This article has an unclear citation style .(April 2010) |
In re Gateway Learning Corp, 138 F.T.C. 443 File No. 042-3047, was an investigatory action by the Federal Trade Commission (FTC) of the Gateway Learning Corporation, distributor of Hooked on Phonics. [1] In its complaint, the FTC alleged that Gateway had committed both unfair and deceptive trade practices by violating the terms of its own privacy policy and making retroactive changes to its privacy policy without notifying its customers. [2] Gateway reached a settlement with the FTC, entering into a consent decree in July 2004, before formal charges were filed. [3]
The core regulatory mission of the FTC, is to promote and ensure consumer protection and to prevent anti-competitive business practices. The consumer protection authority the FTC relied on in this action against Gateway Learning Corp was derived from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices. [4] These two specific prohibitions, unfairness and deception, represent two distinct prongs of the FTC's consumer protection authority under Section 5. [5] Historically, the FTC has tended to allege deception in its consumer protection actions. [6] This action against Gateway is notable in that the FTC alleges both deception and unfairness. [7]
Gateway Learning Corp. is better known as the company that markets and sells the popular children's reading product "Hooked on Phonics". [8] Gateway had been selling Hooked on Phonics to teachers and parents on its website, www.hop.com, since as early as 2000. [8] Through the website, Gateway had been collecting personal information from visitors and customers. [9] This information included "the parent’s first and last name, billing address, shipping address, phone number, email address, purchase history, and his or her child’s age and gender". [9]
Gateway's privacy policy at the time, which described, amongst other things, how the company uses the information it collects from customers, had been in place since at least 2000 and remained unchanged until July 2003. [10] In pertinent part, this initial policy made the following representations:
Our Promise of Privacy [...] We at Gateway Learning Corporation are committed to protecting the privacy of our visitors, and we treat any information you share with discretion, care and respect. This notice describes our privacy policy for the Hooked on Phonics Web site [...].
Do we share your personally identifiable information with third parties? We do not sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive a customer’s explicit consent. We do share information with third parties that help us run our operations or provide services to customers (e.g., credit card processing and shipping companies), but only to the extent necessary to provide these services.
What about children’s privacy? The Site does not sell products for purchase by children; we sell children’s products for purchase by adults. Children under 13 years of age may not submit personal information without the consent of their parents. We do not provide any personally identifiable information about children under 13 years of age to any third party for any purpose whatsoever.
Will this policy change? If at some future time there is a material change to our information usage practices that affect your personally identifiable information, we will notify you of the relevant changes on this Site or by e-mail. You will then be able to opt-out of this information usage by sending an e-mail to: [omitted] You should also check this privacy policy for changes. [11]
In short, the privacy policy claimed: [11]
Despite the representations in the privacy policy, however, in April 2003 Gateway begin selling access to the personal information it had collected. [12] The third parties that purchased the information were marketers and direct advertisers seeking to sell products that might be of interest to parents with young children. [12] This act on Gateway's part constituted the first of the violations that the FTC would eventually allege. [13] Gateway had expressly told its customers and website visitors that it would not sell their personal information without first receiving their consent, but in fact the company proceeded to do precisely that. Gateway's failure to abide by its own stated policies in this regard was perhaps the principle trigger for the FTC's deceptive trade practice allegation.
There was at least one other representation in the privacy policy that Gateway failed to honor, and which the FTC considered equally deceptive. [14] Specifically Gateway had claimed that it would notify users if the privacy policy were to undergo significant changes in the future. [14] But, as discussed further below, in July 2003 Gateway did precisely what it had agreed not to do. [15] It introduced significant changes to its privacy policy, and it did so without notifying its customers and site visitors, thus again violating the terms of its privacy policy. [15] The FTC complaint referred to this specific act as "false or misleading". [16] The FTC's use of the word "misleading" indicates that it was prepared to characterize this act as a deceptive practice, as the first element of a deception allegation is that "there must be a representation, omission or practice that is likely to mislead the consumer". [17]
The modification of the privacy policy in July 2003 also provided the foundation for the FTC's unfairness allegation. [18] Presumably after Gateway realized that its practice of selling customer information was in direct conflict with the representation it had made in its privacy policy, the company introduced updates to the privacy policy, which, amongst other things, made more transparent that the company would in fact release users’ personal information without consent. [19] In pertinent part, one specific section of the privacy policy was changed to read as follows:
Do we share your personally identifiable information with third parties? From time to time, we may provide your name, address and phone number (not your e-mail address) to reputable companies whose products or services you may find of interest. If you do not want us to share this information with these companies, please write to us at: Gateway Learning Corporation, 2900 South Harbor Blvd., Suite 202, Santa Ana, CA 92704, call 1-800-544-7323 or e-mail us at [omitted] with the word do-not-share in the subject line. [19]
Not only did Gateway fail to give notice about this change, but it also treated the changed policy as applying retroactively to personal information it had collected in the past, under the previous policy terms. [18] That is, Gateway proceeded to use existing customer data, collected under the terms of the former policy, as if that data had been collected under the terms of the new policy.
