Early 2023 FTC Consumer Protection Enforcement Matters of Interest to Digital Marketers

February 2023 has been a busy couple of months at the Federal Trade Commission.  High-profile consumer protection actions and announcements span a broad spectrum of digital advertising and marketing.  From “review hijacking, health product-related claim substantiation issues and lead generation, to the first Health Breach Notification Rule case and a reminder that willful blindness is not a defense for service providers that turn a blind-eye to third-party conduct.  The FTC also announced a new office to keep pace with digital marketplace developments, and issues a Criminal Liaison Unit Report.

First Law Enforcement Action “Review Hijacking”

According to the Commission, a marketer of vitamins and other supplements, called The Bountiful Company, abused a feature of Amazon.com to mislead consumers into thinking that its newly introduced supplements had more product ratings and reviews, higher average ratings, and “#1 Best Seller” and “Amazon’s Choice” badges.  The agency alleges that Bountiful carried out this tactic by merging its new products on Amazon with different well-established products that had more ratings, reviews, and badges.

“Boosting your products by hijacking another product’s ratings or reviews is a relatively new tactic, but is still plain old false advertising,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.  “The Bountiful Company is paying back $600,000 for manipulating product pages and deceiving consumers.”

Bountiful, based in Bohemia, New York, manufactures vitamin, mineral, and other nutritional supplements.  Its brands include Nature’s Bounty and Sundown.  As alleged by the FTC, Bountiful sells its supplements to Amazon, which then sells them to consumers on Amazon.com.

According to the FTC, Bountiful took advantage of an Amazon feature that allows vendors to create or request the creation of “variation” relationships between some products that are similar but differ only in narrow, specific ways – such as color, size, quantity, or flavor.  Products with a variation relationship share the same product detail page on Amazon.com and appear as alternative choices, so shoppers can compare and choose among similar products.

The product detail page of products that are in a variation relationship displays the total number of ratings, the average star rating and the reviews for all of the products in the variation relationship, the FTC said in its complaint.  They also share any “#1 Best Seller” or “Amazon’s Choice” badges.

According to the FTC’s complaint, during 2020 and 2021, Bountiful asked Amazon to create numerous variation relationships for its supplement products with different formulations. The FTC alleges that in one internal Bountiful communication, the company created variations with some new products “to try and ramp them faster as they were NOT selling and we wanted to give them a little boost in R[atings]&R[eviews] to gain visibility and allow them to also borrow the ‘amazon choice’ badge and best seller badge which worked.”

For example, the FTC alleges that in March 2020, the company began selling two new products: Nature’s Bounty Stress Comfort Mood Booster and Nature’s Bounty Stress Comfort Peace of Mind Stress Relief Gummies.  It purportedly requested that Amazon combine the new products in a variation relationship with three of its established products, all with different formulations. “Unfortunately people d[id] not love the [Stress Comfort] product[s],” but sales “spiked the second we variated the pages and they continue to grow,” according to one internal company email the FTC alleges.

The FTC’s complaint alleges that by manipulating product pages, Bountiful misrepresented the reviews, the number of Amazon reviews and the average star ratings of some products, and that some of them were number one best sellers or had earned an Amazon Choice badge.

In addition to requiring that Bountiful pay $600,000 as monetary relief for consumers, the proposed order prohibits Bountiful from making similar types of misrepresentations and bars the company from creating a variation relationship – or using other deceptive review tactics – that distort what consumers think about its products or services.

“Review hijacking,” in which a marketer steals or repurposes reviews of another product, is one of the practices involving reviews on which the Commission sought comment in October 2022 when it announced an advance notice of proposed rulemaking.

The case falls within the purview of and is consistent with the agency’s commitment to policing bogus reviews and misleading testimonials.  Not only is the FTC currently seeking to promulgate rules that come with big civil penalties for such conduct, it has also recently blanketed the digital advertising industry with warning letters.  While the method by which Bountiful allegedly violated FTC legal regulations and/or guidelines may be novel, the regulatory enforcement theory is consistent with agency current agency policy.

