As a result of a lawsuit filed by the Federal Trade Commission and the Utah Division of Consumer Protection (DCP), the principals of a Utah-based real estate investment training company will pay $15 million and be banned from selling money-making opportunities under a court order they have agreed to. In addition, two of the primary real estate celebrities who endorsed the training have agreed to orders that require them to pay $1.7 million.

According to the complaint filed by the FTC and the Utah DCP against Response Marketing Group, LLC and its principals, Response Marketing used false promises to sell consumers a series of expensive real estate investment training programs. The complaint also named two real estate celebrities as defendants – Scott Yancey, who was the star of the home-flipping show Flipping Vegas on A&E, and Dean R. Graziosi, the author of Millionaire Success Habits. Yancey and Graziosi promoted the training programs and were involved in efforts to bury online customer complaints that said Response Marketing failed to deliver on its promises or was a scam.

“Today’s order against Response Marketing and its owners permanently bans them from the wealth creation business and returns $15 million to consumers, on top of the $1.7 million already secured through this litigation,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We are grateful to the Utah Division of Consumer Protection for their partnership in obtaining this strong relief, and we will continue cracking down on deceptive moneymaking opportunities and unlawful endorsement practices.”

“This is the largest consumer protection division settlement in Utah’s history and holds Nudge and its affiliates accountable for the serious financial harm to consumers across the country,” said Utah Department of Commerce Executive Director Margaret Busse. “Utah businesses that seek to take advantage of consumers should be put on notice.”

Busse also thanks the FTC and the Utah Attorney General’s Office for the robust partnership that brought about this successful consumer protection settlement. “This partnership gave us the reach to go after these bad actors who thought they could skirt Utah’s laws.”

Response Marketing attracted consumers to free events around the country through infomercials and social media advertisements in which real estate celebrities promised to share their investing techniques. At these events, Response Marketing enticed consumers to purchase three-day workshops for around $1,000 by falsely representing that it would provide consumers with access to special tools that would enable them to become successful real estate investors. At the three-day workshops, Response Marketing deceptively pitched additional training programs that cost tens of thousands of dollars, according to the complaint.

Response Marketing then upsold consumers by pitching a purported coaching program through telemarketing that could cost as much as an additional $30,000. The program was marketed as exclusive “Inner Circle” training that supposedly had limited spots and would allow consumers to work one-on-one with a purported real estate expert. The complaint alleged that the vast majority of consumers who purchased Response Marketing’s products and services did not become successful real estate investors and did not even recoup the money they spent on Response Marketing’s training programs.

In a June 2022 opinion, which partially granted the FTC’s motion for summary judgment, the district court judge hearing the case found that many of Response Marketing’s claims were false or misleading, including Response Marketing’s claims that: its customers got special access to a purported funding network to allow them to do real estate deals without any of their own money; students would get access to letters that would supposedly allow them to make cash offers for properties and thereby get them at a discount; that Response Marketing had buyers lined up who would purchase homes that students wanted to flip; and there were limited spots in Response Marketing’s “Inner Circle” program.

Response Marketing sold its training programs under a variety of names, including Affluence Edu, Cash Flow Edu, Flip for Life, OnWealth, Renovate to Rent, and Visionary Events. The company’s predecessor began selling real estate investment training packages in the early 2010s. In December 2019, Response Marketing agreed to stop selling these packages following the filing of the initial complaint in this case by the FTC and the Utah DCP.

Two of Response Marketing’s affiliates—Nudge, LLC and BuyPD, LLC—are also part of the settlement, along with the four individuals who the complaint alleges were the actual owners of Response Marketing: Brandon B. Lewis, Ryan C. Poelman, Phillip W. Smith, and Shawn L. Finnegan. Under the settlement, these three companies, the four owners, and Response Marketing’s President, Clint R. Sanderson, are banned from selling “wealth creation” products and services anywhere in the country. They are also required to pay $15 million, which will be used to provide redress to consumers. If these payments are not made, these parties will be liable for an additional $15 million in civil penalties that will be payable to the Utah DCP.

The settlements with Graziosi and Yancey are the FTC’s first monetary settlements with celebrity endorsers. Under their settlements, Graziosi will pay $1.25 million, and Yancey will pay $450,000.

The settlements being announced today resolve all of the claims against all of the defendants in the complaint filed by the FTC and the Utah DCP, which alleges violations of the FTC Act, the Telemarketing Sales Rule, and several Utah statutes.

The Commission vote approving the stipulated final orders was 3-0. The U.S. District Court for the District of Utah approved the Graziosi and Yancey settlements on April 24, 2023, and the settlement with the other parties was approved on May 18, 2023.

