{ "generated_at": "2026-03-02T19:55:39.896Z", "total_patterns": 13, "total_cases_categorized": 284, "patterns": [ { "id": "credit-reporting-violations", "name": "Credit Reporting Violations", "description": "FCRA violations, inaccurate credit reporting, failing to investigate disputes", "case_count": 40, "year_range": [ 1997, 2026 ], "most_recent_year": 2026, "most_recent_date": "2026-01-15", "enforcement_topics": [ "FCRA", "GLBA", "Section 5 Only", "TSR" ], "cases": [ { "case_id": "08.97_bruno_s", "company_name": "Bruno's Inc.", "date_issued": "1997-08-15", "year": 1997, "takeaway_brief": "Bruno's Inc. denied job applicants based on consumer reports without notifying them that such information contributed to the adverse employment decision.", "docket_number": "C-3760", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/962-3086-brunos-inc-matter", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "09.97_aldi", "company_name": "ALDI INC.", "date_issued": "1997-09-15", "year": 1997, "takeaway_brief": "ALDI denied job applicants based on consumer reports without notifying them that such information factored into the adverse employment decision.", "docket_number": "C-3764", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/962-3064-aldi-inc-matter", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "08.99_first_american_real_estate_solutions_ll", "company_name": "First American Real Estate Solutions, LLC", "date_issued": "1999-08-15", "year": 1999, "takeaway_brief": "First American CREDCO routinely refused to reinvestigate disputed errors in merged credit reports, redirecting consumers to source repositories instead.", "docket_number": "DOCKET NO.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/952-3267-first-american-real-estate-solutions-ll", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "02.07_consumerinfo.com._dba_experian_consumer_direct_qspace_and_iplace", "company_name": "Consumerinfo.com, Inc.", "date_issued": "2007-02-15", "year": 2007, "takeaway_brief": "Consumerinfo.com advertised 'free' credit reports but secretly enrolled consumers in a paid subscription service charged to the credit card they provided.", "docket_number": "CV SAC 05-801 MS", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3263-consumerinfocom-inc-dba-experian-consumer-direct-qspace-inc-iplace-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "02.08_ingenix", "company_name": "Ingenix, Inc.", "date_issued": "2008-02-15", "year": 2008, "takeaway_brief": "Ingenix sold individual medical profiles — constituting consumer reports — to insurers without providing the legally required FCRA notice to those users.", "docket_number": "C-4214", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3190-ingenix-inc-matter", "statutory_topics": [ "FCRA" ], "categories": [ "Health Data", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "02.08_milliman", "company_name": "Milliman, Inc.", "date_issued": "2008-02-15", "year": 2008, "takeaway_brief": "Milliman sold individual medical profiles to insurers for underwriting without providing the legally required FCRA notice to those insurer users.", "docket_number": "C-4213", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3189-milliman-inc-matter", "statutory_topics": [ "FCRA" ], "categories": [ "Health Data", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "takeaway_brief": "Premier Capital Lending gave an unsecured third party login credentials to pull consumer credit reports and failed to monitor or audit use of that access.", "docket_number": "C-4241", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "07.09_united_states_of_america_plaintiff_v._talx_corporation_defendant", "company_name": "TALX Corporation", "date_issued": "2009-07-15", "year": 2009, "takeaway_brief": "TALX Corporation, a nationwide employment data reporting agency, failed for years to provide legally required notices to data furnishers and report users.", "docket_number": "Civil Action No.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3173-united-states-america-federal-trade-commission-plaintiff-v-talx-corporation-defendant", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "08.09_metropolitan_home_mortgage_also_dba_wholesale_home_lenders", "company_name": "Metropolitan Home Mortgage, Inc.", "date_issued": "2009-08-15", "year": 2009, "takeaway_brief": "Metropolitan Home Mortgage sent prescreened mortgage solicitations that lacked properly formatted opt-out notices as required by the FCRA and the Prescreen Rule.", "docket_number": "Civil Action No. 8:09-cv-00936-DOC(RNB)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/metropolitan-home-mortgage-inc-also-dba-wholesale-home-lenders", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "08.09_united_states_of_america_plaintiff_v._quality_terminal_services_a_limited_liability_company_defendants", "company_name": "Quality Terminal Services, LLC", "date_issued": "2009-08-15", "year": 2009, "takeaway_brief": "Quality Terminal Services denied jobs to applicants based on background check results without providing the legally required pre- and post-adverse action notices.", "docket_number": "09-cv-01853-CMA-BNB", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3022-united-states-america-federal-trade-commission-plaintiff-v-quality-terminal-services-llc-limited", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "03.10_direct_marketing_associates_corp._et_al._usa", "company_name": "Direct Marketing Associates, Corp.", "date_issued": "2010-03-15", "year": 2010, "takeaway_brief": "Direct Marketing Associates mailed fake pre-approved auto financing solicitations using consumer credit data it obtained from credit bureaus under false pretenses.", "docket_number": "CV 10-0696-PHX-LOA", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3002-direct-marketing-associates-corp-et-al-usa", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "04.10_united_states_of_america_v._central_credit", "company_name": "Central Credit, LLC", "date_issued": "2010-04-15", "year": 2010, "takeaway_brief": "Central Credit, a consumer reporting agency, failed to provide legally required notices to furnishers, users, and consumers and lacked a compliant process for free annual file disclosures.", "docket_number": "2:10-cv-00565", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3106-united-states-america-v-central-credit-llc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "06.11_teletrack", "company_name": "TELETRACK, INC.", "date_issued": "2011-06-15", "year": 2011, "takeaway_brief": "Teletrack sold consumer credit inquiry data to third-party marketers as mailing lists without a permissible purpose under the Fair Credit Reporting Act.", "docket_number": "1 11-CV-2060", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3075-teletrack-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "08.11_acranet", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "takeaway_brief": "ACRAnet, a credit reporting agency, failed to implement basic security safeguards for its clients, allowing hackers to access sensitive consumer credit reports through clients' unprotected networks.", "docket_number": "C-4331", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "statutory_topics": [ "FCRA", "GLBA" ], "categories": [ "Data Security", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "takeaway_brief": "Statewide Credit Services sold sensitive credit reports to clients without verifying their security posture, enabling repeated hacker breaches of client networks.", "docket_number": "C-4332", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "statutory_topics": [ "FCRA", "GLBA" ], "categories": [ "Data Security", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "08.11_settlementone_credit_corporation", "company_name": "SettlementOne Credit Corporation", "date_issued": "2011-08-15", "year": 2011, "takeaway_brief": "SettlementOne Credit allowed client mortgage brokers without verified security to access sensitive consumer credit reports, enabling hackers to breach multiple client networks.", "docket_number": "C-4330", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3208-settlementone-credit-corporation", "statutory_topics": [ "FCRA", "GLBA" ], "categories": [ "Data Security", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "01.12_asset_acceptance", "company_name": "Asset Acceptance, LLC", "date_issued": "2012-01-15", "year": 2012, "takeaway_brief": "Asset Acceptance pursued consumers for debts without adequate verification, failed to disclose statute-of-limitations issues, and furnished inaccurate information to credit bureaus.", "docket_number": "8:12-cv-00182-JDW-EAJ", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3133-asset-acceptance-llc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "06.12_spokeo", "company_name": "Spokeo, Inc.", "date_issued": "2012-06-15", "year": 2012, "takeaway_brief": "Spokeo marketed detailed consumer profiles for employment decisions while operating as an unregistered consumer reporting agency without any FCRA compliance procedures.", "docket_number": "C-12-cv-05001-MMM-SH (Case No. 2:12-cv-05001-MMM-SH)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023163-spokeo-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "08.12_hireright_solutions", "company_name": "HireRight Solutions, Inc.", "date_issued": "2012-08-15", "year": 2012, "takeaway_brief": "HireRight systematically failed to ensure accuracy of background screening reports, denied consumers access to their own files, and refused to properly reinvestigate disputes.", "docket_number": "12-1313", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-313-hireright-solutions-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "05.13_filiquarian_publishing_choice_level_and_joshua_linsk", "company_name": "Filiquarian Publishing, LLC", "date_issued": "2013-05-15", "year": 2013, "takeaway_brief": "Filiquarian marketed mobile apps for employment background checks while operating as a consumer reporting agency without implementing any required FCRA procedures.", "docket_number": "C-4401", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3195-filiquarian-publishing-llc-choice-level-llc-joshua-linsk-matter", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "08.13_certegy_check_services", "company_name": "Certegy Check Services, Inc.", "date_issued": "2013-08-15", "year": 2013, "takeaway_brief": "Certegy Check Services failed to maintain accurate consumer report information, required consumers to conduct their own reinvestigations, and lacked adequate dispute handling processes.", "docket_number": "C-4701", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3184-certegy-check-services-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "01.14_telecheck_services", "company_name": "TeleCheck Services, Inc.", "date_issued": "2014-01-15", "year": 2014, "takeaway_brief": "TeleCheck failed to properly reinvestigate disputed consumer information and did not maintain reasonable accuracy procedures, while its affiliate TRS lacked required written data furnisher policies.", "docket_number": "14cv00062", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3183-telecheck-services-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "04.14_infotrack_information_services", "company_name": "InfoTrack Information Services, Inc.", "date_issued": "2014-04-15", "year": 2014, "takeaway_brief": "InfoTrack provided inaccurate background check reports with unreliable sex offender data and failed to provide legally required FCRA notices.", "docket_number": "14-cv-2054", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3092-infotrack-information-services-inc-et-al", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "04.14_instant_checkmate", "company_name": "Instant Checkmate, Inc.", "date_issued": "2014-04-15", "year": 2014, "takeaway_brief": "Instant Checkmate marketed background reports for employment screening purposes while failing to comply with any Fair Credit Reporting Act requirements.", "docket_number": "14CV0675H JMA", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3221-instant-checkmate-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "09.15_tricolor_auto_acceptance", "company_name": "Tricolor Auto Acceptance, LLC", "date_issued": "2015-09-15", "year": 2015, "takeaway_brief": "Tricolor Auto Acceptance furnished credit information to reporting agencies without any written accuracy policies and failed to investigate consumer disputes it received directly.", "docket_number": "3:15-cv-03002-G", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3073-tricolor-auto-acceptance-llc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "10.15_sprint_corporation", "company_name": "Sprint Corporation", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "Sprint charged consumers higher fees based on their credit reports but failed to provide required risk-based pricing notices before they became contractually obligated.", "docket_number": "2:15-cv-9340", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3094-sprint-corporation-sprint-asl-program-0", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "05.16_credit_protection_association", "company_name": "Credit Protection Association, LP", "date_issued": "2016-05-15", "year": 2016, "takeaway_brief": "Credit Protection Association furnished consumer data to credit bureaus without the required written accuracy and integrity policies, and failed to complete dispute investigations on time.", "docket_number": "3:16-cv-01255-D", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3142-credit-protection-association", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "01.18_jerk_dba_jerk.com", "company_name": "Jerk, LLC", "date_issued": "2018-01-15", "year": 2018, "takeaway_brief": "Jerk.com misrepresented that profile content was created by users and that paid memberships would provide meaningful dispute rights.", "docket_number": "9361", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3141-jerk-llc-dba-jerkcom-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "10.18_realpage", "company_name": "RealPage, Inc.", "date_issued": "2018-10-15", "year": 2018, "takeaway_brief": "RealPage used overly broad, inaccurate criminal record matching in tenant screening reports, causing wrong individuals' records to appear in consumer files.", "docket_number": "3:18-cv-02737-N", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3059-realpage-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "11.18_readytech_corporation", "company_name": "ReadyTech Corporation", "date_issued": "2018-11-15", "year": 2018, "takeaway_brief": "ReadyTech falsely claimed on its website to be actively certifying Privacy Shield compliance and committed to related dispute resolution, when it never completed certification.", "docket_number": "C-4659", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3100-readytech-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.20_mortgage_solutions_fcs", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "Mortgage Solutions FCS publicly posted customers' sensitive financial and health information — including credit scores and medical conditions — in Yelp responses to negative reviews.", "docket_number": "4:20-cv-00110", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "statutory_topics": [ "FCRA", "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "03.20_boostmyscore", "company_name": "BoostMyScore LLC", "date_issued": "2020-03-15", "year": 2020, "takeaway_brief": "BoostMyScore sold illegal credit piggybacking services and charged prohibited advance fees while falsely guaranteeing FICO score boosts.", "docket_number": "1:20-cv-00641", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3059-boostmyscore-llc", "statutory_topics": [ "TSR" ], "categories": [ "Telemarketing / Do-Not-Call" ] }, { "case_id": "05.20_jasjit_gotra", "company_name": "Alliance Security Inc.", "date_issued": "2020-05-15", "year": 2020, "takeaway_brief": "Alliance Security and its CEO made over two million illegal telemarketing calls including to Do Not Call registrants, impersonated ADT, and obtained consumer reports without permissible purpose.", "docket_number": "1:18-cv-10548", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/x140022-jasjit-gotra-alliance-security", "statutory_topics": [ "TSR", "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)", "Telemarketing / Do-Not-Call" ] }, { "case_id": "11.20_midwest_recovery_systems", "company_name": "Midwest Recovery Systems, LLC", "date_issued": "2020-11-15", "year": 2020, "takeaway_brief": "Midwest Recovery Systems collected debts consumers did not owe and 'parked' over $98 million in unsubstantiated debts on credit reports without first notifying consumers.", "docket_number": "4:20-cv-01674", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923042-midwest-recovery-systems-llc", "statutory_topics": [ "FCRA" ], "categories": [ "Health Data", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "12.20_appfolio", "company_name": "AppFolio, Inc.", "date_issued": "2020-12-15", "year": 2020, "takeaway_brief": "AppFolio included obsolete records more than seven years old and inaccurate information from an unvetted vendor in tenant screening reports used to deny housing.", "docket_number": "1:20-cv-03563", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923016-appfolio-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "04.22_credit_bureau_center", "company_name": "Credit Bureau Center, LLC", "date_issued": "2022-04-15", "year": 2022, "takeaway_brief": "Credit Bureau Center used fake rental property ads to lure consumers into hidden paid credit monitoring subscriptions falsely advertised as free.", "docket_number": "17-cv-00194", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3120-x170014-credit-bureau-center-llc-formerly-known-myscore-llc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "10.23_transunion_rental_screening_solutions_and_trans_union._ftc_and_cfpb_v.", "company_name": "TransUnion Rental Screening Solutions, Inc.", "date_issued": "2023-10-15", "year": 2023, "takeaway_brief": "TransUnion's rental screening subsidiary reported duplicated eviction entries, inaccurate case dispositions, mislabeled debt amounts, and sealed records in tenant background reports.", "docket_number": "1:23-cv-02659", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3204-transunion-rental-screening-solutions-inc-trans-union-llc-ftc-cfpb-v", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "01.24_epic_games", "company_name": "Epic Games, Inc.", "date_issued": "2024-01-15", "year": 2024, "takeaway_brief": "Epic Games used dark patterns to charge consumers — including children — for Fortnite purchases without informed consent, and denied account access to those who disputed charges.", "docket_number": "C-4790", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] }, { "case_id": "12.24_vivint_smart_home", "company_name": "Vivint Smart Home, Inc.", "date_issued": "2024-12-15", "year": 2024, "takeaway_brief": "Vivint's sales force fraudulently pulled third parties' credit reports without consent to qualify unqualified customers for financing, then passed those innocent parties' information to debt collectors.", "docket_number": "2:21-cv-00267-TS", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3060-vivint-smart-home-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "01.26_general_motors", "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC", "date_issued": "2026-01-15", "year": 2026, "takeaway_brief": "General Motors and OnStar collected detailed driving behavior data every three seconds and sold it to consumer reporting agencies without consumers' meaningful informed consent.", "docket_number": "C-4828", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data", "Fair Credit Reporting (FCRA)" ] } ] }, { "id": "unauthorized-data-sharing", "name": "Unauthorized Data Sharing", "description": "Selling or sharing consumer data with third parties without adequate consent or disclosure", "case_count": 27, "year_range": [ 2003, 2026 ], "most_recent_year": 2026, "most_recent_date": "2026-01-15", "enforcement_topics": [ "COPPA", "FCRA", "GLBA", "Health Breach Notification", "Section 5 Only" ], "cases": [ { "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher", "company_name": "Educational Research Center of America, Inc.", "date_issued": "2003-05-15", "year": 2003, "takeaway_brief": "ERCA collected personal data from millions of students under the guise of college recruitment surveys but secretly sold it to commercial marketers.", "docket_number": "C-4079", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.04_gateway_learning", "company_name": "Gateway Learning Corporation", "date_issued": "2004-12-15", "year": 2004, "takeaway_brief": "Gateway Learning's 'Hooked on Phonics' business rented customers' personal information to third-party marketers in violation of its own promise never to share such data.", "docket_number": "C-4120", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ] }, { "case_id": "04.05_vision_i_properties", "company_name": "Vision I Properties, LLC", "date_issued": "2005-04-15", "year": 2005, "takeaway_brief": "CartManager International secretly collected consumer data through merchants' checkout pages and sold it to third-party marketers without disclosure.", "docket_number": "C-4135", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ] }, { "case_id": "05.08_action_research_group", "company_name": "ACTION RESEARCH GROUP, INC.", "date_issued": "2008-05-15", "year": 2008, "takeaway_brief": "Action Research Group impersonated account holders to fraudulently obtain confidential telephone records from carriers and sold them to third-party clients.", "docket_number": "C-6:07-cv-227-Orl-22UAM", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "takeaway_brief": "Premier Capital Lending gave an unsecured third party login credentials to pull consumer credit reports and failed to monitor or audit use of that access.", "docket_number": "C-4241", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "08.09_metropolitan_home_mortgage_also_dba_wholesale_home_lenders", "company_name": "Metropolitan Home