Privacy Laws + Banks + FinTech = New U.S. Guidance on Risk Management for Third-Party Relationships

Three federal agencies jointly issued a guidance that banks are expected to monitor their financial technology partners to ensure compliance with privacy, fair lending, and anti-money laundering laws.

The “Interagency Guidance on Third-Party: Risk Management” was issued jointly by: (1) Board of the Federal Reserve System [OP-1752], (2) Department of the Treasury Office of the Comptroller of the Currency [OCC-2021-0011], and (3) Federal Deposit Insurance Corporation [RIN 3064-ZA26], with a final guidance date of June 6, 2023 (“Guidance”).  The Guidance offers the three U.S. agencies’ views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.

Prior guidance is rescinded and replaced by the Guidance

The Guidance rescinds and replaces the following previously issued guidance by the three federal agencies:

  • Board’s 2013 guidance: SR Letter 13-19/CA Letter 13-21, “Guidance on Managing Outsourcing Risk” (December 5, 2013, updated February 26, 2021)
  • FDIC’s 2008 guidance:  FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008)
  • OCC’s 2013 Guidance and its 2020 frequently asked questions: OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” and OCC Bulletin 2020-10, “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29.” Additionally, the OCC also issued foreign-based third-party guidance, OCC Bulletin 2002-16, “Bank Use of Foreign-Based Third-Party Service Providers: Risk Management Guidance,” which is not being rescinded but instead supplements the final guidance.

The Guidance seeks to establish a consistent approach which puts the onus on banks to obtain information from and ensure compliance from its third-party fintech relationships.  In other words, banks are responsible for knowing how their fintech partners: (1) are operating and (2) are complying with applicable federal law.

Obligations concerning privacy laws and cross-border flow of information 

The Guidance discusses factors to consider when evaluating whether to enter into a relationship with a third party, including the compliance of privacy laws.  Regarding contracts between a bank and a foreign-based third party, the Guidance notes the importance of:

  • privacy laws
  • cross-border flow of information
  • choice-of law and jurisdictional provisions that provide dispute adjudication

In sum, the 68-page Guidance sets forth a bank’s risk management obligations when contracting with third-party fintech.  As privacy laws and cross-border flow of information continually increase, the Guidance sets forth the criteria to analyze within these contracts.



FTC’s Proposed Click to Cancel Rule for Online Commerce

The Federal Trade Commission’s proposed click to cancel rule requires companies to provide more detailed information and notices about cancelling automatic renewals, subscriptions, and memberships which are prevalent in online commerce.  The proposed rule, titled Negative Option Rule, is at:

The goal of the proposed rule is to combat unfair or deceptive practices that include recurring charges for products or services consumers do not want and cannot cancel without undue difficulty.  The FTC is currently seeking comments on the proposed rule until April 19, 2023.

The proposed rule would require canceling via a negative-option program to be easy and available through the same means as signing up.  For example, if a company offers one-click membership sign-up through its website, then the company must also offer one-click cancellation through the same website.

Other substantive requirements of the proposed rule include annual reminders for customers of programs that do not involve the shipment of physical goods, pre-billing disclosure requirements, express consent for subscription terms separate from the rest of the transaction, and limits on the ability to offer special deals to customers attempting to cancel.

To help comply with this anticipated rule, companies should:

    • Catalog:  Catalog their negative-option marketing offerings under the broad definition provided by the FTC under the proposed rule
    • Representations:  Review the processes associated with these offerings, including representations they make concerning any aspect of a product or service involving negative-option marketing to ensure they are accurate
    • Pre-bill disclosures:  Review pre-billing disclosures to ensure all material terms of a deal are disclosed to consumers before they enter their billing information and that express consent to the subscription is obtained
    • Involve IT:  Communicate with their IT departments to develop a simple cancellation procedure which includes annual notifications for consumers.

Preservation of Ephemeral Messaging for Business Purposes

Ephemeral messaging is short-lived, yet the data preservation and regulatory obligations remain.

Ephemeral messaging apps – like WhatsApp and SnapChat – are a form of digital communication available for a limited time and then deleted.  The two key characteristics of ephemeral messaging are: (1) automated deletion of message content for both the sender and the receiver and (2) end-to-end encryption which enhances privacy by making it more difficult for hackers and others to read the encrypted data while it is in transition between devices.

The three degrees of ephemerality in messaging apps are:

  1. Pure which involves the permanent and automated deletion of messages;
  2. Quasi which permits preservation of messages in certain circumstances; and
  3. Non-ephemeral in which messages usually remain on a source (such as a server) and may not include end-to-end encryption.

