October 2022

The Federal Trade Commission is taking action against education technology provider Chegg Inc. for its lax data security practices that exposed sensitive information about millions of its customers and employees, including Social Security numbers, email addresses and passwords. Chegg allegedly failed to fix problems with its data security despite experiencing four security breaches since 2017. The FTC’s proposed order requires the company to bolster its data security, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.

“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”

The California-based company has sold educational products and services targeted to high school and college students, including online tutoring and a college scholarship search service. Chegg collects a variety of personal information about its users. For example, as part of its scholarship search service, Chegg has collected information about users’ religious denominations, heritage, dates of birth, sexual orientation, and disabilities. It also has collected and stored sensitive personal information about its employees, including dates of birth, Social Security numbers, and financial and medical data.

In a complaint, the FTC alleged that Chegg failed to protect the personal information it has collected from its users and employees. As a result, the company experienced four data breaches that exposed that personal information. The first occurred in September 2017, when multiple Chegg employees fell for a phishing attack that allowed a hacker to gain access to employees’ direct deposit information. Less than a year later, a former Chegg contractor used login information the company shared with employees and outside contractors to access one of Chegg’s third-party cloud databases containing personal information of approximately 40 million customers. The exposed personal information included names, email addresses, passwords, and for certain users, sensitive scholarship data such as dates of birth, parents’ income range, sexual orientation, and disabilities. In the next two years, Chegg experienced two more data breaches involving phishing attacks that successfully targeted Chegg employees. These attacks exposed sensitive data about Chegg’s employees including medical and financial information.

The FTC’s complaint alleges that these data breaches stemmed from Chegg’s poor data security practices, which included:

• Failing to implement basic security measures: The FTC alleged that despite its promises, Chegg failed to use “commercially reasonable security measures” to protect personal information it collected and stored. For example, at various times throughout the relevant time period, it did not require employees to use multifactor authentication measures to log into its third-party databases, allowed employees and contractors to use a single login to access those databases, and failed to monitor its network and databases for threats.
• Storing information insecurely: Chegg stored personal data on its cloud storage databases in plain text and used until at least 2018 outdated and weak encryption to protect user passwords.
• Failing to Develop Adequate Security Policies and Training: Even after experiencing three phishing attacks, the company failed to provide adequate security training to employees and contractors and implement a written security policy until January 2021.

As a result of these failures, some of the data about Chegg’s 40 million customers stolen by its former contractor was later found for sale online. Chegg’s failure to protect its employees’ medical and financial data was particularly problematic since this information is valuable on the open market and is used to commit identity theft and fraud, according to the complaint.

As part of the proposed order, Chegg will be required to take several steps to address the problems outlined in the FTC’s complaint including:

• Detail and Limit Data Collection:Chegg must document and follow a schedule that sets out what personal information the company collects, why it collects the information, and when it will delete the information.
• Provide Consumer Access to Data: Chegg must provide its customers access to data collected about them and allow them to request that the company delete that data.
• Implement Multifactor Authentication:Chegg must provide multifactor authentication or another authentication method to its customers and employees to help protect their accounts.
• Implement Security Program: Chegg must implement a comprehensive information security program that addresses the flaws in the company’s data security practices including encrypting consumer data and providing security training to its employees.

The action against Chegg is part of the FTC’s aggressive efforts to ensure education technology companies protect and secure personal data they collect and do not collect more information than is necessary. In May 2022, the Commission issued a policy statement warning education technologies against illegally collecting personal information from children under 13 in violation of the Children’s Online Privacy Protection Act, which also requires companies to secure the data they collect. The Commission also is taking steps to bolster security market-wide, including initiating  an advance notice of proposed rulemaking on commercial surveillance and lax data security practices. And the FTC continues to hold companies accountable for failing to secure consumer data. Earlier this month, the FTC announced an order with the online alcohol delivery marketplace Drizly and its CEO for its lax data security practices.

The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with Chegg.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

The Federal Trade Commission and State of California are taking action against home improvement financing provider Ygrene Energy Fund Inc. for deceiving consumers about the potential financial impact of its financing, and for unfairly recording liens on consumers’ homes without their consent. The FTC and California allege that Ygrene and its contractors falsely told consumers that the financing wouldn’t interfere with the sale or refinancing of their homes, in many instances relying on high-pressure sales tactics or outright forgery to sign consumers up.

“Ygrene and its sales force deceived consumers about home improvement financing and then stuck consumers with liens that made it difficult to sell their homes,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Our proposed order would require Ygrene to clean up its business practices, monitor its sales force, and help defrauded consumers remove their liens.”

“Ygrene Energy Fund took advantage of hardworking California families, jeopardizing their most valuable asset in the process,” said California Attorney General Rob Bonta. “Today’s settlement holds Ygrene accountable for their misconduct and establishes guardrails to protect property owners from future deception. PACE financing was meant to help families make important home improvements, but the dishonesty of companies like Ygrene has left some homeowners at risk of losing their homes. Before signing a PACE contract, I urge all Californians to familiarize themselves with this program and take the time to understand what it is and, most importantly, what it isn’t.”

A proposed court order would require Ygrene to stop its deceptive practices and meaningfully oversee the contractors who have served as its salesforce. As part of the settlement, Ygrene will be required to dedicate $3 million to provide relief to certain consumers whose homes are subject to the company’s liens.

California-based Ygrene has provided PACE financing, a form of secured home-improvement financing, for clean-energy home improvements in parts of California, Missouri, and Florida. Since 2015, Ygrene has trained home-improvement contractors to market the company’s PACE financing to homeowners as a way to pay for energy upgrades (e.g., solar panels or updated insulation) to consumers’ homes. These sales often happen door-to-door, with contractors approaching consumers in their homes, selling both the energy upgrade and the supposed benefits of Ygrene’s PACE financing.

PACE financing is a relatively new form of financing that relies on the property-tax system to collect payments from consumers. When a consumer uses PACE financing to pay for a clean energy project, a first-priority lien is placed against the consumer’s home, and the payments on the financing are collected through the homeowner’s property-tax bill. Failing to pay could subject a consumer to foreclosure on the property itself.

The FTC and California allege that Ygrene recruited and authorized home-improvement contractors, whom Ygrene did not adequately train or oversee, to sell its financing, leading to many consumers being deceived during the sales process and being unfairly subjected to liens on their homes without their express, informed consent. Specifically, according to the FTC and California, Ygrene and its contractors harmed consumers by:

• Deceiving consumers about PACE’s impact on home sales: The complaint alleges that Ygrene or its contractors provided false or misleading information that the lien placed on their home as a result of PACE financing could simply be transferred with a property when it was sold. In fact, many mortgage lenders will not provide financing to buy a property unless the PACE lien is paid off in full.
• Deceiving consumers about PACE’s impact on refinancing: In many cases, the complaint alleges, Ygrene or its contractors told consumers that the PACE lien would not interfere with their ability to refinance their homes. As with home sales, many lenders will not approve new financing until the PACE lien has been removed.
• Trapping consumers with PACE liens without clear consent: In many cases, Ygrene relies on an electronic signing system for its financing agreements with consumers. In some of these cases, the complaint alleges, Ygrene’s contractor sales practices have prevented consumers from meaningfully reviewing or consenting to key disclosures concerning the PACE lien. Contractors have rushed consumers through the electronic signing of the financing agreement, which appears in small print and is often presented to the consumer on a mobile phone or handheld tablet device – in many cases owned by the contractor – with a small screen that adds difficulty to navigating and understanding the agreement. In other cases, the contractor has forged the consumer’s signature by e-signing the contract without the consumer’s authorization. The complaint notes that even in some instances after Ygrene has received an electronic signature and has called the consumer to explain the terms of the agreement, the company has failed to ensure that it was speaking to the consumer or that the consumer has given clear consent to the lien.

Enforcement Action

Ygrene has agreed to a proposed court order with the FTC and California that would require it to stop violating the FTC Act and the California Unfair Competition and False Advertising Laws. The court order would require Ygrene to:

• Stop deceiving consumers: The order would require Ygrene to stop deceiving consumers about the transferability of the PACE financing obligation to the new owner in the event of a sale, the impact of PACE financing on the sale or refinancing of a home, or whether a home will be used as collateral in PACE financing.
• Closely monitor contractors: Ygrene would be required to create a program to closely monitor the actions of contractors who sell their financing products, to ensure they do not deceive consumers and do not forge consumers’ signatures on finance agreements. The order would also require Ygrene to investigate and act on consumer complaints about its contractors.
• Ensure that it has properly obtained consumer consent: The order would require Ygrene to obtain the consumer’s express, informed consent before causing the consumer’s property to be used as collateral to secure PACE financing.
• Conduct a lien-release process or provide refunds to consumers: The order would require Ygrene to send a survey to consumers with outstanding liens to determine whether the consumer personally signed the financing documents or authorized them to be signed by someone else. Survey responses and Ygrene documentation may be reviewed by a settlement administrator. The order would require Ygrene to establish a $3 million fund that could be used to release the liens placed on consumers’ homes without their consent. If the cost of releasing the liens is less than $3 million, the order would require Ygrene to provide the remaining funds to the FTC to be used to redress consumers harmed by practices alleged in the complaint.

The Commission vote authorizing the staff to file the complaint and stipulated final order was 4-0. The FTC filed the complaint and final order/injunction in the U.S. District Court for the Central District of California.

NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final injunctions/orders have the force of law when approved and signed by the District Court judge.

Following a public comment period, the Federal Trade Commission has finalized a consent order against Electrowarmth Products, LLC and its owner, Daniel W. Grindle, barring them from deceptively claiming the heated fabric mattress pads they sell for truck bunks are made in the USA.

The final order prohibits Grindle and Electrowarmth from making any country-of-origin claim about a product or service unless the claim is not misleading and they have a reasonable basis that substantiates their claim. It also requires the respondents to make certain disclosures about the country of origin of any product subject to the Textile Fiber Products Identification Act, and to provide compliance reports. The order also imposes a suspended $815,809 monetary judgment.

Based in Ohio, Grindle and Electrowarmth sell mattress pads of varying sizes, with wires and thermostats that provide heat. According to the FTC’s complaint, before 2019, Electrowarmth used U.S.-made textiles for mattress pads intended for use in truck bunks. But in a cost-cutting move, they decided to move production to China and stop using U.S.-made textiles, while continuing to market their heated trunk bunk mattress pads as “Made in USA,” “Made in the USA since 1939,” and “made-in-America products.”

The Commission vote approving final order and letters to the commenters of record was 4-0.

After a public comment period, the Federal Trade Commission has approved final orders against motorcycle manufacturer Harley-Davidson Motor Company Group, grill maker Weber-Stephen Products, and the manufacturer of Westinghouse outdoor power equipment, MWE Investments, for illegally restricting customers’ right to repair their purchased products.

In cases announced in June, the FTC alleged that Harley-Davidson and MWE Investments included terms in their warranties that claimed that the warranty would be void if customers used independent repairers or third-party parts, in violation of the Magnuson-Moss Warranty Act and the FTC Act. In addition, Harley-Davidson allegedly failed to properly disclose all warranty terms in a single document, and instead directed consumers to visit a local dealership to fully understand the warranty. In July, the FTC announced a similar case alleging that Weber’s warranty illegally claimed that the use of aftermarket parts would void the company’s warranty on gas and electric grills.

The orders require the companies to take multiple steps to correct their unlawful behavior:

• Prohibit further violations: The companies will be prohibited from further violations of the Warranty Act, and in Harley-Davidson’s case, the Disclosure Rule. They will also be prohibited from telling consumers that their warranties will be void if they use third-party services or parts, or that they should only use branded parts or authorized service providers. If the companies violate these terms, the FTC will be able to seek civil penalties of up to $46,517 per violation in federal court.
• Recognize consumers’ right to repair: Harley-Davidson and MWE Investments will be required to add specific language to their warranties similar to the following: “Taking your product to be serviced by a repair shop that is not affiliated with or an authorized dealer of [Company] will not void this warranty” and/or “using third-party parts will not void this warranty.”  Weber must add to its warranty a statement that “Using third-party parts will not violate this warranty.”
• Come clean with consumers: The companies must send and post notices informing customers that their warranties will remain in effect even if they buy aftermarket parts and/or patronize independent repairers.
• Alert dealers to compete fairly: Harley-Davidson and MWE Investments are being required to direct authorized dealers to remove deceptive display materials, train and monitor employees, and not promote branded parts and dealers over third parties.

The Commission votes to approve the final orders against Weber-Stephen Products and MWE Investments were 5-0. The Commission vote to approve the final order against Harley-Davidson and issue letters to commenters was 4-0.

The Federal Trade Commission released the final agenda for its annual PrivacyCon event, which will take place online on November 1, 2022. This year’s event will feature research presentations on commercial surveillance, automated decision making and a range of other topics.

FTC Chair Lina M. Khan will provide opening remarks to kick off the event. Her remarks will be followed by seven panel discussions on research on such topics as:

• Commercial surveillance
• Automated decision-making systems
• Children’s privacy
• Devices that listen to users
• Augmented reality and virtual reality
• Interfaces and dark patterns, and
• Advertising technology

Information about the panelists and PrivacyCon can be found on the event page. The event will begin at 9 a.m. ET and be live streamed on the FTC’s website, FTC.gov. A link to watch the event will be posted the day of the event. Follow the conversation on Twitter using the hashtag: #PrivacyCon22.

The Federal Trade Commission is taking action against the online alcohol marketplace Drizly and its CEO James Cory Rellas over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers. The FTC’s proposed order requires the company to destroy unnecessary data, restricts the data that the company can collect and retain, and binds Rellas to specific data security requirements for his role in presiding over unlawful business practices.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “CEOs who take shortcuts on security should take note.”

Boston-based Drizly, a subsidiary of Uber, operates an online marketplace where consumers of legal drinking age can place orders with retailers to buy beer, wine, and alcohol for delivery. The company collects and stores on Amazon Web Services cloud computing service a wide range of personal information from consumers such as email, postal addresses, phone numbers, unique device identifiers, geolocation information and data purchased from third parties.

According to the FTC’s complaint, Drizly and Rellas were alerted to problems with the company’s data security procedures following an earlier security incident. In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account. Drizly failed to take steps to adequately address its security problems while publicly claiming to have appropriate security protections in place. Two years later, a hacker breached an employee account, got access to Drizly’s corporate GitHub login information, hacked into the company’s database, and then stole customers’ information.

In its complaint, the FTC alleges that Drizly and Rellas:

• Failed to implement basic security measures: The FTC alleged that despite statements claiming the company used appropriate security practices to protect consumer data, Drizly and Rellas failed to put in place reasonable safeguards to secure the personal information it collected and stored. It did not require employees to use two-factor authentication for GitHub, limit employee access to personal data, develop adequate written security policies, or train employees on those procedures.

• Stored critical database information on an unsecured platform: According to the FTC’s complaint, Drizly stored login credentials on GitHub contrary to the platform’s own guidance and well-publicized security incidents involving GitHub. For example, in its 2018 complaint against Uber, the FTC specifically publicized and described poor security practices involving the use of Uber’s GitHub account that contributed to a data breach involving the ridesharing app.

• Neglected to monitor network for security threats: The FTC alleged that Drizly did not put a senior executive in charge of ensuring that the company was keeping its data secure, nor did it monitor its network for unauthorized attempts to access or remove personal data.

• Exposed customers to hackers and identity thieves: Following the company’s data breach, personal information that Drizly had collected about consumers was offered for sale on two different publicly accessible sites on the dark web, where criminals post and sell data stolen by hackers. Identity thieves and other malicious actors can use such data to open fraudulent lines of credit or commit other fraud. When unauthorized accounts are opened in their name, consumers can suffer financial harm by incurring debt and damaging their credit, the FTC alleged.

Enforcement Action

The proposed order against Drizly and Rellas includes several requirements aimed at ensuring they take steps to address the problems outlined in the FTC’s complaint. Under the proposed FTC order, Drizly and Rellas are required to:

• Destroy unnecessary data: Drizly is required to destroy any personal data it collected that is not necessary for it to provide products or services to consumers. It must also document and report to the Commission what data it destroyed.

• Limit future data collection: Going forward, Drizly must refrain from collecting or storing personal information unless it is necessary for specific purposes outlined in a retention schedule. It must also must publicly detail on its website the information it collects and why such data collection is necessary.

• Implement an information security program: Drizly is required to implement a comprehensive information security program and establish security safeguards to protect against the security incidents outlined in the complaint. This includes measures such as providing security training for its employees; designating a high-level employee to oversee the information security program; implementing controls on who can access personal data; and requiring employees to use multi-factor authentication to access databases and other assets containing consumer data.

Notably, the order applies personally to Rellas, who presided over Drizly’s lax data security practices as CEO. In the modern economy, corporate executives frequently move from company to company, notwithstanding blemishes on their track record. Recognizing that reality, the Commission’s proposed order will follow Rellas even if he leaves Drizly. Specifically, Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities.

This action is part of the FTC’s aggressive efforts to ensure that companies are protecting consumers’ data and that careless CEOs learn from their data security failures. Last year, the Commission secured its first order requiring a firm to minimize data collection and has worked in subsequent orders to ensure companies only collect what they need to conduct their business. The Commission is also taking steps to bolster security market-wide, including by finalizing updates to the Safeguards Rule, issuing a policy statement on the Health Breach Notification Rule, and initiating an advance notice of proposed rulemaking on commercial surveillance and lax data security practices.

The FTC voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with Drizly and Rellas. Commissioner Christine Wilson voted yes but dissented in part as to the inclusion of Rellas as an individual defendant and issued a separate statement. Chair Lina M. Khan and Commissioner Alvaro Bedoya issued a joint concurring statement and Commissioner Rebecca Kelly Slaughter issued a separate concurring statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

The Federal Trade Commission announced today it is exploring a potential rule to combat deceptive or unfair review and endorsement practices, such as using fake reviews, suppressing negative reviews, and paying for positive reviews. Deceptive and manipulated reviews and endorsements cheat consumers looking for real feedback on a product or service and undercut honest businesses.The FTC’s Advance Notice of Proposed Rulemaking (ANPR) seeks public comment on potential harms stemming from deceptive or unfair review and endorsement practices and whether a rule would help consumers and level the playing field for honest marketers.

“Companies should know by now that fake reviews are illegal, but this scourge persists,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We’re exploring whether a rule that would trigger stiff civil penalties for violators would make the market fairer for consumers and honest businesses.”

Research shows that many consumers rely on reviews when they’re shopping for a product or service, and that fake reviews drive sales and tend to be associated with low-quality products. The rapid growth of online marketplaces and platforms has made it easier than ever for some companies to create and use fake reviews or endorsements to make themselves look better or their competitors look worse. It can be difficult for anyone—including consumers, competitors, platforms, and researchers—to distinguish real from fake, giving bad actors big incentives to break the law.

The ANPR seeks comment on the costs and benefits of a potential rule, as well as the pervasiveness and potential harms to consumers and competition from certain clearly deceptive or unfair practices involving reviews and endorsements including:

• Fake reviews: These include reviews and endorsements by people who do not exist or have not used the product or service or who lie about their experiences.
• Review reuse fraud: Some sellers hijack or repurpose reviews posted about another product or service.
• Paid reviews: Marketers may pay for positive reviews about their products or negative reviews about competitors’ products.
• Insider reviews: These include reviews written by a company’s executives or solicited from its employees that don’t mention their connections to the company.
• Review suppression: Companies might claim that their websites display all reviews submitted by customers when they suppress negative reviews or attempt to suppress reviews on other platforms by threatening the reviewers.
• Fake review websites: This is when a seller sets up a purportedly independent website or organization to review or endorse its own products.
• Buying followers: This involves buying or selling followers, subscribers, views, or other indicators of social media influence.

The FTC has worked to crack down on purveyors of deceptive reviews and endorsements and has provided guidance to businesses on acceptable practices through the agency’s Endorsements Guides and other public materials. In August 2022, the FTC charged the rental listing platform Roomster and its owners with duping consumers seeking affordable housing by paying for fake reviews. In January 2022, the FTC required online fashion retailer Fashion Nova to pay $4.2 million for suppressing negative customer reviews from being posted to its website.

Case-by-case enforcement without civil penalty authority may not be enough to stem the growth of deceptive reviews and endorsements. The Supreme Court’s decision in the AMG Capital Management LLC v. FTC has hindered the FTC’s ability to seek monetary relief for consumers under the FTC Act. A potential rule that clearly spells out prohibited practices may strengthen deterrence by allowing the agency to impose civil penalties, while simplifying FTC enforcement.

The Commission voted 3-1 at an open meeting to publish the ANPR in the Federal Register. Commissioner Christine S. Wilson voted no and issued a dissenting statement. Chair Lina M. Khan issued a separate statement.

The ANPR will be published in the Federal Register shortly. The public will have 60 days to submit a comment after the notice is published. Information about how to submit a comment is included in the notice. Comments will be published on Regulations.gov after they are submitted.

The Federal Trade Commission is exploring possible steps to strengthen and modernize the Funeral Rule, which requires funeral providers to give in-person visitors price information to make informed decisions. The FTC also released a staff report that found that fewer than 40 percent of the funeral provider websites the agency reviewed provide any prices online.

“For decades, the Funeral Rule has provided crucial rights to grieving families seeking out burial and cremation services,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We look forward to hearing from the public about how we can modernize the rule to better protect consumers in today’s market.”

The Funeral Rule requires funeral providers to furnish consumers who visit funeral homes in-person with itemized price information. But, because the rule was first issued in the 1980s, it does not require them to provide price information online and via other electronic means like email or text messages.

The agency’s review of funeral providers’ websites – which took place during the height of the COVID-19 pandemic when many people could not or did not feel comfortable visiting a funeral home in person to make arrangements for their loved ones – found that more than 60 percent of the websites reviewed provided little to no information about their prices.  

On February 14, 2020, the Commission initiated a routine review of the rule, which received 785 comments. Several commenters stated that many funeral providers do not provide price information online and asked the Commission to require that funeral providers make price information available on their websites and via other electronic means.

After carefully reviewing all the comments received, the staff report, and the FTC’s enforcement and outreach efforts in the area, the Commission has decided to retain the Funeral Rule and issue an Advance Notice of Proposed Rulemaking concerning potential amendments to the rule, including whether and how funeral providers should be required to display or distribute their price information online and through electronic means.

Information about how to submit comments on the FTC’s Advance Notice of Proposed Rulemaking is included in the Federal Register notice. The deadline for submitting comments will be 60 days after the notice is published in the Federal Register in the coming days. Submitted comments will be posted to Regulations.gov.

The Commission voted 4-0 to publish the notice in the Federal Register and issue the staff report. Chair Lina M. Khan issued a separate statement.

The Federal Trade Commission announced today that it is exploring a rule to crack down on junk fees proliferating throughout the economy. Junk fees are unnecessary, unavoidable, or surprise charges that inflate costs while adding little to no value. Consumers can get hit with junk fees at any stage of the purchase or payment process. Companies often harvest junk fees by imposing them on captive consumers or by deploying digital dark patterns and other tricks to hide or mask them. The agency is seeking public comment on the harms caused by junk fees and the unfair or deceptive tactics companies use to impose them.

“It’s beyond frustrating to end up spending more than you budgeted because of random, arbitrary fees,” said FTC Chair Lina M. Khan. “No one has ever felt that a ‘convenience fee’ was convenient. Companies should compete to provide the best quality at the best price, not to see who can squeeze the most added expenses out of consumers. That’s especially true at a time when families are struggling with the effects of inflation.”

Companies charge junk fees in a wide range of contexts, including cramming in hidden fees to which consumers did not consent, misrepresenting optional services or upgrades as mandatory, and charging for products or services with little or no value. For example, consumers purchasing tickets or booking a hotel room may find a surprise junk fee tacked on at checkout. These junk fees – which add up to tens of billions of dollars each year – can drive up prices, make comparison shopping difficult, and leave consumers feeling powerless and cheated.

The FTC is concerned that junk fees are common in many sectors of the U.S. economy. The advance notice of proposed rulemaking announced today seeks public comment on the harms stemming from junk fees and associated junk fee practices and on whether a new rule would better protect consumers. The types of junk fees the FTC is seeking comment on include:

• Unnecessary charges for worthless, free, or fake products or services: Consumers may be slammed with charges for products or services that cost companies nothing to provide, are available for free, or should be included as part of the purchase price. Companies might also upsell consumers on fake products or services that either have no value or never materialize.
• Unavoidable charges imposed on captive consumers: Consumers may be forced to pay junk fees because they have no way to avoid or opt out of them. They might be dealing with a company with a monopoly or exclusive rights that can extract fees because there is no competing option. Or consumers might get hit with fees after they have already sunk costs into a product or service, and they can’t easily walk away.

• Surprise charges that secretly push up the purchase price: Consumers can experience junk fee shock when companies unexpectedly tack on mystery charges they did not know about, consent to, or factor into the purchase. Companies might hide these fees in the fine print, cram them on at the end of a purchase process, or use digital dark patterns or other deception to collect on them. Some companies might claim that they do not charge any fees and then add on fees after the purchase or sign up.

The FTC has a history of taking action on junk fee practices – they have been the subject of Commission investigations, enforcement actions, workshops, research, and consumer and business education outreach. While the agency has been active in addressing junk fees, it generally lacks the authority to seek penalties against first-time violators or the ability to obtain redress readily for consumers in instances in which fees violate the FTC’s prohibition on unfair or deceptive practices. The FTC can seek such remedies when a company violates a rule promulgated by the agency, which is why the agency is exploring a junk fee rule.

The Commission vote approving publication of the advance notice of proposed rulemaking was 3-1, with Commissioner Christine S. Wilson voting no. Chair Khan and Commissioner Wilson issued separate statements. Once the notice has been published in the Federal Register, consumers can submit comments electronically. Consumers also may submit comments in writing by following the instructions in the “Supplementary Information” section of the Federal Register notice.