Mortgage, Inc.", "date_issued": "2009-08-15", "year": 2009, "takeaway_brief": "Metropolitan Home Mortgage sent prescreened mortgage solicitations that lacked properly formatted opt-out notices as required by the FCRA and the Prescreen Rule.", "docket_number": "Civil Action No. 8:09-cv-00936-DOC(RNB)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/metropolitan-home-mortgage-inc-also-dba-wholesale-home-lenders", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "11.10_echometrix", "company_name": "EchoMetrix, Inc.", "date_issued": "2010-11-15", "year": 2010, "takeaway_brief": "EchoMetrix sold parental monitoring software while secretly feeding children's online activity data to a third-party market research product sold to advertisers.", "docket_number": "2:10-cv-05516-DRH", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "06.11_teletrack", "company_name": "TELETRACK, INC.", "date_issued": "2011-06-15", "year": 2011, "takeaway_brief": "Teletrack sold consumer credit inquiry data to third-party marketers as mailing lists without a permissible purpose under the Fair Credit Reporting Act.", "docket_number": "1 11-CV-2060", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3075-teletrack-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "09.12_myspace", "company_name": "MYSPACE LLC", "date_issued": "2012-09-15", "year": 2012, "takeaway_brief": "Myspace transmitted users' personal identifiers to third-party advertisers without disclosure, enabling advertisers to link users' real identities to their browsing behavior.", "docket_number": "C-4369", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3058-myspace-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.12_direct_lending_source", "company_name": "Direct Lending Source, Inc.", "date_issued": "2012-10-15", "year": 2012, "takeaway_brief": "Direct Lending Source purchased and resold prescreened consumer credit lists to entities running fraudulent loan modification schemes without verifying permissible use.", "docket_number": "3:12-cv-02441-DMS-BLM", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3000-direct-lending-source-inc-et-al", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "03.13_equifax_information_services_ll", "company_name": "Equifax Information Services LLC", "date_issued": "2013-03-15", "year": 2013, "takeaway_brief": "Equifax sold prescreened consumer credit lists to a company that resold them to third parties for general marketing, without maintaining adequate procedures to ensure permissible use.", "docket_number": "C-4387", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Data Security", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "07.13_htc_america", "company_name": "HTC America, Inc.", "date_issued": "2013-07-15", "year": 2013, "takeaway_brief": "HTC introduced serious security vulnerabilities into millions of Android and Windows Mobile devices, exposing sensitive user data to third-party apps without permission.", "docket_number": "C-4406", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "02.14_trendnet", "company_name": "TRENDnet, Inc.", "date_issued": "2014-02-15", "year": 2014, "takeaway_brief": "TRENDnet sold 'SecurView' cameras that transmitted login credentials in clear text and left live feeds of private areas exposed to hackers due to software security failures.", "docket_number": "C-4426", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl", "company_name": "Goldenshores Technologies, LLC", "date_issued": "2014-04-15", "year": 2014, "takeaway_brief": "Goldenshores Technologies' Brightest Flashlight Free app secretly transmitted users' precise geolocation and device identifiers to advertising networks without adequate disclosure.", "docket_number": "C-4446", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Location / Geolocation Data" ] }, { "case_id": "12.15_lai_systems", "company_name": "LAI Systems, LLC", "date_issued": "2015-12-15", "year": 2015, "takeaway_brief": "LAI Systems allowed third-party ad networks to collect persistent identifiers from children through its kids' apps for targeted advertising without parental notice or consent.", "docket_number": "2:15-cv-9691", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3261-lai-systems-llc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "03.16_sitesearch_corporation_doing_business_as_leaplab", "company_name": "Sitesearch Corporation", "date_issued": "2016-03-15", "year": 2016, "takeaway_brief": "LeapLab collected consumers' sensitive payday loan applications and sold them to telemarketers and fraudulent merchants who used the data to make unauthorized bank account debits.", "docket_number": "CV-14-02750-PHX-NVW", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "02.17_vizio_inc._and_vizio_inscape_services", "company_name": "VIZIO, Inc.", "date_issued": "2017-02-15", "year": 2017, "takeaway_brief": "VIZIO covertly collected second-by-second television viewing data from millions of consumers by default and sold it to third parties while describing the feature only as providing 'program offers and suggestions.'", "docket_number": "Case 2:17-cv-00758", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "09.18_blu_products_and_samuel_ohev-zion", "company_name": "BLU PRODUCTS, INC.", "date_issued": "2018-09-15", "year": 2018, "takeaway_brief": "BLU Products sold smartphones with preinstalled software that secretly transmitted users' text messages, location data, and contact lists to servers in China.", "docket_number": "C-4657", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "12.19_unrollme", "company_name": "Unrollme Inc.", "date_issued": "2019-12-15", "year": 2019, "takeaway_brief": "Unrollme assured users it would never 'touch' their personal emails while secretly giving its parent company access to those inboxes to harvest and sell e-receipt data.", "docket_number": "C-4692", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "06.21_flo_health", "company_name": "Flo Health, Inc.", "date_issued": "2021-06-15", "year": 2021, "takeaway_brief": "Flo Health promised not to share women's reproductive health data with third parties but secretly disclosed it to Facebook, Google, and others.", "docket_number": "C-4747", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "01.22_itmedia_solutions", "company_name": "ITMEDIA SOLUTIONS LLC", "date_issued": "2022-01-15", "year": 2022, "takeaway_brief": "ITMedia collected consumers' sensitive loan application data under the pretext of connecting them to lenders, then sold it to marketers, debt negotiators, and unknown entities.", "docket_number": "2:22-cv-00073", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1523225-itmedia-solutions-llc", "statutory_topics": [ "FCRA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "02.23_goodrx_holdings", "company_name": "GoodRx Holdings, Inc.", "date_issued": "2023-02-15", "year": 2023, "takeaway_brief": "GoodRx repeatedly promised never to share users' health information with advertisers, then secretly transmitted prescription drug names and health conditions to Facebook, Google, and Criteo for targeted advertising.", "docket_number": "23-cv-460", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "06.23_easy_healthcare_corporation", "company_name": "Easy Healthcare Corporation", "date_issued": "2023-06-15", "year": 2023, "takeaway_brief": "The Premom ovulation app secretly shared women's sensitive health and geolocation data with third parties for advertising despite explicit privacy promises.", "docket_number": "1:23-cv-3107", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data", "Location / Geolocation Data" ] }, { "case_id": "05.24_betterhelp", "company_name": "BetterHelp, Inc.", "date_issued": "2024-05-15", "year": 2024, "takeaway_brief": "BetterHelp secretly shared consumers' sensitive mental health information with Facebook, Snapchat, and other advertising platforms for targeted advertising despite repeatedly promising strict privacy.", "docket_number": "C-4796", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023169-betterhelp-inc-matter", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "05.24_cerebral_and_kyle_robertson", "company_name": "Cerebral, Inc.", "date_issued": "2024-05-15", "year": 2024, "takeaway_brief": "Cerebral secretly shared millions of patients' sensitive mental health and personal data with over twenty advertising platforms while falsely promising confidential, secure care and making it difficult to cancel subscriptions.", "docket_number": "24-cv-21376-JLK", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3067-cerebral-inc-kyle-robertson-us-v", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "10.25_apitor", "company_name": "Apitor Technology Co., Ltd.", "date_issued": "2025-10-15", "year": 2025, "takeaway_brief": "Apitor's robot toy app secretly collected precise geolocation data from child users via a third-party SDK without parental notice or consent.", "docket_number": "3:25-cv-07363", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/apitor", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "01.26_general_motors", "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC", "date_issued": "2026-01-15", "year": 2026, "takeaway_brief": "General Motors and OnStar collected detailed driving behavior data every three seconds and sold it to consumer reporting agencies without consumers' meaningful informed consent.", "docket_number": "C-4828", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data", "Fair Credit Reporting (FCRA)" ] } ] }, { "id": "false-security-privacy-claims", "name": "False Security & Privacy Claims", "description": "False claims about data security, encryption, privacy practices, HIPAA/Safe Harbor compliance, or data protection measures", "case_count": 125, "year_range": [ 1999, 2025 ], "most_recent_year": 2025, "most_recent_date": "2025-12-15", "enforcement_topics": [ "COPPA", "FCRA", "GLBA", "Health Breach Notification", "Section 5 Only", "TSR" ], "cases": [ { "case_id": "08.99_liberty_financial_companies", "company_name": "Liberty Financial Companies, Inc.", "date_issued": "1999-08-15", "year": 1999, "takeaway_brief": "Liberty Financial's children's website collected personal information under a false promise of anonymity and never delivered the promised newsletter or prize drawings.", "docket_number": "C-3891", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.01_frank_lisa", "company_name": "Lisa Frank, Inc.", "date_issued": "2001-10-15", "year": 2001, "takeaway_brief": "Lisa Frank's children's website collected personal information from children without parental consent and falsely claimed in its privacy policy that parental permission would be required.", "docket_number": "Civil Action No. _______________", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3050-frank-lisa-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.02_american_pop_corn_company", "company_name": "American Pop Corn Company", "date_issued": "2002-02-15", "year": 2002, "takeaway_brief": "American Pop Corn Company collected children's personal information through its Kids Club website without parental notice or consent, while falsely claiming it would notify parents.", "docket_number": "C02-4008DEO", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3026-american-pop-corn-company", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.02_microsoft_corporation", "company_name": "Microsoft Corporation", "date_issued": "2002-12-15", "year": 2002, "takeaway_brief": "Microsoft falsely claimed its Passport service used strong security measures and safe servers while failing to implement basic safeguards against unauthorized access.", "docket_number": "C-4069", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "takeaway_brief": "30 Minute Mortgage falsely advertised low fixed-rate mortgages that did not exist, misrepresented itself as a direct lender, and falsely claimed SSL encryption protected consumer data.", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "06.04_mts", "company_name": "MTS, Inc.", "date_issued": "2004-06-15", "year": 2004, "takeaway_brief": "Tower Records exposed consumers' order and personal information online through a broken authentication flaw while falsely claiming its website was secure.", "docket_number": "C-4110", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3209-mts-inc-et-al-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.04_bonzi_software", "company_name": "Bonzi Software, Inc.", "date_issued": "2004-10-15", "year": 2004, "takeaway_brief": "Bonzi Software falsely claimed its InternetALERT security software would significantly protect computers from hackers when it could only monitor a limited number of ports.", "docket_number": "C-4126", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "03.05_petco_animal_supplies_in_th_matter_of", "company_name": "PETCO ANIMAL SUPPLIES, INC.", "date_issued": "2005-03-15", "year": 2005, "takeaway_brief": "PETCO falsely promised customers their credit card data was encrypted and completely secure, while actually storing it in unprotected clear text vulnerable to SQL injection attacks.", "docket_number": "C-4133", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.05_nationwide_mortgage_group_and_john_d._eubank", "company_name": "Nationwide Mortgage Group, Inc.", "date_issued": "2005-04-15", "year": 2005, "takeaway_brief": "Nationwide Mortgage Group failed to implement basic security safeguards for sensitive customer financial data and omitted required privacy notices.", "docket_number": "Docket No. 9319", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3104-nationwide-mortgage-group-inc-john-d-eubank-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "takeaway_brief": "Telemarketers falsely promised bad-credit consumers they were pre-approved for major credit cards, collected advance fees, and then never delivered the promised cards.", "docket_number": "03-8110-CIV-COHN/SNOW", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "statutory_topics": [ "TSR", "GLBA" ], "categories": [ "Gramm-Leach-Bliley", "Telemarketing / Do-Not-Call" ] }, { "case_id": "12.05_superior_mortgage", "company_name": "Superior Mortgage Corporation", "date_issued": "2005-12-15", "year": 2005, "takeaway_brief": "Superior Mortgage falsely claimed it encrypted consumer data submitted through its website using SSL while failing to implement required security under the GLB Safeguards Rule.", "docket_number": "C-4153", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3136-superior-mortgage-corp-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Gramm-Leach-Bliley" ] }, { "case_id": "04.07_guidance_software", "company_name": "Guidance Software, Inc.", "date_issued": "2007-04-15", "year": 2007, "takeaway_brief": "Guidance Software falsely claimed strong data security while storing customer credit card data in clear text, enabling a hacker breach.", "docket_number": "C-4187", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.07_american_united_mortgage_company._united_states_of_america", "company_name": "American United", "date_issued": "2007-12-15", "year": 2007, "takeaway_brief": "American United discarded consumer documents in an unsecured dumpster, failed to implement a written security program, and failed to provide customers with required privacy notices.", "docket_number": "", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3103-american-united-mortgage-company-united-states-america-ftc", "statutory_topics": [ "FCRA", "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "04.08_life_is_good_and_life_is_good_retail", "company_name": "Life is good, Inc.", "date_issued": "2008-04-15", "year": 2008, "takeaway_brief": "Life is Good falsely claimed to store customers' personal information securely while actually storing it in clear, unencrypted text.", "docket_number": "C-4218", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] }, { "case_id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com", "company_name": "Genica Corporation", "date_issued": "2009-03-15", "year": 2009, "takeaway_brief": "Genica Corporation falsely claimed to use state-of-the-art security for consumer data while actually storing credit card numbers and security codes in plain text, enabling SQL injection attacks.", "docket_number": "C-4252", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.09_james_b._nutter_company", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "takeaway_brief": "James B. Nutter & Company failed to implement basic information security safeguards and provided inaccurate privacy notices, resulting in its network being hijacked to send spam.", "docket_number": "C-4258", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "10.09_iconix_brand_group", "company_name": "Iconix Brand Group, Inc.", "date_issued": "2009-10-15", "year": 2009, "takeaway_brief": "Iconix collected personal data from roughly 1,000 children under 13 through fan and sweepstakes features without parental consent, violating COPPA and its own privacy policy.", "docket_number": "09 Civ. 8864 (MGC)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/iconix-brand-group-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.10_collectify_ll", "company_name": "Collectify LLC", "date_issued": "2010-01-15", "year": 2010, "takeaway_brief": "Collectify displayed Safe Harbor compliance claims on its website for nearly five years after its certification had lapsed.", "docket_number": "C-4272", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3142-collectify-ll", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.10_expatedge_partners_ll", "company_name": "ExpatEdge Partners, LLC", "date_issued": "2010-01-15", "year": 2010, "takeaway_brief": "ExpatEdge continued claiming active Safe Harbor certification on its website years after its certification had lapsed.", "docket_number": "C-4269", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923138-expatedge-partners-ll", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.10_onyx_graphics", "company_name": "Onyx Graphics, Inc.", "date_issued": "2010-01-15", "year": 2010, "takeaway_brief": "Onyx Graphics claimed to be 'Safe Harbor Certified' on its website after its certification had already lapsed.", "docket_number": "C-4270", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923139-onyx-graphics-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.10_progressive_gaitways_ll", "company_name": "Progressive Gaitways LLC", "date_issued": "2010-01-15", "year": 2010, "takeaway_brief": "Progressive Gaitways falsely claimed Safe Harbor participation on two websites — one after its certification lapsed, and one that was never certified at all.", "docket_number": "C-4271", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923141-progressive-gaitways-ll", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Health Data" ] }, { "case_id": "01.10_world_innovators", "company_name": "World Innovators, Inc.", "date_issued": "2010-01-15", "year": 2010, "takeaway_brief": "World Innovators continued displaying Safe Harbor membership claims on its website for years after its certification expired.", "docket_number": "C-4282", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923137-world-innovators-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.10_navone_gregory", "company_name": "Gregory Navone", "date_issued": "2010-01-15", "year": 2010, "takeaway_brief": "Gregory Navone falsely claimed his mortgage companies had robust data security, while personally storing consumers' sensitive financial documents without safeguards or proper disposal.", "docket_number": "2:08-cv-01842", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3067-navone-gregory", "statutory_topics": [ "FCRA" ], "categories": [ "Data Security", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "02.10_controlscan", "company_name": "ControlScan, Inc.", "date_issued": "2010-02-15", "year": 2010, "takeaway_brief": "ControlScan sold privacy and security certification seals to websites while conducting little or no actual verification of those companies' data protection practices.", "docket_number": "1:10-cv-00532-JEC", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.10_echometrix", "company_name": "EchoMetrix, Inc.", "date_issued": "2010-11-15", "year": 2010, "takeaway_brief": "EchoMetrix sold parental monitoring software while secretly feeding children's online activity data to a third-party market research product sold to advertisers.", "docket_number": "2:10-cv-05516-DRH", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "03.11_us_search", "company_name": "US Search, Inc.", "date_issued": "2011-03-15", "year": 2011, "takeaway_brief": "US Search sold a paid 'PrivacyLock' service promising to remove consumers' personal information from its site, while leaving that data accessible through multiple types of searches.", "docket_number": "C-4317", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/us-search-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "03.11_twitter", "company_name": "Twitter, Inc.", "date_issued": "2011-03-15", "year": 2011, "takeaway_brief": "Twitter falsely claimed to protect user information with robust security measures while allowing nearly all employees broad administrative access with easily-compromised credentials for years.", "docket_number": "C-4316", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.11_ceridian_corporation", "company_name": "Ceridian Corporation", "date_issued": "2011-06-15", "year": 2011, "takeaway_brief": "Ceridian falsely claimed its payroll processing service met high security standards while storing employee data in unencrypted clear text with no SQL injection defenses.", "docket_number": "C-4325", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.11_lookout_services", "company_name": "Lookout Services, Inc.", "date_issued": "2011-06-15", "year": 2011, "takeaway_brief": "Lookout Services falsely claimed 24/7 network security monitoring for its I-9 compliance product while lacking basic security safeguards like strong passwords and URL authentication controls.", "docket_number": "C-4326", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.11_google", "company_name": "Google Inc.", "date_issued": "2011-10-15", "year": 2011, "takeaway_brief": "Google auto-enrolled