The FTC hosted an online privacy workshop that brought together researchers, academics and industry representatives to discuss trends related to consumer privacy and data security. The agency has announced a lawsuit against an education technology vendor for allegedly lax data security practices that exposed sensitive information about millions of customers and employees. The agency also announced a settlement with a major telecommunications company over alleged junk fees and dark pattern practices. These stories and more after the jump.
Monday, October 31, 2022
Consumer Protection Bureau: Security and Privacy
- The Federal Trade Commission has announced that it is taking action against Chegg Inc. (“Chegg”), an education technology provider, for allegedly failing to address data security issues that exposed sensitive information about millions of its customers and employees through four data breaches. since 2017. According to the complaint, Chegg failed to implement basic security measures, such as requiring employees to use multi-factor authentication to log into its third-party databases. Chegg also allegedly insecurely stored personal data in its cloud storage databases, storing it in plain text and using outdated and weak encryption to protect user passwords until at least 2018. The commission also alleged that the company failed to provide adequate safety training for employees and contractors. and implement a written security policy by January 2021. Chegg’s actions allegedly violated Section 5(a) of the US Federal Trade Act. The FTC’s proposed order requires the company to strengthen its data security, limit the data the company can collect and store, offer users multi-factor authentication to protect their accounts, and allow users to access and delete their data.
Tuesday, November 1, 2022
- On November 1, 2022, the FTC held PrivacyCon 2022. The online event discussed the latest research and trends in consumer privacy and data security. Panel topics included consumer tracking, automated decision-making systems, children’s privacy, augmented/virtual reality, interfaces and dark patterns, and advertising technology. FTC Chairwoman Lina Hahn gave opening remarks in which she emphasized that the FTC “prioritizes the use of creative ideas from academia in our agricultural work” to, among other things, create “a better means of reflecting what’s really happening on the ground.” .
FTC Warning Letters: Unapproved and Mislabeled Products Related to COVID-19
- The FTC and the US Food and Drug Administration (FDA) have issued a warning letter to Alternative Health Distribution LLC (d/b/a CannaAid), which sells various cannabis products. According to the letter, CannaAid’s website offers cannabinoid products, including cannabidiol (CBD) products, that are intended to mitigate, prevent, treat, diagnose or treat COVID-19. The letter states that these products are unauthorized new drugs marketed in violation of Section 505(a) of the Federal Food, Drug, and Cosmetic Act (the Food, Drug, and Cosmetic Act) and misbranded drugs under Section 502 of the Act about FD&C. Alleged violations on the CannaAid website include, but are not limited to, “CBD blocks Sars-CoV2 from multiplying in the lungs. . .” and “Cannabis compounds prevent coronavirus – Oregon State University study. . .”. The FTC and FDA require CannaAid to take immediate action to stop the sale of any unapproved and unauthorized products for the mitigation, prevention, treatment, diagnosis or treatment of COVID-19. Failure to comply with this requirement may subject CannaAid to a civil penalty of up to $46,517 per violation, as well as consumer refunds or other relief under Section 19(b) of the FTC Act.
Thursday, November 3, 2022
Bureau of Consumer Protection: Telecommunications Advertising and Marketing
- The FTC announced a settlement with Vonage, the telecommunications company, ending allegations that the company imposed junk fees and created obstacles (such as dark templates) for customers trying to cancel their service. Specifically, the complaint alleged that Vonage harmed consumers in the following ways: (1) eliminated cancellation options, such as an online cancellation method; (2) made the cancellation process more difficult; (3) surprised customers with expensive garbage fees when they tried to cancel; and (4) continued to charge customers after they canceled their services. Vonage’s actions allegedly violated Section 5(a) of the Federal Trade Act and the Restoring Online Consumer Confidence Act (ROSCA). Under the proposed injunction, which Vonage agreed to, Vonage must pay $100 million in restitution to consumers and change some of its sales practices. For example, Vonage is required, among other things, to obtain consumers’ express informed consent before charging them, and it is prohibited from using dark pattern practices to thwart consumers’ attempts to cancel orders.
Bureau of Consumer Protection: Educational Advertising and Marketing
- The FTC announced that it is sending payments totaling more than $830,300 to 1,376 consumers who began their enrollment at St. James Medical School (“the Medical School”) between fall 2016 and summer 2021. According to the Commission, the medical school and its Illinois operators lured students with false guarantees of success both when taking standardized tests in medical school and during residency training after graduation. The complaint alleged that the defendants deceived consumers by falsely claiming very high standardized test pass rates for the United States Step 1 Medical Licensing Examination, when the actual pass rate was 35%. The complaint also alleged that the percentage of students enrolled in residency programs was “the same” as in American medical schools. However, they were about 20% lower than advertised. The parties’ actions allegedly violated Section 5(a) of the Federal Trade Act, the Telemarketing Sales Rule, the Owner Rule, and the Credit Practices Rule. The final order requires the School of Medicine and its operators to provide restitution and cancel certain debts to students affected by their marketing efforts. Parties are also prohibited from misrepresenting their test pass rate or residency eligibility, or making any other unsubstantiated claims.