The benefits of ephemeral messaging include:

  • Information governance: Data storage and records preservation/management are reduced by ephemeral messaging.
  • Legal compliance: Encryption and automatic deletion of personal data help reduce exposure if a data breach occurs.
  • Data security: Even if a mobile device is lost, the automatic deletion of data will likely protect against hackers.

The legal risks of ephemeral messaging include: (1) complying with subpoenas and (2) preservation of data when litigation is “reasonably anticipated”.

Subpoenas often define documents and communications broadly to capture all communications, including ephemeral messaging.  Thus, the failure to preserve documents may result in an inability to fully comply with a subpoena and/or a criminal exposure, particularly if the subpoena was issued by the government.

Regarding the preservation of data, legal hold policies may need to be amended to address ephemeral messaging, including when a company is dealing with government regulators.  See e.g., Federal Trade Commission v. Noland, et al., Case No. CV-20-00047-PHX-DWL (D. Ariz. 2021) (sanctioning defendants for installing and using ephemeral messaging after learning they were investigation targets).

Some regulators caution against the use of ephemeral messaging.  For example:

  • The U.S. Securities and Exchange Commission (“SEC”) issued a guidance in 2018 that prohibits business use of apps which permit automatic destruction of messages.
  • The U.S. Department of Justice (“DOJ”) updated its Evaluation of Corporate Compliance Programs in March 2023 which discusses the factors that prosecutors should consider in conducting an investigation of a corporation including the adequacy and effectiveness of the corporation’s compliance program at the time of the offence as well as at the time of the charging decision.

Accordingly, establishing adequate and effective corporate compliance programs are important, including:

  1. establishing a corporate compliance program which is monitored, updated, and works in practice, and
  2. reviewing the company’s document-retention policies and procedures, including whether they address ephemeral messaging and mobile device data.

In sum, although ephemeral messaging is short-lived, the consequences – of failing to comply with data preservation and regulatory obligations – may be long lasting.



Privacy Concerns for Health Apps

Free health apps – often funded by advertising revenue – may result in disclosure of private health information to third parties without permission from consumers.

A company that operates a health app or collects consumer health data should analyze how ad-tracking tools are used within their ecosystem.  In 2021, the Federal Trade Commission (“FTC”) issued a policy statement clarifying mobile health app makers’ obligations to notify consumers if their data is exposed or shared without their permission, and the FTC stated that the policy was meant to fill a “gap” in regulations for health apps which generally are not covered by the Health Insurance Portability and Accountability Act (“HIPPA”).

Failure to fulfil these obligations may result in a government action, such as an action by the FTC which: (1) has authority over businesses that collect health information under the FTC Act and (2) may bring enforcement actions regarding deceptive claims about the use or disclosure of health data.  Recent federal and state enforcement actions include:

  • FTC action: Flo Health Inc. settled FTC allegations that the company shared health information of its users with outside data analytics providers after promising such information would be kept private.  The FTC filed the Complaint against Flo Health asserting that Flo Health: (1) disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties that provided marketing and analytics services to the app, including Facebook’s analytics division and Google’s analytics division, (2) disclosed sensitive health information, such as the fact of a user’s pregnancy, to third parties in the form of “app events,” which is app data transferred to third parties for various reasons and, (3) did not limit how third parties could use this health data.
  • California AG action: Glow Inc. settled a probe by the California Attorney General regarding its fertility-tracking mobile app that stores personal and medical information.  The Attorney General’s Complaint alleged that the app: (1) failed to adequately safeguard health information, (2) allowed access to user’s information without the user’s consent, and (3) had additional security problems with the app’s password change function that could have allowed third parties to reset user account passwords and access information in those accounts without user consent.  Within the settlement, Glow was required to: (1) incorporate privacy and security design principles into its app and (2) obtain affirmative consent from users prior to sharing or disclosing personal, medical, or sensitive information and require the users to revoke previously granted consent.

In sum, a company that operates a health app or collects consumer health data should analyze how ad-tracking tools are used within their ecosystem.

FTC Targets Online Fake Reviews and Endorsements

Fake and deceptive reviews and endorsements – prevalent in online shopping – are a target of the FTC’s proposed rulemaking.  The FTC has authority to promulgate trade regulation rules that define with specificity the acts or practices that are unfair or deceptive in or affecting commerce under 15 U.S.C. 45(a)(1).

The FTC states that it is concerned that some platforms may have mixed incentives to deal effectively with the problematic reviews and, despite some platforms purporting to take enforcement of problematic reviews seriously, fake and deceptive reviews continue to flourish on those very platforms.  The sheer number of people engaged in fraudulent or deceptive reviews and endorsements makes them even more difficult to combat, especially given such content is often created by individuals or small companies, some of whom are located abroad.