FTC Order to Bar Marketer from Making Alleged Deceptive Health Marketing Claims

In early February, the Federal Trade Commission announced an order settling a 2020 federal lawsuit against defendants ZyCal Bioceuticals Healthcare Company, Inc. and its president, that charged them with deceptively claiming that their products grow bone and cartilage and relieve joint pain.

The FTC’s February 2020 complaint alleged the ZyCal defendants marketed oral products containing the ingredient Cyplexinol, which they touted was a stem cell activator that could grow bone and cartilage in users and relieve joint pain, including for people with osteoporosis and osteoarthritis.  The FTC further alleged that they also claimed that these health benefits were clinically or scientifically proven.  The ZyCal defendants marketed Cyplexinol products directly to consumers under the brand name Ostinol, and indirectly through health practitioners and third-party distributors.

The complaint further alleged that the ZyCal defendants supplied a company, Excellent Marketing Results, Inc. (EMR), with the means and instrumentalities to deceptively market a copycat Cyplexinol product called StimTein.  While the Commission announced a settlement with the EMR defendants when the complaint was announced in early 2020, litigation continued against the ZyCal defendants.  The consent order announced in early February resolved the agency’s complaint against ZyCal and Scaffidi.

“The Commission sued these defendants to halt bogus claims that their products grow bone and cartilage and relieve joint pain,” said the FTC.  “This settlement is an important reminder that health-related advertising claims require rigorous substantiation in the form of competent and reliable scientific evidence …”

The settlement bars the ZyCal defendants from making bone and cartilage growth and joint pain claims for any food, drug, or dietary supplement, unless they are not misleading and are substantiated by competent and reliable scientific evidence, including randomized clinical trials. It also prohibits them from making other health benefit claims for the same products unless they are supported by reliable scientific evidence.

Finally, the order prohibits the defendants from misrepresenting that bone and cartilage growth claims, pain claims, and related claims are clinically or scientifically proven; from misrepresenting the existence, contents, or results of any scientific test or study; and from providing anyone else with the means to make false or misleading statements.  ZyCal was also required to send a notice of the settlement with the FTC to a number of consumers, health practitioners, and other purchasers who bought Cyplexinol products from the company on or after January 1, 2018.

In December 2022, the FTC Announced new guidance for marketers and sellers of health products.  The Guidance is the agency’s first revision in this area in nearly 25 years.  It represents a substantial update to the staff’s 1998 guide, Dietary Supplements: An Advertising Guide For Industry.  Since that guide was issued, the FTC has brought more than 200 cases challenging false or misleading advertising claims for dietary supplements, foods, over-the-counter drugs, and other health-related products.

There are major revisions in the new Guidance.

For example, the guidance covering dietary supplements has been extended to all health-related products.  It also reflects updates to other FTC guidance documents, including the guidance on endorsements and testimonials and the enforcement policy statement on homeopathic drugs.  The Guidance also includes a much more detailed discussion of the amount and type of evidence needed to substantiate health-related claims, with more emphasis on the fact that the FTC, as a general rule, expects high quality randomized, controlled human clinical trials.

HomeAdvisor to Pay up to $7.2 Million for Alleged Deceptive Marketing of Home Improvement Project Leads

In January, the FTC announced that it had issued a proposed order requiring Denver-based HomeAdvisor, Inc. – a company affiliated with Angi, formerly known as “Angie’s List” – to pay up to $7.2 million for allegedly using a wide range of deceptive and misleading tactics in selling home improvement project leads to service providers, including small businesses operating in the “gig” economy.

The administrative order also bars HomeAdvisor from the purported conduct detailed in the Commission’s complaint, which allegedly occurred over many years, and sets up two redress funds to provide money to defrauded service providers.  The administrative order will be subject to public comment after which the Commission will decide whether to make the order final.

“Today’s order requires HomeAdvisor to refund home service providers millions of dollars and stop misleading them about the quality of its leads,” said Mr. Levine.  “Even as the nature of work and the economy change, the FTC will continue to combat dishonest commercial practices aimed at consumers, workers, and small businesses.”

This action was the first announced since the Commission issued its Policy Statement on Enforcement Related to Gig Work, which committed the agency to rooting out unfair, deceptive, or anticompetitive practices in the gig economy.  It builds on other efforts to protect gig workers and small businesses, including the Commission’s Notice of Penalty Offenses on Money-Making Opportunities, and ANPR on Earnings Claims.

HomeAdvisor, which also does business as Angi Leads and HomeAdvisor Powered by Angi, recruits service providers, such as general contractors and lawn care businesses, to join the company’s network.  Once service providers join the network, HomeAdvisor sells them leads, which the service providers use to contact potential customers for home repair and maintenance projects.

According to the FTC, service providers that join HomeAdvisor’s network generally pay an annual membership fee, in addition to a separate fee for each lead they receive.  As part of their HomeAdvisor membership package, the FTC alleges, many service providers have also paid additional funds for an optional one-month subscription to a software service to assist with scheduling appointments and processing payments.

The FTC’s March 2022 administrative complaint against HomeAdvisor charged that since at least mid-2014 it has made false, misleading, or unsubstantiated claims about the quality and source of the leads the company sells to service providers that are in search of potential customers.  For example, the complaint alleged that, while HomeAdvisor has represented that service providers only will receive leads matching the types of services they provide and their preferred geographic area, many of them do not.

The complaint also alleged that HomeAdvisor often tells service providers that its leads result in jobs at rates much higher than it can substantiate.  Finally, the complaint alleged that HomeAdvisor’s sales agents misrepresented that the optional one-month subscription was free.

In addition to requiring that HomeAdvisor pay up to $7.2 million for redress, the proposed order prohibits the company from making any false or misleading claims regarding its leads, including that they concern individuals who are ready to hire a service provider or who submitted a request for home services directly to HomeAdvisor.  It also bars HomeAdvisor from misrepresenting its products as free when they are not, or making unsubstantiated claims about the rate at which its leads convert into paying jobs.

The redress program included in the order would administer two separate funds.  The first to  service providers allegedly affected by HomeAdvisor’s misrepresentations about its lead quality, and the second to service providers allegedly told that the first month of the subscription was free.

First Enforcement Action Under the Health Breach Notification Rule

The Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification Rule against the telehealth and prescription drug discount provider GoodRx Holdings Inc., for allegedly failing to notify consumers and others of its purported unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies.

In a first-of-its-kind proposed order, filed by the Department of Justice on behalf of the FTC, GoodRx will be prohibited from sharing user health data with applicable third-parties for advertising purposes, and has agreed to pay a $1.5 million civil penalty for violating the rule. The proposed order must be approved by the federal court to go into effect.

“Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information,” said the FTC.  Data misuse and exploitation is an FTC investigation and enforcement favorite.

California-based GoodRx operates a digital health platform that offers prescription drug discounts, telehealth visits, and other health services.  The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon, the FTC alleges.  According to the Commission, since January 2017, more than 55 million consumers visited or used GoodRx’s website or mobile apps.

According to the FTC’s complaint, GoodRx violated the FTC Act by sharing sensitive personal health information for years with advertising companies and platforms—contrary to its privacy promises—and failed to report these unauthorized disclosures as required by the Health Breach Notification Rule.

Specifically, the FTC said GoodRx:

• Shared Personal Health Information with Facebook, Google, Criteo, and Others: Since at least 2017, GoodRx deceptively promised its users that it would never share personal health information with advertisers or other third-parties.  GoodRx repeatedly violated this promise by sharing sensitive personal health information—including its users’ prescription medications and personal health conditions—with third-party advertising companies and advertising platforms like Facebook, Google, and Criteo, and other third parties like Branch and Twilio.

• Used Personal Health Information to Target its Users with Ads: GoodRx monetized its users’ personal health information, and used data it shared with Facebook to target GoodRx’s own users with personalized health- and medication-specific advertisements on Facebook and Instagram.  For example, in August 2019, GoodRx compiled lists of its users who had purchased particular medications such as those used to treat heart disease and blood pressure, and uploaded their email addresses, phone numbers, and mobile advertising IDs to Facebook so it could identify their profiles.  GoodRx then used that information to target these users with health-related advertisements.

• Failed to Limit Third-Party Use of Personal Health Information: GoodRx allowed third-parties it shared data with to use that information for their own internal purposes, including for research and development or to improve advertising.  It also falsely claimed that it complied with the Digital Advertising Alliance principles, which require companies to get consent before using health information for advertising.

• Misrepresented its HIPAA Compliance: GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.

• Failed to Implement Policies to Protect Personal Health Information: GoodRx failed to maintain sufficient policies or procedures to protect its users’ personal health information.  Until a consumer watchdog publicly revealed GoodRx’s actions in February 2020, GoodRx had no sufficient formal, written, or standard privacy or data sharing policies or compliance programs in place.

According to the FTC complaint, as a vendor of personal health records, GoodRx is subject to the Rule.  The FTC said that GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history.

The FTC alleges that GoodRx violated the Health Breach Notification Rule by failing to notify consumers, the FTC, and the media about the company’s unauthorized disclosure of individually identifiable health information to Facebook, Google, Criteo, Branch, and Twilio.

The FTC issued a policy statement in September 2021 warning health apps and others that collect or use consumers’ health information that they must comply with the Health Breach Notification Rule.

In addition to the $1.5 million penalty for violating the rule, the proposed federal court order also prohibits GoodRx from engaging in the deceptive practices outlined in the complaint and requires the company to comply with the Health Breach Notification Rule.

To remedy the FTC’s numerous allegations, other provisions of the proposed order against GoodRx also:

• Prohibit the sharing of health data for ads: GoodRx will be permanently prohibited from disclosing user health information with applicable third-parties for advertising purposes.

• Require user consent for any other sharing: The company must obtain users’ affirmative express consent before disclosing user health information with applicable third-parties for other purposes.  The order requires the company to “clearly and conspicuously” detail the categories of health information that it will disclose to third-parties and prohibits the company from using manipulative designs, known as “dark patterns,” to obtain users’ consent to share the information.

• Require company to seek deletion of data: The company must direct third-parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action against the company.

• Limit Retention of Data: GoodRx will be required to limit how long it can retain personal and health information according to a data retention schedule.  It also must publicly post a retention schedule and detail the information it collects, and why such data collection is necessary.

• Implement Mandated Privacy Program: It must put in place a comprehensive privacy program that includes strong safeguards to protect consumer data.

More information on compliance and reporting breaches under the Health Breach Notification Rule are available at the FTC’s Health Privacy page.

Commissioner Christine S. Wilson issued a concurring statement.

Another Example of Regulatory Enforcement Against a Service Provider That Allegedly Turned a Blind Eye to Third-Party Wrongdoing

More than $115 million in refunds are being sent to consumers nationwide as a result of a 2018 action the Federal Trade Commission and the U.S. Department of Justice initiated against MoneyGram for allegedly failing to crack down on scammers using their payment system.

The 2018 action charged that MoneyGram violated an FTC settlement from 2009, along with a 2012 DOJ agreement in which the company agreed to take proactive steps to reduce scammers’ ability to use their payment system to receive money from consumers.

The matter reminds businesses that facilitate fraud and ignore FTC orders should expect to face similar consequences.

“This distribution of $115.8 million to nearly 40,000 victims—each of whom is being fully compensated for their losses—demonstrates the Department of Justice’s continued commitment to making victims whole,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.  “This is an example of how the Department will use every tool at its disposal, including in corporate criminal matters, to provide justice to victims.”

In the 2009 settlement with the FTC, MoneyGram agreed to put in place a fraud prevention program which, among other things, required the company to promptly investigate, restrict, suspend, and terminate high-fraud agents.  The FTC charged that MoneyGram was aware of continued fraud on their payment network after the settlement, turning a blind eye for years to numerous instances of suspicious payment activity by the company’s agents.

The FTC’s New Office of Technology

The FTC has announced the launch of a new Office of Technology that is intended to strengthen the FTC’s ability to keep pace with technological challenges in the digital marketplace by supporting the agency’s law enforcement and policy work.

The new office will:

• Strengthen and support law enforcement investigations and actions: The office will support FTC investigations into business practices and the technologies underlying them. This includes helping to develop appropriate investigative techniques, assisting in the review and analysis of data and documents received in investigations, and aiding in the creation of effective remedies.
• Advise and engage with staff and the Commission on policy and research initiatives: The office will work with FTC staff and the Commission to provide technological expertise on non-enforcement actions including studies, reports, requests for information, policy statements, congressional briefings, and other initiatives.
• Highlight market trends and emerging technologies that impact the FTC’s work: The office will engage with the public and external stakeholders through workshops, research conferences, and consultations and highlight key trends and best practices.

The creation of the Office of Technology builds on the FTC’s efforts over the years to expand its in-house technological expertise, and it brings the agency in line with other leading antitrust and consumer protection enforcers around the world.

In 2023, the Office is intended to better equip the agency to approach current and future tech threats by building a team of technologists with deep expertise across a range of specialized fields, including data security, software engineering, data science, digital markets, artificial intelligence, machine learning and human-computer interaction design.  This centralized team will be led by the agency’s Chief Technology Officer.

The Office of Technology’s top priority is to work with staff and leadership across the agency to strengthen and support the agency on enforcement investigations and litigated cases.

The FTC has also made clear that it intends to keep a finger on the pulse of business model change, like shifts in digital advertising ecosystems, to help the FTC understand the implications on privacy, competition and consumer protection.

FTC BCP Issues Criminal Liaison Unit Report Detailing Efforts to Ensure Wrongdoers Face Accountability

The Criminal Liaison Unit of the Federal Trade Commission’s Bureau of Consumer Protection (BCP CLU) has issued its 2022 Criminal Liaison Unit Report, describing the history of the BCP CLU, its program operations and major accomplishments over the past five years.  In an effort to ensure criminal prosecution of appropriate consumer fraud cases, the BCP CLU refers cases to partner agencies with criminal jurisdiction, including U.S. Attorney’s Offices across the county, Divisions of the Department of Justice (DOJ) and others.

“For the worst individual and corporate wrongdoers, civil remedies may not be sufficient to protect the public from further harm,” said Mr. Levine.  “Government works best when agencies work together toward a common goal, and we are proud that our partnership with criminal enforcers leads to justice for bad actors and a safer marketplace for us all.”

The FTC, which is not authorized to bring criminal law enforcement actions, established the BCP CLU in 2002 to bring the “worst of the worst” offenders to the attention of prosecutors.  As it grew, the BCP CLU worked to establish relationships with prosecutors and educate them about the Commission’s consumer fraud and deception cases.  Success in initial cases proved that criminal consumer protection cases were not only viable but could result in substantial prison sentences.

Over the past five years, the report notes, BCP CLU referrals have led to criminal charges against 107 new defendants, 145 total convictions, and 181 defendants sentenced for consumer fraud.  The total sentence time for all defendants was 746 years, with the average sentence being 51 months (approximately 4.3 years) of incarceration.

As the BCP CLU has grown over the past 20 years, the program has worked to address prosecutors’ concerns by communicating regularly to understand their priorities and to strategically refer cases most likely to be attractive to them, according to the report.  The result has been an established reputation for presenting prosecutors with solid cases that will make the most of their limited time.

In 2021, because of the importance of this work as well as BCP CLU’s success to date, the Commission issued a Statement Regarding Criminal Referral and Partnership Process, where the agency recommitted itself to a robust program of criminal referrals across both its competition and consumer protection missions.

More information about the BCP CLU can be found here on the FTC’s website.

Richard B. Newman is a digital advertising, internet law, and regulatory compliance and defense attorney at Hinch Newman LLP.  

Informational purposes only. Not legal advice. May be considered attorney advertising.