The Federal Trade Commission is seeking comment on proposed changes to the Health Breach Notification Rule (HBNR) that include clarifying the rule’s applicability to health apps and other similar technologies.

Since the rule’s issuance, health apps and other direct-to-consumer health technologies, such as fitness trackers, have become commonplace. The proposed changes to the rule come as business practices and technological developments increase both the amount of health data collected from consumers, and the incentive for companies to use or disclose that sensitive data for marketing and other purposes. 

“We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information. When this information is breached, it is more vital than ever that mobile health app developers and others covered by the Health Breach Notification Rule provide consumers and the FTC with timely notice about what happened,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the rule will allow it to keep up with marketplace trends, and respond to developments and changes in technology.”

The rule requires vendors of personal health records (PHR) and related entities that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third party service providers to vendors of PHRs and PHR-related entities to provide notification to such vendors and PHR-related entities following the discovery of a breach. 

Protecting the privacy and security of personal health data is a high priority for the FTC, which has brought several cases in recent years involving the misuse of consumers personal health data, including two enforcement actions that alleged HBNR violations.

Earlier this week, the FTC announced a proposed order settling allegations that fertility app Premom violated the HBNR. In February 2023, the FTC announced its first enforcement action under the HBNR against telehealth and prescription drug discount provider GoodRx Holdings Inc. The FTC says GoodRx and Premom each violated the rule by failing to notify users about the companies’ unauthorized disclosure of users’ personally identifiable health information to third parties.

As part of a regular review of Commission rules, the FTC in 2020 sought comment on whether changes were needed to the HBNR. In September 2021, the FTC issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule.

After reviewing the public comments and consistent with the policy statement, the Commission has proposed the following changes to the HBNR:

• Revising several definitions to clarify the rule’s application to health apps and similar technologies not covered by HIPAA. This includes modifying the definition of “PHR identifiable health information” and adding two new definitions for “health care provider” and “health care services or supplies”; 
• Clarifying that a “breach of security” under the rule includes an unauthorized acquisition of identifiable health information that occurs as a result of a data security breach or an unauthorized disclosure;
• Revising the definition of “PHR related entity” in two ways that pertain to the rule’s scope. For example, it makes clear that only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR related entities;
• Clarifying what it means for a personal health record to draw PHR identifiable health information from multiple sources;
• Authorizing the expanded use of email and other electronic means of providing clear and effective notice of a breach to consumers;
• Expanding the required content that should be provided in the notice to consumers. For example, the notice would be required to include information about the potential harm stemming from the breach and the names of any third parties who might have acquired any unsecured personally identifiable health information; and
• Adding changes to improve the rule’s readability and promote compliance.

The public will have 60 days after the notice is published in the Federal Register to submit comments on the proposed changes to the rule. Information on how to submit a comment can be found in the notice. Once processed, the comments will be posted to Regulations.gov.

The Commission voted 3-0 at an open Commission meeting to publish the proposed changes to the HBNR in the Federal Register.

The lead staff attorneys on this matter are Ryan Mehm, Ronnie Solomon, and Elisa Jillson of the FTC’s Bureau of Consumer Protection.

The Federal Trade Commission today issued a warning that the increasing use of consumers’ biometric information and related technologies, including those powered by machine learning, raises significant consumer privacy and data security concerns and the potential for bias and discrimination.

Biometric information refers to data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.

“In recent years, biometric surveillance has grown more sophisticated and pervasive, posing new threats to privacy and civil rights,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s policy statement makes clear that companies must comply with the law regardless of the technology they are using.”

In a policy statement, the Commission said the agency is committed to combatting unfair or deceptive acts and practices related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies.

Recent years have seen a proliferation of biometric information technologies. For instance, facial, iris, or fingerprint recognition technologies collect and process biometric information to identify individuals. Other biometric information technologies use or claim to use biometric information in order to determine characteristics of individuals, ranging from the individuals’ age, gender, or race to the individuals’ personality traits, aptitudes, or demeanor.

Consumers face new and increasing risks associated with the collection and use of biometric information. For example, using biometric information technologies to identify consumers in certain locations could reveal sensitive personal information about them such as whether they accessed particular types of healthcare, attended religious services, or attended political or union meetings. Large databases of biometric information could also be attractive targets for malicious actors who could misuse such information. Additionally, some technologies using biometric information, such as facial recognition technology, may have higher rates of error for certain populations than for others.

In recent years, the FTC has brought enforcement actions against photo app maker Everalbum and Facebook, charging they misrepresented their uses of facial recognition technology. The FTC also issued a report about facial recognition in 2012 that recommended best practices to protect consumers’ privacy.

