Archive for 'FTC Regulation'

Recent FTC Enforcement Actions Should Serve as Warning to Software Industry about Privacy Practices

Written by on Wednesday, March 8th, 2017

If your software company is like most, you have probably spent little or no time contemplating what needs to be in your company’s privacy policy.  In fact,  what your company is currently calling its privacy policy was likely copied from a third party website years ago and never given much thought since.  Meanwhile, your company is likely collecting and aggregating user data and looking for new opportunities to monetize it.  Sound familiar?

Well, if this is your company’s situation, you may want to rethink how you are operating in light of recent enforcement action by the FTC on corporate data collection practices.

On February 6, 2017, the FTC announced that VIZIO, Inc. had agreed to pay $2.2 million to settle charges by the FTC and Office of the New Jersey Attorney General that it installed software on its TVs to collect data regarding consumer viewing without their knowledge or consent. In its complaint against VIZIO, the FTC alleged that VIZIO had manufactured televisions that continuously tracked consumer viewing on the television and transmitted this information back to VIZIO, and also had remotely installed the same proprietary software on previously sold televisions. In addition to collecting information about consumer viewing, the FTC alleged in its complaint that the software had collected information about the television, IP address, wired and wireless MAC addresses, WiFi signal strength, and nearby WiFi access points. The FTC further alleged in its complaint that VIZIO had then entered into contracts to sell the data collected to third parties for the purpose of measuring the audience, analyzing advertising effectiveness, and targeting advertising to particular consumers. While VIZIO’s contracts had provided only aggregate data to the third parties, those contracts did provide segmented demographic information by sex, age, income, marital status, household size, education, home information, and household value. According to the FTC Complaint, VIZIO did make a privacy policy available on its website, but the only onscreen notifications provided to consumers were vague and timed out after 30 seconds, never sufficiently informing consumers as to VIZIO’s data collection practices with the software installed on their televisions. The FTC alleged that VIZIO’s actions in deceptively omitting material facts constituted deceptive acts or unfair practices prohibited by Section 5(a) of the FTC Act.

In the stipulated order, VIZIO was ordered to take all the following actions before collecting any further data from consumers:

  • Prominently disclose to consumers “separate and apart” from the privacy policy specifics on the data to be collected, what would be shared with third parties, the categories of third parties who would receive the data, and the purpose for which the third parties would receive the data.
  • Obtain affirmative express consent from consumers at the time of disclosure and upon any material changes.
  • Provide instructions, at the time of obtaining consent, on how consumers may revoke consent.

The stipulated order then gave specific guidelines on what would constitute “prominent” disclosure.

The stipulated order also required the destruction of the previously collected data, the mandated creation of an internal privacy program meeting certain requirements, and third party oversight going forward regarding the privacy controls in place at the company.

Clearly, the FTC intended to send a message to the software industry about the collection of consumer data in the case of this particular enforcement action.

However, the FTC’s recent enforcement activities against software companies did not end with VIZIO. In a separate statement, the FTC announced settlements with three other companies in the industry over allegations that they had made deceptive statements in their privacy policies about their participation in an international privacy program. The companies charged in those cases were Sentinel Labs, Inc., a software company providing endpoint protection software to enterprise customers; SpyChatter, Inc., a company marketing a private messaging app; and Vir2us, Inc., a distributor of cybersecurity software. The FTC alleged in each complaint that the companies violated the FTC Act by making deceptive statements about their participation in privacy programs. Attached are the complaints against Sentinel Labs, SpyChatter, and Vir2us. In these cases, the proposed settlements merely prohibited the companies from making further misrepresentations about their participation in third party privacy or security programs, but are not final orders and are still subject to possible amendment.

What conclusions should you as a software company take away from the FTC’s recent enforcement activities against software companies? Clearly, the FTC is cognizant of the trends in the software industry to monetize data collected from software, to adopt privacy policies without actually customizing them to the practices of their particular company, and to bury privacy notices on websites without actually obtaining clear end user consent to actual business data collection practices. So, if your company is like most in this space, you are on notice that your practices need to change. Your privacy policy needs to be customized to the business practices of your particular company, which means that you actually need to take the time to consider each and every piece of information that you are collecting from the public and disclose what you are doing with it. If your customers expect you to be a part of an international privacy program before they do business with you, you need to actually take the steps required to receive the appropriate certification from that organization before you advise consumers and the public that you are a member. And if your software collects information, you need to make sure that not only your customers but also the parties from whom the information is collected have given their clear consent to your collection practices. A privacy policy buried in your website is probably not sufficient to cover you legally.

If you do not change your privacy practices, you are on notice that you may soon be hearing from the FTC.


