Photo of Sheila A. MillarPhoto of Tracy P. Marshall

The proliferation of mobile devices and digital media allows consumers to take, post, and store more photos and videos than ever before. Since 2015, app developer Everalbum has operated the mobile app, Ever, which offers a means for users to store photos and videos on the company’s cloud servers. Everalbum told users they could deactivate their accounts at any time and the company would delete their images. According to a complaint from the Federal Trade Commission (FTC), however, despite assurances to the contrary, the company retained users’ photos and videos after they deactivated their accounts. In addition, Everalbum did more with users’ photos and videos than store them; it used them to create facial recognition technology without permission. The FTC alleged that these practices constituted unfair or deceptive acts or practices, in violation of Section 5(a) of the FTC Act.

Everalbum launched a feature called “Friends” that uses facial recognition technology to tag people in group photos. The app sent pop-up messages to Ever users in Texas, Illinois, Washington, and the European Union – jurisdictions with biometric laws in place – and provided an option to use facial recognition. For users who did not affirmatively consent, Everalbum disabled the “Friends” facial recognition feature. Users in other jurisdictions had no way to disable the facial recognition tool, which was activated by default.

Everalbum also assured users that it would delete their images if they deactivated their accounts. But according to the FTC, until at least October 2019, the company failed to do so. In addition, between September 2017 and August 2019, Everalbum allegedly combined the photos and videos it retained with millions of photos obtained from public sources and used the resulting datasets to develop facial recognition services, which it sold to its business customers and used to develop the Ever app.

Under the terms of the proposed agreement containing consent order with the FTC, Everalbum must delete (1) all photos and videos of Ever customers who deactivated their accounts, (2) all data developed from images of Ever users who did not consent to use of their images for facial recognition purposes, and (3) any facial recognition models or algorithms developed from Ever users’ photos or videos without explicit consent.

The Commission voted 5-0 to issue the proposed administrative complaint and accept the consent agreement. Commissioner Rohit Chopra issued a separate statement in which he voiced concerns over the use of facial recognition technology, believing it to be “fundamentally flawed.” He stressed the importance of state biometric laws, noting that “Everalbum took greater care when it came to these individuals in these states. The company’s deception targeted Americans who live in states with no specific state law protections. With the tsunami of data being collected on individuals, we need all hands on deck to keep these companies in check.”

The Everalbum settlement signals that the FTC is keeping close watch on how companies that use biometric technology handle consumer data.

Photo of Sheila A. Millar

Artificial Intelligence (AI), Machine Learning (ML), and related technologies have the potential to dramatically change the nature of consumer products, and a variety of agencies are considering the implications of these technologies. The Consumer Product Safety Commission (CPSC) staff has announced plans to hold a public webinar on Tuesday, March 2, 2021, from 9am to 4pm, Eastern Standard Time (EST) to discuss the ramifications of AI and related technologies on consumer products from a consumer safety perspective.

CPSC staff is interested in exploring the best way to provide guidance to manufacturers and importers of consumer products that use AI and ML. Questions and issues to be discussed include:

  • Determining the presence of AI and ML in consumer products.
  • Does the product have AI and ML components?
  • Differentiating what AI and ML functionality exists.
  • What are the AI and ML capabilities?
  • Discerning how AI and ML dependencies affect consumers.
  • Do AI and ML affect consumer product safety?
  • Distinguishing when AI and ML evolve and how this transformation changes outcomes.
  • When do products evolve/transform, and do the evolutions/transformations affect product safety?
  • Relevant voluntary standards.

Those who wish to attend the forum should register by February 15, 2021. The link for registration is here.


Photo of Sheila A. MillarPhoto of Tracy P. Marshall

Tapjoy, Inc., the operator of a mobile advertising platform that appears in certain mobile gaming applications, has settled Federal Trade Commission (FTC) allegations that the company deceived consumers by failing to provide them with promised rewards. Tapjoy’s platform allows mobile app users to interact with third-party advertisers and gain rewards, such as virtual currency, for completing certain tasks. In some cases, consumers pay real money and divulge personal information to earn the rewards.

