Consumer Protection Connection


Online Talent Company Settles with FTC Over Alleged COPPA Violations

Posted in Data Security, Privacy

Online talent search company Explore Talent has landed in the spotlight of the Federal Trade Commission (FTC). The Las Vegas-based company was charged with violating the Children’s Online Privacy Protection Act (COPPA), which requires operators collecting personal information online to give notice and obtain verifiable parental consent before collecting personal information from a child under 13. The company also allegedly violated the FTC Act by deceiving paying customers into thinking they were getting access to specific roles and casting agents when they were not.

Explore Talent – aka Prime Sites, Inc. – promotes itself as the world’s largest talent resource, claiming to provide actors, models, and other performers with information on auditions and access to casting agencies. The site claims to have over 10 million members, more than one hundred thousand of whom are registered as children under the age of 13. Per the FTC, the site violated COPPA on several grounds:

  • To use the site, customers, including children under age 13, were required to create an account by submitting personal information including names, photos, email addresses, telephone numbers, and mailing addresses. This information was made publicly available, including to adults registered on the site (who could then send private messages to children) as well as to non-registered adult users, without parents’ knowledge or consent.
  • Explore Talent had a privacy policy available by a hyperlink buried in fine print at the bottom of its homepage. The policy stated that children under 13 must have their profile created by a legal guardian, but the company took no steps to verify who submitted children’s profiles.
  • Despite Explore Talent’s assurance that it did not knowingly collect personal information from children under the age of 13, the site “disclosed children’s personal information without accurately describing its collection, use, or disclosure practices, and without notifying or obtaining consent from the children’s parents.”

Acting FTC Chair Maureen Ohlhausen said “Explore Talent collected the personal information of more than 100,000 children, but failed to adhere to the safeguards required by law. Today’s settlement provides strong relief for consumers and will help ensure children are protected going forward.”

In addition, the FTC alleged that Explore Talent misled customers over its “pro membership” benefits in violation of the FTC Act. Although initial membership to the site was free, access to specific jobs and casting calls required an upgrade to “pro membership” costing $39.99 a month. And, according to the FTC, the advertised jobs did not, in fact, exist.

The settlement with the FTC requires Explore Talent to pay a $500,000 civil penalty, to be suspended upon payment of $235,000. The company is required to abide by COPPA, is prohibited from using or disclosing children’s personal information, and must delete the information it has collected from children. The company is also forbidden from making false representations about its services, including telling customers they have been chosen for a role in an upcoming film or that they have attracted the interest of casting directors.

The FTC recently updated its COPPA compliance guidance, which offers advice on COPPA-compliant privacy policies, how to obtain verifiable parental consent in different circumstances, and the exceptions to the COPPA Rule. Following on the heels of the FTC’s settlement with VTech, this is the second COPPA enforcement action of 2018. Any online service that deals with kids needs to ensure it understands and complies with COPPA, or it may find it’s lights, camera, FTC action!

European Court of Justice Throws Out Class Action in Latest Schrems Battle

Posted in Data Security, Privacy

In the latest round of the ongoing battle between Austrian privacy activist Max Schrems and Facebook, the Court of Justice of the European Union (CJEU) ruled that Schrems cannot use the consumer forum in his home country to bring claims assigned to him by other Facebook users over the company’s alleged violations of users’ privacy rights. The court did, however, allow Schrems to continue with the lawsuit as an individual consumer.

In 2014, Schrems sued Facebook in a local court in Vienna over alleged consumer privacy violations. He brought the complaint both as an individual and as a collective action, having taken assignment of the claims of some 25,000 Facebook users worldwide. Users outside the United States and Canada contract with Facebook Ireland Limited, based in Ireland, and the company argued against Schrems’ ability to sue in Austria on two grounds: (1) Schrems, who uses Facebook to promote his books and events, has a professional interest in the case and therefore cannot be regarded as a “consumer” under European consumer protection law; and (2) the consumer forum rule that lets a consumer sue in his home country cannot cover claims assigned to him by other users. These questions were referred to the CJEU by the Supreme Court of Austria.

On the first issue, the CJEU followed the Advocate General’s opinion of November 2017 and held that Schrems does not lose his status as a consumer by publishing books, giving lectures, operating websites or raising funds in connection with his claims against Facebook. On the second point, however, the CJEU ruled that the consumer forum rule applies “only to an action brought by a consumer against the other party to the contract,” so Schrems cannot rely on it to bring claims assigned to him by other Facebook users, whether they live in Austria, in another Member State or outside the EU.

Although the European Commission recommended in 2013 that member states introduce a collective redress mechanism, nine countries have yet to do so. However, this will change in May, when the new General Data Protection Regulation (GDPR) takes effect. Article 80 of the GDPR states that data subjects “shall have the right to mandate a not-for-profit body, organisation or association … to lodge the complaint on his or her behalf.” It is no surprise that Max Schrems has already founded his own NGO specifically for this purpose. In addition, EU Justice Commissioner Vera Jourova announced at a conference last September that the Commission will propose new legislation in March 2018 (now expected in April) to provide collective redress.

While the Schrems challenge now returns to the Supreme Court of Austria, the EU data privacy landscape may soon become more litigious.

ICC Launches Free E-Course on Responsible Marketing and Advertising

Posted in Advertising

The International Chamber of Commerce (ICC) Commission on Marketing and Advertising has launched a free, two-hour interactive ethical marketing and advertising course designed to help companies and other stakeholders apply the fundamental principles of the ICC Marketing Code. Created in conjunction with the ICC Academy and modeled on a program developed by international business school INSEAD, the course aims to provide participants with practical guidance on producing responsible marketing communications.

The ICC code was developed in broad consultation with industry and marketing experts and is the global gold standard for ethical communications. It is used by more than 35 countries worldwide to create self-regulatory marketing programs and is updated regularly. The e-course provides a grounding in ICC basics of responsible advertising, and offers case studies and best practices in online marketing and advertising.

Marketing communications touch many areas of business communications. In an increasingly global marketing environment, a harmonized global code of marketing communication practice helps to enhance consumer trust and reduce regulatory differences. In addition to helping build brand loyalty, marketing communications that adhere to the ICC’s ethical marketing standards can reduce compliance and reputational risk at the same time.

Senate Bill Would Give FTC Enforcement Power Over Credit Bureaus

Posted in Data Security

In response to the Equifax data breach last September, when hackers gained access to the personal information of 143 million consumers, Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) have introduced a bill, the Data Breach Prevention and Compensation Act of 2018, that would impose security obligations on credit reporting agencies (CRAs). The bill would expand the Federal Trade Commission (FTC)’s authority, establishing a new Director and Office of Cybersecurity with power to promulgate cybersecurity regulations and conduct cybersecurity investigations at CRAs that earn more than $7 million a year from the sale of consumer information. The Equifax breach prompted a flurry of legislation, but if passed, this bill would be the first to create data security standards for the credit reporting industry.

Both Warren and Warner have been active in attempting to rein in CRAs since the Equifax hack. Warner, a former tech executive who is vice chairman of the Senate Select Intelligence Committee, issued a statement in the wake of the Equifax breach in which he questioned “whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies.” Warner also wrote a letter to the FTC in September 2017, asking for an investigation into Equifax’s cybersecurity practices. Warren, who helped establish the Consumer Financial Protection Bureau, introduced (ultimately unsuccessful) legislation that would allow consumers to freeze their credit on demand and at no cost.

One of the most notable aspects of the bill is the power it gives the FTC to impose massive fines for security breaches and reporting violations. CRAs would be subject to mandatory strict liability penalties for breaches involving consumer data. Violators would be required to pay $100 for each consumer who had one piece of personal information compromised, plus $50 for each additional piece of that consumer’s personal information compromised. These amounts would be doubled, and the cap on the total penalty raised to 75% of the CRA’s gross revenue, for particularly egregious security lapses, failure to comply with the FTC’s data security standards, or failure to timely notify the agency of a breach. In addition, the bill requires the FTC to use 50% of each fine to compensate consumers.

The bill also contains stringent reporting requirements for CRAs, including a mandate to report breaches to the FTC within 10 days. CRAs would also be obligated to share detailed information concerning their security practices with the Commission, including their asset management, network management, and monitoring. A CRA must further create and maintain documentation demonstrating that it “is employing reasonable technical measures and corporate governance processes for continuous monitoring of data, intrusion detection, and continuous evaluation” of its security processes.

The FTC has initiated many enforcement actions for security failures under its existing authority, and multiple agencies, including the National Institute of Standards and Technology (NIST), have focused on developing risk management approaches to security. The bill itself appears to acknowledge the absence of any current generally recognized measures for evaluating, testing, and measuring the data security practices of CRAs, as it calls for a consultation on this point. The legislation appears unlikely to advance in the Senate.

CPSC Nominations Update

Posted in Product Safety, Regulations

President Trump has resubmitted to the Senate the nominations of Ann Marie Buerkle as chair of the Consumer Product Safety Commission (CPSC) and for a second term as commissioner, and of Dana Baiocco as commissioner (replacing Marietta Robinson (D)). The Senate received the nominations on January 8, 2018.

On December 21, 2017, the United States Senate returned some 120 nominations to President Trump. Under Senate rules, nominations not acted on (neither confirmed nor rejected) during the yearlong Senate session in which the President submitted them are returned to the President. This rule is typically suspended by unanimous consent, but as the Senate finished its business for the 2017 session, some senators withheld consent for particular nominations, requiring their resubmission.

While both Buerkle and Baiocco must be approved by the Senate Committee on Commerce, Science, and Transportation a second time, neither nominee will be required to go through another hearing. Until the nominations are voted on, Democrats retain a 3-to-1 majority on the Commission.

FTC and FCC Enter into MOU For Broadband Enforcement

Posted in Uncategorized

In furtherance of the Restoring Internet Freedom Order that was adopted by the Federal Communications Commission (FCC) on December 14, 2017, the Federal Trade Commission (FTC) and FCC have entered into a Memorandum of Understanding (MOU) that lays out how the agencies will coordinate consumer protection efforts and manage enforcement actions. The MOU will take effect on the effective date of the Restoring Internet Freedom Order.

The Restoring Internet Freedom Order, which was approved by a vote of 3-2 along party lines, repeals the FCC’s 2015 Open Internet Order and reclassifies high speed Internet access service as an “information service” rather than a Title II “telecommunications service” subject to common-carrier regulation. The Order eliminates the “general conduct standard” that established comprehensive FCC oversight of the business practices of Internet service providers (ISPs), and confirms the FTC’s role in consumer protection matters.

Under the terms of the MOU, the FCC will monitor the broadband market, identify barriers to entry, and take enforcement action against ISPs that fail to comply with its disclosure requirements, while the FTC will investigate and take enforcement action against ISPs for unfair or deceptive acts or practices, including those related to the accuracy of those disclosures. The MOU establishes a plan for the agencies to coordinate efforts to prevent duplicative or inconsistent actions, but also provides that neither agency is bound by the other’s actions.

Learning From Facebook’s WhatsApp EU Privacy Challenges

Posted in Privacy

Nearly one year after it was first warned that its privacy practices were inadequate under European law, popular messaging platform WhatsApp has been cited for privacy deficiencies a second time. The Article 29 Data Protection Working Party (WP29), which is made up of data protection regulators from the EU Member States and the Commission, sent a letter to the messaging app’s CEO on October 24, 2017 alleging that the company’s consent mechanism for sharing personal data of EU users remains “seriously deficient” and announcing the formation of a taskforce to work toward a resolution. This action comes just months before the new EU General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and reinforces the need for companies that process personal data of individuals in the EU to carefully assess their privacy practices and take steps to align them with the new requirements.

Background

WhatsApp, a popular messaging app that was purchased by Facebook in February 2014, issued updated Terms of Service and a Privacy Policy in 2016 that allowed it to share personal data collected from users with Facebook and its other companies (including Instagram and Facebook Messenger). WhatsApp notified users about the privacy changes through the app and gave them 30 days to accept or opt out, using pre-checked boxes. In late 2016 the WP29 wrote to WhatsApp expressing concern that this notice was not sufficient for users to give informed consent in a manner that complies with EU law; with those concerns still unresolved, it sent the second letter on October 24, 2017.

Other European data privacy regulators have questioned the privacy practices of Facebook and other U.S.-based companies in recent years. Areas of focus have included online tracking of users without their knowledge and the use of user data for advertising purposes without consent. Against that backdrop is a significant decision by the Irish High Court in October 2017 that referred the case of Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems, which concerns the validity of standard contractual clauses as a permissible mechanism for transferring personal data from the EU to the United States, to the Court of Justice of the European Union (CJEU). These actions are instructive for all companies involved in processing the data of EU users as they implement the GDPR and assess data transfer mechanisms that will survive legal challenge.

The EU Consent Requirement

The WP29’s actions against WhatsApp focus on the way the messaging platform obtains consent from users to share their data with third parties. Consent is one of the lawful bases for processing personal data under EU law. The concept of consent as a lawful basis for processing is grounded in the 1995 Data Protection Directive (95/46/EC), and has been expanded upon in WP29 opinions and the GDPR (Regulation 2016/679). Directive 95/46/EC established that consent must be unambiguous, freely given, specific, and informed; the GDPR goes a step further and requires that consent consist of a statement or clear affirmative action; be demonstrable by the controller; be presented in a form that is clearly distinguishable, intelligible, and easily accessible; use clear and plain language; and be as easy to withdraw as it was to give.

The WP29 determined that WhatsApp’s consent mechanism does not sufficiently allow for user consent that is unambiguous, freely given, specific, and informed, primarily because:

  • Users are not appropriately informed of the intended collection, processing, and use of data, as well as the specific information that is shared with third parties and for what purposes;
  • WhatsApp employs a “take it or leave it” approach whereby users must either consent to the sharing of data or stop using the services;
  • A blanket consent mechanism is insufficiently precise to ensure specific consent for a particular transfer or category of transfers;
  • A pre-checked box is ambiguous and leaves doubt as to the data subject’s intention; and
  • There is no process for consent to be easily withdrawn, as required by the GDPR.

The next step is for the company to work with the newly established taskforce to address the alleged deficiencies.
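The list of deficiencies above reads as legal findings, but each one corresponds to a property a consent-handling system either has or lacks. The following is an added example, not code from the original post and not WhatsApp’s or Facebook’s implementation, of a small consent ledger that encodes those properties: consent is recorded only as an affirmative act (a pre-checked default is rejected), it is specific to one named purpose rather than blanket, it is demonstrable because each event stores the exact notice version shown and a timezone-aware timestamp, and it is withdrawable because a later withdrawal event removes the lawful basis going forward without erasing the history. The purpose names, notice version strings, user id and sample events are all constructed for illustration.

```python
"""Point-in-time evaluation of GDPR-style consent records (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Hypothetical processing purposes; a real controller enumerates its own.
PURPOSES = {"share_with_affiliates", "ads_personalisation", "product_improvement"}


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only record of a user's action on a single purpose.

    granted=True means the user actively accepted this purpose; granted=False
    means the user withdrew it. notice_version identifies the exact privacy
    notice text shown, so the controller can later demonstrate what the user
    was informed of when consenting.
    """
    user_id: str
    purpose: str
    granted: bool
    notice_version: str
    at: datetime
    source: str  # where the action happened, e.g. "settings_screen"


def record_consent(log: List[ConsentEvent], user_id: str, purpose: str, granted: bool,
                   notice_version: str, at: datetime, source: str) -> ConsentEvent:
    """Validate and append a consent or withdrawal event.

    Unknown purposes are rejected (blanket consent is not specific), a grant
    sourced from a pre-checked default is rejected (no affirmative action),
    and naive timestamps are rejected (an undated record is not demonstrable).
    """
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose {purpose!r}; consent must name a specific purpose")
    if granted and source == "prechecked_default":
        raise ValueError("a pre-checked box is not a clear affirmative action")
    if at.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    event = ConsentEvent(user_id, purpose, granted, notice_version, at, source)
    log.append(event)
    return event


def consent_state(log: Iterable[ConsentEvent], user_id: str, purpose: str,
                  as_of: datetime) -> Optional[ConsentEvent]:
    """Return the event governing this user/purpose at 'as_of' (latest wins).

    Because withdrawals are new events rather than deletions, the controller
    can still show that processing before the withdrawal was consented to.
    """
    relevant = [e for e in log
                if e.user_id == user_id and e.purpose == purpose and e.at <= as_of]
    return max(relevant, key=lambda e: e.at) if relevant else None


def may_process(log: Iterable[ConsentEvent], user_id: str, purpose: str,
                as_of: datetime, current_notice_version: str) -> bool:
    """True only if an affirmative grant is in force and was given against the
    current notice text; consent to an older notice is not informed consent to
    processing described in a newer one."""
    state = consent_state(log, user_id, purpose, as_of)
    return bool(state and state.granted and state.notice_version == current_notice_version)


def build_sample_log() -> List[ConsentEvent]:
    """Constructed history for one hypothetical user (sample data, not real)."""
    log: List[ConsentEvent] = []
    t0 = datetime(2017, 1, 10, 9, 0, tzinfo=timezone.utc)
    record_consent(log, "u42", "share_with_affiliates", True, "v2016-08", t0, "onboarding_step_3")
    record_consent(log, "u42", "ads_personalisation", True, "v2016-08", t0, "onboarding_step_3")
    # Months later the user withdraws affiliate sharing from the settings screen.
    t1 = datetime(2017, 6, 1, 12, 30, tzinfo=timezone.utc)
    record_consent(log, "u42", "share_with_affiliates", False, "v2016-08", t1, "settings_screen")
    return log


def check_sample(purpose: str, as_of_iso: str, notice_version: str = "v2016-08") -> bool:
    """Evaluate the sample log for user u42; as_of_iso is an ISO-8601 UTC timestamp."""
    as_of = datetime.fromisoformat(as_of_iso).replace(tzinfo=timezone.utc)
    return may_process(build_sample_log(), "u42", purpose, as_of, notice_version)


def rejects_prechecked_default() -> bool:
    """Confirm that a 'granted' event sourced from a pre-checked box is refused."""
    try:
        record_consent([], "u42", "product_improvement", True, "v2016-08",
                       datetime(2017, 9, 1, tzinfo=timezone.utc), "prechecked_default")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(check_sample("share_with_affiliates", "2017-03-01T00:00:00"))  # in force
    print(check_sample("share_with_affiliates", "2017-09-01T00:00:00"))  # withdrawn
    print(check_sample("ads_personalisation", "2017-09-01T00:00:00", "v2017-10"))  # new notice
```

The two design choices worth noting are the append-only log, which is what makes consent demonstrable at any past point in time, and the notice-version check in may_process, which is what forces a fresh affirmative action whenever the data-sharing terms change rather than letting an old acceptance carry over to new purposes.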

Conclusion

Having a lawful ground for processing personal data (and adhering to the standards for obtaining consent when consent is the legal basis) is just one of the many requirements under the GDPR that companies must consider as they work on compliance strategies. The GDPR will give regulators the power to fine companies up to 4 percent of worldwide annual turnover or 20 million euros, whichever is higher, far beyond the fining powers most national regulators hold today. So, while Facebook’s latest fine of about $1.4 million is a drop in the bucket for a company that pulled in roughly $27 billion in revenue in 2016, it is a fraction of what it could be under the GDPR, and the new rules should make everyone nervous.

Sears Seeks to Modify FTC Order on Online Tracking

Posted in Cybersecurity

In 2009, Sears Holdings Management Corporation settled with the Federal Trade Commission (FTC) over allegations that the company’s online tracking activity exceeded what it told consumers. Now, Sears has submitted a petition requesting that the FTC reopen and modify its settlement order, arguing that changes in technology since 2009 have made the order’s definition of “tracking application” too broad and have put the company at a competitive disadvantage.

The 2009 FTC complaint charged that Sears “failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software application,” telling consumers that the software would track their “online browsing” without telling them that it also collected information from third-party websites consumers visited, such as their shopping cart contents, online bank statements, and drug prescription records. Sears was required to stop collecting data from participating consumers and to destroy what it had collected.

Sears now argues that the definition of “tracking application” in the FTC’s order applies to most software on nearly all platforms, making the order “out of step with current market practices without a corresponding benefit in combatting threats to consumer privacy.” The definition is so broad, Sears claims, that it “encompasses all of Sears’ current mobile apps, forcing Sears to handle disclosures differently than other companies with mobile apps and disadvantaging Sears in the marketplace.” Sears contends that modifying the order would allow the retailer to align with the tracking practices its competitors currently use.

Public comments on the petition may be submitted to the FTC until December 8, 2017.

Court Rules on Spectrum Challenge to CPSC Civil Penalty Authority

Posted in Product Safety

The U.S. Consumer Product Safety Commission (CPSC) dispute with Spectrum Brands was resolved in court on September 29, 2017, with both sides able to claim victories of sorts. On the one hand, CPSC obtained a civil penalty for Spectrum’s failure to report and its sale of recalled products. On the other, that civil penalty was substantially below what the agency sought.

The case arose after Spectrum’s predecessor-in-interest failed to report coffeemaker defects in a timely fashion and sold recalled products in violation of the law. The company’s former subsidiary, Applica Consumer Products, recalled the coffeemakers jointly with the CPSC in 2012. In United States v. Spectrum Brands, Inc., federal district Judge William Conley assessed a civil penalty of $1,936,675 and imposed an injunction on Spectrum requiring it to implement a compliance program to ensure conformance to the Consumer Product Safety Act (CPSA).

The court’s decision relied on a detailed analysis of factors in terms of the timeliness of reporting, the post-recall sale of products, and the imposition of compliance programs. Based on the timing of the failure to report and post-recall sales, the court found that the maximum civil penalty possible was $30.30 million. The company argued that the failure to report had arisen before the Consumer Product Safety Improvement Act of 2008 (CPSIA) increased penalty amounts, but the court earlier concluded that the failure continued until the company reported, and thus found that CPSIA’s civil penalty maximum increase applied.

However, in assessing the penalties, the factors that the court found most persuasive were generally in the company’s favor:

  • The CPSC failed to provide admissible evidence on several points, such as the risk of severe injury, the nature of the defect, and defendant’s actions, sincerity and motives in addressing non-compliance. This reduced the civil penalty amount relative to the maximum.
  • The defendant’s failure to report on time gave rise to per-complaint penalties that the judge increased every six months that the company failed to report. This increased the civil penalty amount.
  • The company’s failure to stop post-recall sales – compounded by a litany of missed opportunities – was particularly egregious in the court’s view. Thus, the judge levied penalties of $1,000 to $2,000 per unit sold.

In addition, there was a lack of evidence that new compliance measures had been adopted that would prevent a recurrence of the reporting failures, giving the court reason to impose the injunction CPSC requested.

Very few court decisions reach this stage, so this case will be invaluable in analyzing and preparing for any negotiations with CPSC. The decision reflects one of the very few instances in which a court has assessed civil penalties under the CPSA. The assessment of penalties indicates that Spectrum failed to persuade the court that the failures to report and the post-recall sales were minor. At the same time, the relatively low level of penalties, compared with other CPSC penalties that have exceeded $15 million, demonstrates that CPSC could not show the judge that the violations were as egregious as it claimed. It also suggests that the agency may not succeed in the future if it seeks higher penalties in court. The lower penalties here were in part a result of CPSC’s failure to provide key evidence on several points, which undermined its case and may lead to more specific requests for information from the CPSC legal team in future civil penalty cases.

California Legislature Passes Cleaning Product Right to Know Act

Posted in Product Safety

The California legislature passed the Cleaning Product Right to Know Act of 2017 (SB 258) (the CPRTK Act), which was presented to Governor Jerry Brown on September 19, 2017, after the legislative session adjourned on September 15, 2017. Governor Brown now has until October 15, 2017, to sign or veto the bill. The Act requires manufacturers of cleaning products (defined as products “used primarily for commercial, domestic, or institutional cleaning purposes”) to disclose chemical ingredients and other information on both product labels and product websites, subjecting cleaning supplies to transparency requirements like those that already apply to cosmetics and food products. The chemicals that must be listed are intentionally added chemicals that appear on designated lists, or certain fragrance allergens designated under EU regulations. Disclosure of chemicals on the Proposition 65 list is not required until January 1, 2023.

Manufacturers of consumer and institutional air care, automotive, general cleaning, polish and floor maintenance products are already required under the Federal Hazardous Substances Act (FHSA) to provide warnings about hazards such as flammability, combustibility, or toxicity (dermal, ingestion and inhalation toxicity). Required warnings include statements of principal hazard, which must appear on principal display panels (PDPs), as well as recommended emergency and medical care, and typically require disclosure of the principal ingredients that may present a hazard. However, the FHSA does not require a full list of chemical ingredients. California is not the first state with a right-to-know statute: New Jersey passed a similar law in 2013, but it required disclosure only of primary ingredients above certain concentrations in the workplace. The CPRTK Act goes further, requiring makers of designated products to list chemicals of concern and most other ingredients on both product labels and websites. And, for the first time, the presence of fragrance allergens must also be disclosed. In addition to the burden the CPRTK Act would place on manufacturers, employers would be required to make safety data sheets available disclosing the contents of workplace cleaning products.

Some major manufacturers have come out in favor of the bill, although others are concerned that mandatory listing of chemical ingredients might crowd out the basic product safety and risk avoidance information required under the FHSA, which relates to hazards that may matter more to consumers given actual use patterns. Several industry groups initially expressed concern over protecting trade secret formulas. As passed, the bill does not force manufacturers to list intentionally added ingredients, including fragrance ingredients, that are protected as confidential business information (CBI). Such protected CBI includes any intentionally added ingredient that the U.S. Environmental Protection Agency (EPA) has approved for inclusion on the Toxic Substances Control Act (TSCA) Confidential Inventory, or for which the manufacturer (or its supplier) claims protection under the Uniform Trade Secrets Act.

Existing requirements under the Occupational Safety and Health Act (OSH Act) already require employers to share information, through safety data sheets, on hazardous substances in the workplace. This bill would require employers already covered by those requirements to make certain information about designated chemicals available in similar fashion.

Governor Brown is expected to sign the bill. If he neither signs nor vetoes it by October 15, 2017, it will become law without his signature. Once the bill becomes law, manufacturer websites must be updated by January 1, 2020, and product labels by January 1, 2021.
