The FTC’s Enforcement Priorities & How To Ensure Compliance
In this discussion, we overview some of the latest developments and stated priorities of the FTC concerning marketing and advertising legal compliance as well eCommerce law more broadly with an eye on “where the ball is going” so that businesses can stay ahead of the ever-changing FTC compliance curve.
Endorsements & Testimonials
One of the most active areas of FTC over the last few years has been their enforcement of endorsements and testimonials and ensuring that they are not unfair or deceptive. The FTC has also updated its relevant guides, including as they relate to new developments in influencer marketing and related spaces, such as in the instance of AI-generated influencers. To that end, the updated guides now expressly include such virtual influencers.
The FTC has also gone to great lengths to clarify what is considered an endorsement and testimonial as well as further clarity about what is required in terms of disclosures. For example, the FTC stated that merely “tagging” a brand is deemed to be an endorsement. Further, the FTC broadened the definition of what is considered to be a “material connection” to include early access to a product or service and varying types of incentives, including even just publicity.
On the legal risk front and, in particular, responsibility and, by extension, liability for non-compliance, the FTC noted that advertisers are liable for noncompliance of endorsers, whether it be in regard to non-disclosure or false or misleading claims. Advertising agencies as intermediaries can also be potentially liable for endorsers such as influencers. In light of this broad spectrum of liability all along “the food chain,” it is imperative for brands to monitor their agency partners as well as endorsers as well as also incorporate stringent clauses with consequences for noncompliance in agreements with the same that account for specifics concerning disclosures and “truth in advertising.”
Consumer Reviews
Online reviews from customers are increasingly playing a pivotal role in how consumers make everyday purchasing decisions. Whether it is looking at the overall number and rating of reviews on Amazon for a particular product or seller or reading the substance of a review, the FTC views the regulation of such critical information as squarely within its mandate. One of the recent enforcement actions in this area involved Fashion Nova, an online “fast fashion” retailer. The FTC alleged that Fashion Nova only displayed positive reviews on their website and blocked reviews that were below four stars and were therefore in breach. As a result Fashion Nova agreed to settle the matter for $4.2 million as well as agreeing to post all reviews.
Fashion Nova never approved or posted the hundreds of thousands of lower-starred, more negative reviews.
The FTC In Re: Fashion Nova
Review Hijacking
Another more unique recent enforcement action centers on what has been termed “review hijacking,” a practice that refers to attributing reviews from one product to another in a manner that is “unfair” or “deceptive.” In this instance, The Bountiful Company, which sold supplements, was alleged to have deceptively made it seem as though certain newer products had more reviews via a technical feature available on Amazon.com that allowed reviews from older products to be shown for newer items. The result of this action was a $600,000 settlement.
Recurring Billing & Subscriptions
Recurring billing and other subscription-type offerings are increasingly popular for businesses in practically all sectors as they offer continuous and reliable income. Such billing practices are increasingly getting scrutinized and regulated by a variety of enforcement agencies, including state attorneys general, both under more generalized state laws focused on Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) statutes as well as billing-specific laws, such as is the case with California’s autorenewal law. There are federal laws such as the Restore Online Shoppers’ Confidence Act (ROSCA), too. The FTC is also quite active in the space. In this regard, the FTC published a Notice of Proposed Rulemaking in 2023 of such recurring and subscription billing practices, which is aimed at further regulating the space.
As a general matter, regulators are focusing on ensuring that notice and disclosure of all material terms are clear and prominently displayed and not formulated in a “dark pattern.” Further, affirmative and unambiguous consent is given by a consumer with a strong bias toward a “check the box.”
Even with proper consent to such recurring subscription-type billing, another key area of compliance, as well as increasing enforcement focus, concerns the cancellation of such subscriptions. In particular, the means of cancellation should be as seamless and simple as the manner in which the billing was initiated. To illustrate the focus on this area, the FTC has brought an action against Amazon, alleging the use of dark patterns concerning enrollment and cancellation for Amazon Prime.
As we noted, states are also very active in regulating subscriptions and other similar billing types common in the space, including California, Colorado, Florida, Idaho, and Tennessee.
Artificial Intelligence
These days, it is hard to avoid artificial intelligence (AI). While AI is a powerful technology that will have broad effects on the economy and people’s lives more generally, seemingly overnight, services of all types began touting their “AI features.” The FTC has made clear that it intends to regulate AI when it encroaches on its broad portfolio of regulation. For example, the FTC announced they will be watchful of AI used for online surveillance and AI-enabled voice cloning, as well as claims about AI features more generally that may be “unfair” or “deceptive.”
Dark Patterns
Less quantifiable but an emerging focus area for regulators, including the FTC but also in many privacy laws such as the CPRA, are what has become known as “dark patterns.” Some would argue that what constitutes a dark pattern can be arbitrary, but the FTC defines dark patterns as “any design practices or user interfaces that trick or manipulate consumers into making choices they would otherwise not make” In a 2022 report titled “Bringing Dark Patterns To Light,” the FTC outlined its views and approach to regulating practices that fall within its mandate to regulate. The FTC is signaling a move toward something beyond affirmative consent toward a standard of clarity and unambiguity about what the consent and choice are about. Some of the common areas that would involve a potentially dark pattern include the following: deceptive ad formats, junk or hidden fees (the FTC takes the view that all fees should be shown “up-front”), prechecked boxes, highlighted text, terms in very small print or in a place not obvious, false product quantity or scarcity or other false urgency, false MSRP or discount/savings claims, and multi-window cancellation of subscriptions or “manipulative” retention tactics.