In its complaint, the FTC not only charged that Tapjoy did not deliver the promised rewards, but also alleged that the company discouraged consumer complaints about the failure to pay rewards and did not respond to complaints. The FTC complaint refers to internal emails in which the company acknowledged that consumer complaints about unreceived rewards – in the hundreds of thousands – were “out of control.” In fact, the volume of complaints was so massive that, in 2017, Tapjoy allegedly made it difficult for consumers to submit complaints by blocking complaint submissions 24 hours after completion of an offer. In addition, until at least 2018, consumers who submitted complaints about not receiving virtual currency only had 72 hours to respond with proof that they had completed an offer or their complaint would be closed. Nonetheless, according to the FTC, Tapjoy continued to advertise prominently and falsely, without any qualification, that it would pay virtual rewards in exchange for the performance of advertised tasks.

Under the terms of the proposed Agreement Containing Consent Order, Tapjoy must clearly and conspicuously display the terms for receiving rewards. The Consent Agreement bars the company from expressly or implicitly misleading users about receiving rewards, including the requirements to receive rewards, when consumers will receive rewards, and any other material facts. In addition, the company must ensure that its third-party advertisers provide the promised rewards, investigate consumer complaints regarding nonpayment of rewards, and take action against advertisers that deceive consumers.

The vote to issue the proposed administrative complaint and to accept the Consent Agreement was 5-0. Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued a joint statement in which they noted that mobile gaming is a fast-growing market in which revenues derive mainly from in-app purchases (including loot boxes, which they characterize as an “addictive phenomenon” that turn videogames into virtual casinos) and advertising. Against this background, advertising middlemen such as Tapjoy are “gatekeepers” that must be closely watched. Chopra and Slaughter commend the proposed settlement as reasonable to address Tapjoy’s practices, but they warn that “when it comes to addressing the deeper structural problems in this marketplace that threaten both gamers and developers, the Commission will need to use all of its tools – competition, consumer protection, and data protection – to combat middlemen mischief, including by the largest gaming gatekeepers.”

Photo of Sheila A. MillarPhoto of Jean-Cyril Walker

On December 22, 2020, the Federal Trade Commission’s (FTC) announced adoption of a final rule requiring the use of the EnergyGuide labels on portable air conditioners (ACs). Effective October 1, 2022, portable AC manufacturers must attach yellow EnergyGuide labels on the principal display panel of their packaging and include an image of the required label on websites and catalogs advertising the product.

The FTC initially proposed that the labeling requirement would go into effect on January 10, 2025, the same day as new portable AC DOE efficiency standards. Given that these products are increasingly common in the marketplace, exhibit a wide range of energy efficiency and energy costs across similarly sized units, and sometimes consume more energy than currently labeled room air conditioners, the FTC decided that consumers would benefit from moving the effective date up to October 1, 2022.

The final amendments also update the energy efficiency ratings used at 10 C.F.R. Part 305 for central AC units from “Seasonal Energy Efficiency Ratio (SEER)” to “Seasonal Energy Efficiency Ratio 2 (SEER2).” A new ratings methodology goes into effect on January 1, 2023, and Part 305 will be consistent with this change. Manufacturers may begin to use the new terminology before then provided that the represented energy efficiencies comply with the minimum requirements going into effect in 2023.

The Commission considered but ultimately decided not to pursue broader changes to the Energy Label rule, such as a transition to electronic labeling, at this time. The FTC may seek further input on such changes on a later date after having had an opportunity to gather information sufficient to support significant changes to the entire rule. In the interim, the vote in favor of publishing the notice in the Federal Register was 4-1. Commissioner Christine S. Wilson voted no and issued a dissenting statement in which she expressed concern that the final changes to the Rule do not remove prescriptive aspects that she believed were an impediment to competition. Wilson called for a full review of the Rule “to consider removing all dated and prescriptive provisions, and to consider the recent comments suggesting changes. Nothing prevents the Commission from conducting this review now – we do not have to wait until the 10-year anniversary.”

