The FTC hosted an online privacy seminar that brought together researchers, academics, and industry representatives to discuss trends related to consumer privacy and data security. The agency announced a lawsuit against an education technology provider for allegedly lax data security practices that exposed sensitive information about millions of customers and employees. The agency also announced a settlement with a major telecommunications company over alleged junk fees and dark pattern practices. These stories and more after the jump.
Monday, October 31, 2022
Bureau of Consumer Protection: Security and Privacy
- The Federal Trade Commission announced that it is taking action against Chegg Inc. (“Chegg”), an education technology provider, for allegedly failing to fix problems with its data security that exposed sensitive information about millions of its customers and employees through four data breaches since 2017. According to the complaint, Chegg failed to implement basic security measures, such as requiring employees to use multifactor authentication to log into its third-party databases. Chegg also allegedly insecurely stored personal data on its cloud storage databases by storing it in plain text and utilizing outdated and weak encryption to protect user passwords until at least 2018. The Commission also alleged that the company failed to provide adequate security training to employees and contractors and to implement a written security policy until January 2021. Chegg’s actions allegedly violated Section 5(a) of the FTC Act. The FTC’s proposed order requires the company to bolster its data security, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.
Tuesday, November 1, 2022
- On November 1, 2022, the FTC hosted PrivacyCon 2022. The online event discussed the latest research and trends concerning consumer privacy and data security. Panel topics included consumer surveillance, automated decision-making systems, children’s privacy, augmented/virtual reality, interfaces and dark patterns, and advertising technology. FTC Chair, Lina Khan, provided the opening remarks, which highlighted that the FTC has been “prioritizing the use of creative ideas from academia in our bread-and-butter work” to, among other things, craft “better remedies to reflect what’s really happening on the ground.”
FTC Warning Letters: Unapproved and Misbranded Products Related to COVID-19
- The FTC and the United States Department of Food and Drug Administration (“FDA”) issued a warning letter to Alternative Health Distribution LLC (d/b/a CannaAid), which sells various hemp products. According to the letter, CannaAid’s website offers cannabinoid products, including cannabidiol (CBD) products, that are intended to mitigate, prevent, treat, diagnose, or cure COVID-19. The letter states that these products are unapproved new drugs sold in violation of section 505(a) of the Federal Food, Drug, and Cosmetic Act (FD&C Act) and misbranded drugs under section 502 of the FD&C Act. The alleged violative claims on CannaAid’s website include, but are not limited to, “CBD Blocks the Replication of Sars-CoV2 in the Lungs . . .” and “Cannabis Compounds Prevent Coronavirus – Study of Oregon State University . . .”. The FTC and FDA are requiring that CannaAid take immediate action to cease the sale of any unapproved and unauthorized products for the mitigation, prevention, treatment, diagnosis, or cure of COVID-19. Failing to do so could subject CannaAid to a civil penalty of up to $46,517 per violation and to pay refunds to consumers or provide other relief pursuant to Section 19(b) of the FTC Act.
Thursday, November 3, 2022
Bureau of Consumer Protection: Telecommunications Advertising and Marketing
- The FTC announced a settlement with Vonage, the telecommunications company, resolving allegations that the company imposed junk fees and created obstacles (such as dark patterns) for customers that tried to cancel their services. More specifically, the complaint alleged that Vonage harmed consumers in the following ways: (1) eliminated cancellation options, such as an online cancellation method; (2) made the cancellation process challenging; (3) surprised customers with expensive junk fees when they tried to cancel; and (4) continued to charge customers after they canceled their services. Vonage’s actions allegedly violated Section 5(a) of the FTC Act and the Restore Online Shoppers’ Confidence Act (ROSCA). According to the proposed court order that Vonage has agreed to, Vonage is required to refund $100 million to consumers and change some of its sales practices. For instance, among other things, Vonage is required to obtain express informed consent from consumers before charging them, and it is prohibited from using dark pattern practices to frustrate consumers’ cancellation efforts.
Bureau of Consumer Protection: Education Advertising and Marketing
- The FTC announced that it is sending payments totaling over $830,300 to 1,376 consumers who began their enrollment at Saint James School of Medicine (“the Medical School”) between Fall 2016 and Summer 2021. According to the Commission, the Medical School and its Illinois-based operators lured students with false guarantees of student success, both in passing medical school standardized tests and in matching with a residency program after graduation. The complaint alleged that defendants deceived consumers with false claims of very high standardized test pass rates for the United States Medical Licensing Examination Step 1 Exam, when the actual pass rate was 35%. The complaint also alleged that student match rates to residency programs were “the same” as American medical schools. However, they were approximately 20% lower than advertised. The Parties’ actions allegedly violated Section 5(a) of the FTC Act, the Telemarketing Sales Rule, the Holder Rule, and the Credit Practices Rule. The final order requires the Medical School and its operators to provide refunds and to cancel certain debts for students harmed by their marketing efforts. The parties are also banned from misrepresenting their test pass rate or residency match rate, or making any other unsubstantiated claims.