“Junk” Fees
As briefly touched on in the previous section discussing “dark patterns,” junk fees and general transparency in pricing are a focus of the FTC. To that effect, the FTC, in October 2023, commenced rulemaking to promulgate a trade regulation rule entitled “Rule on Unfair or Deceptive Fees.” According to the FTC’s announcement, the new proposed rule would prohibit “junk fees.” The FTC states that such fees “…are hidden and bogus fees that can harm consumers and undercut honest businesses.” Further, the FTC estimates that such fees “can cost consumers tens of billions of dollars per year in unexpected costs.” In essence, the proposed rule would require that the total price be displayed (subject to certain exceptions) and disallows the misrepresentation of the nature or purpose of any fees.
Health Claims
While substantiation of claims in advertising is important across the board, it is especially critical for those products and services that have a health or fitness component. The FTC has taken a more stringent approach to health claims and, in particular, to offerings marketing food, over-the-counter drugs, dietary supplements, and other health-related products. In its Health Products Compliance Guidance, which was recently updated, the FTC outlines what is required for compliance in relation to health claims, as well as other nuanced points, such as its coordination with the Food and Drug Administration (FDA). For greater context about the kinds of enforcement the FTC brings in the health and fitness space, view the relevant case history here.
Privacy, Sensitive Data, Data Minimization, & Data Security
Data is increasingly the lifeblood of our global and interconnected economy and, by extension, our daily lives. It is unsurprising, then, that the FTC, in addition to legislators and other regulators that span a broad spectrum, is regulating how data can be collected, used, stored, and otherwise processed.
Sensitive Data
As it relates to the FTC, they are putting particular focus on the processing of sensitive information that includes location data, facial recognition and other biometrics, health data, and children’s data. They are generally taking a strict approach to when sensitive data can be shared with service providers, even when traditional notice and consent procedures are implemented via a Privacy Policy. Rather, when it comes to sharing sensitive data, the FTC is looking for “affirmative express consent,” as was illustrated in the action against BetterHelp, which in part prohibited the use of such health data for behavioral advertising. The FTC defines “affirmative express consent” as “being presented with a clear choice to provide or withhold consent, an affirmative act taken by a consumer communicating specific, informed, and unambiguous authorization to collection and sale, transfer, or disclosure of Covered Information.” In cases of enforcement, the FTC is pursuing aggressive measures, including the destruction of improperly collected data as well as personal liability of involved executives, as was the case in the Drizly settlement.
The sea change in a move from a “notice and consent” regime to one where the FTC deems certain collection and other processing prohibited even with “notice and consent” is illustrated by the Chair of the FTC’s comments as noted below:
Growing recognition of the limits of the “notice and consent” framework prompts us to reconsider more generally the adequacy of procedural protections, which tend to create process requirements while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place.
Lina Khan, Chair of the FTC
Data Minimization, Retention, & Data Security
Increasingly, data minimization, retention, and data security are popping up as areas that the FTC is paying attention to. Data minimization generally refers to the concept that only the information necessary to provide the service or product requested should be collected and used but not for any other reason. Concerning data security, the FTC recently settled with CafePress and noted that the settlement “requires the [CafePress] to implement policies to minimize the data it collects, stores, and retains. The CafePress settlement order also requires the company to use secure multifactor authentication methods.”
Facial Recognition
While still a burgeoning technology, regulation of facial recognition and other biometrics is a particularly sensitive area, and the FTC is paying attention to potential areas of non-compliance. For example, a recent enforcement action against Rite Aid alleged the chain’s use of facial recognition was unfair as it did not incorporate “reasonable” safeguards. Specifically, the FTC alleged that Rite Aid failed to take steps to ensure the use of facial recognition did not harm consumers, including via “false positives” that wrongly identified individuals as shoplifters. The resulting settlement banned Rite Aid from using the technology for five years
Face Rec: Alleges Rite Aid’s use of facial recognition was unfair – Failed to take adequate steps to ensure use of technology in stores did not cause harm through false positive matches – More likely to result in false positive matches for Black, Latino, Asian and women consumers Banned from using facial recognition for surveillance purposes for five years.
Children’s Data
Protecting children’s data is another key area for the FTC as the internet continues to play a leading role in even young children’s lives. To that end, in 2023, the FTC proposed revisions to the Children’s Online Privacy Protection Act (COPPA) Rule, which makes it illegal for websites and online services to collect personal information from children under 13 without their parents’ verifiable consent. Among other components, the update would require additional disclosures such as new data retention and security policies, new methods for gaining parental consent, and separate parental consent for disclosure.
A Very Active FTC Requires A Proactive Approach To Compliance
What is apparent from all the activity emanating from the FTC is that prudent companies are going to take a proactive approach to compliance. Regardless of whether there is credence to the claims of an overly aggressive FTC, the reality is that many of the matters within the FTC’s purview are seeing scrutiny via other vectors as well, such as the numerous state comprehensive privacy laws as well as state attorneys general that regulate via UDAAP statutes. It is our view that much legal risk from enforcement action can be mitigated via review and updates to the relevant area of the business’s operations.