Commissioner Rohit Chopra also issued a separate statement in which he commended the Commission for “finalizing a rule that will help to reduce the long-term burden of high energy bills on low-income families, promote greater energy efficiency, reduce carbon emissions from residential housing,” and for moving up the compliance date, which he believes would result in significant consumer savings in energy costs.

Photo of Sheila A. MillarPhoto of Tracy P. Marshall

Third-party service providers are vital to many companies and they handle a wide range of business activities essential for companies to deliver their own offerings. But a company is not adequately protecting consumers if it fails to perform proper due diligence on service providers and contractually require them to employ appropriate security measures to protect sensitive personal information, as Ascension Data & Analytics, LLC (Ascension) discovered. Ascension, a data analytics company serving the mortgage industry, recently settled with the Federal Trade Commission (FTC) over charges that it violated the Gramm-Leach-Bliley (GLB) Act Safeguards Rule, as well as its own policies, when it neglected to vet the data security practices of a service provider and require the vendor to adequately protect personal information of mortgage holders. While the settlement involves a financial institution subject to the GLB Act, it is instructive for all businesses that maintain consumers’ personal information and share it with third parties.

The GLB Act governs a range of business activities by “financial institutions” (a term that is broadly defined to include many types of companies), including lending, stockbroking and investing, banking, insuring, and providing financial advisory services. Under the GLB Act Safeguards Rule, all covered entities must develop, implement, and maintain a comprehensive, written information security program that contains administrative, technical, and physical safeguards appropriate to the size, complexity, nature, and scope of the company and the sensitivity of the personal information collected. In addition, they are required to ensure that third-party service providers can maintain appropriate safeguards to protect consumers’ personal information and are contractually bound to do so.

The FTC’s complaint alleged that Ascension hired a vendor, OpticsML, to process tens of thousands of  mortgage documents that contained personal information of more than 60,000 consumers, including names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, and other financial information. According to the complaint, Ascension failed to review OpticsML’s security practices before providing OpticsML with documents containing sensitive personal information, which OpticsML stored on a cloud-based server without adequate security measures. As a result of such failure, sensitive personal information was accessible by unauthorized persons for about one year.

The proposed settlement requires Ascension to establish, implement, and maintain a comprehensive data security program overseen by a designated employee, undergo biennial security assessments by an independent entity, and provide an annual certification by a senior executive that the company is complying with the FTC’s order. The settlement serves as a reminder for businesses in all industries, and not just financial institutions, of the importance of (1) implementing and maintaining written security programs, (2) regularly reviewing the procedures and ensuring that appropriate personnel are aware of the requirements, and (3) ensuring that service providers have appropriate security programs and measures in place before sharing personal information with them. All businesses should keep abreast of the rapidly developing privacy and data security landscape and their obligations under federal and state laws.

Photo of Sheila A. MillarPhoto of Jean-Cyril Walker

For the second time since 2016, glue producer Chemence, Inc. (Chemence) has found itself adverse to the Federal Trade Commission (FTC) for making allegedly deceptive claims that its products are American made. And this time it cost them $1.2 million – the highest settlement amount ever paid in a “Made in USA” case.

In 2016, the FTC charged Chemence, among several other glue manufacturers,[1] with making unqualified, deceptive country-of-origin claims about their cyanoacrylate superglue products such as Kwifix, Krylex, and Hammer Tite, including labeling them “Made in USA,” “Proudly Made in USA,” and using images of the American flag on product packaging. According to the 2016 FTC complaint, a significant proportion of the costs of the chemical components in the glues came from imported chemicals. Further, the FTC alleged that Chemence induced sellers to deceive unwitting consumers by providing them with “Made in USA” promotional materials for the products. The Stipulated Court Order against Chemence fined the company $220,000 and prohibited it from representing, expressly or by implication (including in labelling and advertising) that its products were USA made unless it could show that the product’s final assembly or processing occurred in the United States, that all significant processing occurred in the United States, and that all or virtually all ingredients or components of the product were made and sourced in the United States. Otherwise, Chemence was required to make a “clear and conspicuous qualification [which] appears immediately adjacent to the representation that accurately conveys the extent to which the product contains foreign parts, ingredients, and/or processing.” The order also required the company to submit a compliance report to the FTC one year after the order.