The FTC is considering civil penalty remedies as a potent deterrent.  The FTC is considering initiating a Magnuson-Moss rulemaking to address certain types of clear Section 5 violations involving reviews and endorsements.  The FTC also noted that it reviewed many comments to the Use of Endorsements and Testimonials in Advertising, 16 CFR part 255.

The FTC has a long history of challenging reviews and endorsements, including, for example, that the FTC has challenged:

  • Fabricated consumer reviews. See, e.g., Complaint 9-17, FTC Roomster Corp., No. 1:22-CV-07389 (S.D.N.Y. Aug. 30, 2022) (purchase and sale of fake app store and other reviews for room and roommate finder app and platform); Complaint at 2-4, Sunday Riley Modern Skincare, LLC, No. C-4729 (Nov. 6, 2020) (company personnel created fake accounts to write fake reviews of company’s products on third-party retailer’s website); Complaint at 12-13, 15-16, Shop Tutors, Inc., No. C-4719 (Feb. 3, 2020) (reviews of LendEDU were fabricated by its employees, other associates, or their friends and published on a third-party website); Complaint at 20, FTC v. Cure Encapsulations, Inc., No. 1:19-cv-00982 (E.D.N.Y. Feb. 26, 2019) (Amazon reviews of defendants’ product were fabricated by one or more third parties whom defendants had paid to generate reviews). It has similarly challenged fictitious endorsements. See, e.g., Complaint at 14, 19, FTC v. A.S. Resch., LLC (Synovia), No. 1:19-cv-3423 (D. Colo. Dec 5, 2019) (fake consumer testimonials); Complaint at 20-22, 31, Global Cmty. Innovations LLC, No. 5:19-CV-00788 (N.D. Ohio Apr. 10, 2019) (fake consumer testimonials); Complaint at 27-28, 43, Jason Cardiff (Redwood Sci. Techs., Inc.), No. ED 18-cv-02104 SJO (C.D. Cal. Oct. 24, 2018) (testimonials in infomercial were paid actors who had not used defendants’ product); Complaint at 12-3, 20, FTC v. Mktg. Architects, Inc., No. 2:18-cv-00050-NT (D. Me. Feb. 5, 2018) (fake testimonials); Complaint at 14, 21, FTC v. Health Rsch. Labs., LLC, No. 2:17-cv-00467-JDL (D. Me. Nov. 30, 2017) (fake consumer testimonials and expert endorsements); Complaint at 13, 18, 28, XXL Impressions LLC, No. 1:17-cv-00067-NT (D. Me. Feb. 22, 2017) (defendants do not know whether consumer endorsers of their products who appeared in their ads actually exist); Complaint at 5, 7, 12-13, FTC v. Anthony Dill, No. 2:16-cv-00023-GZS (D. Me. Jan. 19, 2016) (fake testimonials); Amended Complaint at 38-39, 43-44, FTC v. Lisa Levey, No. 03-4670 GAF (C.D. Cal. Mar. 8, 2004) (fictitious expert endorsements). It has also challenged false claims that specific celebrities endorsed specific products, services, or businesses. See, e.g., Complaint at 15, 19-20, 30-31, Global Cmty. Innovations LLC, No. 5:19-CV-00788 (N.D. Ohio Apr. 10, 2019); Complaint at 5, 18-20, 22-23, 36, FTC v. Tarr, Inc., No. 3:17-cv-02024-LAB-KSC (S.D. Cal. Oct. 3, 2017); Complaint at 13-15, 18, Sales Slash, LLC, No CV15-03107 (C.D. Cal. Apr. 27, 2015); Complaint at 2, 4-5, Norm Thompson Outfitters, Inc., No. C-4495 (Sept. 29, 2014); The Raymond Lee Org., Inc., 92 F.T.C. 489 (1978) (use of the names, photographs and words of public officials, including members of the Congress, misled consumers that the officials recommended or endorsed the business). It has similarly challenged false claims of endorsements by specific entities. See, e.g., Complaint at 15-16, 18, FTC v., LLC, No. 1:16-cv-04282 (N.D. Ill. Apr. 13, 2016) (misrepresentation the FDA endorsed the use of indoor tanning systems as safe); Mytinger & Casselberry, Inc., 57 F.T.C. 717, 743-46 (1960) (misrepresentation that a consent decree restraining respondents from making certain claims was an endorsement by the U.S. government of its product); Trade Union Courier Publ’g Corp., 51 F.T.C. 1275, 1300-03 (1955) (misrepresentation that newspaper was endorsed by the American Federation of Labor when it was only endorsed by some unions within the AFL); Ar-Ex Cosms., Inc., 48 F.T.C. 800, 806 (1952) (misrepresentation that lipstick had been recommended by Consumers’ Research); A. P. W. Paper Co., Inc., 38 F.T.C. 1, 15-17 (1944) (misrepresentation that product was endorsed by the American Red Cross); Wilbert W. Haase Co., Inc., 33 F.T.C. 662, 681-83 (1941) (misrepresentation that insurance company had endorsed burial vault business and its vaults). Furthermore, the Commission has challenged advertisements that misrepresent endorsers’ experiences. See, e.g., Complaint at 14, 18, FTC v. A.S. Resch., LLC (Synovia), No. 1:19-cv-3423 (testimonialists had used a prior product formulation that