FTC Announces Approval of Final Order in Deceptive App Case Against Vulcan

Written by on Wednesday, May 11th, 2016

The Federal Trade Commission has today announced the approval of its final order resolving its complaint against the San Francisco-based software company Vulcan on deceptive and misleading conduct allegations that Vulcan had purchased a browser extension game and replaced it with a program that caused the automatic installation of applications on the game users’ mobile devices without their permission.  According to the Federal Trade Commission (“FTC”), Vulcan’s unfair and deceptive acts and practices in replacing a legitimate game with the new program severely disrupted the ability of the 200,000 users of the game to subsequently use their mobile devices and put their sensitive information stored on the device at risk. The FTC’s complaint also contained a false claims allegation over the inaccurate promotional and advertising claims made by the replacement program.   The original FTC complaint filed against Vulcan can be viewed here.

In its Order, the FTC prohibits Vulcan from offering “a product or service or materially change a Covered Product or Service” unless the company has  disclosed “clearly and conspicuously” in advance of any downloading or installation the types of information the product or service will access and how the information will be used to perform related services, and the nature of any material change to a covered product or service.  Also, the FTC expressly prohibits Vulcan from making a number of specific deceptive advertising claims. The FTC Order has been made available for viewing here.

The Vulcan enforcement action by the FTC makes a clear statement to software companies that the government is monitoring the nature of the software being distributed to consumers as well as the advertising claims made in connection with such software for any conduct that may rise to the level of an unfair and deceptive trade practice. Any software company contemplating the replacement of an app previously installed by users with their permission with another, unauthorized app is on notice that the FTC does not approve of the practice and will exercise its enforcement authority against you once your conduct is brought to its attention.

Lumos Labs Case Signals to Health Software Industry an Intention by the FTC to Police Industry’s Advertising Claims

Written by on Saturday, January 16th, 2016

The Federal Trade Commission’s pursuit of Lumos Labs over advertising claims made about its Lumosity brain training software programs has sent a clear cautionary signal to the health software industry that the FTC intends to exercise regulatory authority over advertising in the space to monitor companies’ health-related advertising claims for deceptive advertising issues.

The FTC reached a settlement this week with Lumos Labs on its deceptive advertising claims against the company.  A copy of the FTC’s press release on the settlement is attached here.

The FTC’s complaint attached here alleged that the company’s claims about the health benefits of training with Lumosity’s mobile apps and subscription-based software services were not substantiated by science at the time that the claims were made, in violation of Sections 5(a) and 12 of the FTC Act, 15 U.S.C. § 45(a). Also, the complaint alleged that testimonials about the benefits of the program were solicited in conjunction with a contest with prizes–a fact which was not disclosed in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC alleged these violations caused consumers to suffer substantial injury and unjustly enriched Lumos Labs.

As part of the settlement, Lumos Labs has agreed to pay a fine of Two Million Dollars ($2 Million) to the FTC. In addition, Lumos Labs agreed to turn over its customer list and to provide email and subscription-based notices to consumers notifying them of the settlement and giving them visible notice of their rights to end their subscriptions when they renew. The FTC agreed to lift a $50 million judgment against Lumos Labs conditioned upon the accuracy, completeness, and truthfulness of the financial statements provided by the company to the FTC. A copy of the full order is attached here. The Washington Post reports that the FTC anticipates spending the majority of the fine on consumer refunds.

The FTC action against Lumos Labs highlights the increased popularity of software in the health technology space and provides a clear signal that the FTC intends to exercise its regulatory powers against software companies making health claims for advertising purposes that have not been scientifically proven. Indeed, the FTC recently posted to its website some general guidelines for companies making health claims, in which it advised software companies to procure clinical studies to support their health claims about their software products. A quick search of “health claims” on the FTC’s website underscores the apparent seriousness with which the FTC is taking the issue of regulating product health advertising claims.

The bottom line: software companies making health claims about their products are on notice that the FTC will be closely watching how you are advertising your product.  So, companies in the health software industry need to make FTC compliance a high priority for their businesses.

FTC Settlement with Google to Require Refund of Unauthorized In-App Charges

Written by on Tuesday, September 9th, 2014

The Federal Trade Commission has announced that Google has agreed to refund customers’ unauthorized in-app purchases made by their children in the Google Play Store pursuant to a settlement over a complaint filed by the Commission alleging violations of Section 5(a) of the FTC Act, 15 U.S.C. Section 45(a), which prohibits unfair or deceptive acts or practices affecting commerce. Attached is the FTC press release of the settlement. In particular, the complaint alleged that Google’s practice had been to bill Google account holders for children’s activities in applications without obtaining the prior consent of the Google account holder, and that the refund process to get the unauthorized charges reversed had been difficult.

The total amount of refunds Google is anticipated to make pursuant to this settlement exceeds $19 million. According to the FTC, Google has also agreed as part of the settlement to procure express, informed consent from customers before charging them for any items sold in an app going forward.

The move by Google to settle the FTC’s complaint follows a similar move by Apple earlier in the year to settle the complaint initiated by the FTC on similar grounds. Like Google, Apple agreed to refund all unauthorized in-app purchases made by children and to change its billing practices to obtain express, informed consent from customers before charging them for items sold in a mobile app, according to the press release issued by the FTC following its settlement with Apple. The cost of the refunds in the Apple case was estimated at $32.5 million.