This act specifically caught the attention of the Federal Trade Commission. [6] Whether or not it considered the mere introduction of the new policy to be deceptive, the FTC clearly found the retroactive application of the new policy to be unfair. [18] In the words of Jessica Rich, an assistant director at the FTC's' Bureau of Consumer Protection, "The unfairness […] was changing the policy and applying the new policy to information that had already been collected. We wanted to make clear that that practice in and of itself is something that is specifically wrong and illegal. It is separate from the other [deception] violation." [6]
The FTC's complaint itself articulated the unfairness allegation as follows: "Respondent’s retroactive application of its revised privacy policy caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers. The practice was, and is, an unfair act or practice." [18]
On July 7, 2004, Gateway settled the complaint with the FTC by entering into a Consent Decree that required Gateway to surrender certain profits to the U.S. Treasury and placed various restrictions upon Gateway that would remain in effect for twenty years. [20] No formal charges were ever filed against Gateway in federal, state, or administrative court. [21] And Gateway was not required to admit any fault as part of the settlement. [21] All five Commissioners of the FTC supported the Consent Decree. [22]
As part of the first order of the Consent Decree, Gateway agreed that it would immediately cease, and refrain from, misrepresenting its practice of renting, selling, and loaning the personal information it had collected from customers and site visitors. [23] As part of this same order, Gateway also agreed not to misrepresent the manner by which it will notify consumers of changes in the privacy policy. [23] Note that this order did not flatly prohibit Gateway from engaging in renting, selling, and loaning personal information. It only prohibited Gateway from misleading its users about those practices, as it had done in its initial privacy policy.
Order II of the Decree prohibited Gateway from selling, renting, trading, or disclosing any personal information it had collected from consumers under its initial privacy policy, unless and until the company obtain express affirmative consent from the individual consumers. [24] Order III forbade retroactive application of new privacy policy terms to data collected under previous policies. [25] Order IV required Gateway to convey $4,608 to the United States Treasury, that is, the profits the companies had received through the alleged unfair and deceptive practices. [26] The Order characterized this conveyance as a disgorgement. [26]
Orders V through VIII established a number of additional administrative and procedural compliance requirements for Gateway. Order V required the company to "make available to the Federal Trade Commission for inspection […] all documents demonstrating [the company's] compliance with the terms and provisions of [the Consent Decree]. [27] Order VI required Gateway to deliver copies of the Decision and Order to all "current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities with respect to the subject matter of [the] Order." [28] Gateway was also required, under Order VII, to notify the FTC of all future changes in the corporation that might in some way affect it compliance with the requirements of the Consent Decree. [29] And finally, Order VIII required that Gateway would submit ongoing detailed reports to the FTC, at the FTC's request and discretion, demonstrating the manner of the company's compliance with the Consent Decree. [30]
At a very basic level, the Gateway investigation provided important insights for U.S. companies about the FTC's position on privacy policy violations, particularly violations pertaining to the disclosure of customer information. Had there been any doubt, the Gateway case announced that the FTC viewed consumer privacy protection as part of its mandate. The FTC made clear that companies were, in fact, bound by the terms they expressed in their privacy policies, and that retroactive applications of new privacy policies, without proper notification, would be considered an inherently unfair act.