contained substantially different ingredients); Complaint at 22, 25, NextGen Nutritionals, LLC, No. 8:17-cv-2807-T-36AEP (M.D. Fla. Jan. 9, 2018) (testimonials in ads misrepresented the actual experiences of customers); Complaint at 22-24, 27, FTC v. Russel T. Dalbey, No. 1:11-cv-01396-CMA—KLM (D. Colo. May 26, 2011) (testimonials misrepresented earnings from brokering promissory notes using defendants’ system); Computer Bus. Servs., Inc., 123 F.T.C. 75, 78-79 (1997) (testimonials by purchasers of home-based business ventures did not reflect their actual experiences); R. J. Reynolds Tobacco Co., 46 F.T.C. 706, 731-32 (1950) (endorsements communicated endorsers exclusively smoked Camel cigarettes whereas they did not smoke cigarettes, did not smoke Camels exclusively, or could not tell the difference between Camels and other cigarettes).
  • Giving an incentive for a review or endorsement and requiring that it be positive. See, e.g., Complaint at 14, 19-20, FTC A.S. Resch., LLC (Synovia), No. 1:19-cv-3423 (offered consumer endorsers with free product in exchange for “especially positive and inspiring” reviews); Complaint at 5-6, 8, Urthbox, Inc., No. C-4676 (Apr. 3, 2019) (deceptively provided compensation for the posting of positive reviews on the BBB’s website and other third-party websites); Complaint at 2-3, AmeriFreight, Inc., No. C-4518 (Feb. 27, 2015) (every month past customers were encouraged to submit reviews of respondent’s services in order to be eligible for a $100 “Best Monthly Review Award”, given to “the review with the most captivating subject line and best content” and that they should “be creative and try to make your review stand out for viewers to read!”).
  • Sellers who control websites claiming to provide independent opinions of products. See, e.g., Complaint at 2, 8-9, Son Le., C-4619 (May 31, 2020) (respondents operated purportedly independent websites that reviewed their own trampolines); Complaint at 19-20, 28, FTC v. Roca Labs, Inc., No. 8:15-cv-02231-MSS-TBM (M.D. Fla. Sept. 24, 2015) (defendants operated website, a purported independent, objective resource, which endorsed defendants’ products); Complaint at 21-25, 28, FTC v. NourishLife, LLC, No. 1:15-cv-00093 (N.D. Ill. Jan. 7, 2015) (defendants operated Apraxia Research website, a purported independent, objective resource, which endorsed a type of supplement sold only by defendants). It has also challenged sellers who control purportedly independent organizations or entities that reviewed or approved the sellers’ products or services. See, e.g., Complaint at 3-5, Bollman Hat Co., No. C-4643 (Jan. 23, 2018) (respondents created seal misrepresenting that independent organization endorsed their products as made in the United States); Complaint at 18-20, 26, NextGen Nutritionals, LLC, No. 8:17-cv-2807-T-36AEP (M.D. Fla. Jan. 9, 2018) (misrepresentation that sites displaying the Certified Ethical Site Seal were verified by an independent, third-party program); Complaint at 2-4, Moonlight Slumber, LLC, No. C-4634 (Sept. 28, 2017) (respondent misrepresented that baby mattresses had been certified by Green Safety Shield, when in fact the shield was its own designation); Complaint at 4-6, Benjamin Moore & Co., Inc., No. C-4646 (July 11, 2017) (respondent used seal of its own creation to misrepresent that paints had been endorsed or certified by independent third party); Complaint at 2-4, ICP Constr. Inc., No. 4648 (July 11, 2017) (same); Complaint at 2-3, Ecobaby Organics, Inc., No. C-4416 (July 25, 2013) (manufacturer misrepresented seal was awarded by industry association when in fact it created and controlled that association); Complaint at 2-4, Nonprofit Mgmt. LLC, No. C-4315 (Jan. 11, 2011) (respondents misrepresented their seal program was endorsed by two associations when in fact a respondent owned and operated them); Complaint at 34, 37, FTC v. A. Glenn Braswell, No. 2:03-cv-03700-DT-PJW (C.D. Cal. May 27, 2003) (defendants established Council on Natural Nutrition and then misrepresented it was an independent organization of experts who had endorsed defendants’ products).
  • Suppression of customer reviews based upon their negativity. See Complaint at 1-2, Fashion Nova LLC, C-4759 (Mar. 18, 2022). Commission staff has also addressed the issue in a closing letter. See Letter from Serena Viswanathan, Acting Associate Director, Division of Advertising Practices to Amy R. Mudge and Randall M. Shaheen, Counsel for Yotpo, Ltd. (Nov. 17, 2020),​system/​files/​documents/​closing_​letters/​nid/​202_​3039_​yotpo_​closing_​letter.pdf.