Gmail users into its Buzz social network using their contacts, breaking promises that Gmail data would only be used for email.", "docket_number": "C-4336", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.13_compete", "company_name": "Compete, Inc.", "date_issued": "2013-02-15", "year": 2013, "takeaway_brief": "Compete collected consumers' sensitive financial and personal information through tracking software while falsely claiming it only anonymously collected browsing data.", "docket_number": "C-4384", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "03.13_epic_marketplace", "company_name": "Epic Marketplace, Inc.", "date_issued": "2013-03-15", "year": 2013, "takeaway_brief": "Epic Marketplace secretly exploited browser history to track consumers' visits to sensitive websites — including medical and financial pages — without disclosing this practice in its privacy policy.", "docket_number": "C-4389", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3182-epic-marketplace-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "05.13_cbr_systems", "company_name": "CBR Systems, Inc.", "date_issued": "2013-05-15", "year": 2013, "takeaway_brief": "CBR Systems falsely claimed to handle consumers' sensitive health and financial data securely while failing to implement basic data protection measures.", "docket_number": "C-4400", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3120-cbr-systems-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "05.14_foru_international_corporation", "company_name": "GeneLink, Inc.", "date_issued": "2014-05-15", "year": 2014, "takeaway_brief": "GeneLink and foruTM made unsubstantiated claims that their DNA-based supplements could treat diseases and mitigate genetic disadvantages, while failing to secure consumers' genetic data.", "docket_number": "C-4456 and C-4457", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "05.14_genelink", "company_name": "GeneLink, Inc.", "date_issued": "2014-05-15", "year": 2014, "takeaway_brief": "GeneLink made false and unsubstantiated claims that its DNA-based supplements could treat diseases while failing to protect nearly 30,000 consumers' genetic and financial data.", "docket_number": "C-4456", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.14_american_apparel", "company_name": "American Apparel, Inc.", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "American Apparel falsely claimed active Safe Harbor certification for roughly six months after its certification had lapsed.", "docket_number": "C-4459", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3036-american-apparel-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.14_apperian", "company_name": "Apperian, Inc.", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "Apperian displayed the Safe Harbor certification mark and claimed compliance for over a year after its certification status had lapsed.", "docket_number": "C-4461", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3017-apperian-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "06.14_atlanta_falcons_football_club", "company_name": "Atlanta Falcons Football Club, LLC", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "The Atlanta Falcons Football Club falsely claimed active Safe Harbor participation for nearly eight years after its certification had lapsed.", "docket_number": "C-4462", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3018-atlanta-falcons-football-club-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.14_baker_tilly_virchow_krause_llp", "company_name": "Baker Tilly Virchow Krause, LLP", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "Baker Tilly continued displaying the Safe Harbor certification mark and claiming certification for over two years after its certification had lapsed.", "docket_number": "C-4463", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3019-baker-tilly-virchow-krause-llp-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.14_bittorrent", "company_name": "BitTorrent, Inc.", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "BitTorrent falsely claimed adherence to EU Safe Harbor principles for approximately five years after its certification had lapsed.", "docket_number": "C-4464", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3020-bittorrent-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "06.14_charles_river_laboratories_int_l.", "company_name": "Charles River Laboratories International, Inc.", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "Charles River Laboratories claimed current Safe Harbor compliance for over two years after its certification had lapsed.", "docket_number": "C-4465", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3022-charles-river-laboratories-intl-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.14_datamotion", "company_name": "DataMotion, Inc.", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "DataMotion displayed the Safe Harbor certification mark and claimed active framework participation after its certification had lapsed.", "docket_number": "C-4466", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3023-datamotion-inc-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "06.14_ddc_laboratories_also_dba_dna_diagnostics_center", "company_name": "DDC Laboratories, Inc.", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "DDC Laboratories, a DNA testing company, continued claiming Safe Harbor compliance for two years after its certification had lapsed.", "docket_number": "C-4467", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3024-ddc-laboratories-inc-also-dba-dna-diagnostics-center-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.14_fantage.com", "company_name": "Fantage.com, Inc.", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "Fantage.com falsely claimed active Safe Harbor participation for approximately 19 months after its certification had lapsed.", "docket_number": "C-4469", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3026-fantagecom-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.14_level_3_communications", "company_name": "Level 3 Communications, LLC", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "Level 3 Communications falsely claimed active Safe Harbor certification for over a year after its certification lapsed.", "docket_number": "C-4470", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3028-level-3-communications-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "06.14_pdb_sports_ltd._dba_denver_broncos_football_club", "company_name": "PDB Sports, Ltd.", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "The Denver Broncos falsely claimed compliance with the EU Safe Harbor framework two years after its certification expired.", "docket_number": "C-4468", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3025-pdb-sports-ltd-dba-denver-broncos-football-club-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "06.14_receivable_management_services_corporation_the", "company_name": "The Receivable Management Services Corporation", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "A debt collection agency displayed a lapsed Safe Harbor certification mark for nearly four years after its certification expired.", "docket_number": "C-4472", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3031-receivable-management-services-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "06.14_reynolds_consumer_products", "company_name": "Reynolds Consumer Products Inc.", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "Reynolds Consumer Products continued claiming Safe Harbor compliance for years after its customer and HR data certifications both expired.", "docket_number": "C-4471", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3030-reynolds-consumer-products-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.14_tennessee_football", "company_name": "Tennessee Football, Inc.", "date_issued": "2014-06-15", "year": 2014, "takeaway_brief": "Tennessee Titans ownership falsely claimed EU Safe Harbor compliance for more than four years after its certification expired.", "docket_number": "C-4473", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3032-tennessee-football-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "08.14_fandango", "company_name": "Fandango, LLC", "date_issued": "2014-08-15", "year": 2014, "takeaway_brief": "Fandango's iOS app disabled SSL certificate validation for four years, exposing customers' credit card and login credentials to interception despite security promises.", "docket_number": "C-4481", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "08.14_gmr_transcription_services", "company_name": "GMR Transcription Services, Inc.", "date_issued": "2014-08-15", "year": 2014, "takeaway_brief": "GMR Transcription falsely claimed HIPAA-compliant security while medical transcription files were stored in plain text on a publicly accessible FTP server.", "docket_number": "C-4482", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "12.14_snapchat", "company_name": "Snapchat, Inc.", "date_issued": "2014-12-15", "year": 2014, "takeaway_brief": "Snapchat falsely claimed messages disappeared permanently, that users received screenshot notifications, and that it did not collect location data, while also failing to secure user information.", "docket_number": "C-4501", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "05.15_american_international_mailing", "company_name": "American International Mailing, Inc.", "date_issued": "2015-05-15", "year": 2015, "takeaway_brief": "American International Mailing continued claiming active EU-U.S. Safe Harbor participation for five years after its certification had lapsed.", "docket_number": "C-4526", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3051-american-international-mailing-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "05.15_tes_franchising", "company_name": "TES Franchising, LLC", "date_issued": "2015-05-15", "year": 2015, "takeaway_brief": "TES Franchising falsely claimed active participation in U.S.-EU and U.S.-Swiss Safe Harbor Frameworks and the TRUSTe Privacy Program when none of those certifications were current.", "docket_number": "C-4525", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3015-tes-franchising-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.15_contract_logix", "company_name": "Contract Logix, LLC", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "Contract Logix continued displaying Safe Harbor participation claims on its website for nearly three years after its certification had lapsed.", "docket_number": "C-4541", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3184-contract-logix-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.15_dale_jarrett_racing_adventure", "company_name": "Dale Jarrett Racing Adventure, Inc.", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "Dale Jarrett Racing Adventure falsely claimed Safe Harbor participation on its website when it was never a certified participant.", "docket_number": "C-4545", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3190-dale-jarrett-racing-adventure-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "10.15_forensics_consulting_solutions", "company_name": "Forensics Consulting Solutions, LLC", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "Forensics Consulting Solutions continued claiming Safe Harbor compliance on its website for nearly three years after its certification lapsed.", "docket_number": "C-4551", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3185-forensics-consulting-solutions-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.15_golf_connect", "company_name": "Golf Connect, LLC", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "Golf Connect displayed inherited Safe Harbor participation claims on an acquired website after neither the predecessor nor the acquirer held a valid certification.", "docket_number": "C-4540", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3141-golf-connect-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.15_inbox_group", "company_name": "Inbox Group, LLC", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "Inbox Group falsely claimed on its website to be certified under the U.S.-EU Safe Harbor Framework when it had never participated.", "docket_number": "C-4546", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "10.15_ioactive", "company_name": "IOActive, Inc.", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "IOActive displayed Safe Harbor participation claims on its website for approximately three years after its certification had lapsed.", "docket_number": "C-4542", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3187-ioactive-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "10.15_jhayrmaine_daniels", "company_name": "Jhayrmaine Daniels, d/b/a California Skate-Line", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "California Skate-Line claimed to adhere to Safe Harbor Privacy Principles despite never having been a Safe Harbor participant.", "docket_number": "C-4543", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3198-jhayrmaine-daniels-california-skate-line-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.15_jubilant_clinsys", "company_name": "Jubilant Clinsys, Inc.", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "Jubilant Clinsys continued claiming annual Safe Harbor self-certification and compliance on its website for over two years after its certification lapsed.", "docket_number": "C-4549", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3140-jubilant-clinsys-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.15_just_bagels_manufacturing", "company_name": "Just Bagels Manufacturing, Inc.", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "Just Bagels Manufacturing published Safe Harbor compliance claims on its website despite never having been a participant in either the U.S.-EU or U.S.-Swiss Safe Harbor Framework.", "docket_number": "C-4547", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3199-just-bagels-manufacturing-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.15_naics_association", "company_name": "NAICS Association, LLC", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "NAICS Association continued claiming Safe Harbor compliance on its website for over a year after its certification expired.", "docket_number": "C-4548", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3138-naics-association-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.15_one_industries", "company_name": "One Industries Corp.", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "One Industries, a motocross gear seller, falsely claimed to adhere to Safe Harbor Privacy Principles when it had never self-certified or participated.", "docket_number": "C-4544", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3201-one-industries-corp-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.15_pinger", "company_name": "Pinger, Inc.", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "Pinger continued claiming certified compliance with U.S.-EU and U.S.-Swiss Safe Harbor Frameworks on its website after allowing its annual certification to lapse.", "docket_number": "C-4550", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3137-pinger-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.15_sterimed_medical_waste_solutions", "company_name": "SteriMed Medical Waste Solutions", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "SteriMed Medical Waste Solutions falsely claimed to be a registered Safe Harbor participant when it had never self-certified.", "docket_number": "C-4552", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3193-sterimed-medical-waste-solutions-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "05.16_henry_schein_practice_solutions", "company_name": "Henry Schein Practice Solutions, Inc.", "date_issued": "2016-05-15", "year": 2016, "takeaway_brief": "Henry Schein falsely marketed its dental software as providing industry-standard encryption for patient data when it actually used a weaker, proprietary algorithm.", "docket_number": "C-4575", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Health Data", "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "07.16_asustek_computer", "company_name": "ASUSTeK Computer, Inc.", "date_issued": "2016-07-15", "year": 2016, "takeaway_brief": "ASUS marketed its routers as secure while leaving them vulnerable to authentication bypass attacks and exposing users' USB storage to public internet access by default.", "docket_number": "C-4587", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "08.16_practice_fusion", "company_name": "Practice Fusion, Inc.", "date_issued": "2016-08-15", "year": 2016, "takeaway_brief": "Practice Fusion sent patient satisfaction surveys implying responses would go privately to doctors, while actually posting them publicly on a physician rating website.", "docket_number": "C-4591", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3039-practice-fusion-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Health Data" ] }, { "case_id": "08.16_very_incognito_technologies", "company_name": "Very Incognito Technologies, Inc.", "date_issued": "2016-08-15", "year": 2016, "takeaway_brief": "Vipvape falsely claimed in its privacy policy to participate in the APEC Cross-Border Privacy Rules system without ever obtaining the required certification.", "docket_number": "C-4580", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3034-very-incognito-technologies-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.17_vizio_inc._and_vizio_inscape_services", "company_name": "VIZIO, Inc.", "date_issued": "2017-02-15", "year": 2017, "takeaway_brief": "VIZIO covertly collected second-by-second television viewing data from millions of consumers by default and sold it to third parties while describing the feature only as providing 'program offers and suggestions.'", "docket_number": "Case 2:17-cv-00758", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "03.17_upromise", "company_name": "Upromise, Inc.", "date_issued": "2017-03-15", "year": 2017, "takeaway_brief": "Upromise violated a prior FTC order by burying required data collection disclosures in tiny gray text and obtaining sham compliance assessments that did not actually evaluate its RewardU toolbar.", "docket_number": "C-4351", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.17_turn", "company_name": "Turn Inc.", "date_issued": "2017-04-15", "year": 2017, "takeaway_brief": "Turn Inc. falsely told consumers that deleting cookies would stop its tracking, while secretly using unkillable Verizon tracking headers to continue surveillance.", "docket_number": "C-4612", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.17_ashley_madison", "company_name": "Ruby Corp.", "date_issued": "2017-09-15", "year": 2017, "takeaway_brief": "Ashley Madison used fake female profiles to lure users into paid memberships, falsely advertised a nonexistent security award, and charged for a deletion service that did not work.", "docket_number": "Case 1:16-cv-02438", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.17_decusoft", "company_name": "Decusoft, LLC", "date_issued": "2017-11-15", "year": 2017, "takeaway_brief": "Decusoft falsely claimed on its website to be certified under both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks when it had never completed the certification process.", "docket_number": "C-4630", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3173-decusoft-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.17_md7", "company_name": "Md7, LLC", "date_issued": "2017-11-15", "year": 2017, "takeaway_brief": "Md7 falsely claimed in its privacy policy to be certified under the EU-U.S. Privacy Shield Framework when it had only begun but never completed the application.", "docket_number": "C-4629", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3172-md7-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.17_tru_communication", "company_name": "Tru Communication, Inc.", "date_issued": "2017-11-15", "year": 2017, "takeaway_brief": "Tru Communication falsely claimed its website would remain compliant with the EU-U.S. Privacy Shield Framework when it had never completed the certification process.", "docket_number": "C-4628", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3171-tru-communication-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.18_vtech_electronics_limited", "company_name": "VTech Electronics Limited and VTech Electronics North America, LLC", "date_issued": "2018-01-15", "year": 2018, "takeaway_brief": "VTech collected children's personal data through its online services without parental consent, maintained inadequate security, and falsely claimed personal information was encrypted during transmission.", "docket_number": "1:18-cv-00114", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3032-vtech-electronics-limited", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.18_sears_holdings_management_corporation", "company_name": "Sears Holdings Management Corporation", "date_issued": "2018-02-15", "year": 2018, "takeaway_brief": "Sears secretly installed software on consumers' computers that tracked nearly all internet activity — including financial and health data from secure sessions — while describing it as simple 'online browsing' research.", "docket_number": "C-4264", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3099-c-4264-sears-holdings-management-corporation-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.18_prime_sites", "company_name": "Prime Sites, Inc.", "date_issued": "2018-02-15", "year": 2018, "takeaway_brief": "Explore Talent collected personal information from over 100,000 children without parental consent and used false promises of casting opportunities to sell paid memberships.", "docket_number": "2:18-cv-199", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3218-prime-sites-inc-explore-talent", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ] }, { "case_id": "05.18_paypal", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "takeaway_brief": "Venmo misled consumers about fund availability, privacy settings that did not work as described, and its bank-grade security