Today’s policy statement warns that false or unsubstantiated claims about the accuracy or efficacy of biometric information technologies or about the collection and use of biometric information may violate the FTC Act. The policy statement also notes that it will consider several factors in determining whether a business’s use of biometric information or biometric information technology could be unfair in violation of the FTC Act including:

• Failing to assess foreseeable harms to consumers before collecting biometric information;
• Failing to promptly address known or foreseeable risks and identify and implement tools for reducing or eliminating those risks;
• Engaging in surreptitious and unexpected collection or use of biometric information;
• Failing to evaluate the practices and capabilities of third parties, including affiliates, vendors, and end users, who will be given access to consumers’ biometric information or will be charged with operating biometric information technologies;
• Failing to provide appropriate training for employees and contractors whose job duties involve interacting with biometric information or technologies that use such information; and
• Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses, in connection with biometric information to ensure that the technologies are functioning as anticipated and that the technologies are not likely to harm consumers

The Commission voted 3-0 during an open Commission meeting to adopt the policy statement.

FTC staff who worked on this matter include Robin Wetherill and Amanda Koulousias.

The Federal Trade Commission charged that the developer of the fertility app Premom deceived users by sharing their sensitive personal information with third parties, including two China-based firms, disclosed users’ sensitive health data to AppsFlyer and Google, and failed to notify consumers of these unauthorized disclosures in violation of the Health Breach Notification Rule (HBNR).

“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We will vigorously enforce the Health Breach Notification Rule to defend consumer’s health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”

This is the FTC’s second enforcement action involving the Health Breach Notification Rule following a settlement announced in February with telehealth and prescription drug discount provider GoodRx Holdings Inc. The FTC charged that GoodRx violated the rule by failing to notify users’about the company’s unauthorized disclosure of their personally identifiable health information to Facebook, Google and others.

As part of a proposed order filed by the Department of Justice on behalf of the FTC, Illinois-based Easy Healthcare Corporation, which operates the Premom app, would be barred from sharing users’ personal health data with third parties for advertising, required to obtain users’ consent before sharing health data for any other purpose, and must tell consumers how their personal data will be used. The proposed order must be approved by the federal court to go into effect.

The Premom app, which is free to download and used by hundreds of thousands of people, helps users track ovulation, periods, and other health information, and also sells ovulation test kits. The app encourages users to provide information about their menstrual cycles, fertility, and pregnancy as well as to import their data from other apps such as Apple Health.

In a complaint also filed by the Department of Justice, the FTC says that Easy Healthcare repeatedly and deceptively promised users in its privacy policies that it would not share their health information with third parties without users’ consent and that any data it did collect was non-identifiable and only used for its own analytics or advertising. Easy Healthcare failed to take reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools known as software development kits (SDKs) and shared health information for advertising purposes without obtaining consumers’ affirmative express consent, according to the FTC.

Premom failed to fully disclose its data sharing practices, and also violated direct promises to users, the FTC says. The data it shared with third parties revealed highly sensitive and private details about Premom’s users and led to the unauthorized disclosure of facts about an individual user’s sexual and reproductive health, parental and pregnancy status, as well as other information about physical health conditions and status.

The FTC says Premom deceived users by disclosing such sensitive and identifiable health information to marketing firm AppsFlyer and Google through the integration of each company’s SDK. An SDK tracks a user’s interactions with an app and other identifiable information and shares that data with third parties.

Premom’s failure to notify users about the company’s unauthorized disclosure of their unsecured individually identifiable health information to third parties violated the FTC’s Health Breach Notification Rule, according to the complaint. The rule requiresa vendor of personal health records to notify users, the FTC, and in some cases the media, when there has been an unauthorized acquisition of unsecured individually identifiable health information.

The FTC also says Premom integrated SDKs from other third parties into the Premom app including from app analytics provider Umeng and analytics provider Jiguang and shared sensitive user data. This included Premom users’ social media account information and precise geolocation information, as well as data about their mobile devices and Wi-Fi network identifiers, which cannot be changed without buying a new device. These non-resettable identifiers can be used to identify individuals, according to the complaint.

In addition to sharing data without user consent, Premom failed to encrypt adequately the data it shared with third parties, including those in China, subjecting this data to potential interception or seizure, and did not limit how third parties could use the data, according to the complaint.

As part of the proposed order, Easy Healthcare will pay a $100,000 civil penalty for violating the Health Breach Notification Rule and will also be:

• Permanently prohibited from sharing user personal health data with third parties for advertising;
• Required to obtain user consent before sharing personal health data with third parties for other purposes;
• Required to retain users’ personal information for only as long as necessary to fulfill the purpose for which it was collected;
• Prohibited from making future misrepresentations about Easy Healthcare’s privacy practices and required to comply with the HBNR notification requirements for any future breach of security;
• Required to seek deletion of data it shared with third parties;
• Required to send and post a consumer notice explaining the FTC’s allegations and the settlement; and
• Required to implement comprehensive security and privacy programs that include strong safeguards to protect consumer data.

As part of a related action, Easy Healthcare also has agreed to pay a total of $100,000 to Connecticut, the District of Columbia and Oregon, which worked with the FTC on this matter, for violating their respective laws.

The Commission voted 3-0 to refer the complaint and stipulated final order to the Department of Justice for filing. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of Illinois.

NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated final orders have the force of law when approved and signed by the District Court judge.

The lead staff attorneys on this matter were David Walko and Ronnie Solomon of the FTC’s Bureau of Consumer Protection.

The Federal Trade Commission has launched a refund claims process for consumers who bought products from Fashion Nova, an online fashion retailer that blocked negative reviews from being posted on its website, according to an FTC action announced in January 2022.

The FTC announced in January 2022 that Fashion Nova agreed to pay $4.2 million to settle charges that the company misled consumers by representing that the reviews on its website reflected the views of all customers who submitted reviews, when in fact it suppressed reviews with ratings lower than four stars out of five. The FTC is using the money paid by Fashion Nova to provide payments to customers affected by Fashion Nova’s conduct.

Fashion Nova customers can apply for a payment from this settlement if they meet all the following criteria:

• they bought products from FashionNova.com before November 21, 2019;
• their purchase decisions were influenced by customer reviews and ratings;
• they were not satisfied with the products; and
• they have not already received a refund for the products.

The claims period will be open until August 15, 2023. Consumers can apply online at www.ftc.gov/FashionNova. Consumers who have questions about the process can call the claims administrator at 855-678-0018 or email info@FashionNovaClaims.com. The FTC will review and validate claims. Payment amounts will depend on several factors, including how many people file claims.

The Federal Trade Commission will hold a public workshop on September 7, 2023 seeking input on proposed changes to the Funeral Rule.

The Commission issued an Advance Notice of Proposed Rule Making on November 2, 2022.  The workshop will explore many of the issues raised in the notice, including whether and how funeral providers should be required to display or distribute their price information online or  through electronic means.

The workshop may cover topics such as:

• online or electronic disclosures of price information;
• new forms of disposition of human remains;
• the general price list mandated by the rule;
• the disclosures required by the rule, including the embalming disclosure;
• whether third-party crematory fees and other third-party fees should be disclosed in the general price list; and
• whether funeral providers should be required or permitted to give out general price lists in languages other than English in certain circumstances.

A detailed agenda will be published at a later date, in advance of the scheduled workshop.

The public can submit a comment on these topics until October 10, 2023. Instructions for filing comments will appear in a notice that will be published in the Federal Register soon. Those interested in participating as a panelist at the workshop can email the FTC at funeralrule@ftc.gov by June 19, 2023. If a proposed panelist or commenter is affiliated with an entity that has provided funding for research, analysis, or commentary on relevant topics, please identify such funding and its source in your comment or in your request for consideration as a speaker.

The Commission voted 3-0 to submit the notice regarding the workshop to the Federal Register.

The workshop, which is free and open to the public, will take place at the Constitution Center, 400 7^th Street SW, Washington, D.C., 20024, and will be webcast live on the FTC’s website. The agenda, directions to the Constitution Center building, and a list of speakers will be available in the future on the event webpage.

The Federal Trade Commission is sending payments totaling more than $3.3 million to customers of Passport Auto, a Washington D.C.-area auto dealer. In October 2022, the FTC charged Passport with adding hundreds, or even thousands, of dollars in illegal junk fees to car prices and for discriminating against Black and Latino consumers by charging them higher fees and financing costs.

The FTC is sending checks to more than 18,000 consumers. Recipients should cash their checks within 90 days, as indicated on the check. Consumers who have questions about their payment should contact the refund administrator, Epiq, at 877-701-3692, or visit the FTC website to view frequently asked questions about the refund process. The Commission never requires people to pay money or provide account information to get a refund.

The FTC’s suit against Passport Auto, its president, Everett Hellmuth, and its vice president, Jay Klein, charged that the defendants’ junk fees caused consumers to pay more than the advertised price or lose any discounts they had negotiated.

The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2022, Commission actions led to more than $392 million in refunds to consumers across the country.

The Federal Trade Commission was selected as president of the International Consumer Protection and Enforcement Network (ICPEN) for 2024-25 during a meeting this week in Sydney, Australia.

The FTC’s presidency will follow the presidency of Poland’s Office of Competition and Consumer Protection.

The meeting focused on exchanging experiences and identifying effective practices in combating cross-border fraud and promoting consumer protection around the world.

ICPEN is an international network of consumer protection authorities from more than 70 countries that aims to protect consumers’ economic interests around the world by sharing information and encouraging global cooperation among law enforcement agencies.

The Federal Trade Commission sued to stop a Voice over Internet Protocol (VoIP) provider, XCast Labs, Inc., that continued to funnel hundreds of millions of illegal robocalls through its network, even after receiving multiple warnings. The Department of Justice filed the complaint in the Central District of California on the FTC’s behalf.

“XCast Labs played a key role in helping telemarketers flood homes with unlawful robocalls, including robocalls impersonating the Social Security Administration,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “VoIP providers like XCast Labs that bury their heads in the sand when their customers use their services to break the law can expect to hear from the FTC.”      

XCast Labs, headquartered in Los Angeles, California, is a nationwide provider of VoIP technology, providing services that allow its customers to send and receive phone calls, including robocalls (calls that play a prerecorded message), over the Internet. Telemarketers who blast illegal robocalls typically use VoIP service providers like XCast Labs to transmit their calls.

According to the complaint, in January 2020, the FTC sent letters to a number of VoIP providers, including XCast Labs, warning them that assisting and facilitating illegal telemarketing or robocalling was against the law. The complaint also alleges that XCast Labs received dozens of “traceback” inquiries from US Telecom’s Industry Traceback Group regarding suspected illegal calls that originated on XCast Labs’ network, as well as inquiries from law enforcement agencies about transmission of suspected illegal traffic on the XCast Labs network. Even after receiving these direct warnings, the FTC alleges that XCast Labs transmitted illegal robocalls to consumers.

In addition, the FTC discovered that many of these suspect robocalls were part of organized campaigns designed to generate telemarketing leads by, for example, impersonating federal officials from the Social Security Administration. Lead generators sell the information they gather to telemarketers, who then use consumers’ information to pester them with even more unwanted, illegal calls.

The Commission vote authorizing the staff to refer the complaint to the Department of Justice for filing was 4-0, and was taken before Commissioner Christine S. Wilson left the FTC. The DOJ filed the complaint in the U.S. District Court for the Central District of California. Thomas Biesty and Frances Kern of the Bureau of Consumer Protection were the primary FTC staff on this matter.

NOTE: The Commission refers a complaint for civil penalties to the DOJ for filing when it has “reason to believe” that the named defendants are violating or are about to violate the law and that a proceeding is in the public interest. The case will be decided by the court.

Today, Federal Trade Commission Chair Lina M. Khan announced that an open meeting of the Commission will be held virtually on Thursday, May 18, 2023. The open meeting will commence at 11am ET and will begin with time for members of the public to address the Commission.

The following items will be on the tentative agenda for the May 18 Commission meeting:

Business Before the Commission

Policy Statement on Biometric Information and Section 5 of the FTC Act: The Commission will vote to issue a Policy Statement on biometric information and Section 5 of the FTC Act. The Policy Statement will list examples of some of the practices the Commission will scrutinize in determining whether companies collecting and/or using or marketing biometric information technologies are complying with Section 5 of the FTC Act.

Notice of Proposed Rulemaking to Amend the Health Breach Notification Rule: The Commission will vote to issue a Notice of Proposed Rulemaking to amend the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers of the breach of their unsecured identifiable health information. The proposed amendments would help clarify technologies and entities covered by the Rule, facilitate greater electronic breach notices to consumers, and expand the required content of the notices, among other changes.

At the start of the meeting, Chair Khan will offer brief remarks and will then invite members of the public to share feedback on the Commission’s work generally and bring relevant matters to the Commission’s attention. Members of the public must sign up for an opportunity to address the Commission virtually at the May 18 event.

Each commenter will be given two minutes to share their comments. Those who cannot participate during the event may submit written comments or a link to a prerecorded video through a webform. Speaker registration and comment submission will be available through Tuesday, May 16, 2023 at 8 pm ET.

The FTC’s public meeting agendas will be posted on the Commission’s website at least seven days prior to the Commission’s next monthly meeting. A link to the event will be available on the day of the event, shortly before the meeting starts via FTC.gov. The event will be recorded, and the webcast and any related comments will be available on the Commission’s website after the meeting. The Commission retains discretion to make public comments available following the event on ftc.gov.