Consumer Protection Connection


TRUSTe Settles COPPA Safe Harbor Enforcement Action with NYAG

Posted in Privacy

TRUSTe has settled allegations by the New York Attorney General that it did not adequately assess whether companies certified under its Children’s Online Privacy Protection Act (COPPA) Safe Harbor seal program allowed third party sites to track children. TRUSTe agreed to pay $100,000 and will be required to adopt new procedures to make its COPPA Safe Harbor certification review process more rigorous.

TRUSTe’s Children’s Privacy Program is an authorized safe harbor scheme that requires TRUSTe to carry out at least one yearly comprehensive evaluation of its customers’ websites to ensure they remain in compliance with COPPA. Under COPPA, companies are required to obtain parental consent before permitting any tracking of children under 13. While TRUSTe carried out electronic scans of seal program participants’ websites for third-party tracking technology, the NYAG alleged that TRUSTe failed to perform similar searches of those companies’ child-directed webpages. The NYAG also alleged that TRUSTe failed to provide its customers with complete results of the investigations, including information on the tracking software it uncovered in its scans.

This settlement comes two years after TRUSTe found itself in hot water with the Federal Trade Commission (FTC) over allegations that the privacy company neglected to re-certify more than 1,000 companies between 2006 and 2013 under the EU-US Safe Harbor program in place at the time.

Government Agencies to be Rated on Cybersecurity Using NIST Framework

Posted in Cybersecurity

The Trump administration has announced that it will impose new metrics on federal agencies related to cybersecurity.  Agencies and departments will be required to comply with the framework developed by the National Institute of Standards and Technology (NIST) and report back to the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the White House.

Homeland security advisor Thomas Bossert stated that the President’s budget will include an increase in federal funding to combat cyber threats, and that the administration’s priorities vis-à-vis cybersecurity are to modernize and centralize the existing system. To this end, the Administration intends to partner with business, including Silicon Valley, and state and local governments, on cybersecurity.

In the federal sector, the White House’s March 2017 budget blueprint calls for $1.5 billion for DHS activities to protect federal networks and critical infrastructure from cyberattacks. Additionally, a cybersecurity executive order will reportedly be finalized in the near future.

Plans to impose the NIST cybersecurity framework on federal agencies illustrate the Framework’s increasing importance as a standard for cybersecurity, not just for government agencies, but more broadly throughout the information ecosystem.  With security breaches, state-sponsored cyber-attacks, and ransomware demands increasing, the Framework offers useful guidance on processes and actions designed to enhance data security for government and industry alike.

FTC Takes on “Made in the USA” Claim for Second Time This Year

Posted in Advertising

“Made in the USA” is an attractive selling point for many consumers who want to support homegrown industry, so it is the topic of many advertising claims for a variety of products. But to establish that a product is American-made, manufacturers have to show all its key parts were made here. And if steel tags which proudly state “Made in the USA” were, in fact, manufactured overseas, that’s false advertising.

This is the situation faced by Texas-based Block Division, Inc., a manufacturer of metal pulleys. According to the FTC complaint released on March 8, 2017, Block’s advertising used images as well as explicit wording to reinforce its “Made in the USA” message. Yet, according to the FTC, the company imported integral components of its pulleys from other countries, including, ironically, the imported steel plates that were stamped with the words “Made in USA.”

Under a settlement with the FTC, Block Division is banned from advertising its products as USA-made unless the company can establish “the final assembly or processing of the product occurs in the United States, all significant processing that goes into the product occurs in the United States, and all or virtually all ingredients or components of the product are made and sourced in the United States.” The company can make “qualified” U.S. origin claims only if it clearly and conspicuously “conveys the extent to which the product contains foreign parts, ingredients, and/or processing.”

Acting FTC Chairman Maureen Ohlhausen commented “Consumers have the right to know that they can trust companies to be truthful when it comes to ‘Made in USA’ claims. This is an important issue for American business and their customers, and the FTC will remain vigilant in this area.”