claim while also violating Gramm-Leach-Bliley rules.", "docket_number": "C-4651", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "10.18_idmission", "company_name": "IDmission LLC", "date_issued": "2018-10-15", "year": 2018, "takeaway_brief": "IDmission publicly claimed Privacy Shield certification on its website despite never completing the required certification steps.", "docket_number": "C-4665", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3150-idmission-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.18_uber_technologies", "company_name": "Uber Technologies, Inc.", "date_issued": "2018-10-15", "year": 2018, "takeaway_brief": "Uber falsely claimed to rigorously monitor employee access to rider and driver data and to use industry-standard security, when its actual practices fell far short.", "docket_number": "C-4662", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "11.18_mresource", "company_name": "mResource LLC", "date_issued": "2018-11-15", "year": 2018, "takeaway_brief": "mResource continued claiming current Privacy Shield participation on its website after its certification expired without renewal.", "docket_number": "C-4663", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3143-mresource-llc-loop-works-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.18_readytech_corporation", "company_name": "ReadyTech Corporation", "date_issued": "2018-11-15", "year": 2018, "takeaway_brief": "ReadyTech falsely claimed on its website to be actively certifying Privacy Shield compliance and committed to related dispute resolution, when it never completed certification.", "docket_number": "C-4659", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3100-readytech-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.18_smartstart_employment_screening", "company_name": "SmartStart Employment Screening, Inc.", "date_issued": "2018-11-15", "year": 2018, "takeaway_brief": "SmartStart claimed current Privacy Shield participation for nearly a year after its certification lapsed and never affirmed it would continue protecting EU personal data after withdrawal.", "docket_number": "C-4666", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3154-smartstart-employment-screening-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.18_venpath", "company_name": "VenPath, Inc.", "date_issued": "2018-11-15", "year": 2018, "takeaway_brief": "VenPath continued claiming active Privacy Shield participation after its certification expired and failed to affirm it would continue protecting EU consumer data.", "docket_number": "C-4664", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3144-venpath-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "07.19_d-link", "company_name": "D-Link Systems, Inc.", "date_issued": "2019-07-15", "year": 2019, "takeaway_brief": "D-Link marketed routers and IP cameras as secure while leaving them vulnerable to hard-coded credentials, command injection flaws, and backdoors.", "docket_number": "3:17-CV-00039-JD", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] }, { "case_id": "08.19_securtest", "company_name": "SecurTest, Inc.", "date_issued": "2019-08-15", "year": 2019, "takeaway_brief": "SecurTest falsely claimed Privacy Shield certification on its website after failing to complete the required certification steps.", "docket_number": "C-4685", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3152-securtest-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.19_unrollme", "company_name": "Unrollme Inc.", "date_issued": "2019-12-15", "year": 2019, "takeaway_brief": "Unrollme assured users it would never 'touch' their personal emails while secretly giving its parent company access to those inboxes to harvest and sell e-receipt data.", "docket_number": "C-4692", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "12.19_aleksandr_kogan_and_alexander_nix", "company_name": "Cambridge Analytica, LLC", "date_issued": "2019-12-15", "year": 2019, "takeaway_brief": "Aleksandr Kogan and Alexander Nix built a Facebook app that falsely promised not to collect users' identifiable information while harvesting data from millions of users and their friends.", "docket_number": "C-4693, C-4694", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "12.19_cambridge_analytica", "company_name": "Cambridge Analytica, LLC", "date_issued": "2019-12-15", "year": 2019, "takeaway_brief": "Cambridge Analytica misrepresented its data practices and privacy program participation in connection with harvesting personal data from millions of consumers.", "docket_number": "D09383", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "01.20_click_labs", "company_name": "Click Labs, Inc.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "Click Labs falsely claimed Privacy Shield certification on its website after never completing the certification process.", "docket_number": "C-4705", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3090-click-labs-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.20_dcr_workforce", "company_name": "DCR Workforce, Inc.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "DCR Workforce continued claiming active Privacy Shield compliance on its website after its certification had lapsed.", "docket_number": "C-4698", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3188-dcr-workforce-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.20_global_data_vault", "company_name": "Global Data Vault, LLC", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "Global Data Vault continued claiming active Privacy Shield participation after its certification expired and also failed to obtain required annual verification while certified.", "docket_number": "C-4706", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3093-global-data-vault-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.20_incentive_services", "company_name": "Incentive Services, Inc.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "Incentive Services claimed Privacy Shield compliance on its website despite never completing the certification process for either framework.", "docket_number": "C-4703", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3078-incentive-services-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.20_lotadata", "company_name": "LotaData, Inc.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "LotaData falsely claimed Privacy Shield certification on its website despite never completing the required certification steps.", "docket_number": "C-4700", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3194-lotadata-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "01.20_medable", "company_name": "Medable, Inc.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "Medable falsely claimed to be EU/US Privacy Shield certified on its website after never completing the certification process.", "docket_number": "C-4697", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3192-medable-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.20_tdarx", "company_name": "TDARX, Inc.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "TDARX continued claiming Privacy Shield participation on its website after certification lapsed and also failed to obtain required annual verification while certified.", "docket_number": "C-4704", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3084-tdarx-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.20_thru", "company_name": "Thru, Inc.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "Thru displayed Privacy Shield compliance claims in its privacy policy after never completing the certification steps for either the EU-U.S. or Swiss-U.S. frameworks.", "docket_number": "C-4702", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3196-thru-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.20_trueface.ai", "company_name": "214 Technologies, Inc.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "Trueface.ai falsely claimed it had self-certified to the EU-U.S. Privacy Shield framework when it had never completed the certification process.", "docket_number": "C-4699", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "03.20_t_m_protection_resources", "company_name": "T&M Protection Resources, LLC", "date_issued": "2020-03-15", "year": 2020, "takeaway_brief": "T&M Protection Resources falsely claimed active EU-U.S. Privacy Shield participation after its certification had lapsed.", "docket_number": "C-4709", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3092-tm-protection-resources-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "03.20_retina-x_studios", "company_name": "RETINA-X STUDIOS, LLC", "date_issued": "2020-03-15", "year": 2020, "takeaway_brief": "Retina-X sold covert device monitoring apps enabling stalking while falsely claiming consumers' data was kept private and secure.", "docket_number": "C-4711", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3118-retina-x-studios-llc-matter", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "07.20_miniclip", "company_name": "Miniclip S.A.", "date_issued": "2020-07-15", "year": 2020, "takeaway_brief": "Miniclip falsely claimed for years to be a certified participant in the CARU COPPA safe harbor program after its certified status was terminated.", "docket_number": "C-4722", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3129-miniclip-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "07.20_ortho-clinical_diagnostics", "company_name": "Ortho-Clinical Diagnostics, Inc.", "date_issued": "2020-07-15", "year": 2020, "takeaway_brief": "Ortho-Clinical Diagnostics kept claiming Privacy Shield compliance on its website after its certification lapsed and even after Commerce warned it to remove those claims.", "docket_number": "C-4723", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3050-ortho-clinical-diagnostics-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.20_ntt_global_data_centers_americas", "company_name": "Raging Wire Data Centers, Inc.", "date_issued": "2020-10-15", "year": 2020, "takeaway_brief": "Raging Wire Data Centers misrepresented its participation in or compliance with a privacy framework, based on provision titles alone as no factual background was available.", "docket_number": "D09386", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3189-ntt-global-data-centers-americas-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "11.20_midwest_recovery_systems", "company_name": "Midwest Recovery Systems, LLC", "date_issued": "2020-11-15", "year": 2020, "takeaway_brief": "Midwest Recovery Systems collected debts consumers did not owe and 'parked' over $98 million in unsubstantiated debts on credit reports without first notifying consumers.", "docket_number": "4:20-cv-01674", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923042-midwest-recovery-systems-llc", "statutory_topics": [ "FCRA" ], "categories": [ "Health Data", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "02.21_skymed_international", "company_name": "SkyMed International, Inc.", "date_issued": "2021-02-15", "year": 2021, "takeaway_brief": "SkyMed displayed a self-created 'HIPAA Compliance' seal implying government verification of its practices, and misled consumers about what was exposed in a data security incident.", "docket_number": "C-4732", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "02.21_zoom_video_communications", "company_name": "Zoom Video Communications, Inc.", "date_issued": "2021-02-15", "year": 2021, "takeaway_brief": "Zoom falsely claimed to offer end-to-end encryption for meetings and secretly installed software on Mac computers that bypassed Apple's security controls.", "docket_number": "C-4731", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.21_flo_health", "company_name": "Flo Health, Inc.", "date_issued": "2021-06-15", "year": 2021, "takeaway_brief": "Flo Health promised not to share women's reproductive health data with third parties but secretly disclosed it to Facebook, Google, and others.", "docket_number": "C-4747", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "07.21_kuuhuub_et_al._u.s._v.", "company_name": "Kuuhubb Inc.", "date_issued": "2021-07-15", "year": 2021, "takeaway_brief": "Kuuhubb's Recolor App marketed as an adult coloring book contained a child-directed section through which it collected children's personal data for behavioral advertising without parental consent.", "docket_number": "21-cv-01758", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3184-kuuhuub-inc-et-al-us-v-recolor-oy", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.22_credit_bureau_center", "company_name": "Credit Bureau Center, LLC", "date_issued": "2022-04-15", "year": 2022, "takeaway_brief": "Credit Bureau Center used fake rental property ads to lure consumers into hidden paid credit monitoring subscriptions falsely advertised as free.", "docket_number": "17-cv-00194", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3120-x170014-credit-bureau-center-llc-formerly-known-myscore-llc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "02.23_goodrx_holdings", "company_name": "GoodRx Holdings, Inc.", "date_issued": "2023-02-15", "year": 2023, "takeaway_brief": "GoodRx repeatedly promised never to share users' health information with advertisers, then secretly transmitted prescription drug names and health conditions to Facebook, Google, and Criteo for targeted advertising.", "docket_number": "23-cv-460", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "06.23_easy_healthcare_corporation", "company_name": "Easy Healthcare Corporation", "date_issued": "2023-06-15", "year": 2023, "takeaway_brief": "The Premom ovulation app secretly shared women's sensitive health and geolocation data with third parties for advertising despite explicit privacy promises.", "docket_number": "1:23-cv-3107", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data", "Location / Geolocation Data" ] }, { "case_id": "10.23_truthfinder", "company_name": "Instant Checkmate, LLC", "date_issued": "2023-10-15", "year": 2023, "takeaway_brief": "Instant Checkmate and TruthFinder falsely advertised report accuracy, implied searched individuals had criminal records when they often did not, and offered fake data correction tools.", "docket_number": "23-CV-1674", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3221-instant-checkmate-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "05.24_betterhelp", "company_name": "BetterHelp, Inc.", "date_issued": "2024-05-15", "year": 2024, "takeaway_brief": "BetterHelp secretly shared consumers' sensitive mental health information with Facebook, Snapchat, and other advertising platforms for targeted advertising despite repeatedly promising strict privacy.", "docket_number": "C-4796", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023169-betterhelp-inc-matter", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "05.24_blackbaud", "company_name": "Blackbaud, Inc.", "date_issued": "2024-05-15", "year": 2024, "takeaway_brief": "Blackbaud's deficient security practices allowed a cyberattacker to remain undetected for months and exfiltrate millions of consumers' personal data, which the company then misrepresented in its breach notification.", "docket_number": "C-4804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "05.24_cerebral_and_kyle_robertson", "company_name": "Cerebral, Inc.", "date_issued": "2024-05-15", "year": 2024, "takeaway_brief": "Cerebral secretly shared millions of patients' sensitive mental health and personal data with over twenty advertising platforms while falsely promising confidential, secure care and making it difficult to cancel subscriptions.", "docket_number": "24-cv-21376-JLK", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3067-cerebral-inc-kyle-robertson-us-v", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "06.24_monument", "company_name": "Monument, Inc.", "date_issued": "2024-06-15", "year": 2024, "takeaway_brief": "Monument falsely claimed its alcohol addiction treatment platform was HIPAA compliant and 100% confidential while sharing users' sensitive health data with advertisers.", "docket_number": "1:24-cv-01034", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2323043-monument-inc-us-v", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "09.24_1health.iovitagene", "company_name": "1Health.io Inc.", "date_issued": "2024-09-15", "year": 2024, "takeaway_brief": "Vitagene falsely claimed industry-leading security for DNA health data while publicly exposing the genetic and health records of over 2,600 consumers through unsecured cloud storage.", "docket_number": "C-4798", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923170-1healthiovitagene-matter", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.25_avast", "company_name": "Avast Limited", "date_issued": "2025-02-15", "year": 2025, "takeaway_brief": "Avast collected consumers' detailed browsing histories through its privacy-protection software and secretly sold that data to over 100 third parties without adequate disclosure or consent.", "docket_number": "2023033", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "05.25_godaddy", "company_name": "GoDaddy Inc.", "date_issued": "2025-05-15", "year": 2025, "takeaway_brief": "GoDaddy marketed itself as a secure hosting provider with award-winning security while failing to implement basic controls, resulting in multiple major data compromises.", "docket_number": "C-202-3133", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.25_illuminate_education", "company_name": "Illuminate Education, Inc.", "date_issued": "2025-12-15", "year": 2025, "takeaway_brief": "Illuminate Education stored millions of students' personal data in plaintext with inadequate access controls, suffered a breach, and had made contractual security promises it did not keep.", "docket_number": "222-3105", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.25_illusory_systemsnomad", "company_name": "Illusory Systems, Inc.", "date_issued": "2025-12-15", "year": 2025, "takeaway_brief": "Nomad marketed its cryptocurrency bridge as 'security-first' while deploying inadequately tested code with no incident response plan, leading to the near-total loss of user assets.", "docket_number": "C-2323016", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] } ] }, { "id": "inadequate-data-security", "name": "Inadequate Data Security", "description": "Failure to protect consumer data, security breaches, or inadequate security practices", "case_count": 59, "year_range": [ 2002, 2025 ], "most_recent_year": 2025, "most_recent_date": "2025-12-15", "enforcement_topics": [ "CAN-SPAM", "COPPA", "FCRA", "GLBA", "Health Breach Notification", "Section 5 Only" ], "cases": [ { "case_id": "12.02_microsoft_corporation", "company_name": "Microsoft Corporation", "date_issued": "2002-12-15", "year": 2002, "takeaway_brief": "Microsoft falsely claimed its Passport service used strong security measures and safe servers while failing to implement basic safeguards against unauthorized access.", "docket_number": "C-4069", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "08.03_guess_and_guess.com", "company_name": "GUESS?, INC.", "date_issued": "2003-08-15", "year": 2003, "takeaway_brief": "GUESS? claimed its website encrypted all personal information while in reality storing data in plain text, vulnerable to well-known SQL injection attacks.", "docket_number": "C-4091", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3260-guess-inc-guesscom-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.05_sunbelt_lending_services", "company_name": "Sunbelt Lending Services, Inc.", "date_issued": "2005-01-15", "year": 2005, "takeaway_brief": "Sunbelt Lending failed to implement any meaningful security or privacy protections for customers' sensitive financial information, including Social Security numbers and credit histories.", "docket_number": "C-4129", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3153-sunbelt-lending-services-inc-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "03.05_petco_animal_supplies_in_th_matter_of", "company_name": "PETCO ANIMAL SUPPLIES, INC.", "date_issued": "2005-03-15", "year": 2005, "takeaway_brief": "PETCO falsely promised customers their credit card data was encrypted and completely secure, while actually storing it in unprotected clear text vulnerable to SQL injection attacks.", "docket_number": "C-4133", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.05_nationwide_mortgage_group_and_john_d._eubank", "company_name": "Nationwide Mortgage Group, Inc.", "date_issued": "2005-04-15", "year": 2005, "takeaway_brief": "Nationwide Mortgage Group failed to implement basic security safeguards for sensitive customer financial data and omitted required privacy notices.", "docket_number": "Docket No. 9319", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3104-nationwide-mortgage-group-inc-john-d-eubank-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "09.05_bj_s_wholesale_club", "company_name": "BJ's Wholesale Club, Inc.", "date_issued": "2005-09-15", "year": 2005, "takeaway_brief": "BJ's Wholesale Club stored millions of payment card records in unencrypted form without proper access controls, enabling attackers to steal consumer financial data.", "docket_number": "C-4148", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3160-bjs-wholesale-club-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "03.06_dsw_inc._in_the_matter_of", "company_name": "DSW Inc.", "date_issued": "2006-03-15", "year": 2006, "takeaway_brief": "DSW failed to implement reasonable security for sensitive payment card and bank account data it collected, leaving it vulnerable to a hacker who accessed information through multiple security gaps.", "docket_number": "C-4157", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3096-dsw-incin-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "takeaway_brief": "Nations Title Agency failed to implement basic security safeguards for consumers' mortgage-related financial data, enabling a hacker breach and violating privacy notice requirements.", "docket_number": "C-4161", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "09.06_cardsystems_solutions_and_solidus_networks_dba_pay_by_touch_solutions", "company_name": "CardSystems