In looking at the outcome of these two cases, I can’t help but question whether the Federal Trade Commission’s regulatory involvement in the smartphone app business is a good development for the industry or not.  On one hand, there were clearly a large number of angry Americans who were billed for unauthorized charges through their smartphones and apparently not getting relief from either Google or Apple.  So, clearly from that perspective, the outcome was the right one for consumers.

But isn’t the real problem here the smartphone app platforms themselves for both companies and the fact that neither company was responding to customers who were getting billed for unauthorized charges by fixing the platform?  Should that have required government action to fix?  Shouldn’t the private market have been able to accomplish the same action?

I personally am a little troubled by the fact that the FTC seems to be inserting itself in the digital world to the degree that it seems to be doing.  Even though the outcome was the right one for consumers in this particular case, I wonder if we should all be concerned with the FTC’s continued interference with the digital marketplace.

As for the companies themselves who were the subject of the complaints: clearly the industry has been generating revenues from unintended purchases.  Is that really the way that the industry should be conducting business?  Perhaps the industry itself should step up to the plate and make more of an effort to remedy the way that purchases are made on a smartphone to eliminate accidental purchases altogether.

Federal Court Awards $163 Million Judgment Against “Scareware” Software Company and Founders

Written by on Thursday, October 4th, 2012

The U.S. District Court for the District of Maryland has awarded damages in excess of $163 million in an FTC case against a “scareware” software company, Innovative Marketing, Inc., and its founders.

The FTC alleged violations of  Sections 5(a) and 13(b) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 45(a) and 53(b) for deceptive conduct in the sale of the software.    To market and sell the software, the defendants misrepresented to victims that they had run scans of their computer and found security or privacy issues, including viruses, spyware, system errors and pornography.  Defendants also placed misleading ads for their software on Internet advertising networks, who started receiving complaints about the company.   The security or privacy issues to be found were pre-determined in advance of the scan run, and the software that was sold to fix the “problem” did nothing.  Apparently more than one million consumers were conned by the scheme.

The court found that the defendants had engaged in unfair or deceptive acts or practices affecting commerce, and held the founders as well as the company itself jointly and severally liable for the damage award. The court also issued a permanent injunction against one of the founders from marketing computer security software and software that interferes with consumers’ computer use.

A copy of the opinion is posted here.  The FTC’s press release on the decision is posted here.


FTC Proposing New Rules to Protect Children’s Online Privacy

Written by on Thursday, August 16th, 2012

The FTC has just announced proposed changes to its existing rules protecting children’s online privacy and is currently accepting public comment on the proposed rules through September 10, 2012. The proposed changes would amend the Children’s Online Privacy Protection Rule (“COPPA”).

In particular, the FTC is seeking to make modifications to the following language:

  • Revise the definitions of “operator” and “website or online service directed to children”  in order to specify that the operator of a child-directed site or service which incorporates into the site or service any plug-ins that collect personal information from visitors to the site  should itself be subject to COPPA.
  • Revise the definition of “website or online service directed to children” to specify that (a) plug-ins or ad-networks are covered by COPPA if they know or have reason to know that they are collecting personal information through a child-directed website or online service;  (b) websites that appeal to both adults and children under 13 years of age may screen all visitors’ ages in order to provide COPPA’s protections only to users under age 13; and (c)  all child-directed sites or services that knowingly target children under 13 or whose content primarily appeals to children under 13 must treat all users as children.
  • Revise the definition of “personal information” to clarify that a persistent identifier will be treated as personal information “where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than internal operations,” and revise the definition of “support for internal operations” in order to specify that activities such as “site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft” will not constitute the “collection of personal information,” provided that the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

The full text of the proposed new rules is attached here.

In all honesty, while I’m all in favor of protecting children on the Internet, I’ve never been a big fan of COPPA.  In my role as counsel to start-ups and small businesses, clients often come to me for advice on COPPA compliance, and the truth of the matter is that the language is cumbersome to read and interpret, and the rules are difficult to implement.  Moreover, I question the practical application of COPPA in this day and age where kids are so wired at a very young age and there is so much quality educational content available to kids.

So, with that being said, I think further clarification of how the FTC is reading the rules on the enforcement end is welcome and long overdue.

However, at the same time, the FTC is clearly trying to expand the reach of COPPA, and if implemented, any expansion is going to pose an additional hardship on affected start-ups and small businesses.   Huffington Post writer Larry Magid argues that the FTC has greatly underestimated the number of businesses that would potentially be affected by these new rules.  I know in my practice alone I’ll have a number of start-up and small business clients who would be affected by any new rules in this space.  Are the changes really going to have the effect of better protecting kids or are they just going to add to the administrative burden already facing start-ups and small businesses in the website and software services space?

The good news is that there is still time to review the proposed language and communicate your thoughts to the FTC, so I would encourage website and software service providers to get involved in the process and voice your opinions while this is still just a proposal.

Copyright 2008-2017 The Prinz Law Office.
