The Federal Trade Commission (“FTC”) continued a flurry of activity to put companies on notice of future enforcement activities and safeguard consumer financial information. All businesses that advertise to consumers and that have an online presence should be aware of the FTC’s initiatives.

False Money-Making Claims

On October 26, 2021, the FTC sent a Notice of Penalty Offenses Containing Money-Making Opportunities and Endorsements and Testimonials (the “Notice”) to over 1,100 companies. These companies encompass a wide variety of industries and cover everything from financial services, cleaning systems, food delivery, franchise opportunities, coaching and business opportunities.

The Notice states that companies could incur civil penalties of up to $43,792 per violation for engaging in unfair or deceptive practices to make a false, misleading or deceptive representation concerning profits or earning that may be anticipated by a participant in a money-making opportunity. This includes representations that participants will make a profit or that represented profits are typical.

The Notice also describes other practices that the FTC has determined to be unfair or deceptive, such as falsely telling consumers they do not need experience to earn income or that they must act immediately to participate. The Notice includes descriptions of past FTC actions against companies for these types of practices.

The FTC voted unanimously 5-0 to send this Notice.

“Negative Option” Subscription Enforcement Policy Announced

On October 28, 2021, the FTC announced a new enforcement policy statement regarding “negative option marketing.” 

Negative option offers are offers that contain a term or condition under which the seller may interpret a consumer’s silence or failure to take affirmative action to reject a good or service or to cancel the agreement as acceptance or continuing acceptance of the offer. These include automatic renewals, continuity plans, free-to-pay or fee-to-pay conversions, and prenotification plans.

Under the policy, businesses must:

• Disclose clearly and conspicuously all material terms of the product or service (i.e., how much it costs, deadlines by which the consumer must act to stop further charges, the amount and frequency of such charges, how to cancel and information about the product or service itself).
• Obtain the consumer’s express informed consent before charging them for a product or services. This includes obtaining the consumer’s acceptance of the negative option feature separately from other portions of the entire transaction, not including information that interferes with, detracts from, contradicts or otherwise undermines the consumer’s ability to provide their express informed consent.
• Provide easy and simple cancellation to the consumer. Marketers should provide cancellation mechanisms that are at least as easy to use as the method the consumer used to buy the product or service in the first place.

The FTC voted 3-1 to issue the policy. 

Revisions to the Safeguards Rule for Financial Data

On October 27, 2021, the FTC announced that it was updating its Safeguards Rule. The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers and payday lenders, to develop, implement and maintain a comprehensive security system to keep their customers’ information safe.

According to the FTC, the changes to the Safeguards Rule “include more specific criteria for what safeguards financial institutions must implement as part of their information security program, such as limiting who can access consumer data and using encryption to secure the data. Under the updated Safeguards Rule, institutions must also explain their information sharing practices, specifically the administrative, technical and physical safeguards the financial institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle customers’ secure information. In addition, financial institutions will be required to designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.”

In March of 2019, the FTC sought public comment on proposed amendments to this rule.

The FTC voted 5-0 to publish the final revisions to update the FTC’s jurisdiction under Dodd-Frank and the supplemental notice of proposed rulemaking to the Safeguards Rule in the Federal Register. The FTC voted 3-2 to publish the revisions to the Safeguards Rule in the Federal Register. The dissenting commissioners expressed concern that the “new prescriptive requirements could weaken data security by diverting finite resources towards a check-the-box compliance exercise and away from risk management tailored to address the unique security needs of individual financial institutions.”