Solutions, Inc.", "date_issued": "2006-09-15", "year": 2006, "takeaway_brief": "CardSystems Solutions stored sensitive payment card data in a vulnerable format and failed to implement basic security, enabling a hacker to compromise millions of consumer records.", "docket_number": "C-4168", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3148-cardsystems-solutions-inc-solidus-networks-inc-dba-pay-touch-solutions-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] }, { "case_id": "04.07_guidance_software", "company_name": "Guidance Software, Inc.", "date_issued": "2007-04-15", "year": 2007, "takeaway_brief": "Guidance Software falsely claimed strong data security while storing customer credit card data in clear text, enabling a hacker breach.", "docket_number": "C-4187", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.07_american_united_mortgage_company._united_states_of_america", "company_name": "American United", "date_issued": "2007-12-15", "year": 2007, "takeaway_brief": "American United discarded consumer documents in an unsecured dumpster, failed to implement a written security program, and failed to provide customers with required privacy notices.", "docket_number": "", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3103-american-united-mortgage-company-united-states-america-ftc", "statutory_topics": [ "FCRA", "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "04.08_goal_financial", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "takeaway_brief": "Goal Financial failed to secure student loan applicants' sensitive data, allowing employees to steal thousands of consumer files for unauthorized use.", "docket_number": "C-4216", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "04.08_life_is_good_and_life_is_good_retail", "company_name": "Life is good, Inc.", "date_issued": "2008-04-15", "year": 2008, "takeaway_brief": "Life is Good falsely claimed to store customers' personal information securely while actually storing it in clear, unencrypted text.", "docket_number": "C-4218", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] }, { "case_id": "08.08_reed_elsevier_inc._and_seisint", "company_name": "Reed Elsevier Inc. and Seisint, Inc.", "date_issued": "2008-08-15", "year": 2008, "takeaway_brief": "LexisNexis and Seisint failed to secure user credentials for their Accurint data products, allowing attackers to repeatedly access sensitive consumer records.", "docket_number": "C-4226", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3094-reed-elsevier-inc-seisint-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "08.08_tjx_companies_the", "company_name": "The TJX Companies, Inc.", "date_issued": "2008-08-15", "year": 2008, "takeaway_brief": "TJX Companies stored customers' payment card data in clear text and used weak wireless security, enabling intruders to intercept vast amounts of sensitive information.", "docket_number": "C-4227", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3055-tjx-companies-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.08_premier_capital_lending", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "takeaway_brief": "Premier Capital Lending gave an unsecured third party login credentials to pull consumer credit reports and failed to monitor or audit use of that access.", "docket_number": "C-4241", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com", "company_name": "Genica Corporation", "date_issued": "2009-03-15", "year": 2009, "takeaway_brief": "Genica Corporation falsely claimed to use state-of-the-art security for consumer data while actually storing credit card numbers and security codes in plain text, enabling SQL injection attacks.", "docket_number": "C-4252", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.09_cvs_caremark_corporation", "company_name": "CVS CAREMARK CORPORATION", "date_issued": "2009-06-15", "year": 2009, "takeaway_brief": "CVS Caremark disposed of prescription bottles, pharmacy labels, and other documents containing consumers' personal and health information in unsecured public trash containers.", "docket_number": "C-4259", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3119-cvs-caremark-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "06.09_james_b._nutter_company", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "takeaway_brief": "James B. Nutter & Company failed to implement basic information security safeguards and provided inaccurate privacy notices, resulting in its network being hijacked to send spam.", "docket_number": "C-4258", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "06.10_dave_buster_s_in_the_matter_of", "company_name": "Dave & Buster's, Inc.", "date_issued": "2010-06-15", "year": 2010, "takeaway_brief": "Dave & Buster's failed to implement basic network security measures, allowing an intruder to steal customers' payment card information from its restaurant networks.", "docket_number": "C-4291", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3153-dave-busters-incin-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.10_rite_aid_corporation", "company_name": "Rite Aid Corporation", "date_issued": "2010-11-15", "year": 2010, "takeaway_brief": "Rite Aid publicly claimed to protect patient privacy but failed to implement adequate policies for secure disposal of sensitive health and personal information.", "docket_number": "C-4308", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "03.11_twitter", "company_name": "Twitter, Inc.", "date_issued": "2011-03-15", "year": 2011, "takeaway_brief": "Twitter falsely claimed to protect user information with robust security measures while allowing nearly all employees broad administrative access with easily-compromised credentials for years.", "docket_number": "C-4316", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.11_ceridian_corporation", "company_name": "Ceridian Corporation", "date_issued": "2011-06-15", "year": 2011, "takeaway_brief": "Ceridian falsely claimed its payroll processing service met high security standards while storing employee data in unencrypted clear text with no SQL injection defenses.", "docket_number": "C-4325", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "08.11_acranet", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "takeaway_brief": "ACRAnet, a credit reporting agency, failed to implement basic security safeguards for its clients, allowing hackers to access sensitive consumer credit reports through clients' unprotected networks.", "docket_number": "C-4331", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "statutory_topics": [ "FCRA", "GLBA" ], "categories": [ "Data Security", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "10.11_frostwire_llc_and_angel_leon", "company_name": "Frostwire LLC", "date_issued": "2011-10-15", "year": 2011, "takeaway_brief": "FrostWire's file-sharing apps deceived users about which files were being publicly shared on peer-to-peer networks.", "docket_number": "11-23643-CV-GRAHAM", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "03.12_rockyou", "company_name": "RockYou, Inc.", "date_issued": "2012-03-15", "year": 2012, "takeaway_brief": "RockYou failed to secure 32 million email addresses and passwords, and knowingly collected personal data from approximately 179,000 children without parental consent in violation of COPPA.", "docket_number": "CV '12 1487", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023120-rockyou-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.12_epn_also_dba_checknet", "company_name": "EPN, Inc., also d/b/a Checknet, Inc.", "date_issued": "2012-10-15", "year": 2012, "takeaway_brief": "EPN, a debt collector, failed to implement reasonable data security, allowing a peer-to-peer app to expose sensitive consumer information on a public network.", "docket_number": "C-4370", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3143-epn-inc-also-dba-checknet-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "takeaway_brief": "Franklin Toyota claimed to maintain legally compliant security safeguards while allowing a P2P app to expose nearly 95,000 customers' sensitive personal information.", "docket_number": "C-4371", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "11.12_pls_financial_services", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "takeaway_brief": "PLS Financial Services represented it maintained legally compliant security safeguards but discarded consumer documents containing sensitive personal information in unsecured dumpsters.", "docket_number": "1:12-cv-08334", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "statutory_topics": [ "FCRA", "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ] }, { "case_id": "07.13_htc_america", "company_name": "HTC America, Inc.", "date_issued": "2013-07-15", "year": 2013, "takeaway_brief": "HTC introduced serious security vulnerabilities into millions of Android and Windows Mobile devices, exposing sensitive user data to third-party apps without permission.", "docket_number": "C-4406", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "02.14_accretive_health", "company_name": "Accretive Health, Inc.", "date_issued": "2014-02-15", "year": 2014, "takeaway_brief": "Accretive Health failed to implement reasonable data security measures to protect sensitive patient information, resulting in a laptop theft that exposed over 23,000 patients' data.", "docket_number": "C-4432", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3077-accretive-health-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "02.14_trendnet", "company_name": "TRENDnet, Inc.", "date_issued": "2014-02-15", "year": 2014, "takeaway_brief": "TRENDnet sold 'SecurView' cameras that transmitted login credentials in clear text and left live feeds of private areas exposed to hackers due to software security failures.", "docket_number": "C-4426", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "08.14_credit_karma", "company_name": "Credit Karma, Inc.", "date_issued": "2014-08-15", "year": 2014, "takeaway_brief": "Credit Karma's mobile app failed to validate SSL certificates, exposing users' Social Security numbers and credit data to interception on public Wi-Fi networks.", "docket_number": "C-4480", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3091-credit-karma-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "08.14_fandango", "company_name": "Fandango, LLC", "date_issued": "2014-08-15", "year": 2014, "takeaway_brief": "Fandango's iOS app disabled SSL certificate validation for four years, exposing customers' credit card and login credentials to interception despite security promises.", "docket_number": "C-4481", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "12.15_wyndham_worldwide_corporation", "company_name": "Wyndham Worldwide Corporation", "date_issued": "2015-12-15", "year": 2015, "takeaway_brief": "Wyndham Worldwide's inadequate network security led to three separate data breaches compromising over 619,000 payment card numbers across its hotel properties.", "docket_number": "C-13-1887 (also cited as 2:13-CV-01887-ES-JAD)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023142-x120032-wyndham-worldwide-corporation", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "03.16_oracle_corporation", "company_name": "Oracle Corporation", "date_issued": "2016-03-15", "year": 2016, "takeaway_brief": "Oracle told consumers that updating Java SE would give them 'the latest security improvements,' while the update process left older, vulnerable versions of Java installed on their computers.", "docket_number": "C-4571", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3115-c4571-oracle-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "07.16_asustek_computer", "company_name": "ASUSTeK Computer, Inc.", "date_issued": "2016-07-15", "year": 2016, "takeaway_brief": "ASUS marketed its routers as secure while leaving them vulnerable to authentication bypass attacks and exposing users' USB storage to public internet access by default.", "docket_number": "C-4587", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.16_labmd", "company_name": "LabMD, Inc.", "date_issued": "2016-09-15", "year": 2016, "takeaway_brief": "LabMD allegedly failed to implement reasonable data security practices, resulting in sensitive patient information becoming accessible on a public peer-to-peer file-sharing network.", "docket_number": "No. 9357", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3099-labmd-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] }, { "case_id": "01.18_lenovo", "company_name": "Lenovo (United States) Inc.", "date_issued": "2018-01-15", "year": 2018, "takeaway_brief": "Lenovo preinstalled man-in-the-middle adware on consumer laptops that intercepted encrypted web traffic and created serious security vulnerabilities without adequate disclosure.", "docket_number": "C-4636", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.18_vtech_electronics_limited", "company_name": "VTech Electronics Limited and VTech Electronics North America, LLC", "date_issued": "2018-01-15", "year": 2018, "takeaway_brief": "VTech collected children's personal data through its online services without parental consent, maintained inadequate security, and falsely claimed personal information was encrypted during transmission.", "docket_number": "1:18-cv-00114", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3032-vtech-electronics-limited", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "07.19_d-link", "company_name": "D-Link Systems, Inc.", "date_issued": "2019-07-15", "year": 2019, "takeaway_brief": "D-Link marketed routers and IP cameras as secure while leaving them vulnerable to hard-coded credentials, command injection flaws, and backdoors.", "docket_number": "3:17-CV-00039-JD", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] }, { "case_id": "07.19_equifax", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "takeaway_brief": "Equifax's failure to patch a known security vulnerability for over four months led to a breach exposing the personal information of approximately 147 million consumers.", "docket_number": "1:19-cv-03297-TWT", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley", "AI / Algorithmic / Facial Recognition", "Telemarketing / Do-Not-Call" ] }, { "case_id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com", "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com", "date_issued": "2019-07-15", "year": 2019, "takeaway_brief": "ClixSense.com claimed to use encryption and the latest security techniques while storing 6.6 million users' data entirely in clear text with no encryption.", "docket_number": "C-4678", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.19_lightyear_dealer_technologies", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "takeaway_brief": "DealerBuilt stored the personal information of over 14 million consumers and 39,000 employees in clear text without access controls or a written security program.", "docket_number": "C-4687", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "01.20_infotrax_systems_l.c.", "company_name": "InfoTrax Systems, L.C.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "InfoTrax Systems failed to implement basic data security measures for sensitive consumer financial information, allowing a hacker to access its servers seventeen times undetected over nearly two years.", "docket_number": "C-4696", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.21_zoom_video_communications", "company_name": "Zoom Video Communications, Inc.", "date_issued": "2021-02-15", "year": 2021, "takeaway_brief": "Zoom falsely claimed to offer end-to-end encryption for meetings and secretly installed software on Mac computers that bypassed Apple's security controls.", "docket_number": "C-4731", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "takeaway_brief": "Ascension Data & Analytics handed mortgage documents containing sensitive consumer data to a vendor without conducting any security vetting, resulting in a cloud storage misconfiguration that exposed the data.", "docket_number": "C-4758", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "12.21_openx_technologies", "company_name": "OpenX Technologies, Inc.", "date_issued": "2021-12-15", "year": 2021, "takeaway_brief": "OpenX collected precise location data via a backdoor method that bypassed users' location permission denials, and collected children's personal data from child-directed apps without parental consent.", "docket_number": "2:21-cv-09693", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "01.23_chegg", "company_name": "Chegg, Inc.", "date_issued": "2023-01-15", "year": 2023, "takeaway_brief": "Chegg failed to implement basic data security controls for years, resulting in multiple breaches that exposed tens of millions of students' personal information.", "docket_number": "C-4782", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.23_drizly", "company_name": "DRIZLY, LLC", "date_issued": "2023-01-15", "year": 2023, "takeaway_brief": "Drizly stored sensitive credentials insecurely in public GitHub repositories and failed to enforce basic account security, allowing a hacker to steal data on 2.5 million consumers.", "docket_number": "C-4780", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.24_cafepress", "company_name": "Residual Pumpkin Entity, LLC", "date_issued": "2024-01-15", "year": 2024, "takeaway_brief": "CafePress failed to secure consumer data against well-known attack vectors, suffered a massive breach, misled consumers about the breach's scope, and withheld shopkeeper commissions as retaliation.", "docket_number": "C-4768", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.24_global_tel_link_corporation", "company_name": "Global Tel*Link Corporation", "date_issued": "2024-02-15", "year": 2024, "takeaway_brief": "Global Tel*Link copied 649,500 incarcerated individuals' personal data to an unprotected test environment, exposed it to the internet for days, and then misled consumers and facilities about the breach.", "docket_number": "C-4801", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "04.24_ring", "company_name": "Ring LLC", "date_issued": "2024-04-15", "year": 2024, "takeaway_brief": "Ring gave employees and contractors unrestricted access to all customers' private home camera footage and failed to protect accounts from credential-stuffing attacks.", "docket_number": "1:23-cv-01549", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] }, { "case_id": "08.24_verkada", "company_name": "Verkada Inc.", "date_issued": "2024-08-15", "year": 2024, "takeaway_brief": "Verkada made false security claims for its building surveillance cameras, failed to implement basic security practices, and violated CAN-SPAM requirements in its marketing emails.", "docket_number": "3:24-cv-06153", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123068-verkada-inc-us-v", "statutory_topics": [ "CAN-SPAM" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "09.24_1health.iovitagene", "company_name": "1Health.io Inc.", "date_issued": "2024-09-15", "year": 2024, "takeaway_brief": "Vitagene falsely claimed industry-leading security for DNA health data while publicly exposing the genetic and health records of over 2,600 consumers through unsecured cloud storage.", "docket_number": "C-4798", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923170-1healthiovitagene-matter", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide", "company_name": "Marriott International, Inc.", "date_issued": "2024-10-15", "year": 2024, "takeaway_brief": "Marriott and Starwood Hotels suffered three major data breaches affecting hundreds of millions of consumers due to persistently inadequate security practices.", "docket_number": "C-4807", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "05.25_godaddy", "company_name": "GoDaddy Inc.", "date_issued": "2025-05-15", "year": 2025, "takeaway_brief": "GoDaddy marketed itself as a secure hosting provider with award-winning security while failing to implement basic controls, resulting in multiple major data compromises.", "docket_number": "C-202-3133", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.25_illuminate_education", "company_name": "Illuminate Education, Inc.", "date_issued": "2025-12-15", "year": 2025, "takeaway_brief": "Illuminate Education stored millions of students' personal data in plaintext with inadequate access controls, suffered a breach, and had made contractual security promises it did not keep.", "docket_number": "222-3105", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.25_illusory_systemsnomad", "company_name": "Illusory Systems, Inc.", "date_issued": "2025-12-15", "year": 2025, "takeaway_brief": "Nomad marketed its cryptocurrency bridge as 'security-first' while deploying inadequately tested code with no incident response plan, leading to the near-total loss of user assets.", "docket_number": "C-2323016", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] } ] }, { "id": "childrens-privacy-violations", "name": "Children's Privacy Violations", "description": "COPPA violations, collecting data from minors without parental consent", "case_count": 42, "year_range": [ 1999, 2025 ], "most_recent_year": 2025, "most_recent_date": "2025-12-15", "enforcement_topics": [ "COPPA", "Section 5 Only" ], "cases": [ { "case_id": "08.99_liberty_financial_companies", "company_name": "Liberty Financial Companies, Inc.", "date_issued": "1999-08-15", "year": 1999, "takeaway_brief": "Liberty Financial's children's website collected personal information under a false promise of anonymity and never delivered the promised newsletter or prize drawings.", "docket_number": "C-3891", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.01_bigmailbox.com", "company_name": "Bigmailbox.com, Inc.", "date_issued": "2001-04-15", "year": 2001, "takeaway_brief": "Bigmailbox.com collected children's personal information through kids' websites without parental notice or consent and then used it for marketing.", "docket_number": "01-605-A", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/002-3378-bigmailboxcom-inc-et-al", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.01_looksmart", "company_name": "LookSmart Ltd.", "date_issued": "2001-04-15", "year": 2001, "takeaway_brief": "LookSmart collected and publicly posted personal information of children under 13 on its message board service without parental consent.", "docket_number": "Civil Action No. 01-606-A", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/002-3379-looksmart-ltd", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.01_monarch_services", "company_name": "Monarch Services, Inc.", "date_issued": "2001-04-15", "year": 2001, "takeaway_brief": "Monarch Services collected personal information from children under 13 on its kids' website without parental notice or consent.", "docket_number": "AMD 01 CV 1165", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/002-3375-monarch-services-inc-et-al", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.01_frank_lisa", "company_name": "Lisa Frank, Inc.", "date_issued": "2001-10-15", "year": 2001, "takeaway_brief": "Lisa Frank's children's website collected personal information from children without parental consent and falsely claimed in its privacy policy that parental permission would be required.", "docket_number": "Civil Action No. _______________", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3050-frank-lisa-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.02_american_pop_corn_company", "company_name": "American Pop Corn Company", "date_issued": "2002-02-15", "year": 2002, "takeaway_brief": "American Pop Corn Company collected children's personal information through its Kids Club website without parental notice or consent, while falsely claiming it would notify parents.", "docket_number": "C02-4008DEO", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3026-american-pop-corn-company", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.04_umg_recordings_us", "company_name": "UMG Recordings, Inc.", "date_issued": "2004-02-15", "year": 2004, "takeaway_brief": "UMG Recordings collected extensive personal data from tens of thousands of children across its artist websites without adequate parental notice or verifiable parental consent.", "docket_number": "CV-04-1050 JFW (Ex)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/umg-recordings-inc-corporation-us", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ] }, { "case_id": "09.06_xanga.com_john_hiler_and_marc_ginsburg", "company_name": "Xanga.com, Inc.", "date_issued": "2006-09-15", "year": 2006, "takeaway_brief": "Xanga knowingly allowed approximately 1.7 million children to create blogs and collected their personal data for targeted advertising without parental consent for five years.", "docket_number": "06 Civ.", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3073-xangacom-inc-john-hiler-marc-ginsburg", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.09_iconix_brand_group", "company_name": "Iconix Brand Group, Inc.", "date_issued": "2009-10-15", "year": 2009, "takeaway_brief": "Iconix collected personal data from roughly 1,000 children under 13 through fan and sweepstakes features without parental consent, violating COPPA and its own privacy policy.", "docket_number": "09 Civ. 8864 (MGC)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/iconix-brand-group-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.10_echometrix", "company_name": "EchoMetrix, Inc.", "date_issued": "2010-11-15", "year": 2010, "takeaway_brief": "EchoMetrix sold parental monitoring software while secretly feeding children's online activity data to a third-party market research product sold to advertisers.", "docket_number": "2:10-cv-05516-DRH", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "05.11_playdom", "company_name": "Playdom, Inc.", "date_issued": "2011-05-15", "year": 2011, "takeaway_brief": "Playdom allowed children under 13 immediate access to its online games and public profiles before obtaining any parental consent, violating COPPA.", "docket_number": "Case No. CV11-0724 (Central District of California)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023036-playdom-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.11_w3_innovations_dba_broken_thumb_apps_and_justin_maples_u.s.", "company_name": "W3 Innovations, LLC", "date_issued": "2011-09-15", "year": 2011, "takeaway_brief": "Broken Thumbs Apps collected over 30,000 email addresses from children through child-directed mobile apps without any privacy notice or parental consent.", "docket_number": "C-11-03958", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3251-w3-innovations-llc-dba-broken-thumb-apps-justin-maples-us", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.11_godwin_jones_o._dba_skidekids.com", "company_name": "Jones O. Godwin", "date_issued": "2011-11-15", "year": 2011, "takeaway_brief": "Skid-e-kids' operator claimed to collect parental email addresses and notify parents before activating children's accounts, but never actually did so.", "docket_number": "Civil Action No. 1:11-cv-03846-JOF", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1123033-godwin-jones-o-dba-skidekidscom", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "03.12_rockyou", "company_name": "RockYou, Inc.", "date_issued": "2012-03-15", "year": 2012, "takeaway_brief": "RockYou failed to secure 32 million email addresses and passwords, and knowingly collected personal data from approximately 179,000 children without parental consent in violation of COPPA.", "docket_number": "CV '12 1487", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023120-rockyou-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.12_artist_arena_llc_united_states_of_america", "company_name": "Artist Arena LLC", "date_issued": "2012-10-15", "year": 2012, "takeaway_brief": "Artist Arena collected personal data from over 101,000 children under 13 for celebrity fan clubs without proper parental notice or consent.", "docket_number": "12 Civ. 07386", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3167-artist-arena-llc-united-states-america-federal-trade-commission", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.13_path", "company_name": "Path, Inc.", "date_issued": "2013-02-15", "year": 2013, "takeaway_brief": "Path's mobile app silently collected users' entire phone contact lists without consent and knowingly gathered personal data from thousands of children without parental approval.", "docket_number": "C-3:13-cv-00448-RS", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3158-path-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.14_tinyco", "company_name": "TinyCo, Inc.", "date_issued": "2014-09-15", "year": 2014, "takeaway_brief": "TinyCo collected tens of thousands of email addresses from children through child-directed gaming apps without notifying parents or obtaining their consent.", "docket_number": "3:14-cv-04164", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3209-tinyco-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.14_yelp", "company_name": "Yelp Inc.", "date_issued": "2014-09-15", "year": 2014, "takeaway_brief": "Yelp's app registration feature accepted sign-ups from children under 13 for four years and collected their personal data without parental notice or consent.", "docket_number": "3:14-CV-4163", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3066-yelp-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.15_lai_systems", "company_name": "LAI Systems, LLC", "date_issued": "2015-12-15", "year": 2015, "takeaway_brief": "LAI Systems allowed third-party ad networks to collect persistent identifiers from children through its kids' apps for targeted advertising without parental notice or consent.", "docket_number": "2:15-cv-9691", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3261-lai-systems-llc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.15_retro_dreamer", "company_name": "Retro Dreamer", "date_issued": "2015-12-15", "year": 2015, "takeaway_brief": "Retro Dreamer knowingly allowed ad networks to collect children's personal data through its kids' apps for targeted advertising without parental consent, even after being put on notice.", "docket_number": "5:15-cv-2569", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3262-retro-dreamer", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.16_inmobi_pte", "company_name": "InMobi Pte Ltd.", "date_issued": "2016-06-15", "year": 2016, "takeaway_brief": "InMobi secretly tracked users' locations without permission and collected personal data from children across thousands of apps without parental consent.", "docket_number": "3:16-cv-3474", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3203-inmobi-pte-ltd", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.18_vtech_electronics_limited", "company_name": "VTech Electronics Limited and VTech Electronics North America, LLC", "date_issued": "2018-01-15", "year": 2018, "takeaway_brief": "VTech collected children's personal data through its online services without parental consent, maintained inadequate security, and falsely claimed personal information was encrypted during transmission.", "docket_number": "1:18-cv-00114", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3032-vtech-electronics-limited", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.18_prime_sites", "company_name": "Prime Sites, Inc.", "date_issued": "2018-02-15", "year": 2018, "takeaway_brief": "Explore Talent collected personal information from over 100,000 children without parental consent and used false promises of casting opportunities to sell paid memberships.", "docket_number": "2:18-cv-199", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3218-prime-sites-inc-explore-talent", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ] }, { "case_id": "02.19_musical.ly", "company_name": "Musical.ly", "date_issued": "2019-02-15", "year": 2019, "takeaway_brief": "Musical.ly knowingly collected personal data from millions of children under 13 without parental notice or consent and failed to delete children's data when parents requested it.", "docket_number": "2:19-cv-1439", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3004-musically-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.19_unixiz_doing_business_as_i-dressup.com", "company_name": "UNIXIZ, Inc.", "date_issued": "2019-04-15", "year": 2019, "takeaway_brief": "UNIXIZ collected personal information from over 245,000 children on its gaming site without verifiable parental consent and with grossly inadequate data security.", "docket_number": "5:19-cv-2222", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3002-unixiz-inc-doing-business-i-dressupcom", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.19_google_llc_and_youtube", "company_name": "Google LLC and YouTube, LLC", "date_issued": "2019-09-15", "year": 2019, "takeaway_brief": "Google and YouTube collected persistent identifiers from child viewers of child-directed YouTube channels to serve behavioral advertising without parental notice or consent.", "docket_number": "1:19-cv-02642", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3083-google-llc-youtube-llc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.20_infotrax_systems_l.c.", "company_name": "InfoTrax Systems, L.C.", "date_issued": "2020-01-15", "year": 2020, "takeaway_brief": "InfoTrax Systems failed to implement basic data security measures for sensitive consumer financial information, allowing a hacker to access its servers seventeen times undetected over nearly two years.", "docket_number": "C-4696", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.20_hyperbeard", "company_name": "HyperBeard, Inc.", "date_issued": "2020-06-15", "year": 2020, "takeaway_brief": "HyperBeard operated child-directed mobile apps that allowed advertising networks to collect children's personal data for behavioral advertising without parental consent.", "docket_number": "3:20-cv-03683", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3109-hyperbeard-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "07.20_miniclip", "company_name": "Miniclip S.A.", "date_issued": "2020-07-15", "year": 2020, "takeaway_brief": "Miniclip falsely claimed for years to be a certified participant in the CARU COPPA safe harbor program after its certified status was terminated.", "docket_number": "C-4722", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3129-miniclip-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "07.21_kuuhuub_et_al._u.s._v.", "company_name": "Kuuhubb Inc.", "date_issued": "2021-07-15", "year": 2021, "takeaway_brief": "Kuuhubb's Recolor App marketed as an adult coloring book contained a child-directed section through which it collected children's personal data for behavioral advertising without parental consent.", "docket_number": "21-cv-01758", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3184-kuuhuub-inc-et-al-us-v-recolor-oy", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.21_openx_technologies", "company_name": "OpenX Technologies, Inc.", "date_issued": "2021-12-15", "year": 2021, "takeaway_brief": "OpenX collected precise location data via a backdoor method that bypassed users' location permission denials, and collected children's personal data from child-directed apps without parental consent.", "docket_number": "2:21-cv-09693", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "03.22_weight_watchersww", "company_name": "Kurbo, Inc.", "date_issued": "2022-03-15", "year": 2022, "takeaway_brief": "Kurbo by WW collected personal data from children under 13 without adequate parental notice or verifiable consent.", "docket_number": "3:22-cv-00946", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923228-weight-watchersww", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.23_epic_games", "company_name": "Epic Games, Inc.", "date_issued": "2023-02-15", "year": 2023, "takeaway_brief": "Epic Games violated COPPA by collecting children's personal data in Fortnite without parental consent, and enabled on-by-default voice and text chat that exposed children to harmful contact.", "docket_number": "5:22-CV-00518", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.23_microsoft_corporation", "company_name": "Microsoft Corporation", "date_issued": "2023-06-15", "year": 2023, "takeaway_brief": "Microsoft collected personal information from children on Xbox Live before notifying parents or obtaining required parental consent, and retained incomplete-registration data for years.", "docket_number": "2:23-cv-00836-RAJ", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "07.23_amazon.com", "company_name": "Amazon.com, Inc.", "date_issued": "2023-07-15", "year": 2023, "takeaway_brief": "Amazon retained children's Alexa voice recordings indefinitely and failed to honor user requests to delete voice and geolocation data despite explicit promises of full deletion control.", "docket_number": "2:23-cv-00811", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3128-amazoncom-alexa-us-v", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "08.23_edmodo", "company_name": "Edmodo, LLC", "date_issued": "2023-08-15", "year": 2023, "takeaway_brief": "Edmodo collected personal information from hundreds of thousands of children without parental consent and attempted to shift its COPPA compliance obligations onto schools.", "docket_number": "23-cv-02495", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3129-edmodo-llc-us-v", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.24_epic_games", "company_name": "Epic Games, Inc.", "date_issued": "2024-01-15", "year": 2024, "takeaway_brief": "Epic Games used dark patterns to charge consumers — including children — for Fortnite purchases without informed consent, and denied account access to those who disputed charges.", "docket_number": "C-4790", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] }, { "case_id": "03.24_rite_aid_corporation", "company_name": "Rite Aid Corporation", "date_issued": "2024-03-15", "year": 2024, "takeaway_brief": "Rite Aid deployed inaccurate facial recognition technology without adequate safeguards, causing wrongful surveillance of innocent consumers including disproportionate harms to minority shoppers.", "docket_number": "2:23-cv-05023", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "01.25_cognosphere", "company_name": "COGNOSPHERE, LLC", "date_issued": "2025-01-15", "year": 2025, "takeaway_brief": "HoYoverse collected children's personal data without parental consent and misled players about their true odds of winning loot box prizes, obscuring the actual cost of rare items.", "docket_number": "2:25-cv-447", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3152-cognosphere-llc-us-v", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.25_pornhubmindgeekaylo", "company_name": "AYLO GROUP LTD.", "date_issued": "2025-09-15", "year": 2025, "takeaway_brief": "Pornhub's operator actively distributed child sexual abuse material and non-consensual content for years while falsely claiming to promptly review and remove flagged material.", "docket_number": "2:25-cv-00752", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.25_apitor", "company_name": "Apitor Technology Co., Ltd.", "date_issued": "2025-10-15", "year": 2025, "takeaway_brief": "Apitor's robot toy app secretly collected precise geolocation data from child users via a third-party SDK without parental notice or consent.", "docket_number": "3:25-cv-07363", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/apitor", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "12.25_disney", "company_name": "Disney Worldwide Services, Inc. and Disney Entertainment Operations LLC", "date_issued": "2025-12-15", "year": 2025, "takeaway_brief": "Disney failed to accurately designate child-directed YouTube videos as 'Made for Kids,' allowing targeted advertising and personal data collection on content directed at children.", "docket_number": "2:25-cv-08223", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/disney", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] } ] }, { "id": "unauthorized-data-collection", "name": "Unauthorized Data Collection", "description": "Collecting personal data without consent, beyond stated purposes, or through deceptive means", "case_count": 36, "year_range": [ 1999, 2025 ], "most_recent_year": 2025, "most_recent_date": "2025-10-15", "enforcement_topics": [ "COPPA", "FCRA", "GLBA", "Health Breach Notification", "Section 5 Only" ], "cases": [ { "case_id": "08.99_liberty_financial_companies", "company_name": "Liberty Financial Companies, Inc.", "date_issued": "1999-08-15", "year": 1999, "takeaway_brief": "Liberty Financial's children's website collected personal information under a false promise of anonymity and never delivered the promised newsletter or prize drawings.", "docket_number": "C-3891", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.01_monarch_services", "company_name": "Monarch Services, Inc.", "date_issued": "2001-04-15", "year": 2001, "takeaway_brief": "Monarch Services collected personal information from children under 13 on its kids' website without parental notice or consent.", "docket_number": "AMD 01 CV 1165", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/002-3375-monarch-services-inc-et-al", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.01_frank_lisa", "company_name": "Lisa Frank, Inc.", "date_issued": "2001-10-15", "year": 2001, "takeaway_brief": "Lisa Frank's children's website collected personal information from children without parental consent and falsely claimed in its privacy policy that parental permission would be required.", "docket_number": "Civil Action No. _______________", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3050-frank-lisa-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher", "company_name": "Educational Research Center of America, Inc.", "date_issued": "2003-05-15", "year": 2003, "takeaway_brief": "ERCA collected personal data from millions of students under the guise of college recruitment surveys but secretly sold it to commercial marketers.", "docket_number": "C-4079", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.05_vision_i_properties", "company_name": "Vision I Properties, LLC", "date_issued": "2005-04-15", "year": 2005, "takeaway_brief": "CartManager International secretly collected consumer data through merchants' checkout pages and sold it to third-party marketers without disclosure.", "docket_number": "C-4135", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ] }, { "case_id": "10.09_iconix_brand_group", "company_name": "Iconix Brand Group, Inc.", "date_issued": "2009-10-15", "year": 2009, "takeaway_brief": "Iconix collected personal data from roughly 1,000 children under 13 through fan and sweepstakes features without parental consent, violating COPPA and its own privacy policy.", "docket_number": "09 Civ. 8864 (MGC)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/iconix-brand-group-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "03.12_rockyou", "company_name": "RockYou, Inc.", "date_issued": "2012-03-15", "year": 2012, "takeaway_brief": "RockYou failed to secure 32 million email addresses and passwords, and knowingly collected personal data from approximately 179,000 children without parental consent in violation of COPPA.", "docket_number": "CV '12 1487", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023120-rockyou-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.12_artist_arena_llc_united_states_of_america", "company_name": "Artist Arena LLC", "date_issued": "2012-10-15", "year": 2012, "takeaway_brief": "Artist Arena collected personal data from over 101,000 children under 13 for celebrity fan clubs without proper parental notice or consent.", "docket_number": "12 Civ. 07386", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3167-artist-arena-llc-united-states-america-federal-trade-commission", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.13_path", "company_name": "Path, Inc.", "date_issued": "2013-02-15", "year": 2013, "takeaway_brief": "Path's mobile app silently collected users' entire phone contact lists without consent and knowingly gathered personal data from thousands of children without parental approval.", "docket_number": "C-3:13-cv-00448-RS", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3158-path-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.13_c.a.l.m._ventures", "company_name": "C.A.L.M. Ventures, Inc.", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "C.A.L.M. Ventures used hidden monitoring software on rented computers to secretly spy on consumers in their homes, including activating webcams without consent.", "docket_number": "C-4394", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.13_showplace", "company_name": "Showplace, Inc.", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "Showplace secretly installed monitoring software on rented computers to capture consumers' webcam images, keystrokes, and personal data without their knowledge.", "docket_number": "C-4397", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "07.13_htc_america", "company_name": "HTC America, Inc.", "date_issued": "2013-07-15", "year": 2013, "takeaway_brief": "HTC introduced serious security vulnerabilities into millions of Android and Windows Mobile devices, exposing sensitive user data to third-party apps without permission.", "docket_number": "C-4406", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl", "company_name": "Goldenshores Technologies, LLC", "date_issued": "2014-04-15", "year": 2014, "takeaway_brief": "Goldenshores Technologies' Brightest Flashlight Free app secretly transmitted users' precise geolocation and device identifiers to advertising networks without adequate disclosure.", "docket_number": "C-4446", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Location / Geolocation Data" ] }, { "case_id": "02.15_paymentsmd", "company_name": "PaymentsMD, LLC", "date_issued": "2015-02-15", "year": 2015, "takeaway_brief": "PaymentsMD secretly used consumers' registration for a free billing portal to collect comprehensive health information from pharmacies and health plans for a separate fee-based service.", "docket_number": "C-4505", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3088-paymentsmd-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Health Data" ] }, { "case_id": "01.16_craig_brittain", "company_name": "Craig Brittain", "date_issued": "2016-01-15", "year": 2016, "takeaway_brief": "Craig Brittain operated a 'revenge porn' site, posting intimate photos of over 1,000 individuals without consent and running a sham removal service that charged victims to take down their own images.", "docket_number": "C-4564", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.16_inmobi_pte", "company_name": "InMobi Pte Ltd.", "date_issued": "2016-06-15", "year": 2016, "takeaway_brief": "InMobi secretly tracked users' locations without permission and collected personal data from children across thousands of apps without parental consent.", "docket_number": "3:16-cv-3474", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3203-inmobi-pte-ltd", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.17_vizio_inc._and_vizio_inscape_services", "company_name": "VIZIO, Inc.", "date_issued": "2017-02-15", "year": 2017, "takeaway_brief": "VIZIO covertly collected second-by-second television viewing data from millions of consumers by default and sold it to third parties while describing the feature only as providing 'program offers and suggestions.'", "docket_number": "Case 2:17-cv-00758", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "01.18_lenovo", "company_name": "Lenovo (United States) Inc.", "date_issued": "2018-01-15", "year": 2018, "takeaway_brief": "Lenovo preinstalled man-in-the-middle adware on consumer laptops that intercepted encrypted web traffic and created serious security vulnerabilities without adequate disclosure.", "docket_number": "C-4636", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.18_prime_sites", "company_name": "Prime Sites, Inc.", "date_issued": "2018-02-15", "year": 2018, "takeaway_brief": "Explore Talent collected personal information from over 100,000 children without parental consent and used false promises of casting opportunities to sell paid memberships.", "docket_number": "2:18-cv-199", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3218-prime-sites-inc-explore-talent", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ] }, { "case_id": "02.18_sears_holdings_management_corporation", "company_name": "Sears Holdings Management Corporation", "date_issued": "2018-02-15", "year": 2018, "takeaway_brief": "Sears secretly installed software on consumers' computers that tracked nearly all internet activity — including financial and health data from secure sessions — while describing it as simple 'online browsing' research.", "docket_number": "C-4264", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3099-c-4264-sears-holdings-management-corporation-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.18_blu_products_and_samuel_ohev-zion", "company_name": "BLU PRODUCTS, INC.", "date_issued": "2018-09-15", "year": 2018, "takeaway_brief": "BLU Products sold smartphones with preinstalled software that secretly transmitted users' text messages, location data, and contact lists to servers in China.", "docket_number": "C-4657", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "02.19_musical.ly", "company_name": "Musical.ly", "date_issued": "2019-02-15", "year": 2019, "takeaway_brief": "Musical.ly knowingly collected personal data from millions of children under 13 without parental notice or consent and failed to delete children's data when parents requested it.", "docket_number": "2:19-cv-1439", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3004-musically-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.19_unixiz_doing_business_as_i-dressup.com", "company_name": "UNIXIZ, Inc.", "date_issued": "2019-04-15", "year": 2019, "takeaway_brief": "UNIXIZ collected personal information from over 245,000 children on its gaming site without verifiable parental consent and with grossly inadequate data security.", "docket_number": "5:19-cv-2222", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3002-unixiz-inc-doing-business-i-dressupcom", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.19_aleksandr_kogan_and_alexander_nix", "company_name": "Cambridge Analytica, LLC", "date_issued": "2019-12-15", "year": 2019, "takeaway_brief": "Aleksandr Kogan and Alexander Nix built a Facebook app that falsely promised not to collect users' identifiable information while harvesting data from millions of users and their friends.", "docket_number": "C-4693, C-4694", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "02.21_zoom_video_communications", "company_name": "Zoom Video Communications, Inc.", "date_issued": "2021-02-15", "year": 2021, "takeaway_brief": "Zoom falsely claimed to offer end-to-end encryption for meetings and secretly installed software on Mac computers that bypassed Apple's security controls.", "docket_number": "C-4731", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.21_ascension_data_analytics", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "takeaway_brief": "Ascension Data & Analytics handed mortgage documents containing sensitive consumer data to a vendor without conducting any security vetting, resulting in a cloud storage misconfiguration that exposed the data.", "docket_number": "C-4758", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "01.22_itmedia_solutions", "company_name": "ITMEDIA SOLUTIONS LLC", "date_issued": "2022-01-15", "year": 2022, "takeaway_brief": "ITMedia collected consumers' sensitive loan application data under the pretext of connecting them to lenders, then sold it to marketers, debt negotiators, and unknown entities.", "docket_number": "2:22-cv-00073", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1523225-itmedia-solutions-llc", "statutory_topics": [ "FCRA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "03.22_weight_watchersww", "company_name": "Kurbo, Inc.", "date_issued": "2022-03-15", "year": 2022, "takeaway_brief": "Kurbo by WW collected personal data from children under 13 without adequate parental notice or verifiable consent.", "docket_number": "3:22-cv-00946", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923228-weight-watchersww", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.23_goodrx_holdings", "company_name": "GoodRx Holdings, Inc.", "date_issued": "2023-02-15", "year": 2023, "takeaway_brief": "GoodRx repeatedly promised never to share users' health information with advertisers, then secretly transmitted prescription drug names and health conditions to Facebook, Google, and Criteo for targeted advertising.", "docket_number": "23-cv-460", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "06.23_microsoft_corporation", "company_name": "Microsoft Corporation", "date_issued": "2023-06-15", "year": 2023, "takeaway_brief": "Microsoft collected personal information from children on Xbox Live before notifying parents or obtaining required parental consent, and retained incomplete-registration data for years.", "docket_number": "2:23-cv-00836-RAJ", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "08.23_edmodo", "company_name": "Edmodo, LLC", "date_issued": "2023-08-15", "year": 2023, "takeaway_brief": "Edmodo collected personal information from hundreds of thousands of children without parental consent and attempted to shift its COPPA compliance obligations onto schools.", "docket_number": "23-cv-02495", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3129-edmodo-llc-us-v", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.24_x-mode_social", "company_name": "X-Mode Social, Inc.", "date_issued": "2024-04-15", "year": 2024, "takeaway_brief": "X-Mode Social collected precise consumer location data through hundreds of apps and sold it—including sensitive locations like medical facilities—to government contractors without adequate disclosure or consumer consent.", "docket_number": "C-4802", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data", "Location / Geolocation Data" ] }, { "case_id": "05.24_blackbaud", "company_name": "Blackbaud, Inc.", "date_issued": "2024-05-15", "year": 2024, "takeaway_brief": "Blackbaud's deficient security practices allowed a cyberattacker to remain undetected for months and exfiltrate millions of consumers' personal data, which the company then misrepresented in its breach notification.", "docket_number": "C-4804", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "12.24_vivint_smart_home", "company_name": "Vivint Smart Home, Inc.", "date_issued": "2024-12-15", "year": 2024, "takeaway_brief": "Vivint's sales force fraudulently pulled third parties' credit reports without consent to qualify unqualified customers for financing, then passed those innocent parties' information to debt collectors.", "docket_number": "2:21-cv-00267-TS", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3060-vivint-smart-home-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "02.25_avast", "company_name": "Avast Limited", "date_issued": "2025-02-15", "year": 2025, "takeaway_brief": "Avast collected consumers' detailed browsing histories through its privacy-protection software and secretly sold that data to over 100 third parties without adequate disclosure or consent.", "docket_number": "2023033", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.25_apitor", "company_name": "Apitor Technology Co., Ltd.", "date_issued": "2025-10-15", "year": 2025, "takeaway_brief": "Apitor's robot toy app secretly collected precise geolocation data from child users via a third-party SDK without parental notice or consent.", "docket_number": "3:25-cv-07363", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/apitor", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] } ] }, { "id": "surveillance-and-tracking", "name": "Surveillance & Tracking", "description": "Undisclosed monitoring, location tracking, spyware, or stalkerware", "case_count": 35, "year_range": [ 2010, 2025 ], "most_recent_year": 2025, "most_recent_date": "2025-10-15", "enforcement_topics": [ "CAN-SPAM", "COPPA", "FCRA", "Health Breach Notification", "Section 5 Only" ], "cases": [ { "case_id": "11.10_echometrix", "company_name": "EchoMetrix, Inc.", "date_issued": "2010-11-15", "year": 2010, "takeaway_brief": "EchoMetrix sold parental monitoring software while secretly feeding children's online activity data to a third-party market research product sold to advertisers.", "docket_number": "2:10-cv-05516-DRH", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "06.11_chitika", "company_name": "CHITIKA, INC.", "date_issued": "2011-06-15", "year": 2011, "takeaway_brief": "Chitika told consumers that clicking its opt-out button stopped behavioral advertising tracking, but the opt-out cookie expired after only 10 days without any notice.", "docket_number": "C-4324", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.11_lookout_services", "company_name": "Lookout Services, Inc.", "date_issued": "2011-06-15", "year": 2011, "takeaway_brief": "Lookout Services falsely claimed 24/7 network security monitoring for its I-9 compliance product while lacking basic security safeguards like strong passwords and URL authentication controls.", "docket_number": "C-4326", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.11_scanscout", "company_name": "ScanScout, Inc.", "date_issued": "2011-12-15", "year": 2011, "takeaway_brief": "ScanScout falsely told consumers they could opt out of tracking cookies by changing browser settings, when its Flash cookies were immune to browser-level controls.", "docket_number": "C-4344", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3185-scanscout-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.13_compete", "company_name": "Compete, Inc.", "date_issued": "2013-02-15", "year": 2013, "takeaway_brief": "Compete collected consumers' sensitive financial and personal information through tracking software while falsely claiming it only anonymously collected browsing data.", "docket_number": "C-4384", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.13_aspen_way_enterprises", "company_name": "Aspen Way Enterprises, Inc.", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "Aspen Way Enterprises installed hidden monitoring software on rented computers to secretly capture consumers' sensitive personal information, including via webcam.", "docket_number": "C-4392", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "04.13_b._stamper_enterprises", "company_name": "B. Stamper Enterprises, Inc.", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "B. Stamper Enterprises secretly monitored rented computer users via hidden software to capture passwords, medical records, and personal images.", "docket_number": "C-4393", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "04.13_c.a.l.m._ventures", "company_name": "C.A.L.M. Ventures, Inc.", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "C.A.L.M. Ventures used hidden monitoring software on rented computers to secretly spy on consumers in their homes, including activating webcams without consent.", "docket_number": "C-4394", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.13_designerware", "company_name": "DesignerWare, LLC", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "DesignerWare developed and licensed stalkerware that secretly activated webcams, logged keystrokes, and tracked consumers' locations on rented computers.", "docket_number": "C-4390", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "04.13_j.a.g._rents_also_dba_colortyme", "company_name": "J.A.G. Rents, LLC", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "J.A.G. Rents secretly monitored rented computer users through hidden software, capturing sensitive personal information and tricking consumers with fake registration pop-ups.", "docket_number": "C-4395", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "04.13_red_zone_investment_group", "company_name": "Red Zone Investment Group, Inc.", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "Red Zone Investment Group installed covert monitoring software on rented computers to secretly surveil users and collect personal information without their knowledge.", "docket_number": "C-4396", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.13_showplace", "company_name": "Showplace, Inc.", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "Showplace secretly installed monitoring software on rented computers to capture consumers' webcam images, keystrokes, and personal data without their knowledge.", "docket_number": "C-4397", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "04.13_watershed_development", "company_name": "Watershed Development Corp.", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "Watershed Development secretly monitored rented computer users through hidden keylogging, screenshot, and webcam software without their knowledge or consent.", "docket_number": "C-4398", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "03.14_aaron_s", "company_name": "Aaron's, Inc.", "date_issued": "2014-03-15", "year": 2014, "takeaway_brief": "Aaron's provided its franchisees with spyware that secretly logged keystrokes, captured screenshots, and activated webcams on rented computers without consumers' knowledge or consent.", "docket_number": "C-4442", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "04.14_goldenshores_technologies_and_erik_m._geidl", "company_name": "Goldenshores Technologies, LLC", "date_issued": "2014-04-15", "year": 2014, "takeaway_brief": "Goldenshores Technologies' Brightest Flashlight Free app secretly transmitted users' precise geolocation and device identifiers to advertising networks without adequate disclosure.", "docket_number": "C-4446", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Location / Geolocation Data" ] }, { "case_id": "12.14_snapchat", "company_name": "Snapchat, Inc.", "date_issued": "2014-12-15", "year": 2014, "takeaway_brief": "Snapchat falsely claimed messages disappeared permanently, that users received screenshot notifications, and that it did not collect location data, while also failing to secure user information.", "docket_number": "C-4501", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "01.16_craig_brittain", "company_name": "Craig Brittain", "date_issued": "2016-01-15", "year": 2016, "takeaway_brief": "Craig Brittain operated a 'revenge porn' site, posting intimate photos of over 1,000 individuals without consent and running a sham removal service that charged victims to take down their own images.", "docket_number": "C-4564", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.17_turn", "company_name": "Turn Inc.", "date_issued": "2017-04-15", "year": 2017, "takeaway_brief": "Turn Inc. falsely told consumers that deleting cookies would stop its tracking, while secretly using unkillable Verizon tracking headers to continue surveillance.", "docket_number": "C-4612", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.18_lenovo", "company_name": "Lenovo (United States) Inc.", "date_issued": "2018-01-15", "year": 2018, "takeaway_brief": "Lenovo preinstalled man-in-the-middle adware on consumer laptops that intercepted encrypted web traffic and created serious security vulnerabilities without adequate disclosure.", "docket_number": "C-4636", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "02.18_sears_holdings_management_corporation", "company_name": "Sears Holdings Management Corporation", "date_issued": "2018-02-15", "year": 2018, "takeaway_brief": "Sears secretly installed software on consumers' computers that tracked nearly all internet activity — including financial and health data from secure sessions — while describing it as simple 'online browsing' research.", "docket_number": "C-4264", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3099-c-4264-sears-holdings-management-corporation-corporation-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.18_blu_products_and_samuel_ohev-zion", "company_name": "BLU PRODUCTS, INC.", "date_issued": "2018-09-15", "year": 2018, "takeaway_brief": "BLU Products sold smartphones with preinstalled software that secretly transmitted users' text messages, location data, and contact lists to servers in China.", "docket_number": "C-4657", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "03.20_retina-x_studios", "company_name": "RETINA-X STUDIOS, LLC", "date_issued": "2020-03-15", "year": 2020, "takeaway_brief": "Retina-X sold covert device monitoring apps enabling stalking while falsely claiming consumers' data was kept private and secure.", "docket_number": "C-4711", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3118-retina-x-studios-llc-matter", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "09.20_emp_media", "company_name": "EMP Media, Inc.", "date_issued": "2020-09-15", "year": 2020, "takeaway_brief": "MyEx.com publicly posted intimate images and personal information of individuals without their consent and charged victims thousands of dollars to have the content removed.", "docket_number": "2:18-cv-00035-APG-NJK", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.21_openx_technologies", "company_name": "OpenX Technologies, Inc.", "date_issued": "2021-12-15", "year": 2021, "takeaway_brief": "OpenX collected precise location data via a backdoor method that bypassed users' location permission denials, and collected children's personal data from child-directed apps without parental consent.", "docket_number": "2:21-cv-09693", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "04.22_credit_bureau_center", "company_name": "Credit Bureau Center, LLC", "date_issued": "2022-04-15", "year": 2022, "takeaway_brief": "Credit Bureau Center used fake rental property ads to lure consumers into hidden paid credit monitoring subscriptions falsely advertised as free.", "docket_number": "17-cv-00194", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3120-x170014-credit-bureau-center-llc-formerly-known-myscore-llc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "06.23_easy_healthcare_corporation", "company_name": "Easy Healthcare Corporation", "date_issued": "2023-06-15", "year": 2023, "takeaway_brief": "The Premom ovulation app secretly shared women's sensitive health and geolocation data with third parties for advertising despite explicit privacy promises.", "docket_number": "1:23-cv-3107", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data", "Location / Geolocation