The FTC obtained comments to the proposed rulemaking so expect new rulemaking and guidance in 2023.

TCPA Class Action Ruling: Nonprofits Acting With Dual Purposes

The TCPA “nonprofit exemption” may not apply to a nonprofit entity acting: (1) on behalf of a for-profit entity and/or (2) with dual commercial and non-commercial purposes.

In this putative class action, Plaintiff challenges Defendant’s alleged practice of making unsolicited telemarketing calls to individuals who registered their phone numbers on the national Do Not Call registry (“DNC”).  Defendant operates a nonprofit company and “purports to offer credit counseling services and debt management plans on a nonprofit basis.”  Plaintiff asserts that another entity: (1) provides back-office and administration services to Defendant, (2) exerts control over Defendant’s telemarketers, and (3) generates income from Defendant’s telemarketing activities.  Pinn v. Consumer Credit Counseling Foundation, Inc., No. 22-cv-04048, 2023 WL 21278 (N.D. Cal. Jan. 3, 2023).

Plaintiff asserted class action claims under the Telephone Consumer Protection Act, 47 U.S.C. § 227(c)(5) (“TCPA”).  Defendant filed a motion to dismiss because the calls were to promote Defendant’s tax-exempt nonprofit “debt counseling services.”  The District Court denied the motion and permitted the case to proceed by analyzing the dual commercial and non-commercial purpose of a nonprofit entity’s communications:

    • TCPA’s regulation: The TCPA authorizes “[a] person who has received more than one telephone call within any 12-month period by or on behalf of the same entity in violation of the regulations prescribed under this subsection” to bring an action for injunctive relief and/or actual or statutory damages of up to $500 per violation.  47 U.S.C. § 227(c)(5).  The corresponding regulations provide in relevant part that “[n]o person or entity shall initiate any telephone solicitation to … [a] residential telephone subscriber who has registered his or her telephone number on the national do-not-call registry of persons who do not wish to receive telephone solicitations that is maintained by the Federal Government.” 47 C.F.R. § 64.1200(c)(2).  This prohibition also applies to wireless telephone numbers.  47 C.F.R. § 64.1200(e).  A telephone solicitation “does not include a call or message … [b]y or on behalf of a tax-exempt nonprofit organization.”  47 C.F.R. § 64.1200(f)(15)(iii) (emphasis added).
    • 2003 FCC Order: The Federal Communications Commission (“FCC”), in a 2003 order, states concerns about calls made jointly by nonprofit and for-profit organizations,” including that the exemption “frequently has been used to veil what is in reality a commercial venture.”  In Re Rules & Reguls. Implementing the Tel. Consumer Prot. Act of 1991, 18 F.C.C. Rcd. 14014, 14087-88 (2003) (emphasis added).
    • 2005 FCC Order: The FCC, in a 2005 order, states that “[i]n circumstances where telephone calls are initiated by a for-profit entity to offer its own, or another for-profit entity’s products for sale–even if a tax-exempt nonprofit will receive a portion of the sale’s proceeds–such calls are telephone solicitations as defined by the TCPA.”  In the Matter of Rules & Reguls. Implementing the Tel. Consumer Prot. Act of 1991, 20 F.C.C. Rcd. 3788, 3800 (2005).
    • Massaro/PETA ruling: In Massaro v. Beyond Meat, Inc., 3:20-cv-510, 2021 WL 948805, at *6 (S.D. Cal. March 12, 2021), the court ruled that the nonprofit exemption did not apply, at the pleadings stage, to a nonprofit – People for the Ethical Treatment of Animals (“PETA”) – which could be held liable under the TCPA for sending marketing text messages promoting alternative animal food products because the text messages were made with dual commercial and non-commercial purposes.  PETA denied that it received compensation from Beyond Meat for the marketing messages, but the court was obligated to accept the allegations as true for purposes of the motion to dismiss.  See also, Aranda v. Caribbean Cruise Line, Inc., 179 F. Supp. 3d 817, 828 (N.D. Ill. 2016) (analyzing a different TCPA exemption for calls made for a non-commercial purpose).

In sum, courts will not automatically dismiss a TCPA action against a nonprofit entity and, instead, the court will analyze the commercial and noncommercial purposes of the communications.


FTC Asserts ROSCA Claims Against Vonage Over Process To End Subscriptions & Vonage Settles For $100M

The Federal Trade Commission protects e-commerce consumers from “dark pattern” tactics which prevent consumers from cancelling their services.  Vonage agreed to pay $100 million – a record-breaking settlement amount – to the FTC to settle charges that it created a series of obstacles for its customers – both residential and business consumers – to cancel their service which included hidden termination fees.

In its Complaint filed in the United States District Court for the District of New Jersey on November 3, 2022, the FTC alleged that Vonage made it very easy to sign up but much harder to cancel a subscription contract, including by:

    • Eliminating cancellation options: Since 2017, Vonage allegedly made the decision to force customers to speak with a live “retention agent” in order to cancel service.  In contrast, customers could sign up for services online, over the phone, and through other venues.
    • Making cancellation process difficult:  The company allegedly: (1) made it difficult to find the phone number for the “retention agent” on the website, (2) failed to consistently transfer consumers to that number from the normal customer service number, (3) offered reduced hours the line was available, and (4) failed to provide promised callbacks.
    • Surprising customers with expensive fees when attempting to cancel:  Vonage allegedly charged early termination fees (“ETFs”) that were not clearly disclosed when the customer initially signed up for service.  At times, these ETFs were hundreds of dollars.
    • Charging customers who already cancelled service:  Vonage allegedly continued charging customers and then only provided partial refunds when customers complained.

In its Complaint, the FTC alleged that these actions violated Sections 13(b) and 19 of the Federal Trade Commission Act, 15 §U.S.C. 53(b), 57(b), and Section 5 of the Restore Online Shoppers’ Confidence Act (“ROSCA”), 15 U.S.C. § 8404.

ROSCA was passed and effective in 2010 in order to help promote consumer confidence for online commerce and thus requires the Internet to provide accurate information and give sellers an opportunity to fairly compete with one another for consumers’ business.  Section 2 of ROSCA, 15 U.S.C. § 8401.

Section 4 of ROSCA, 15 U.S.C. § 8403, generally prohibits charging consumers for goods and services sold in transactions effected on the Internet through a negative option feature, as that term is defined in the Commission’s Telemarketing Sales Rule (“TSR”), 16 C.F.R. § 310.2(w), unless the seller, among other things, (1) provides text that clearly and conspicuously discloses all material terms of the transaction before obtaining the consumer’s billing information, (2) obtains the consumer’s express informed consent for the charges, and (3) provides simple mechanisms for a consumer to stop recurring charges.  The TSR defines a negative option feature as a provision in an offer or agreement to sell or provide any goods or services “under which the consumer’s silence or failure to take an affirmative action to reject goods or services or to cancel the agreement is interpreted by the seller as acceptance of the offer.”  16 C.F.R. § 310.2(u).

In the Complaint, the FTC alleged that Vonage violated ROSCA by failing to:

    • provide required disclosures, including disclosing all material transaction terms such as the methods of cancelling services,
    • obtain express informed consent before charging the consumer’s credit card, debit card, bank account, or other financial account for products, and
    • provide a simple mechanism for stopping recurring charges.

Federal Trade Commission v. Vonage Holdings Corp., et al., No. 3:22-cv-06435 (D.N.J. Nov. 3, 2022).  The FTC will use the $100 million settlement to provide refunds to Vonage consumers.

ABCmouse – disclosure membership terms:  Similarly, in an earlier case, the FTC filed a Complaint against Age of Learning, Inc., which operates the children online learning program ABCmouse.  Federal Trade Commission v. Age of Learning, Inc., a corporation also d/b/a ABCmouse and, No. 2:20-cv-7996 (C.D. Cal. Sept. 1, 2020).  In that case, the FTC asserted that Defendant failed to disclose membership terms which led to consumers being charged without their consent, and the FTC settled with Defendant for $10 million.

Swifties and concertgoers – petition against Ticketmaster:  As recently as last week, Taylor Swift fans (a/k/a Swifties) and concertgoers petitioned for an investigation regarding fees charged and processes of the website operated by Ticketmaster.  Stay tuned!

In sum, companies should evaluate their e-commerce disclosures, fee structures, and process for providing/ending service.

TCPA Class Action: Website Disclosure and Lead Marketers

The Ninth Circuit reviewed a website disclosure form – for a marketing website that generates leads – to determine when consumers assent to terms through interacting with a website.  The Ninth Circuit analyzed the factors of: (1) reasonably conspicuous notice, (2) manifestation of assent, and (3) use of the word – arbitration – in the notice itself.  Berman v. Freedom Financial LLC, 30 F.4th 849 (9th Cir. 2022).  Many similar federal court rulings concern websites in which the consumer is engaging in a transaction – such as buying a product – so Berman has a different factual basis because the marketing website was giving away free items as a means of obtaining leads for other companies.

In the facts underlying this case, Fluent is a digital marketing company that generates consumer leads for its clients by collecting information about consumers who visit Fluent’s websites.  Fluent offers free items via its websites such as gift cards and free product samples as an enticement to get consumers to provide their contact information and answer survey questions.  Fluent then uses the information it collects in targeted marking campaigns conducted on behalf of its clients.

Fluent asked the first plaintiff to: (1) “confirm her zip code” by clicking a button and then (2) click on a large button stating “this is correct, continue!”  Fluent asked the second plaintiff to: (1) confirm “gender” by clicking a large button and then (2) click the “continue” button.  Significantly, located in between these two buttons were two lines of text – in small gray font which was partially underlined – stating: “I understand and agree to the Terms and Conditions which includes mandatory arbitration and Privacy Policy.”

Defendants used the contact information provided by consumers like plaintiffs to conduct a telemarketing campaign on behalf of defendants.

Plaintiffs filed a TCPA class action on behalf of consumers who received unwanted calls or text messages from defendants during the telemarketing campaign.  Defendants filed a motion to compel arbitration which was denied.  The Ninth Circuit reviewed the denial of the motion.

The Ninth Circuit noted that the Federal Arbitration Act (“FAA”) limits the court’s role to determining whether a valid arbitration agreement exists and, if so, whether the agreement encompasses the dispute at issue.  Plaintiffs did not contest that the arbitration provision on the websites’ terms and conditions encompasses their TCPA claims.  Thus, the only legal issue was whether either plaintiff assented to the terms, including the arbitration agreement.

The Ninth Circuit first discussed whether New York or California law governs, and the result would be the same under either state’s law because both states require mutual consent.  Absent a showing of “actual knowledge” of the contract terms by the consumer-plaintiff, inquiry notice will result in a contract only if: (1) the website provides “reasonably conspicuous” notice and (2) the consumer makes an “unambiguous” manifestation of assent.  The Ninth Circuit ruled that neither condition is satisfied and analyzed:

  • Reasonably conspicuous notice:  Website users are entitled to assume that important provisions – such as those that disclose the existence of contractual terms – will be prominently displayed.  The Ninth Circuit looked at:
    • Font size: the size of the text in the disclosure was smaller than the font in the surrounding website elements
    • Color:  the gray color of the text containing the hyperlink to the full terms and conditions made the disclosure hard to read
    • Phrase:  the specific phrase used on the button that users click to agree to the terms and conditions was generically phrased as “continue”
    • Underlining: the underlining for the hyperlinks to the arbitration agreement did not sufficiently denote the hyperlink
  • Manifestation of assent:  The “continue” button did not indicate to the user what action would constitute assent to those terms and conditions.  Further, the text of the button itself gave no indication that it would bind plaintiffs to a set of terms and conditions.
  • Including “arbitration” in the notice:  Merely because the notice references the word “arbitration” is not enough because the key question is whether the plaintiffs can be deemed to have manifested their assent to the terms.

The Ninth Circuit affirmed the denial of the motion to compel arbitration.

In sum, websites should comply with the three bullet-point analysis – reasonably conspicuous, manifestation of assent, and use of “arbitration” in the notice – to create enforceable contracts via website disclosures.

Biometric Data: Texas AG Sues Google

The Texas Attorney General sued Google for allegedly violating state laws by collecting biometric data on face and voice features without seeking the full consent of users as required under the Texas Capture or Use of Biometric Identifier Act (“CUBI”).  The complaint is another example of the role of individual states in protecting users’ information on the internet.

The Texas Attorney General (“AG”) alleges that:

    • Products:  Since at least 2015, Google collected data from Texans and “used their faces and voices to serve Google’s commercial ends” including features such as Google Photo’s “Face Grouping,” which uses facial-recognition software to group similar faces together to form a folder of photos for a particular person.  The AG also cites to the Nest Hub Max’s “Face Match” and Next products’ “voice-controlled personal assistant” as programs by which Google is able to collect biometric data from Texans.
    • No consent or opt out:  These features violate the CUBI because they do not request consent before use or give users the option to opt out of the software.
    • Storing data:  The AG asserts that Google is using and storing Texans’ information for further development and use.