Two FTC documents, Complying with the Made in USA Standard and Enforcement Policy Statement on U.S. Origin Claims, outline fundamental requirements to comply with FTC enforcement guidelines and to substantiate “Made in the USA” claims:

  • All significant parts and processing that go into the product are of U.S. origin (the “virtually all” standard);
  • Competent and reliable evidence exists to back up the claim that the product in question is made in the U.S.

Block Division and the iSpring Water Systems settlement last month are the latest in a line of complaints the FTC has brought in recent years against companies that deceptively promote products with “Made in the USA” advertising. These cases indicate the ongoing seriousness with which the Commission will treat such claims in the future.

Comments on the proposed settlement will be accepted online until April 7, 2017.

FCC Takes Initial Step to Give Privacy, Security Authority Back to FTC

Posted in Privacy

On March 1, the Federal Communications Commission (FCC) granted a temporary stay of one of the broadband privacy rules adopted in October of last year. That rule, which pertains to data security, would otherwise take effect on March 2. Newly installed FCC Chairman Ajit Pai and Federal Trade Commission (FTC) Acting Chair Maureen Ohlhausen issued a joint statement in support of the stay, which will allow the FCC to consider petitions for reconsideration of the October 2016 Report and Order before the data security and other new requirements for broadband internet service providers (ISPs) take effect. The Chairmen expressed their goal of “harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy.”

The FCC’s 2016 Report and Order established a comprehensive set of rules for protecting the confidentiality and security of information that ISPs acquire from their customers. Pai was one of two FCC Commissioners who issued a strong dissent. The recent stay, approved by the FCC in a 2-to-1 vote along party lines, follows Pai’s statement on February 24, 2017 that he would seek to reconsider elements of the Obama-era FCC’s privacy rules that were inconsistent with the FTC’s rules.

The moves by the FCC presage the likely withdrawal of the prescriptive broadband privacy rules, which rely on a determination by the FCC that ISPs are common carriers under its jurisdiction. This would return ISPs’ treatment of consumer privacy to the FTC, which has more experience enforcing privacy and data security laws in a technology-neutral manner.

Sealed: Three IT Companies Settle FTC Deceptive APEC Privacy Claims

Posted in Advertising, Privacy

If a business advertises it is a member of a privacy program, even a voluntary one, it had better be, according to the Federal Trade Commission (FTC). In separate but related complaints, the FTC alleged that three businesses – software provider Sentinel Labs Inc., private messaging app developer SpyChatter Inc., and cybersecurity software company Vir2us Inc. – represented that they were members of the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) when they were not.

The CBPR is a voluntary, cross-border privacy regime designed “to protect data that flows between the regions.” Its system is based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access, correction, and accountability.

Although membership is voluntary, false representations about participation are enforceable. Furthermore, participation isn’t simply a matter of saying you support the principles; participants must undergo a review by an APEC-recognized accountability agent, which certifies companies that meet CBPR standards. Despite assertions in their online privacy policies that they were CBPR members, Sentinel, SpyChatter, and Vir2us Inc. had never been certified by an APEC agent.

FTC Acting Chair Maureen Ohlhausen commented that “Cross-border commerce is an important driver of economic growth, and our cross-border privacy commitments help enable U.S. companies to compete around the world. Companies, however, must live up to the promises they make to protect consumer data.” Ohlhausen’s comments indicate the seriousness with which the FTC continues to approach deceptive advertising related to privacy.

Under their settlement with the FTC, the three companies are barred from making any misleading assertions about their “participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.”

Public comments may be submitted electronically on the Sentinel Labs, Inc., SpyChatter, Inc., and Vir2us, Inc. agreements through March 24, 2017.

