or e-mails that lack a proper opt-out option for recipients). The consent order also includes specific requirements on how the defendants must police the actions of their affiliate marketers.

As for the money, the company and five individual defendants must turn over assets that, when combined with money already secured by a court-appointed receiver, will total almost $10 million. The remainder of the $43.4 million judgment—reflecting the amount of consumer harm caused by the defendants, the FTC said—was suspended.

To read the complaint and stipulated order in FTC v. Sale Slash, click here.

Why it matters: As demonstrated by the enforcement action, affiliate arrangements won't insulate advertisers from liability with the FTC. The action also underscores the FTC's focus on weight loss claims and its efforts to eradicate the use of false endorsements and fake news websites.

back to top

FTC Hits Hardware Maker With Enforcement Action

A computer hardware maker reached a deal with the Federal Trade Commission, settling charges that the defendant had security flaws in its router that put thousands of consumers' home networks at risk and that compromised connected storage devices by using insecure cloud services.

The flaws were present in ASUSTeK Computer, Inc., products despite advertisements touting the security features of the routers with claims that they could "protect computers from any unauthorized access, hacking, and virus attacks" and that they would "protect [the] local network against attacks from hackers."

In actuality, the company was aware of design flaws and bugs in the products, the agency alleged, and failed to take reasonable steps to secure its software. In one example, a malware researcher revealed a bug that allowed hackers to reconfigure vulnerable routers and commandeer consumers' Web traffic. ASUS also set the same default login credentials for every router (with "admin" as both username and password) and permitted users to retain the default credentials instead of requiring a change to increase security.

The cloud storage provided by ASUS similarly failed to pass muster. AiCloud and AiDisk services allowed consumers to plug a USB hard drive into the ASUS router to create their own cloud storage that was accessible from any device. But contrary to the company's claim that the services offered a "private personal cloud for selective file sharing" and a way to "safely secure and access your treasured data through your router," a vulnerability in the service permitted hackers to bypass the login screen and gain access to the storage device without any credentials, the FTC alleged.

Contributing to the insecurity, AiDisk did not encrypt files in transit and the default privacy settings for the service allowed public access to the device. These security flaws resulted in hackers gaining unauthorized access to almost 13,000 consumers connected storage devices in February 2014, the agency said, when ASUS router owners received the following message on their device: "This is an automated message being sent out to everyone affected [sic]. Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection."

Despite knowledge of the security weaknesses, ASUS neglected to fix the problems in a timely manner and failed to notify consumers about the risks or the availability of security updates. For more than one year a software update tool on the router often told consumers their router was up to date when new software—with critical security updates—was actually available.

The Taiwan-based company reached a deal with the FTC requiring ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years. The company must also notify consumers about updates or other means to protect themselves from security flaws and refrain from misleading consumers about the security of its products, including whether a product is using up-to-date software.

To read the complaint and proposed consent order in In the Matter of ASUSTeK Computer, Inc., click here.

Why it matters: "The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," Jessica Rich, Director of the FTC's Bureau of Consumer Protection, said in a statement. "Routers play a key role in securing those home networks, so it's critical that companies like ASUS put reasonable security in place to protect consumers and their personal information." Comments on the proposed consent order in the case—which the agency noted is part of its "ongoing effort to ensure that companies secure the software and devices that they provide to consumers"—will be accepted until March 24.

back to top

Processor Receives Ban After Enabling Scammer

Halting an alleged telemarketing scheme, the Federal Trade Commission settled charges that payment processor Capital Payments LLC enabled a scammer to process consumer card payments in violation of the Federal Trade Commission Act and the Telemarketing Sales Rule.

The defendants turned a blind eye to the actions of The Tax Club, an entity that the FTC said was engaged in a telemarketing scam that tricked consumers into launching a home-based business. The Independent Sales Organization (ISO) allowed The Tax Club to use merchant accounts to process credit card payments, despite multiple red flags, including a high rate of chargebacks, alerts from financial institutions, and chargeback requests from consumers stating that the charges were unauthorized or fraudulent.