Jessica Rich, an assistant director at the FTC's Bureau of Consumer Protection, made the following comment on the case, "[i]f you have a privacy policy and people give their information under those promises in your privacy policy, you can't then change the policy and use the information you already collected consistent with the new policy." [6] She continued, "[y]ou have to keep the promises you made when you collected the information. Until now, the FTC certainly hasn't been on record and I don't think anyone else has challenged this practice and made it very clear that it's illegal". [6] In the words of Howard Beales, then Director of the FTC's Bureau of Consumer Protection "It's simple – if you collect information and promise not to share, you can't share unless the consumer agrees [...] You can change the rules but not after the game has been played." [22]
As mentioned above, The Gateway investigation is also notable as the first FTC case in which the agency alleged both deceptive and unfair practices in response to material changes in a privacy policy. [7] The deception claim had been commonplace in prior FTC investigations, but the unfairness claim was something different. Said Rich, "[t]he unfairness [in Gateway] was changing the policy and applying the new policy to information that had already been collected. We wanted to make clear that that practice in and of itself is something that is specifically wrong and illegal. It is separate from the other violation." [6]
But the FTC has played down, to some extent, the significance of the unfairness allegation. "There are two prongs to our authority in this area and we can use either one. We just have tended to use deception more frequently because that's what happened. [Citing unfair practices] is not unprecedented," said Rich. [6] "All our cases are an interpretation of what is unfair or deceptive and in violation of the FTC Act [...] Just as in any case law, whenever a case comes out, it enunciates a new interpretation of what the law requires. But alleging unfairness doesn't uniquely establish new policy in a way that deception doesn't." [6]
Some commentators have also expressed skepticism about the seemingly paltry sum of money that Gateway was required to pay as disgorgement for its ill-gained profits. Indeed, the $4,608 payment to Treasury was not regarded by anyone as a hefty fine. To some the small fine is indicative of the FTC's inability to effectively enforce and regulate consumer privacy matters in the marketplace. [31] The other requirements imposed upon Gateway, however, seem to tell a different story. [32] The administrative compliance and reporting requirements alone, articulated above in the discussion about the Consent Decree are decidedly burdensome on Gateway. The fact that some of the orders will be in effect until the year 2024 speaks further to this point. Presumably these aspects of the Consent Decree, not the monetary fine, were the aspects that the FTC intended as a deterrent against similar violations by other companies in the future.
The Federal Trade Commission Act of 1914 is a United States federal law which established the Federal Trade Commission. The Act was signed into law by US President Woodrow Wilson in 1914 and outlaws unfair methods of competition and unfair acts or practices that affect commerce.
The Federal Trade Commission (FTC) is an independent agency of the United States government whose principal mission is the enforcement of civil (non-criminal) antitrust law and the promotion of consumer protection. The FTC shares jurisdiction over federal civil antitrust law enforcement with the Department of Justice Antitrust Division. The agency is headquartered in the Federal Trade Commission Building in Washington, DC.
False advertising is the act of publishing, transmitting, distributing, or otherwise publicly circulating an advertisement containing a false claim, or statement, made intentionally to promote the sale of property, goods, or services. A false advertisement can be classified as deceptive if the advertiser deliberately misleads the consumer, rather than making an unintentional mistake. A number of governments use regulations or other laws and methods to limit false advertising.
A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.
BBB National Programs, an independent non-profit organization that oversees more than a dozen national industry self-regulation programs that provide third-party accountability and dispute resolution services to companies, including outside and in-house counsel, consumers, and others in arenas such as privacy, advertising, data collection, child-directed marketing, and more. The Center for Industry Self-Regulation (CISR) is BBB National Programs' 501(c)(3) non-profit foundation. CISR supports responsible business leaders in developing fair, future-proof best practices, and the education of the public on the conditions necessary for industry self-regulation.
Movieland, also known as Movieland.com, Moviepass.tv and Popcorn.net, was a subscription-based movie download service that has been the subject of thousands of complaints to the Federal Trade Commission, the Washington State Attorney General's Office, the Better Business Bureau, and other agencies by consumers who said they were held hostage by its repeated pop-up windows and demands for payment, triggered after a free 3-day trial period. Many said they had never even heard of Movieland until they saw their first pop-up. Movieland advertised that the service had "no spyware", and that no personal information would need to be filled out to begin the free trial.
Consumer protection is the practice of safeguarding buyers of goods and services, and the public, against unfair practices in the marketplace. Consumer protection measures are often established by law. Such laws are intended to prevent businesses from engaging in fraud or specified unfair practices to gain an advantage over competitors or to mislead consumers. They may also provide additional protection for the general public which may be impacted by a product even when they are not the direct purchaser or consumer of that product. For example, government regulations may require businesses to disclose detailed information about their products—particularly in areas where public health or safety is an issue, such as with food or automobiles.
Federal Trade Commission v. Sperry & Hutchinson Trading Stamp Co., 405 U.S. 233 (1972), is a decision of the United States Supreme Court holding that the Federal Trade Commission (FTC) may act against a company's “unfair” business practices even though the practice is none of the following: an antitrust violation, an incipient antitrust violation, a violation of the “spirit” of the antitrust laws, or a deceptive practice. This legal theory is termed the "unfairness doctrine."
The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.
In the middle of 2009 the Federal Trade Commission filed a complaint against Sears Holdings Management Corporation (SHMC) for unfair or deceptive acts or practices affecting commerce. SHMC operates the sears.com and kmart.com retail websites for Sears Holdings Corporation. As part of a marketing effort, some users of sears.com and kmart.com were invited to download an application developed for SHMC that ran in the background on users' computers collecting information on nearly all internet activity. The tracking aspects of the program were only disclosed in legalese in the middle of the End User License Agreement. The FTC found this was insufficient disclosure given consumers expectations and the detailed information being collected. On September 9, 2009 the FTC approved a consent decree with SHMC requiring full disclosure of its activities and destruction of previously obtained information.