    • Inform and consent: The CUBI prohibits companies from collecting voice or face data for commercial purposes without first informing users.  The CUBI prohibits an entity from capturing a biometric identifier for commercial purposes unless the entity: (1) informs the individual before capturing the biometric identifier and (2) receives the individual’s consent to capture the biometric identifier.
    • Definition:  The CUBI defines “biometric identifier” as including: retina or iris scan, fingerprint, a record of hand or face geometry, or voiceprint (the CUBI does not apply to voiceprint data retained by financial institutions per 15 U.S.C. § 6809).
    • Penalty:  The CUBI permits the AG to bring an action.  Each violation is subject to a $25,000 penalty.

The AG’s action against Google is similar to the one brought against Facebook parent Meta earlier this year, also under the CUBI.  Further, Google previously agreed to pay $100 million to settle a class-action lawsuit in Illinois alleging the company’s face-grouping tool which allegedly violated Illinois privacy laws.

TCPA: Consent by “Somebody” Insufficient To Avoid Liability

The “intended recipient” approach is no longer a viable argument when seeking to dismiss a TCPA claim at the initial pleading stage.  Blalack v., 2022 WL 7320045 (C.D. Cal. Oct. 11, 2022).

In Blalack, Defendant is a real estate listing service which markets rent-to-own properties to consumers.  Over a one year period, Defendant sent 108 telemarketing text messages to Plaintiff Jamie Blalack’s cell phone to solicit her to purchase a subscription to Defendant’s services.  Screenshots of text messages read:

    • “Thank You for Signing up for Property Alerts.”
    • “Good morning, Harry. Search for properties in 74063 now.” (Plaintiff’s name is not Harry, and 74063 is not Plaintiff’s zip code).
    • “Reply HELP for HELP – STOP to stop.”

Each text contains a link which led Plaintiff to Defendant’s site to sign up for the service.  Only some texts offer Plaintiff the opportunity to “opt out” of future messages.

Plaintiff asserts that she did not consent to receive the text messages or communications from Defendant and that she uses her cell phone primarily for residential purposes.  Plaintiff registered her cell phone on the Federal Do Not Call Registry (“DNC Registry”).  Plaintiff also sent Defendant a written cease and desist letter, but Defendant continued sending the texts for another month.

In this lawsuit, Plaintiff asserts claims under the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227(c) seeking $500 per text, treble damages of $1500 per text, and injunctive relief.

Defendant filed a motion to dismiss, and the District Court denied these two arguments:

  • Residential purposes:  Defendant asserted that Plaintiff did not allege in the Complaint that her cell phone was used for residential purposes.  Yet, the District Court discussed:
    • 2003 FCC Order:  In 2003, the Federal Communications Commission’s  (“FCC”) Report and Order permits wireless subscribers  to participate in the DNC Registry.  Commission’s Report and Order, CG Docket No. 02-278, FCC 03-153, “Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991;” 47 C.F.R. § 64.1200(e).
    • DNC Registry Presumption:  In this Circuit, several district courts held that the allegations that a cell phone number is registered on the DNC  Registry is sufficient to establish – at the pleading stage – the presumption that the number is a residential one.
  • Prior express consent:  Defendant asserted that Plaintiff consented to receiving Defendant’s text messages.  There is no liability if the person making the telephone solicitations has obtained the subscriber’s prior express invitation or permission which is evidenced by a signed written agreement between the consumer and seller which states that the consumer agrees to be contacted by this seller and includes the telephone number to which the calls may be placed.  There is no liability if the call or message is to a person with whom the caller has an established business relationship.  Defendant argued that Plaintiff did not elect to opt out of receiving the messages, even though some messages permitted Plaintiff to do so.  Yet, the District Court discussed:
    • FCC Regulation:  To demonstrate “prior express invitation or consent,” the FCC Regulations require evidence of a “signed, written agreement,” and the screenshots do not: (1) constitute such a signed agreement, 47 C.F.R. § 64.1200(c)(ii); or (2) demonstrate a “voluntary two-way communication” between Plaintiff and Defendant that constitutes and “established business relationship,” 47 C.F.R. § 64.1200(f)(5).
    • Jamie, not Harry: The text identifies the recipient by a different name – Harry.  This allegation supports that Plaintiff did not provide her prior permission for the communications.

The District Court denied Defendant’s motion to dismiss and noted that there are fact questions that cannot be resolved on a motion to dismiss and are to be addressed in discovery.

In sum, the “intended recipient” approach is no longer a viable argument when seeking to dismiss a TCPA claim at the initial pleading stage.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress