A comprehensive review of recent Federal Trade Commission (FTC or Commission) consumer protection actions shows that the FTC continues to be one of Washington’s most aggressive regulators. While the number of enforcement actions at many major federal agencies decreased significantly during the Trump administration, enforcement activity at the Commission held steady. While we expect the FTC to continue at a similar pace in 2019, significant recent leadership changes at the Commission have created some degree of uncertainty. Specifically, all five of the FTC’s current commissioners assumed their positions in 2018. Given this unprecedented level of turnover at the top, companies should closely monitor the FTC’s consumer protection enforcement efforts to see what issues and industries are of particular interest to the new commissioners.
Although these leadership changes may influence FTC direction, it is likely that the FTC will continue to focus on the practices underlying the agency’s top consumer complaints, such as improper debt collection practices, identity theft, imposter scams and unwanted robocalls. The FTC is also likely to continue to focus on practices that harm vulnerable populations, such as the elderly, students and military families.
In terms of specific industries or markets subject to FTC scrutiny, we expect the Commission will continue to focus its enforcement efforts in the following five industries: financial services, web services and emerging technologies, data security and consumer privacy, telecommunications, and health care. Of the 186 consumer protection actions initiated or resolved by the FTC in 2017 and 2018, 163 actions (88 percent) involved one of these five industries.1
Recent enforcement activity and indicators of expected future activity in each of these areas are summarized below.
Financial Services. The financial services industry in particular faced significant FTC scrutiny, with the Commission pursuing the most consumer protection actions in this industry and obtaining among the highest monetary judgments. The Commission initiated or resolved approximately 41 actions in 2017 and 2018 involving products and services such as loan lead generation, debt collection and relief, payment processing, and vehicle financing. Many of these actions alleged violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. Monetary judgments in resolved cases ranged from approximately $127,000 to $586 million. (In many cases involving financial services, as well as in other industries, some portion of the judgment was suspended due to inability to pay and other factors.)
The FTC has struggled to position itself in the financial services industry given the Consumer Financial Protection Bureau’s (CFPB) strong presence and enhanced enforcement powers. The FTC and CFPB share concurrent jurisdiction over many nonbank financial services companies under various consumer financial protection statutes and regulations. But we expect the FTC to distinguish itself in three key ways going forward, based on our review of recent enforcement actions and public comments from Thomas B. Pahl, who was acting director of the FTC’s Bureau of Consumer Protection until April 2018:
- by targeting fraudulent financial practices, including those in the FTC’s traditional wheelhouse (such as debt collection, debt relief and payday lending), in addition to entities “that support the ecosystem of fraud” (such as money-transfer companies, payment processors and loan lead generators);2
- by pursuing enforcement actions in part based on whether the FTC is the “main federal agency enforcer” (such as under Section 5 of the FTC Act,) and where the FTC has significant enforcement expertise (such as the debt collection and debt relief industries);3 and
- by avoiding pursuing enforcement actions against “larger participants” (based on annual receipts) in certain industries, such as debt collection, where the CFPB can subject such entities to supervision and examination in addition to enforcement actions.4
Web Services and Emerging Technologies. We expect the FTC to continue to position itself as a leader in overseeing web services and emerging technologies. The Commission initiated or resolved approximately 29 actions in this space in 2017 and 2018. Common allegations included that companies made false promises to consumers regarding income they could earn through online businesses and services, operated copycat government websites to obtain consumer data or fees, and misrepresented the legitimacy of online “high school” programs. Monetary judgments in resolved actions ranged from approximately $15,000 to over $318 million.
We expect the FTC to continue to focus on online scams as well as deceptive practices in online advertising and business opportunities that make false earnings claims. The Commission has been particularly focused on consumer confusion in online advertising through the “blending” of advertising with news, entertainment or editorial content. While the FTC will pursue such deceptive advertising across industries, the practice appears to be particularly prevalent in the marketing of web services. We also expect the FTC to focus on fraud in emerging technologies, such as cryptocurrency.
The FTC also is expected to investigate and take enforcement actions against internet service providers (ISP) regarding their broadband services in light of the Federal Communication Commission’s (FCC) Restoring Internet Freedom Order.5 The order — which controversially rolled back the FCC’s net neutrality rules — returns jurisdiction to the FTC to regulate the conduct of ISPs, which the FCC had previously classified as common carriers. The FTC has stated that it will “monitor consumer complaints about ISPs, and will take appropriate action against deceptive ISP advertising or other unfair or deceptive ISP practices.”6
Data Security and Consumer Privacy. The FTC initiated or resolved approximately 29 data security or consumer privacy actions in 2017 and 2018. Common allegations included that companies provided false virus or malware warnings, collected data without consumer knowledge or consent, and failed to take steps to address well-known and preventable security flaws. The Commission also targeted companies that falsely claimed to be certified under certain privacy certification protocols, such as the EU-U.S. Privacy Shield, which allows companies to transfer consumer data from the European Union to the United States. Monetary judgments in resolved cases ranged from approximately $35,000 to over $27 million.
We expect the FTC to continue to investigate privacy practices and data breaches at high-profile companies.7 However, in addition to addressing data security and consumer privacy through its enforcement authority, we also expect the Commission to continue to address these issues through regulatory and education initiatives. Indeed, in a recent comment to the Department of Commerce, the FTC argued that it should “continue to be the primary enforcer of laws related to information flows in markets, whether under the existing privacy and security framework or under a new framework.”8 The FTC also has called for data security and breach notification legislation and federal privacy legislation. In recent testimony, however, the FTC noted that its “deterrent capability” in this area was limited by the lack of civil penalties under Section 5 of the FTC Act.9 The testimony noted as well that the FTC lacks “authority over non-profits and over common carrier activity, even though the acts or practices of these market participants often have serious implications for consumer privacy and data security.” Finally, the testimony noted that the Commission lacks authority to issue implementing rules for privacy and data security generally.10 We expect the FTC to continue to lobby Congress for expanded authority with respect to privacy and data security, and for federal data security/breach notification and privacy legislation enforced by the Commission.
We also expect the FTC to continue to dedicate substantial efforts to gathering information from stakeholders regarding consumer privacy and data security issues. The FTC is holding ongoing hearings on “Competition and Consumer Protection in the 21st Century” and, in June 2019, the Commission will host its fourth annual PrivacyCon, an FTC conference of privacy and security experts where FTC staff can learn about recent research in the field. Identity theft is also likely to remain an important topic for the FTC, given that the issue has ranked among the top consumer complaints in recent years.
Telecommunications. In 2017 and 2018, the FTC initiated or resolved approximately 35 telemarketing actions. In recent congressional testimony, the FTC noted that consumers’ top complaint was illegal telemarketing robocalls, which are calls delivering a prerecorded message.11 The FTC also has pursued companies that allegedly made false impersonations of the government and emergency responders or engaged in illegal tactics to persuade consumers to pay for unordered merchandise or promote financial services. Monetary judgments in resolved cases ranged from approximately $105,000 to over $280 million.
We expect the FTC to continue to dedicate substantial enforcement and other resources to address unwanted robocalls as well as other telecommunications scams and practices that violate the Telemarketing Sales Rule. We also expect the FTC to continue to both partner with the FCC on initiatives in this area and lobby to eliminate the common carrier exemption under the FTC Act.
Health Care. The FTC initiated or resolved approximately 29 enforcement actions against health care companies in 2017 and 2018. The Commission was particularly concerned with addressing false or unsubstantiated health claims in connection with various products and services, such as treatments for serious illnesses and personal care products. Monetary judgments in resolved cases ranged from approximately $120,000 to $179 million.
We expect the FTC to continue to address deceptive advertising in health care and other industries, including in new formats and new media such as apps, games, videos and social networks. We also expect the FTC to continue to scrutinize “false and unsubstantiated health claims, including those targeting older consumers, consumers affected by the opioid crisis, and consumers with serious medical conditions.”12
1 Identified based on a review of enforcement actions on the FTC’s website that were initiated or resolved in 2017 or 2018.
2 Thomas B. Pahl, “The Future of Financial Services Enforcement at the FTC,” Business Law Today, AM. BAR ASS’N (September 2017).
5 Press Release, Fed. Trade Comm’n, FTC, FCC Outline Agreement to Coordinate Online Consumer Protection Efforts Following Adoption of the Restoring Internet Freedom Order (Dec. 11, 2017) (on file with Fed. Trade Comm’n).
7 See, e.g., Press Release, Fed. Trade Comm’n, Statement by the Acting Director of FTC’s Bureau of Consumer Protection Regarding Reported Concerns About Facebook Privacy Practices (Mar. 26, 2018) (on file with Fed. Trade Comm’n).
8 Developing the Administration’s Approach to Consumer Privacy, Before the National Telecommunications & Information Administration at 18 (Fed. Trade Comm’n Nov. 9, 2018).
9 Prepared Statement, Fed. Trade Comm’n, Prepared Statement of the Federal Trade Commission: Oversight of the Federal Trade Commission at 7 (Nov. 27, 2018) (on file with Fed. Trade Comm’n) [hereinafter “November 27, 2018, FTC Prepared Statement”].
11 November 27, 2018, FTC Prepared Statement, supra note 9, at 14.
12 Id. at 9.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.