Only when the FTC (joined by state Attorneys General in Florida and New York) filed suit against The Tax Club in 2013 did Capital terminate its relationship with the company.

For assisting and facilitating the scam, Capital—now known as Bluefin Payment Systems LLC—violated the Telemarketing Sales Rule and engaged in unfair and deceptive conduct in violation of the FTC Act, according to the agency's complaint.

To settle the charges, Capital agreed to cease operating as a payment processor or as an ISO for multiple categories of clients, or from assisting or facilitating any merchant it knows, or should know, is violating the TSR or FTC Act.

Going forward, Capital must screen its prospective clients and monitor their sales activity for potential deceptive conduct and terminate contracts with those who defy the law. A $2.6 million judgment was partially suspended upon payment of $750,000.

To read the complaint and stipulated order in FTC v. Capital Payments LLC, click here.

Why it matters: The stipulated order against Capital set forth very detailed requirements for the company as to what constitutes "reasonable screening" of potential clients. It must gather information, such as the name of all persons with a majority ownership interest in the entity and a list of all business and trade names and Internet websites the prospective client has marketed its goods and services to for the past two years. It must also obtain bank references. Once a client has been accepted, the work doesn't end for Capital, which must monitor existing clients by regularly reviewing their chargeback rates and total return rates and by reviewing the reasons provided for the rates. If the review reveals that the chargebacks and non-credit card return rates exceed a certain percentage of transactions, it must terminate the relationship.

back to top

Goldstein Presents Native Advertising Webinar, Mar. 16

Native advertising has generated a lot of buzz lately as a means for advertisers to break through the clutter and for online publishers to generate revenue. The FTC recently issued updated guidance to ensure that native ads do not deceive. However, since some of the more specific guides may be at odds with today's industry practices, the new requirements present compliance challenges for advertisers and publishers alike. Linda Goldstein, partner and chair of Manatt's Advertising, Marketing and Media practice, will address these challenges and clarify the FTC's detailed recommendations in a complimentary webinar hosted by BNA on Wednesday, March 16.

back to top

Noted and Quoted . . . Wasserman Urges Consumers to Speak Up on "Natural" in New Hope Network and Roth Discusses Mobile Marketing and Security Issues in Advertising Age and Corporate Counsel

Ivan Wasserman, a partner in Manatt's Advertising, Marketing and Media practice, authored an article for the New Hope Network titled "4,744 (Comments) and Counting." The article, published on March 1, encourages readers to contribute to the FDA's discussion of the term "natural," including its definition and its regulation. Read the full article here.

Marc Roth, co-chair of the firm's TCPA Compliance and Class Action Defense practice, authored an article for Advertising Age titled "Make Sure Your Mobile-Marketing Effort Doesn't Land You in Court." The article details steps that marketers can take to avoid violating mobile marketing laws and guidelines. Read the article here.

For Corporate Counsel readers, Roth discussed how monitoring regulatory enforcement actions and heeding data security guidance can help prevent unauthorized attacks. Read "10 Lessons from the FTC Guidance on Data Security" here.

back to top

Most Read Stories

In case you missed any, here are our top 10 most widely read stories in January:

1. "NAD: Advertisers Can Be Responsible for Claims on Third-Party Sites"

2. "California Court Finds Customer Consent to Receive Texts Ends TCPA Suit"

3. "Battle Over Legality of Daily Fantasy Sports Sites Continues"

4. "Manatt Defeats Motion for Class Certification in TCPA Complaint Against Network Telephone Services"

5. "App Developers Violated COPPA With the Use of Persistent Identifiers, FTC Says"

6. "Be Still, My Heart: New Suit Says Fitbits Fail to Track Heartbeats as Promised"

7. "Survey Seeks Information in Advance of SAG-AFTRA Negotiations"

8. "With Big Data Comes Big Responsibility, FTC Report Cautions"

9. "Uber Drives Settlement With NY AG Over Data Breach, Privacy Violations"

10. "Ending Challenge to FTC's Data Security Authority, Wyndham Settles"

back to top



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved