May 2023

FTC and DOJ Charge Amazon with Violating Children’s Privacy Law by Keeping Kids’ Alexa Voice Recordings Forever and Undermining Parents’ Deletion Requests

The Federal Trade Commission and the Department of Justice will require Amazon to overhaul its deletion practices and implement stringent privacy safeguards to settle charges the company violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) and deceived parents and users of the Alexa voice assistant service about its data deletion practices.  

According to a complaint filed by the Department of Justice on behalf of the FTC, Amazon prevented parents from exercising their deletion rights under the COPPA Rule, kept sensitive voice and geolocation data for years, and used it for its own purposes, while putting data at risk of harm from unnecessary access.

“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”

Under the proposed federal court order also filed by DOJ, Amazon will be required to delete inactive child accounts and certain voice recordings and geolocation information and will be prohibited from using such data to train its algorithms. The proposed order must be approved by the federal court to go into effect.

According to the complaint, Amazon prominently and repeatedly assured its users, including parents, that they could delete voice recordings collected from its Alexa voice assistant and geolocation information collected by the Alexa app. The company, however, failed to follow through on these promises when it kept some of this information for years and used the data it unlawfully retained to help improve its Alexa algorithm, according to the complaint.

Amazon, one of the world’s biggest retailers, collects vast amounts of data about consumers ranging from their geolocation data via the company’s Alexa app to their voice recordings collected by Amazon’s Alexa voice assistant service. The company claims that its Alexa service and Echo devices are “designed to protect your privacy” and that parents and other users can delete geolocation data and voice recordings.

Amazon also offers Alexa-enabled devices and services targeted to children and collects personal data, including voice recordings, from children. Amazon retained children’s recordings indefinitely—unless a parent requested that this information be deleted, according to the complaint. And even when a parent sought to delete that information, the FTC said, Amazon failed to delete transcripts of what kids said from all its databases.

The COPPA Rule requires, among other things, that an operator of a commercial website or online service directed to children under 13 years of age notify parents about the information they collect from children, obtain parents’ consent for the collection of that data, and allow them to delete that information at any time. In addition, such a service is prohibited from retaining the information collected from children under 13 for longer than is reasonably necessary to provide the service.

Amazon claimed it retained children’s voice recordings in order to help it respond to voice commands, allow parents to review them, and to improve Alexa’s speech recognition and processing capabilities, according to the complaint. Children’s speech patterns and accents differ from those of adults, so the unlawfully retained voice recordings provided Amazon with a valuable database for training the Alexa algorithm to understand children, benefitting its bottom line at the expense of children’s privacy.

The FTC said the company failed to put in place an effective system to ensure that it honored users’ data deletion requests and to give parents meaningful notice about deletion. Even when Amazon discovered its failures to delete geolocation data, the FTC said that Amazon repeatedly failed to fix the problems.

Proposed Order

In addition to the data deletion requirement in the proposed order, Amazon will be required to pay a $25 million civil penalty. Other provisions of the proposed order:

  • Prohibit Amazon from using geolocation, voice information, and children’s voice information subject to consumers’ deletion requests for the creation or improvement of any data product;
  • Require the company to delete inactive Alexa accounts of children;
  • Require Amazon to notify users about the FTC-DOJ action against the company;
  • Require Amazon to notify users of its retention and deletion practices and controls;
  • Prohibit Amazon from misrepresenting its privacy policies related to geolocation, voice and children’s voice information; and
  • Mandate the creation and implementation of a privacy program related to the company’s use of geolocation information.

The Commission voted 4-0 to refer the complaint to the Department of Justice for filing. The Commission vote closed on a date prior to Commissioner Christine S. Wilson’s departure from the agency. She issued a concurring statement on the matter before departing the agency. Commissioner Alvaro Bedoya also issued a separate statement, joined by FTC Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter. 

The Department of Justice filed the complaint and the stipulated order in the U.S. District Court for the Western District of Washington.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.

The lead staff attorneys on this matter are Elisa Jillson, Andy Hasty, and Julia Horwitz from the FTC’s Bureau of Consumer Protection.

Today’s announcement underscores the FTC’s commitment to protecting not only children’s privacy but the privacy of all consumers. Earlier today, the FTC announced an action against Amazon’s subsidiary, Ring, over charges that the home security camera company compromised its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.

FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users’ Cameras

The Federal Trade Commission charged home security camera company Ring with compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.

Under a proposed order, which must be approved by a federal court before it can go into effect, Ring will be required to delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed. It also will be required to implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

California-based Ring LLC, which was purchased by Amazon in February 2018, sells internet-connected, video-enabled home security cameras, doorbells, and related accessories and services. The company has marketed its products as offering greater home security and providing its users with peace of mind. For example, in promoting its indoor security cameras, which can be placed in individual rooms, Ring touts the ability of purchasers to “See your home. Away from home” alongside a picture of a Ring camera monitoring a child’s bedroom.

In a complaint, the FTC says Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using customer videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.

According to the complaint, these failures amounted to egregious violations of users’ privacy. For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms. The employee wasn’t stopped until another employee discovered the misconduct. Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access.

The FTC also said Ring failed to take any steps until January 2018 to adequately notify customers or obtain their consent for extensive human review of customers’ private video recordings for various purposes, including training algorithms. Ring buried information in its Terms of Service and Privacy Policy, claiming it had a right to use recordings obtained in connection with its services for “product improvement and development,” according to the complaint.

Security failures

According to the complaint, Ring also failed to implement standard security measures to protect consumers’ information from two well-known online threats—“credential stuffing” and “brute force” attacks—despite warnings from employees, outside security researchers and media reports. Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from a consumer’s breached account to gain access to a consumer’s other accounts. In a brute force attack, a bad actor uses an automated process of password guessing—for example, by cycling through breached credentials or entering well-known passwords—hundreds or thousands of times to gain access to an account.

Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed, according to the complaint, to implement common tactics—such as multifactor authentication—until 2019. Even then, Ring’s sloppy implementation of the additional security measures hampered their effectiveness, the FTC said.

As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 U.S. customers, according to the complaint. Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings, the FTC said. For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.

In addition to the mandated privacy and security program, the proposed order requires Ring to pay $5.8 million, which will be used for consumer refunds. The company also will be required to delete any customer videos and face embeddings, data collected from an individual’s face, that it obtained prior to 2018, and delete any work products it derived from these videos. The proposed order also will require Ring to alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and to notify consumers about the FTC’s action.

The Commission voted 3-0 to authorize the staff to file the complaint and stipulated final order. The FTC filed the complaint and final order in the U.S. District Court for the District of Columbia.

NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The lead staff attorneys on this matter are Elisa Jillson, Andy Hasty, and Julia Horwitz from the FTC’s Bureau of Consumer Protection.

Federal Court Finds James D. ‘Jay’ Noland, Jr., Operator of ‘Success By Health’ and ‘VOZ Travel,’ in Contempt of Court Order Barring Pyramid Schemes

A federal court sided with the Federal Trade Commission, ruling that James D. Noland, Jr. illegally owned and operated two pyramid schemes—Success By Health (SBH) and VOZ Travel—in violation of the FTC Act and that Noland violated a previous federal court order barring him from pyramid schemes and from misrepresenting multilevel marketing participants’ income potential.

The FTC sued Noland (also known as Jay Noland, J.D. Noland, and J. Noland), his wife Lina Noland, Scott Harris, and Thomas Sacca, in connection with SBH in January 2020 and added charges related to VOZ Travel in September 2020. The FTC alleged that they operated the businesses as pyramid schemes, making outlandish claims that “the masses” could be making more than $1 million each month by following Noland’s system, when in fact very few consumers made any money, and most lost significant sums. 

In its ruling, the U.S. District Court for the District of Arizona found that the Nolands, Harris, and Sacca violated the FTC Act by operating SBH and VOZ Travel as pyramid schemes and using false promises of “financial freedom.” In addition, the court found Harris and Sacca were aware of the order against Noland stemming from a prior FTC case, and thus, they and Noland were in contempt of that order. In its ruling, the court cited the “sheer volume of deceptive tactics and statements associated with” both SBH and VOZ Travel.

“The court’s order holding these defendants in contempt and barring them from the multilevel marketing business should send a strong message that FTC orders should not be ignored,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC will not hesitate to act with the full force of the law to protect the American public and hold recidivists accountable.”

The court also noted that Harris told an audience at one private SBH marketing event, “Is this one of those pyramid things? Hell, yeah it is. If it wasn’t, I wouldn’t be doing it. Do I look dumb enough to go get a job again?”

In addition, the court ruled that the defendants’ false claims about Noland’s own wealth in selling the pyramid schemes were “outrageous.” Noland, for example, told SBH and VOZ Travel members, “I’ve been financially free, completely time and money free since I was 36.”  In fact, as the court found, at the age of 36, Noland “was living (or was about to start living) off credit cards.” 

Additionally, although Noland told SBH and VOZ members he was a multi-millionaire, the court explained that “[i]n his January 2020 sworn financial statement, Noland reported he had a negative net worth.” Similarly, at a deposition in this case, “Noland was unable to identify a time he ever had a positive net worth.”

The defendants used these and other false claims to boost their promises that SBH affiliates would achieve their own financial freedom, like becoming millionaires, or having an income stream of $20,000 per month. Instead, the court found “the great majority of SBH affiliates were net losers” of money, and “the few who may have eked out a net positive outcome did not obtain anything close to the ‘financial freedom’ that was being offered.”  The court, for example, found that one “top retailer” in SBH earned less from those sales “than what an individual would earn from a full-time minimum wage job.”

The court’s ruling permanently bans Noland, his wife Lina Noland, Harris and Sacca from any participation in multi-level marketing. In its ruling, the court said they “…have found themselves to be utterly incapable of operating an MLM business in a lawful manner.”

The ruling also imposes a $7.3 million judgment on Noland, Harris, and Sacca, the full amount sought by the FTC. Any amount recovered by the FTC will be used to redress consumers. The court also found that the defendants committed multiple “acts of dishonesty,” including “destroying evidence, violating court orders, giving false under-oath testimony, and taking no accountability for the misconduct after being caught.”

The FTC’s suit against SBH and VOZ Travel also named a number of corporate entities behind the two pyramid schemes; the case against those entities is ongoing. The FTC has extensive information and guidance for consumers about multi-level marketing and pyramid schemes on its website, as well as guidance for businesses.

FTC Says Ed Tech Provider Edmodo Unlawfully Used Children’s Personal Information for Advertising and Outsourced Compliance to School Districts

The Federal Trade Commission has obtained an order against education technology provider Edmodo for collecting personal data from children without obtaining their parent’s consent and using that data for advertising, in violation of the Children’s Online Privacy Protection Act Rule (COPPA Rule), and for unlawfully outsourcing its COPPA compliance responsibilities to schools. 

Under the proposed order, filed by the Department of Justice on behalf of the FTC, Edmodo, Inc. will be prohibited from requiring students to hand over more personal data than is necessary in order to participate in an online educational activity. This is a first for an FTC order and is in line with a policy statement the FTC issued in May 2022 that warned education technology companies about forcing parents and schools to provide personal data about children in order to participate in online education. During the course of the FTC’s investigation, Edmodo suspended operations in the United States. The order, if approved by the court, will bind the company, including if it resumes U.S. operations.

“This order makes clear that ed tech providers cannot outsource compliance responsibilities to schools, or force students to choose between their privacy and education,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Other ed tech providers should carefully examine their practices to ensure they’re not compromising students’ privacy.”

In a complaint, also filed by DOJ, the FTC says Edmodo violated the COPPA Rule by failing to provide information about the company’s data collection practices to schools and teachers, and failing to obtain verifiable parental consent. The COPPA Rule requires online services and websites directed to children under 13 to notify parents about the personal information they collect and obtain verifiable parental consent for the collection and use of that information.

Until approximately September 2022, California-based Edmodo offered an online platform and mobile app with virtual class spaces to host discussions, share materials and other online resources for teachers and schools in the United States via a free and subscription-based service. The company collected personal information about students including their name, email address, date of birth and phone number as well as persistent identifiers, which it used to provide ads.

Under the COPPA Rule, schools can authorize collection of children’s personal information on behalf of parents. But a website operator must provide notice to the school of the operator’s collection, use and disclosure practices, and the school can only authorize collection and use of personal information for an educational purpose.

Edmodo required schools and teachers to authorize data collection on behalf of parents or to notify parents about Edmodo’s data collection practices and obtain their consent to that collection. Edmodo, however, failed to provide schools and teachers with the information they would need to comply in either scenario as required by the COPPA Rule, according to the complaint. For example, during the signup process for Edmodo’s free service, Edmodo provided minimal information about the COPPA Rule to teachers—providing only a link to the company’s terms of service and privacy policy, which teachers were not required to review before signing up for the company’s service.

Those teachers and schools that did read Edmodo’s terms of service were falsely told that they were “solely” responsible for complying with the COPPA Rule. The terms of service also failed to adequately disclose what personal information the company actually collects or indicate how schools or teachers should go about obtaining parental consent. These failures led to the illegal collection of personal information from children, according to the complaint.

In addition, Edmodo could not rely on schools to authorize collection on behalf of parents because the company used the personal information it collected from children for a non-educational purpose—to serve advertising. For such commercial uses, the COPPA Rule required Edmodo to obtain consent directly from parents. 

Edmodo also violated the COPPA Rule by retaining personal information indefinitely until at least 2020 when it put in place a policy to delete the data after two years, according to the complaint. COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.

In addition to violating the COPPA Rule, the FTC says Edmodo violated the FTC Act’s prohibition on unfair practices by relying on schools to obtain verifiable parental consent. Specifically, the FTC says that Edmodo outsourced its COPPA compliance responsibilities to schools and teachers while providing confusing and inaccurate information about obtaining consent. This is the first time the FTC has alleged an unfair trade practice in the context of an operator’s interaction with schools.

Proposed Order

The proposed order with Edmodo includes a $6 million monetary penalty, which will be suspended due to the company’s inability to pay. Other order provisions, which will provide protections for children’s data should Edmodo resume operations in the United States, include:

  • prohibiting Edmodo from conditioning a child’s participation in an activity on the child disclosing more information than is reasonably necessary to participate in such activity;
  • requiring the company to complete several requirements before obtaining school authorization to collect information from a child;
  • prohibiting the company from using children’s information for non-educational purposes such as advertising or building user profiles;
  • banning the company from using schools as intermediaries in the parental consent process;
  • requiring the company to implement and adhere to a retention schedule that details what information it collects, what the data is used for and a time frame for deleting it; and
  • requiring Edmodo to delete models or algorithms developed using personal information collected from children without verifiable parental consent or school authorization.

The Commission voted 3-0 to refer the civil penalty complaint and proposed federal order to the Department of Justice. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of California.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.

The lead FTC attorneys on this matter are Gorana Neskovic and Peder Magee from the FTC’s Bureau of Consumer Protection.

FTC Sends More Than $557,000 to Consumers Harmed by Credit Card Interest Rate Reduction Scam

The Federal Trade Commission is sending payments totaling more than $557,000 to consumers who paid money to GDP Network, LLC (YF Solution), a Florida-based telemarketing company that promised credit card interest rate reductions and regularly failed to deliver.

The FTC is sending checks to 611 consumers. Recipients should cash their checks within 90 days as indicated on the check. Consumers who have questions about their payment should call the refund administrator, JND Legal Administration, at 844-633-0708, or visit the FTC website to view frequently asked questions about the refund process. The Commission never requires people to pay money or provide account information to get a refund.

The FTC and the State of Florida sued GDP Network and its owners in July 2020, alleging that they charged consumers as much as $3,995 for their debt relief services, making claims that they were affiliated with major credit card companies and could save consumers thousands of dollars by securing reduced interest rates. In fact, according to the lawsuit, consumers rarely, if ever, saw any benefit from the company’s supposed services and were ultimately left with more debt and worse credit. The scam’s operators agreed to settlements that the court entered in November 2021 that permanently banned them from the debt relief industry and required them to surrender assets.

The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2022, Commission actions led to more than $392 million in refunds to consumers across the country.

FTC Files Brief in Jones v. Google in Support of Appeals Court Ruling that COPPA Does Not Preempt Plaintiffs’ State Privacy Claims

The Federal Trade Commission filed a brief arguing that the Children’s Online Privacy Protection Act (COPPA) does not preempt state privacy laws that are consistent with COPPA. The brief was filed in support of a federal appeals court’s ruling in Jones v. Google, a case in which a group of children allege that Google collected data and surreptitiously tracked their online activity in violation of state laws.

The FTC had previously alleged that Google and YouTube engaged in similar conduct in violation of COPPA. The companies agreed to pay $170 million as part of a settlement in 2019 with the FTC and the state of New York.

The FTC enforces COPPA, which was enacted in 1998, and requires websites and other online services targeted to children under 13 to notify parents and obtain their verifiable consent before collecting personal information from children. The COPPA statute includes a preemption clause that restricts states from imposing liability for regulated activities—for example, online data collection from children—that is inconsistent with COPPA’s treatment of those activities.

A federal district court initially found that COPPA preempted the state law claims, and the plaintiffs appealed to the U.S. Court of Appeals for the Ninth Circuit. On appeal, Google argued that all state-law claims involving children’s online privacy—including those brought by state-government enforcers like the California Attorney General—are “inconsistent” with COPPA’s framework and therefore barred by COPPA’s preemption clause.

The appeals court found that COPPA did not preempt plaintiffs’ state law claims, either expressly or through application of conflict preemption principles. The panel noted that in considering previous preemption claims, courts have said that state laws that “supplement” or “require the same thing” as a federal statute are not inconsistent with relevant federal laws.

Google has asked the full Ninth Circuit to review that ruling; the court then asked the FTC to weigh in on “whether the preemption clause [in COPPA] preempts fully stand-alone state-law causes of action by private citizens that concern data-collection activities that also violate COPPA but are not predicated on a claim under COPPA.”

In its amicus brief, the Commission said the panel properly rejected Google’s interpretation, which would preempt a wide swath of traditional state laws. The Commission argued that nothing in COPPA’s text, purpose, or legislative history supports the sweeping preemption that Google claimed. The Commission agreed with the appeals court panel that COPPA’s preemption clause only applies to state laws that are “inconsistent” with COPPA, and that plaintiffs’ claims here were consistent with the statute.  

The Commission voted 3-0 to authorize staff to file the amicus brief.

FTC Suit Leads to $16.7 Million Judgment Against Principals and Celebrity Endorsers of Real Estate Investment Training Program

As a result of a lawsuit filed by the Federal Trade Commission and the Utah Division of Consumer Protection (DCP), the principals of a Utah-based real estate investment training company will pay $15 million and be banned from selling money-making opportunities under a court order they have agreed to. In addition, two of the primary real estate celebrities who endorsed the training have agreed to orders that require them to pay $1.7 million.

According to the complaint filed by the FTC and the Utah DCP against Response Marketing Group, LLC and its principals, Response Marketing used false promises to sell consumers a series of expensive real estate investment training programs. The complaint also named two real estate celebrities as defendants – Scott Yancey, who was the star of the home-flipping show Flipping Vegas on A&E, and Dean R. Graziosi, the author of Millionaire Success Habits. Yancey and Graziosi promoted the training programs and were involved in efforts to bury online customer complaints that said Response Marketing failed to deliver on its promises or was a scam.

“Today’s order against Response Marketing and its owners permanently bans them from the wealth creation business and returns $15 million to consumers, on top of the $1.7 million already secured through this litigation,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We are grateful to the Utah Division of Consumer Protection for their partnership in obtaining this strong relief, and we will continue cracking down on deceptive moneymaking opportunities and unlawful endorsement practices.”

“This is the largest consumer protection division settlement in Utah’s history and holds Nudge and its affiliates accountable for the serious financial harm to consumers across the country,” said Utah Department of Commerce Executive Director Margaret Busse. “Utah businesses that seek to take advantage of consumers should be put on notice.”

Busse also thanks the FTC and the Utah Attorney General’s Office for the robust partnership that brought about this successful consumer protection settlement. “This partnership gave us the reach to go after these bad actors who thought they could skirt Utah’s laws.”

Response Marketing attracted consumers to free events around the country through infomercials and social media advertisements in which real estate celebrities promised to share their investing techniques. At these events, Response Marketing enticed consumers to purchase three-day workshops for around $1,000 by falsely representing that it would provide consumers with access to special tools that would enable them to become successful real estate investors. At the three-day workshops, Response Marketing deceptively pitched additional training programs that cost tens of thousands of dollars, according to the complaint.

Response Marketing then upsold consumers by pitching a purported coaching program through telemarketing that could cost as much as an additional $30,000. The program was marketed as exclusive “Inner Circle” training that supposedly had limited spots and would allow consumers to work one-on-one with a purported real estate expert. The complaint alleged that the vast majority of consumers who purchased Response Marketing’s products and services did not become successful real estate investors and did not even recoup the money they spent on Response Marketing’s training programs.

In a June 2022 opinion, which partially granted the FTC’s motion for summary judgment, the district court judge hearing the case found that many of Response Marketing’s claims were false or misleading, including Response Marketing’s claims that: its customers got special access to a purported funding network to allow them to do real estate deals without any of their own money; students would get access to letters that would supposedly allow them to make cash offers for properties and thereby get them at a discount; that Response Marketing had buyers lined up who would purchase homes that students wanted to flip; and there were limited spots in Response Marketing’s “Inner Circle” program.

Response Marketing sold its training programs under a variety of names, including Affluence Edu, Cash Flow Edu, Flip for Life, OnWealth, Renovate to Rent, and Visionary Events. The company’s predecessor began selling real estate investment training packages in the early 2010s. In December 2019, Response Marketing agreed to stop selling these packages following the filing of the initial complaint in this case by the FTC and the Utah DCP.

Two of Response Marketing’s affiliates—Nudge, LLC and BuyPD, LLC—are also part of the settlement, along with the four individuals who the complaint alleges were the actual owners of Response Marketing: Brandon B. Lewis, Ryan C. Poelman, Phillip W. Smith, and Shawn L. Finnegan. Under the settlement, these three companies, the four owners, and Response Marketing’s President, Clint R. Sanderson, are banned from selling “wealth creation” products and services anywhere in the country. They are also required to pay $15 million, which will be used to provide redress to consumers. If these payments are not made, these parties will be liable for an additional $15 million in civil penalties that will be payable to the Utah DCP.

The settlements with Graziosi and Yancey are the FTC’s first monetary settlements with celebrity endorsers. Under their settlements, Graziosi will pay $1.25 million, and Yancey will pay $450,000.

The settlements being announced today resolve all of the claims against all of the defendants in the complaint filed by the FTC and the Utah DCP, which alleges violations of the FTC Act, the Telemarketing Sales Rule, and several Utah statutes.

The Commission vote approving the stipulated final orders was 3-0. The U.S. District Court for the District of Utah approved the Graziosi and Yancey settlements on April 24, 2023, and the settlement with the other parties was approved on May 18, 2023.

FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule

The Federal Trade Commission is seeking comment on proposed changes to the Health Breach Notification Rule (HBNR) that include clarifying the rule’s applicability to health apps and other similar technologies.

Since the rule’s issuance, health apps and other direct-to-consumer health technologies, such as fitness trackers, have become commonplace. The proposed changes to the rule come as business practices and technological developments increase both the amount of health data collected from consumers, and the incentive for companies to use or disclose that sensitive data for marketing and other purposes. 

“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology.”

The rule requires vendors of personal health records (PHR) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third party service providers to vendors of PHRs and PHR-related entities to provide notification to such vendors and PHR-related entities following the discovery of a breach. 

Protecting the privacy and security of personal health data is a high priority for the FTC, which has brought several cases in recent years involving the misuse of consumers’ personal health data, including two enforcement actions that alleged HBNR violations.

Earlier this week, the FTC announced a proposed order settling allegations that fertility app Premom violated the HBNR. In February 2023, the FTC announced its first enforcement action under the HBNR against telehealth and prescription drug discount provider GoodRx Holdings Inc. The FTC says GoodRx and Premom each violated the rule by failing to notify users about the companies’ unauthorized disclosure of users’ personally identifiable health information to third parties.

As part of a regular review of Commission rules, the FTC in 2020 sought comment on whether changes were needed to the HBNR. In September 2021, the FTC issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule.

After reviewing the public comments and consistent with the policy statement, the Commission has proposed the following changes to the HBNR:

  • Revising several definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “health care provider” and “health care services or supplies”; 
  • Clarifying that a “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
  • Revising the definition of “PHR related entity” in two ways that pertain to the rule’s scope. For example, it makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;
  • Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;
  • Authorizing the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers;
  • Expanding the required content that should be provided in the notice to consumers. For example, the notice would be required to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information; and
  • Adding changes to improve the rule’s readability and promote compliance.

The public will have 60 days after the notice is published in the Federal Register to submit comments on the proposed changes to the rule. Information on how to submit a comment can be found in the notice. Once processed, the comments will be posted to Regulations.gov.

The Commission voted 3-0 at an open Commission meeting to publish the proposed changes to the HBNR in the Federal Register.

The lead staff attorneys on this matter are Ryan Mehm, Ronnie Solomon, and Elisa Jillson of the FTC’s Bureau of Consumer Protection.

FTC Warns About Misuses of Biometric Information and Harm to Consumers

The Federal Trade Commission today issued a warning that the increasing use of consumers’ biometric information and related technologies, including those powered by machine learning, raises significant consumer privacy and data security concerns and the potential for bias and discrimination.

Biometric information refers to data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.

“In recent years, biometric surveillance has grown more sophisticated and pervasive, posing new threats to privacy and civil rights,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s policy statement makes clear that companies must comply with the law regardless of the technology they are using.”

In a policy statement, the Commission said the agency is committed to combatting unfair or deceptive acts and practices related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies.

Recent years have seen a proliferation of biometric information technologies. For instance, facial, iris, or fingerprint recognition technologies collect and process biometric information to identify individuals. Other biometric information technologies use or claim to use biometric information in order to determine characteristics of individuals, ranging from the individuals’ age, gender, or race to the individuals’ personality traits, aptitudes, or demeanor.

Consumers face new and increasing risks associated with the collection and use of biometric information. For example, using biometric information technologies to identify consumers in certain locations could reveal sensitive personal information about them such as whether they accessed particular types of healthcare, attended religious services, or attended political or union meetings. Large databases of biometric information could also be attractive targets for malicious actors who could misuse such information. Additionally, some technologies using biometric information, such as facial recognition technology, may have higher rates of error for certain populations than for others.

In recent years, the FTC has brought enforcement actions against photo app maker Everalbum and Facebook, charging they misrepresented their uses of facial recognition technology. The FTC also issued a report about facial recognition in 2012 that recommended best practices to protect consumers’ privacy.

Today’s policy statement warns that false or unsubstantiated claims about the accuracy or efficacy of biometric information technologies or about the collection and use of biometric information may violate the FTC Act. The policy statement also notes that the Commission will consider several factors in determining whether a business’s use of biometric information or biometric information technology could be unfair in violation of the FTC Act, including:

  • Failing to assess foreseeable harms to consumers before collecting biometric information;
  • Failing to promptly address known or foreseeable risks and identify and implement tools for reducing or eliminating those risks;
  • Engaging in surreptitious and unexpected collection or use of biometric information;
  • Failing to evaluate the practices and capabilities of third parties, including affiliates, vendors, and end users, who will be given access to consumers’ biometric information or will be charged with operating biometric information technologies;
  • Failing to provide appropriate training for employees and contractors whose job duties involve interacting with biometric information or technologies that use such information; and
  • Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information to ensure that the technologies are functioning as anticipated and that the technologies are not likely to harm consumers.

The Commission voted 3-0 during an open Commission meeting to adopt the policy statement.

FTC staff who worked on this matter include Robin Wetherill and Amanda Koulousias.

Ovulation Tracking App Premom Will be Barred from Sharing Health Data for Advertising Under Proposed FTC Order

The Federal Trade Commission charged that the developer of the fertility app Premom deceived users by sharing their sensitive personal information with third parties, including two China-based firms, disclosed users’ sensitive health data to AppsFlyer and Google, and failed to notify consumers of these unauthorized disclosures in violation of the Health Breach Notification Rule (HBNR).

“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We will vigorously enforce the Health Breach Notification Rule to defend consumer’s health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”

This is the FTC’s second enforcement action involving the Health Breach Notification Rule following a settlement announced in February with telehealth and prescription drug discount provider GoodRx Holdings Inc. The FTC charged that GoodRx violated the rule by failing to notify users about the company’s unauthorized disclosure of their personally identifiable health information to Facebook, Google and others.

As part of a proposed order filed by the Department of Justice on behalf of the FTC, Illinois-based Easy Healthcare Corporation, which operates the Premom app, would be barred from sharing users’ personal health data with third parties for advertising, required to obtain users’ consent before sharing health data for any other purpose, and must tell consumers how their personal data will be used. The proposed order must be approved by the federal court to go into effect.

The Premom app, which is free to download and used by hundreds of thousands of people, helps users track ovulation, periods, and other health information, and also sells ovulation test kits. The app encourages users to provide information about their menstrual cycles, fertility, and pregnancy as well as to import their data from other apps such as Apple Health.

In a complaint also filed by the Department of Justice, the FTC says that Easy Healthcare repeatedly and deceptively promised users in its privacy policies that it would not share their health information with third parties without users’ consent and that any data it did collect was non-identifiable and only used for its own analytics or advertising. Easy Healthcare failed to take reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools known as software development kits (SDKs) and shared health information for advertising purposes without obtaining consumers’ affirmative express consent, according to the FTC.

Premom failed to fully disclose its data sharing practices, and also violated direct promises to users, the FTC says. The data it shared with third parties revealed highly sensitive and private details about Premom’s users and led to the unauthorized disclosure of facts about an individual user’s sexual and reproductive health, parental and pregnancy status, as well as other information about physical health conditions and status.

The FTC says Premom deceived users by disclosing such sensitive and identifiable health information to marketing firm AppsFlyer and Google through the integration of each company’s SDK. An SDK tracks a user’s interactions with an app and other identifiable information and shares that data with third parties.

Premom’s failure to notify users about the company’s unauthorized disclosure of their unsecured individually identifiable health information to third parties violated the FTC’s Health Breach Notification Rule, according to the complaint. The rule requires a vendor of personal health records to notify users, the FTC, and in some cases the media, when there has been an unauthorized acquisition of unsecured individually identifiable health information.

The FTC also says Premom integrated SDKs from other third parties into the Premom app including from app analytics provider Umeng and analytics provider Jiguang and shared sensitive user data. This included Premom users’ social media account information and precise geolocation information, as well as data about their mobile devices and Wi-Fi network identifiers, which cannot be changed without buying a new device. These non-resettable identifiers can be used to identify individuals, according to the complaint.

In addition to sharing data without user consent, Premom failed to encrypt adequately the data it shared with third parties, including those in China, subjecting this data to potential interception or seizure, and did not limit how third parties could use the data, according to the complaint.

As part of the proposed order, Easy Healthcare will pay a $100,000 civil penalty for violating the Health Breach Notification Rule and will also be:

  • Permanently prohibited from sharing user personal health data with third parties for advertising;
  • Required to obtain user consent before sharing personal health data with third parties for other purposes;
  • Required to retain users’ personal information for only as long as necessary to fulfill the purpose for which it was collected;
  • Prohibited from making future misrepresentations about Easy Healthcare’s privacy practices and required to comply with the HBNR notification requirements for any future breach of security;
  • Required to seek deletion of data it shared with third parties;
  • Required to send and post a consumer notice explaining the FTC’s allegations and the settlement; and
  • Required to implement comprehensive security and privacy programs that include strong safeguards to protect consumer data.

As part of a related action, Easy Healthcare also has agreed to pay a total of $100,000 to Connecticut, the District of Columbia and Oregon, which worked with the FTC on this matter, for violating their respective laws.

The Commission voted 3-0 to refer the complaint and stipulated final order to the Department of Justice for filing. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of Illinois.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The lead staff attorneys on this matter were David Walko and Ronnie Solomon of the FTC’s Bureau of Consumer Protection.