But according to the FTC’s 2020 complaint, Chemence and its president, James Cooke, continued to sell the company’s glue products with “Made in USA” labels using the same foreign-sourced ingredients with no qualifying language, in violation of the 2016 Order. The FTC also asserts that in 2017 Cooke falsely claimed in the company’s annual compliance report that the company had relabeled its glue products to reflect that they are made with globally sourced materials.

The terms of the 2020 proposed settlement agreement bar Chemence and Cooke from making country-of-origin claims they cannot substantiate. Moreover, the agreement bans them from making any unqualified “Made in USA” claims unless they can show that the product’s final assembly and all significant processing occurs in the U.S. and that all or virtually all ingredients or components of the product are made and sourced in the United States. Qualified “Made in USA” claims must clearly and conspicuously disclose how much of a product contains foreign parts, ingredients or components, and/or processing. To support claims that a product is assembled in the U.S., they must demonstrate that the product is substantially transformed in the United States, with its principal assembly in the United States, and substantial U.S. assembly operations. The company must submit yearly compliance reports and inform all sellers that purchased the company’s glue products labeled as USA-made that the products contain imported materials.

The Commission vote to issue the complaint and accept the proposed consent order was 5-0. Commissioner Rohit Chopra issued a statement in which he applauded the Commission’s sanctions against Chemence and its president as “real consequences” and “another step forward in protecting the Made in USA brand and restoring the Commission’s law enforcement credibility.”

Many customers who want to support domestic industries look for “American Made” claims or symbols. Knowing this, the FTC continues to pursue “Made in USA” claims aggressively, and has a pending rulemaking on the topic. Those who are caught once making false U.S. origin claims and continue to make them face significant consequences, as the record-breaking penalty imposed on Chemence and Cooke demonstrates.

Many companies find the difference between country-of-origin rules imposed by Customs and Border Control and the FTC’s “Made in USA” guidance to be confusing, and, as we have previously noted, the landscape is complicated still more because of California’s law on U.S. origin claims.[2] But businesses wishing to advertise their products as American made would be well advised to familiarize themselves with the FTC’s Enforcement Policy Statement on U.S. Origin Claims guidance to avoid their “Made in USA” claims from coming unglued.

[1] See

[2] Cal. Bus. & Prof. Code § 17533.7

Photo of Sheila A. MillarPhoto of Tracy P. Marshall

Online opinions – and not just from celebrities – are big business. Consumer reviews can be highly influential in convincing other shoppers to buy a product. In fact, the founder and CEO of Sunday Riley Modern Skincare LLC (Sunday Riley Skincare) was so convinced about the power of those starred reviews on cosmetics chain Sephora’s website that she allegedly asked her employees to make up a few to boost the company’s ratings. The result? A complaint from the Federal Trade Commission (FTC) for false advertising.

The FTC’s complaint asserts that between November 2015 and August 2017, the company’s CEO, Sunday Riley, and her managers directed staff to post reviews of Sunday Riley Skincare products on Sephora’s website using false accounts. When Sephora caught on to the fake reviews and pulled them down, the company obtained a VPN IP address to mask its employees’ real identity from Sephora. The complaint goes on to assert that the CEO sent staff an email in which she told everyone to “create 3 accounts on, registered as different identities.” She then gave explicit instructions on how to set up the fake accounts and leave reviews, even going so far as to coach employees on how to make the reviews convincing. The FTC charged Sunday Riley Skincare and Sunday Riley individually with making false or misleading claims and with failure to disclose a material connection with endorsers, in violation of Section 5 of the FTC Act.

In a 3-2 vote, the FTC approved a final settlement with the company that bars it and the company’s CEO from misrepresenting the status of anyone reviewing the company’s products, including implying that employees of the company are ordinary customers. The company must also clearly and conspicuously disclose any unexpected material connection between endorsers and the company or CEO, and the order provides specific details on how to do so in various media.

Commissioners Rohit Chopra and Rebecca Kelly Slaughter voted no. Commissioner Chopra, joined by Commissioner Slaughter, published a statement in which he argues that Sunday Riley Skincare should be subject to monetary fines because of “egregious fake review fraud.” He also recommended that the FTC publish a Policy Statement on Equitable Monetary Remedies, restate legal precedent into rules, seek civil penalties against violators, and designate specific misconduct as penalty offenses under FTC authority.

FTC Chairman Joseph Simons and Commissioners Noah Phillips and Christine Wilson, voting yes, also issued a statement. Regarding the failure to impose monetary penalties, they note that “the expenditure of resources needed to develop an adequate evidentiary basis reasonably to approximate ill-gotten gains may substantially outweigh any benefits to consumers and the market.” Instead, they contend that the order is a sufficient deterrent against future unlawful behavior by the company and its CEO because it “holds Ms. Riley personally liable, prohibits both Ms. Riley and Sunday Riley Modern Skincare from making future misrepresentations (including through fake reviews), and requires them to instruct employees and agents about their legal responsibilities. Each violation of the order could result in a civil penalty of up to $42,530.”

Settlement agreements with the FTC – even where no monetary penalties are assessed – have real consequences for businesses. The Sunday Riley Skincare agreement is no exception, binding both the company and its CEO to adhere to specific requirements for 20 years, with the potential for fines for future violations. The company in this case was not simply careless in dealing with endorsers, but actively urged employees to post fake reviews and “dislike” negative reviews in an effort to get them removed. The Sunday Riley Skincare settlement demonstrates that fake reviews come with real legal consequences.


Photo of Sheila A. MillarPhoto of Tracy P. Marshall

The EU-U.S. Privacy Shield Framework, which provided a mechanism to legally transfer personal information from the EU to the United States, was invalidated on July 16, 2020, but the Federal Trade Commission (FTC) has made it clear that companies that claimed to be participants must still make good on their word. A case in point is the FTC’s recent settlement with NTT Global Data Centers Americas, Inc. (NTT) over charges that the company misrepresented its participation in the EU-U.S. Privacy Shield Framework after its certification had lapsed in January 2018. Businesses that transfer personal information from the EU to the United States rely on representations by service providers such as NTT that they comply with established privacy principles and that an approved adequacy mechanism is in place to facilitate such transfers.

The settlement terms bar NTT from misrepresenting in any way its participation in or adherence to any privacy or data security program. They also require NTT to apply Privacy Shield or equivalent protections to all personal information the company collected during its membership in the framework or return or delete that information. The FTC has taken similar action against other companies over the years, and this decision reaffirms the importance of ensuring that claims about participation in the Privacy Shield, or any other privacy program, are made only when an application has been approved and a certification is current. All references to certification must be promptly deleted from privacy policies and other materials if a certification has lapsed.

The Commission vote to finalize the settlement with NTT was 3-1-1. Commissioner Rebecca Kelly Slaughter did not take part, and Commissioner Rohit Chopra voted no and issued a statement in which he pressed the Commission to impose monetary fines on companies that mislead consumers about their participation in privacy programs.

Whether the FTC imposes heavier sanctions down the road or not, damage to reputation can cost a company dearly. The FTC’s settlement with NTT is also a reminder of the importance of “trust but verify.” The U.S. Department of Commerce’s Privacy Shield list provides a way to double check that an organization’s representations about compliance are true. The vast majority of Privacy Shield participants take their obligations seriously. The FTC’s focus on the few organizations that do not remain current in their Privacy Shield commitments enhances the reliability of the Privacy Shield even as discussions continue on possible alternative adequacy mechanisms to address data transfers from the EU to the United States.

Photo of Sheila A. MillarPhoto of Tracy P. Marshall

The Federal Trade Commission (FTC) recently announced settlements with two online companies for allegedly misleading customers about automatic membership renewal costs. On September 2, 2020, the FTC announced that Age of Learning, Inc., d/b/a ABCmouse, will pay $10 million to settle charges that the company enrolled thousands of consumers in a negative option scheme to which they did not consent, and also misrepresented its cancellation process. Fewer than three weeks later, on September 22, the FTC announced that online supplement manufacturer NutraClick LLC and two of its individual officers settled with the FTC for $1.04 million over allegations the company violated an earlier consent order that required it to fully disclose the terms of its negative option membership program to customers.

The FTC charged both companies (and the individual defendants in the NutraClick case) with violating two laws: (1) Section 5 of the FTC Act, which prohibits misleading or deceptive statements; and (2) Section 4 of the Restore Online Shoppers’ Confidence Act (ROSCA), which bans online negative options unless the seller (a) clearly discloses all material terms of the deal before obtaining a consumer’s billing information, (b) gets the consumer’s express informed consent before making the charge, and (c) provides a simple mechanism for stopping recurring charges. The FTC also charged NutraClick with violating the Telemarketing Sales Rule, which prohibits deceptive telemarketing acts (the company advertised its “free trials” via text as well as online).

ABCmouse is a membership-based online educational company that offers reading, math, and other scholastic content for children two to eight. According to the FTC’s complaint, from 2015 through at least 2018, the company failed to adequately disclose key terms of its membership program, as required by ROSCA. The company also allegedly neglected to inform customers that their yearly membership, priced at $59.95, would automatically renew for another year at the same price unless users cancelled. And, while the company promised “easy cancellation” in its ads, the reality was anything but. Not only was the cancellation process overly complicated, hundreds of thousands of consumers who had purchased a membership and attempted to cancel later learned they were still enrolled.

The FTC 2020 complaint against NutraClick alleged that the company violated a 2016 order that required the company to disclose the material terms of its membership programs to customers. According to the FTC’s 2016 complaint, NutraClick advertised “free” samples of beauty products and nutritional supplements, but by ordering these samples, customers were unwittingly enrolled in a membership program and charged recurring monthly fees ranging from $29.99 to $79.99 unless they cancelled within 18 days. The FTC claimed that while NutraClick’s websites did contain statements about the monthly membership fee, the statements were not “clear and conspicuous,” as required by ROSCA. Because it was not upfront with its customers about its billing practices, more than 70,000 consumers reportedly complained about NutraClick’s practices.

In addition to the $10 million monetary judgment, the ABCmouse stipulated final order requires the company to disclose all information related to its negative option plans and clearly explain key terms, obtain consumers’ informed consent before enrolling them in automatic billing, and provide an easy means of cancellation. The stipulated final order against NutraClick permanently bans the company from engaging in any negative option marketing. NutraClick was also ordered to pay $1.04 million in a separate proposed contempt order.

The Commission voted 4-0-1 to authorize staff to file the complaint and proposed order against ABCmouse. Commissioner Rebecca Slaughter did not participate, and Commissioner Chopra issued a separate statement in which he pointed to ABCmouse’s “unlawful dark patterns” of deceptive negative options and “unethical” and “illegal” behavior, characterizing the company as a “roach motel.” Commissioner Chopra mentioned a number of tools at the FTC’s disposal to “root out the kinds of tricks and traps” employed by ABCmouse, including ROSCA, the FTC Act, and the CAN-SPAM Act, which prohibits deceptive headers and requires marketers to give consumers an easy way to opt out of future emails.

The FTC continues to pay close attention to online negative option schemes. Brands should be careful to adhere to the terms of ROSCA before enrolling customers in membership programs and charging recurring membership fees.

Photo of Sheila A. Millar

Interested in environmental marketing? Do you make and sell plastic products? Partner Sheila Millar and Counsel Boaz Green discuss a bill likely to become law in California that further restricts environmental marketing claims for plastic products sold in California. AB 2287 would expand restrictions on plastic degradability claims by effectively banning marine degradable claims. Read the full article.