This report is the result of a student task force exploration of the Federal Trade Commission (FTC), completed over the course of a summer job led by Ralph Nader. The seven law student volunteers began their evaluation of the FTC in June 1968, and published a revised and expanded version of the report as a book in January 1969.
David C. Vladeck is an American lawyer and the former director of the Bureau of Consumer Protection of the Federal Trade Commission, an independent agency of the United States government. He was appointed by the chairman of the FTC, Jon Leibowitz, on April 14, 2009, shortly after Leibowitz became chairman.
The Telemarketing and Consumer Fraud and Abuse Prevention Act is a federal law in the United States aimed at protecting consumers from telemarketing deception and abuse. The act is enforced by the Federal Trade Commission. The act expanded controls over telemarketing and gave more control to prescribe rules to the Federal Trade Commission. After the passage of the act, the Federal Trade Commission is required to (1) define and prohibit deceptive telemarketing practices; (2) keep telemarketers from practices a reasonable consumer would see as being coercive or invasions of privacy; (3) set restrictions on the time of day and night that unsolicited calls can be made to consumers; (4) to require the nature of the call to be disclosed at the start of any unsolicited call that is made with the purpose of trying to sell something.
Do Not Track legislation protects Internet users' right to choose whether or not they want to be tracked by third-party websites. It has been called the online version of "Do Not Call". This type of legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content. Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of that data outside its context. Efforts to standardize Do Not Track by the World Wide Web Consortium did not reach their goal and ended in September 2018 due to insufficient deployment and support.
United States v. Google Inc., No. 3:12-cv-04177, is a case in which the United States District Court for the Northern District of California approved a stipulated order for a permanent injunction and a $22.5 million civil penalty judgment, the largest civil penalty the Federal Trade Commission (FTC) has ever won in history. The FTC and Google Inc. consented to the entry of the stipulated order to resolve the dispute which arose from Google's violation of its privacy policy. In this case, the FTC found Google liable for misrepresenting "privacy assurances to users of Apple's Safari Internet browser". It was reached after the FTC considered that through the placement of advertising tracking cookies in the Safari web browser, and while serving targeted advertisements, Google violated the 2011 FTC's administrative order issued in FTC v. Google Inc.
In the Matter of TRENDnet, Inc., F.T.C. File No. 122-3090, is the first legal action taken by the Federal Trade Commission (FTC) against "the marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the Internet of things." The FTC found that TRENDnet had violated Section 5(a) of the Federal Trade Commission Act by falsely advertising that IP cameras it sold could transmit video on the internet securely. On January 16, 2014 the FTC issued a Decision and Order obliging TRENDnet, among other things, to cease misrepresenting the extent to which its products protect the security of live feeds captured and the personal information that is accessible through those devices.
FTC v. Balls of Kryptonite is an enforcement action brought in 2009 by the U.S. Federal Trade Commission (FTC) in United States District Court for the Central District of California. The defendant was Jaivin Karnani, a Southern California man, his company Balls of Kryptonite LLC, and several other corporate names they did business as. In 2011 the FTC secured a court order barring Karnani and Balls of Kryptonite from engaging in many of the deceptive business practices that had brought him to the agency's attention.
A dark pattern is "a user interface that has been carefully crafted to trick users into doing things, such as buying overpriced insurance with their purchase or signing up for recurring bills". User experience designer Harry Brignull coined the neologism on 28 July 2010 with the registration of darkpatterns.org, a "pattern library with the specific goal of naming and shaming deceptive user interfaces". In 2023 he released the book Deceptive Patterns.
The gathering of personally identifiable information (PII) refers to the collection of public and private personal data that can be used to identify individuals for various purposes, both legal and illegal. PII gathering is often seen as a privacy threat by data owners, while entities such as technology companies, governments, and organizations utilize this data to analyze consumer behavior, political preferences, and personal interests.
Financial privacy laws regulate the manner in which financial institutions handle the nonpublic financial information of consumers. In the United States, financial privacy is regulated through laws enacted at the federal and state level. Federal regulations are primarily represented by the Bank Secrecy Act, Right to Financial Privacy Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. Provisions within other laws like the Credit and Debit Card Receipt Clarification Act of 2007 as well as the Electronic Funds Transfer Act also contribute to financial privacy in the United States. State regulations vary from state to state. While each state approaches financial privacy differently, they mostly draw from federal laws and provide more stringent outlines and definitions. Government agencies like the Consumer Financial Protection Bureau and the Federal Trade Commission provide enforcement for financial privacy regulations.