It is important to note that there are a growing number of privacy “seal” programs, and some organizations offer a variety of such programs. Whether ads involve compliance with the EU-U.S. Privacy Shield, APEC, or programs under the Health Information Portability and Accountability Act (HIPAA) or Children’s Online Privacy Protection Act (COPPA), to minimize risk, businesses need to ensure that claims accurately reflect the specific program they joined. And, of course, they should only advertise participation while their membership or seal status is current and their policies and practices remain in compliance.

Elliot Kaye Steps Down as CPSC Chair

Posted in Regulations

In line with the chairs of other U.S. government agencies and commissions, U.S. Consumer Product Safety Commission (CPSC) Chairman Elliot F. Kaye has resigned his seat as chairman, according to internal sources. Pursuant to the commissioners’ unanimous vote on January 19, 2017, Vice Chair Ann Marie Buerkle assumes the role of Acting Chair until a permanent replacement is appointed by President Trump and confirmed by the Senate.

Acting Chair Buerkle is a proponent of reducing testing burdens faced by manufacturers and working closely with the stakeholder community. She has opposed the recent increase in CPSC’s civil penalty settlements and criticized a lack of transparency in the civil penalty process.

Kaye was nominated by President Barack Obama on March 31, 2014, and was confirmed by the U.S. Senate on July 28, 2014, to a term set to run until 2020. He had two separate commissions—one as commissioner and one as chairman—and resigning the chairman’s seat does not automatically affect his seat as commissioner.

FTC Finds Water Company Claims Are All Washed Up

Posted in Advertising

The push to “Buy American” aims to encourage consumers and businesses to support homegrown industry.  So, when a water filter maker’s claims of “buil[t] in the U.S.” didn’t hold water, the company quickly found itself in a sea of trouble with the FTC.

Georgia-based iSpring advertised and sold its water filter to consumers on its website as well as via major retailers such as Amazon, Overstock, Sears, Home Depot, and Walmart.  The FTC complaint alleged that iSpring Water Systems misled consumers with “false, misleading, or unsupported claims” that its water filtration systems are “Built in USA.” The problem, FTC alleged, was that the company used substantial components produced overseas.

Under the standard terms of its settlement with the FTC, iSpring is prohibited from making any representation regarding country of origin unless such representation is demonstrably true and cannot describe its products as “Made in USA” unless it can establish that virtually all of its components are sourced and manufactured in the United States. Qualified “Made in USA” claims are, of course, permissible so long as iSpring makes them “include a clear and conspicuous disclosure about the extent to which the product contains foreign parts, ingredients, [or] processing.”

“Supporting American manufacturing is important to many consumers. If a product is advertised or labelled as ‘made’ or ‘built’ in the USA, consumers rightly expect that to be the case when they part with their hard-earned money,” said Acting FTC Chairman Maureen Ohlhausen. “This is an important issue for American business and their customers, and the FTC will remain vigilant in this area.”

Many consumers do look for products made in America.  The decision confirms that the FTC, which has been very active in enforcing against similar products over the past couple of years, will continue to take a close look at such claims.  Public comments on the proposed agreement will be accepted until March 3, 2017, and interested parties can submit comments here.

Smart TV Tracking Without Permission? Not So Clever

Posted in Privacy

Have you ever had the niggling suspicion your television was watching you?  Apparently, if it was made by smart technology manufacturer VIZIO, it very well may have been.  In a $2.2 million settlement with the Federal Trade Commission (FTC) and the New Jersey Attorney General, VIZIO acknowledged that it collected and sold data from 11 million televisions without viewers’ knowledge.

According to the FTC complaint, beginning in February 2014, VIZIO smart televisions covertly recorded continuous data on what viewers watched without their knowledge or consent. The television’s Smart Interactivity feature was advertised simply as a way to get program recommendations.  But when the feature was activated, rather than make viewing suggestions, it collected data from cable, on-air broadcasts, DVDs, broadband, and streaming devices and sent it back to VIZIO via the company’s embedded, proprietary ACR software.  The data, including a persistent identifier for each television, the program and commercial viewed, when it was viewed, how long it was viewed, and what channel it was on, was then sold to third parties for audience measurement, analyzing advertising effectiveness, and behavioral advertising purposes. The complaint asserts that these actions violated Section 5 of the FTC Act and New Jersey consumer protection laws.

Under a stipulated federal court order, VIZIO is required to obtain express consent for its data collection and sharing practices, and must institute a comprehensive data privacy program.  The company is also barred from misrepresenting the privacy, security, and confidentiality of consumer information it collects.

FTC Acting Chairman Maureen K. Ohlhausen issued a concurring statement in which she noted that “[e]vidence shows that consumers do not expect televisions to collect and share information about what they watch.”  She went on, however, to caution:

We must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers. This case demonstrates the need for the FTC to examine more rigorously what constitutes “substantial injury” in the context of information about consumers. In the coming weeks I will launch an effort to examine this important issue further.

Ohlhausen’s statement is consistent with earlier dissenting and concurring statements in other cases suggesting that FTC privacy and data security enforcement actions should focus on instances where business actions resulted in actual harm to consumers. The type of review Ohlhausen describes may result in affirming the importance of all three factors under the Commission’s 1980 Unfairness Policy Statement.  With the Internet of Things exploding, manufacturers of smart products should stay tuned.

NIST Issues New Update to Cybersecurity Framework

Posted in Cybersecurity

On January 10, 2017, the National Institute of Standards and Technology (NIST) released an update to its Cybersecurity Framework, first issued in 2014. The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The new draft provides details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. According to NIST, the new Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 incorporates feedback and suggestions received since 2014, including responses from a December 2015 request for information and comments from attendees of a workshop held in April 2016.

The changes in the latest Framework include a new section on cybersecurity measurement; a more detailed explanation of how to use the Framework for Cyber Supply Chain Risk Management purposes; refinements to better account for authentication, authorization, and identity proofing; and a more thorough explanation of the relationship between Implementation Tiers and Profiles.

NIST is a branch of the U.S. Department of Commerce which provides measurement standards. On February 12, 2013, President Obama issued an Executive Order that called for the development of a risk-based, voluntary set of industry standards and best practices to help organizations manage cybersecurity risks. The Cybersecurity Framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia and government agencies. The Cybersecurity Enhancement Act of 2014 calls for NIST to continue its work on the framework.

Details of the changes can be found in Appendix A of the draft Framework. Comments on the draft will be accepted until April 10, 2017, and should be sent to

From ransomware attacks to data breaches at major retailers, health care facilities and others, cybercrime continues to present serious threats to businesses across the supply chain. With these growing risks, it is important for businesses in all sectors to monitor best practices and assess, implement, and re-assess security solutions periodically.

Turn, Inc. Settles with FTC Over Deceptive Consumer Tracking

Posted in Privacy

In 2015, Verizon found itself in hot water over charges it was using a “super cookie” that continued to operate even when users believed they had opted out of mobile phone data tracking. Verizon allegedly then sent the data obtained to a third party for targeted advertising purposes without its customers’ consent. Verizon settled with the FTC in 2015, and now, the third party at the heart of the FTC’s complaint, Turn Inc., has followed suit, agreeing to the terms of a consent order with the FTC on December 20, 2016.

Turn’s demand-side platform and data management platform enable sellers to target consumers with digital advertisements. According to the FTC, Turn’s privacy policy indicated that Verizon Wireless customers could set their web browser to block targeted advertising or limit cookies, but web data tracking continued even after customers had taken the appropriate steps to turn it off.

The proposed consent order requires Turn to provide an effective opt-out for consumers who do not want their data used for targeted advertising; place a hyperlink on its homepage to an explanation of what information is collected and used for targeted advertising; and provide an accurate representation of its privacy policy.

Public comments on the proposed agreement will be accepted through January 19, 2017, and interested parties can submit comments here.
