On April 12, 2018, the Federal Trade Commission (FTC) announced that it was withdrawing its proposed August 2017 privacy and data security settlement with Uber Technologies and issuing a new and expanded proposed settlement.[1] According to the FTC, the reason for this extraordinary step was to address additional allegations of misconduct by the ride-sharing company in connection with a data breach it suffered in 2016. The revised complaint includes new factual allegations regarding that breach,[2] and the revised consent order includes significant new reporting obligations for the company regarding future breaches, new obligations for the order’s mandated privacy program, and additional reporting and recordkeeping obligations that will last for longer periods of time.[3]

Those that closely follow the FTC know that any modifications to consumer protection settlements after they have been proposed by the FTC are extremely rare, so it’s worth taking a closer look at what triggered this unusual action and the important new insight it provides into the FTC’s current thinking on what it considers unreasonable security practices. Additionally, the FTC’s revised complaint provides, for the first time, concrete guidance on what it considers “legitimate” uses of a bug bounty program.
Continue Reading What’s Old Is New Again: FTC Takes Rare Step of Withdrawing and Reissuing Expanded Data Security Settlement with Uber in Light of 2016 Data Breach

In a novel interpretation of the Federal Trade Commission (FTC) Act, the U.S. District Court for the District of Delaware recently held in FTC v. Shire ViroPharma that the FTC had failed to plead the facts necessary to invoke its authority to sue for permanent injunction in federal court because it did not allege an ongoing or imminent violation of the FTC Act. This ruling could broadly impact the FTC’s authority to litigate cases in federal court for past violations of the FTC Act and prevent the FTC from seeking permanent injunctive relief in federal court unless the defendant is currently violating, or is about to violate, the act.

Factual Background

The FTC had brought suit against Shire for anti-competitive use of the U.S. Food and Drug Administration’s (FDA’s) citizen petition process to delay generic competition. The FTC alleged that the company exploited the FDA’s petition process to an extraordinary degree, submitting more than 46 regulatory and court filings. The company’s attempts to delay competition were ultimately unsuccessful, as Shire lost its legal challenges to the FDA, and the company was no longer engaged in the practice at the time the FTC’s complaint was filed. Nevertheless, the FTC’s complaint alleged that Shire had succeeded in delaying generic entry at great cost to consumers and demanded relief.
Continue Reading Federal Court Challenges FTC’s Litigation Authority in FTC v Shire ViroPharma

In February 2018, the Federal Trade Commission (FTC) released a report that explores the complexities of the mobile ecosystem and makes recommendations for industry to improve the mobile security update process for consumers.

The report is part of the FTC’s effort to address concerns that mobile devices are not receiving the operating system patches they need to defend against attacks. It begins by highlighting that even though three-quarters of Americans own smartphones and increasingly rely on them to store and transfer sensitive information, many devices are not receiving the updates they need to protect against critical security vulnerabilities. As a result, many consumers’ devices are vulnerable to malicious software attacks like spyware, phishing, and ransomware, all of which put consumers at risk of identity theft, fraudulent charges, and similar financial or other risk. As characterized by former Acting Director of the FTC’s Bureau of Consumer Protection Tom Pahl, “[c]onsumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure,” but “significant differences in how the industry deploys security updates” must be addressed to “make it easier to ensure their devices are secure.”[1]
Continue Reading New FTC Report Recommends Steps to Improve Mobile Security Updates

The Federal Trade Commission (FTC) recently granted a petition by Sears Holding Management requesting that the FTC reopen and modify a 2009 FTC order settling charges that Sears failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software app.

Sears’ 2009 Order

On August 31, 2009, the FTC entered a final order in In the Matter of Sears Holdings Management Corporation after determining that from approximately April 2007 to January 2008, Sears disseminated a desktop software application through its websites that collected sensitive information, such as online bank statements, drug prescription records, and video rental records, yet Sears failed to disclose the scope of the application’s data collection. Among other things, the order required Sears to disseminate all future “tracking applications” in a specified manner, including by making certain disclosures and obtaining express opt-in consent using processes stipulated by the order, for a 20-year term.
Continue Reading FTC Grants Sears’ Petition to Reopen and Modify 2009 Order Concerning Online Browsing Tracking

On February 26, 2018, the U.S. Court of Appeals for the Ninth Circuit issued an en banc decision in FTC v. AT&T holding that the Federal Trade Commission (FTC) Act’s “common carrier” exemption is activity-based, reversing the panel’s decision that the exemption is status-based, which would have opened a large enforcement gap for telecommunications companies like AT&T. This is an important decision in terms of FTC jurisdiction: it means that the FTC can and will continue to regulate common carriers to the extent that they provide non-common-carrier services, such as mobile internet services.

Section 5 of the FTC Act gives the commission enforcement authority over unfair and deceptive acts or practices, but exempts “common carriers subject to the Acts to regulate commerce.” Unsurprisingly, the question of whether a company qualifies as a “common carrier” under the exemption is a loaded and complicated one. If an entity falls within the exemption, the FTC cannot bring an enforcement action against it for conduct it considers harmful to consumers. Conversely, companies that fall outside the exemption are subject to FTC regulation, leaving them open to liability for unfair or deceptive conduct, and requiring that they comply with a long list of FTC rules.
Continue Reading “Two Cops on the Beat is Nothing Unusual”: Ninth Circuit Reverses Panel Decision, Rules FTC Act’s “Common Carrier” Exemption is Activity-Based

On February 27, 2018, the Federal Trade Commission (FTC) announced[1] that it had reached an agreement with PayPal to settle allegations that its peer-to-peer payment service, Venmo, engaged in deceptive acts and practices and violated the Gramm-Leach-Bliley Act (GLBA)’s Safeguards Rule[2] and Privacy Rule.[3] Since 2011, Venmo has offered peer-to-peer payment services through an app that consumers can download, link to their external bank accounts, and use to transfer and receive money to and from other users. In its complaint, the FTC alleged that PayPal, through Venmo, failed to adequately disclose that: (1) it could freeze or remove funds credited to a customer’s account; (2) the Default Audience Setting did not ensure that future transactions were visible only to chosen audiences; and (3) the Individual Audience Setting did not ensure that any single transaction was visible only to the chosen audience. The FTC also alleged that PayPal, through Venmo: (1) misrepresented that it protected consumers’ information with “bank-grade security systems;” (2) failed to protect the security, confidentiality, and integrity of customer information in violation of the GLBA’s Safeguards Rule; and (3) failed to send an adequate initial privacy notice to customers detailing its privacy policies and practices in violation of the GLBA’s Privacy Rule.[4]
Continue Reading FTC Announces Settlement with PayPal for Alleged FTC Act and GLBA Violations by Venmo