Data" ] }, { "case_id": "07.23_amazon.com", "company_name": "Amazon.com, Inc.", "date_issued": "2023-07-15", "year": 2023, "takeaway_brief": "Amazon retained children's Alexa voice recordings indefinitely and failed to honor user requests to delete voice and geolocation data despite explicit promises of full deletion control.", "docket_number": "2:23-cv-00811", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3128-amazoncom-alexa-us-v", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] }, { "case_id": "03.24_rite_aid_corporation", "company_name": "Rite Aid Corporation", "date_issued": "2024-03-15", "year": 2024, "takeaway_brief": "Rite Aid deployed inaccurate facial recognition technology without adequate safeguards, causing wrongful surveillance of innocent consumers including disproportionate harms to minority shoppers.", "docket_number": "2:23-cv-05023", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "04.24_x-mode_social", "company_name": "X-Mode Social, Inc.", "date_issued": "2024-04-15", "year": 2024, "takeaway_brief": "X-Mode Social collected precise consumer location data through hundreds of apps and sold it—including sensitive locations like medical facilities—to government contractors without adequate disclosure or consumer consent.", "docket_number": "C-4802", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data", "Location / Geolocation Data" ] }, { "case_id": "05.24_inmarket_media", "company_name": "InMarket Media, LLC", "date_issued": "2024-05-15", "year": 2024, "takeaway_brief": "InMarket Media misled consumers about location data use in its apps and SDK, collecting precise location data for advertising profiling while telling consumers it was only for app functionality.", "docket_number": "C-4803", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Health Data", "Location / Geolocation Data" ] }, { "case_id": "08.24_verkada", "company_name": "Verkada Inc.", "date_issued": "2024-08-15", "year": 2024, "takeaway_brief": "Verkada made false security claims for its building surveillance cameras, failed to implement basic security practices, and violated CAN-SPAM requirements in its marketing emails.", "docket_number": "3:24-cv-06153", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123068-verkada-inc-us-v", "statutory_topics": [ "CAN-SPAM" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "12.24_gravy_analytics", "company_name": "Gravy Analytics, Inc.", "date_issued": "2024-12-15", "year": 2024, "takeaway_brief": "Gravy Analytics collected and sold precise mobile location data revealing consumers' sensitive characteristics — including health decisions and religious practices — without verifying user consent.", "docket_number": "C-4810", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Health Data", "Location / Geolocation Data" ] }, { "case_id": "01.25_mobilewalla", "company_name": "Mobilewalla, Inc.", "date_issued": "2025-01-15", "year": 2025, "takeaway_brief": "Mobilewalla collected and sold consumers' sensitive location data — including data revealing visits to medical facilities and places of worship — without meaningful consent and in violation of ad exchange terms.", "docket_number": "C-4811", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data", "Location / Geolocation Data" ] }, { "case_id": "02.25_avast", "company_name": "Avast Limited", "date_issued": "2025-02-15", "year": 2025, "takeaway_brief": "Avast collected consumers' detailed browsing histories through its privacy-protection software and secretly sold that data to over 100 third parties without adequate disclosure or consent.", "docket_number": "2023033", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.25_apitor", "company_name": "Apitor Technology Co., Ltd.", "date_issued": "2025-10-15", "year": 2025, "takeaway_brief": "Apitor's robot toy app secretly collected precise geolocation data from child users via a third-party SDK without parental notice or consent.", "docket_number": "3:25-cv-07363", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/apitor", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ] } ] }, { "id": "deceptive-product-service-claims", "name": "Deceptive Product & Service Claims", "description": "False or misleading advertising about products, services, or business practices unrelated to data security or privacy", "case_count": 18, "year_range": [ 2008, 2025 ], "most_recent_year": 2025, "most_recent_date": "2025-09-15", "enforcement_topics": [ "FCRA", "Section 5 Only", "TSR" ], "cases": [ { "case_id": "09.08_emc_mortgage_co.", "company_name": "EMC Mortgage Corporation", "date_issued": "2008-09-15", "year": 2008, "takeaway_brief": "EMC Mortgage made false representations to borrowers about loan balances and fees, charged unauthorized fees, and harassed borrowers in violation of multiple consumer protection laws.", "docket_number": "4:08-cv-338", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3031-emc-mortgage-co", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "06.11_best_priced_brands", "company_name": "Balls of Kryptonite, LLC", "date_issued": "2011-06-15", "year": 2011, "takeaway_brief": "Best Priced Brands deceived UK consumers by falsely presenting its U.S. businesses as UK-based retailers and misrepresenting prices, warranties, and consumer rights.", "docket_number": "CV 09-5276 DDP", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ] }, { "case_id": "06.12_spokeo", "company_name": "Spokeo, Inc.", "date_issued": "2012-06-15", "year": 2012, "takeaway_brief": "Spokeo marketed detailed consumer profiles for employment decisions while operating as an unregistered consumer reporting agency without any FCRA compliance procedures.", "docket_number": "C-12-cv-05001-MMM-SH (Case No. 2:12-cv-05001-MMM-SH)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023163-spokeo-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "05.13_filiquarian_publishing_choice_level_and_joshua_linsk", "company_name": "Filiquarian Publishing, LLC", "date_issued": "2013-05-15", "year": 2013, "takeaway_brief": "Filiquarian marketed mobile apps for employment background checks while operating as a consumer reporting agency without implementing any required FCRA procedures.", "docket_number": "C-4401", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3195-filiquarian-publishing-llc-choice-level-llc-joshua-linsk-matter", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "04.14_instant_checkmate", "company_name": "Instant Checkmate, Inc.", "date_issued": "2014-04-15", "year": 2014, "takeaway_brief": "Instant Checkmate marketed background reports for employment screening purposes while failing to comply with any Fair Credit Reporting Act requirements.", "docket_number": "14CV0675H JMA", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3221-instant-checkmate-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "01.16_craig_brittain", "company_name": "Craig Brittain", "date_issued": "2016-01-15", "year": 2016, "takeaway_brief": "Craig Brittain operated a 'revenge porn' site, posting intimate photos of over 1,000 individuals without consent and running a sham removal service that charged victims to take down their own images.", "docket_number": "C-4564", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "01.18_jerk_dba_jerk.com", "company_name": "Jerk, LLC", "date_issued": "2018-01-15", "year": 2018, "takeaway_brief": "Jerk.com misrepresented that profile content was created by users and that paid memberships would provide meaningful dispute rights.", "docket_number": "9361", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3141-jerk-llc-dba-jerkcom-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "09.18_integrated_flight_solutions", "company_name": "Integrated Flight Solutions LLC", "date_issued": "2018-09-15", "year": 2018, "takeaway_brief": "NoveltyExcuses.com sold fake financial documents—including pay stubs and insurance cards—designed to look authentic enough to deceive lenders and landlords.", "docket_number": "3:18-cv-1658", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Health Data" ] }, { "case_id": "09.18_katrina_moore", "company_name": "Innovative Paycheck Solutions", "date_issued": "2018-09-15", "year": 2018, "takeaway_brief": "Innovative Paycheck Solutions sold fake pay stubs and bank statements marketed as authentic-looking documents for use in deceiving lenders and landlords.", "docket_number": "5:18-cv-01960", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "10.19_lifelock", "company_name": "LifeLock, Inc.", "date_issued": "2019-10-15", "year": 2019, "takeaway_brief": "LifeLock falsely marketed its identity theft protection service as comprehensive and complete when it actually covered only a narrow subset of identity theft scenarios.", "docket_number": "CV-10-00530-PHX-JJT", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "02.20_office_depot", "company_name": "Office Depot, Inc.", "date_issued": "2020-02-15", "year": 2020, "takeaway_brief": "Office Depot used a fake diagnostic software tool that automatically reported false malware findings to sell unnecessary repair services to consumers.", "docket_number": "9:19-cv-80431", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "03.20_boostmyscore", "company_name": "BoostMyScore LLC", "date_issued": "2020-03-15", "year": 2020, "takeaway_brief": "BoostMyScore sold illegal credit piggybacking services and charged prohibited advance fees while falsely guaranteeing FICO score boosts.", "docket_number": "1:20-cv-00641", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3059-boostmyscore-llc", "statutory_topics": [ "TSR" ], "categories": [ "Telemarketing / Do-Not-Call" ] }, { "case_id": "05.20_tapplock", "company_name": "Tapplock, Inc.", "date_issued": "2020-05-15", "year": 2020, "takeaway_brief": "Tapplock marketed its Internet-connected padlocks as 'unbreakable' and secure while critical physical and electronic vulnerabilities made them trivially easy to compromise.", "docket_number": "C-4718", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "05.23_fashion_nova", "company_name": "Fashion Nova, LLC", "date_issued": "2023-05-15", "year": 2023, "takeaway_brief": "Fashion Nova suppressed hundreds of thousands of negative customer reviews to create a falsely positive impression of its products.", "docket_number": "C-4759", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "01.25_intellivision", "company_name": "IntelliVision Technologies Corp.", "date_issued": "2025-01-15", "year": 2025, "takeaway_brief": "IntelliVision marketed its facial recognition software as free of racial and gender bias and highly accurate when it had no testing to support those claims.", "docket_number": "C-4809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/232-3023-intellivision-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "02.25_aqua_finance", "company_name": "Aqua Finance, Inc.", "date_issued": "2025-02-15", "year": 2025, "takeaway_brief": "Aqua Finance funded home water treatment financing arrangements whose terms were systematically misrepresented by dealers and structured deceptively as open-end credit in violation of federal lending law.", "docket_number": "3:24-cv-00288", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/aqua-finance", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "07.25_roca_labs", "company_name": "Roca Labs, Inc.", "date_issued": "2025-07-15", "year": 2025, "takeaway_brief": "Roca Labs falsely claimed its dietary supplement had a scientifically proven 90% weight-loss success rate and silenced unhappy customers with non-disparagement clauses.", "docket_number": "8:15-cv-02231-MSS-TBM", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "09.25_pornhubmindgeekaylo", "company_name": "AYLO GROUP LTD.", "date_issued": "2025-09-15", "year": 2025, "takeaway_brief": "Pornhub's operator actively distributed child sexual abuse material and non-consensual content for years while falsely claiming to promptly review and remove flagged material.", "docket_number": "2:25-cv-00752", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ] } ] }, { "id": "algorithmic-harm", "name": "Algorithmic Harm", "description": "Biased or deceptive AI/automated decision-making, or algorithmic discrimination", "case_count": 5, "year_range": [ 2015, 2025 ], "most_recent_year": 2025, "most_recent_date": "2025-01-15", "enforcement_topics": [ "COPPA", "Section 5 Only" ], "cases": [ { "case_id": "12.15_lai_systems", "company_name": "LAI Systems, LLC", "date_issued": "2015-12-15", "year": 2015, "takeaway_brief": "LAI Systems allowed third-party ad networks to collect persistent identifiers from children through its kids' apps for targeted advertising without parental notice or consent.", "docket_number": "2:15-cv-9691", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3261-lai-systems-llc", "statutory_topics": [ "COPPA" ], "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "05.16_henry_schein_practice_solutions", "company_name": "Henry Schein Practice Solutions, Inc.", "date_issued": "2016-05-15", "year": 2016, "takeaway_brief": "Henry Schein falsely marketed its dental software as providing industry-standard encryption for patient data when it actually used a weaker, proprietary algorithm.", "docket_number": "C-4575", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Health Data", "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "05.22_everalbum", "company_name": "Everalbum, Inc.", "date_issued": "2022-05-15", "year": 2022, "takeaway_brief": "Everalbum enabled facial recognition by default without user consent and used consumers' photos to train commercial AI without adequately disclosing this or deleting data when accounts were deactivated.", "docket_number": "C-4743", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "03.24_rite_aid_corporation", "company_name": "Rite Aid Corporation", "date_issued": "2024-03-15", "year": 2024, "takeaway_brief": "Rite Aid deployed inaccurate facial recognition technology without adequate safeguards, causing wrongful surveillance of innocent consumers including disproportionate harms to minority shoppers.", "docket_number": "2:23-cv-05023", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ] }, { "case_id": "01.25_intellivision", "company_name": "IntelliVision Technologies Corp.", "date_issued": "2025-01-15", "year": 2025, "takeaway_brief": "IntelliVision marketed its facial recognition software as free of racial and gender bias and highly accurate when it had no testing to support those claims.", "docket_number": "C-4809", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/232-3023-intellivision-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "AI / Algorithmic / Facial Recognition" ] } ] }, { "id": "unfair-billing-practices", "name": "Unfair Billing Practices", "description": "Unauthorized charges, deceptive pricing, hidden fees, or difficulty canceling", "case_count": 13, "year_range": [ 2005, 2024 ], "most_recent_year": 2024, "most_recent_date": "2024-05-15", "enforcement_topics": [ "FCRA", "GLBA", "Health Breach Notification", "Section 5 Only", "TSR" ], "cases": [ { "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "takeaway_brief": "Assail ran a telemarketing scam that swapped promised credit cards for worthless stored-value cards while making unauthorized debits from consumers' bank accounts.", "docket_number": "Civ. No. WA:03-CV-7", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "statutory_topics": [ "TSR", "GLBA" ], "categories": [ "Gramm-Leach-Bliley", "Telemarketing / Do-Not-Call" ] }, { "case_id": "10.05_sun_spectrum_communications_organization", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "takeaway_brief": "Telemarketers falsely promised bad-credit consumers they were pre-approved for major credit cards, collected advance fees, and then never delivered the promised cards.", "docket_number": "03-8110-CIV-COHN/SNOW", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "statutory_topics": [ "TSR", "GLBA" ], "categories": [ "Gramm-Leach-Bliley", "Telemarketing / Do-Not-Call" ] }, { "case_id": "09.08_emc_mortgage_co.", "company_name": "EMC Mortgage Corporation", "date_issued": "2008-09-15", "year": 2008, "takeaway_brief": "EMC Mortgage made false representations to borrowers about loan balances and fees, charged unauthorized fees, and harassed borrowers in violation of multiple consumer protection laws.", "docket_number": "4:08-cv-338", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3031-emc-mortgage-co", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "09.09_cash_today", "company_name": "Cash Today, Ltd.", "date_issued": "2009-09-15", "year": 2009, "takeaway_brief": "Overseas payday lenders offered loans without required disclosures and then threatened consumers with arrest and prosecution to coerce repayment, even on potentially unenforceable loans.", "docket_number": "CV-S-08-00590", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Telemarketing / Do-Not-Call" ] }, { "case_id": "12.13_time_warner_cable", "company_name": "Time Warner Cable Inc.", "date_issued": "2013-12-15", "year": 2013, "takeaway_brief": "Time Warner Cable required consumers with weaker credit to pay deposits without providing the required risk-based pricing notices before they became contractually obligated.", "docket_number": "1:13-cv-08998-AJN", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3149-time-warner-cable-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)", "Telemarketing / Do-Not-Call" ] }, { "case_id": "10.15_sprint_corporation", "company_name": "Sprint Corporation", "date_issued": "2015-10-15", "year": 2015, "takeaway_brief": "Sprint charged consumers higher fees based on their credit reports but failed to provide required risk-based pricing notices before they became contractually obligated.", "docket_number": "2:15-cv-9340", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3094-sprint-corporation-sprint-asl-program-0", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "01.16_craig_brittain", "company_name": "Craig Brittain", "date_issued": "2016-01-15", "year": 2016, "takeaway_brief": "Craig Brittain operated a 'revenge porn' site, posting intimate photos of over 1,000 individuals without consent and running a sham removal service that charged victims to take down their own images.", "docket_number": "C-4564", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "09.18_apartment_hunters_et_al.", "company_name": "Apartment Hunters, Inc.", "date_issued": "2018-09-15", "year": 2018, "takeaway_brief": "Apartment Hunters charged fees for access to rental listings that were mostly inaccurate, unavailable, or identical to what was available for free online.", "docket_number": "8:18-CV-01636", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3007-apartment-hunters-inc-et-al-wetakesection8com", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "02.20_office_depot", "company_name": "Office Depot, Inc.", "date_issued": "2020-02-15", "year": 2020, "takeaway_brief": "Office Depot used a fake diagnostic software tool that automatically reported false malware findings to sell unnecessary repair services to consumers.", "docket_number": "9:19-cv-80431", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "03.20_boostmyscore", "company_name": "BoostMyScore LLC", "date_issued": "2020-03-15", "year": 2020, "takeaway_brief": "BoostMyScore sold illegal credit piggybacking services and charged prohibited advance fees while falsely guaranteeing FICO score boosts.", "docket_number": "1:20-cv-00641", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3059-boostmyscore-llc", "statutory_topics": [ "TSR" ], "categories": [ "Telemarketing / Do-Not-Call" ] }, { "case_id": "09.20_emp_media", "company_name": "EMP Media, Inc.", "date_issued": "2020-09-15", "year": 2020, "takeaway_brief": "MyEx.com publicly posted intimate images and personal information of individuals without their consent and charged victims thousands of dollars to have the content removed.", "docket_number": "2:18-cv-00035-APG-NJK", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.21_mylife.com", "company_name": "MyLife.com, Inc.", "date_issued": "2021-12-15", "year": 2021, "takeaway_brief": "MyLife.com used deceptive teaser results suggesting searched individuals had criminal or sex offender records to sell subscriptions, and made cancellation deliberately difficult.", "docket_number": "2:20-cv-6692", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3022-mylifecom-inc", "statutory_topics": [ "FCRA", "TSR" ], "categories": [ "Fair Credit Reporting (FCRA)", "Telemarketing / Do-Not-Call" ] }, { "case_id": "05.24_cerebral_and_kyle_robertson", "company_name": "Cerebral, Inc.", "date_issued": "2024-05-15", "year": 2024, "takeaway_brief": "Cerebral secretly shared millions of patients' sensitive mental health and personal data with over twenty advertising platforms while falsely promising confidential, secure care and making it difficult to cancel subscriptions.", "docket_number": "24-cv-21376-JLK", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3067-cerebral-inc-kyle-robertson-us-v", "statutory_topics": [ "Health Breach Notification" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] } ] }, { "id": "dark-patterns-deceptive-design", "name": "Dark Patterns & Deceptive Design", "description": "Trick interfaces, manipulative UX, hard-to-cancel subscriptions, or deceptive enrollment", "case_count": 9, "year_range": [ 2002, 2024 ], "most_recent_year": 2024, "most_recent_date": "2024-01-15", "enforcement_topics": [ "FCRA", "GLBA", "Section 5 Only" ], "cases": [ { "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "takeaway_brief": "Paula Garrett ran an information brokerage that used impersonation and false pretenses to trick bank employees into disclosing customers' confidential account information, then sold that data.", "docket_number": "H-01-1255", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "statutory_topics": [ "GLBA" ], "categories": [ "Gramm-Leach-Bliley" ] }, { "case_id": "08.09_metropolitan_home_mortgage_also_dba_wholesale_home_lenders", "company_name": "Metropolitan Home Mortgage, Inc.", "date_issued": "2009-08-15", "year": 2009, "takeaway_brief": "Metropolitan Home Mortgage sent prescreened mortgage solicitations that lacked properly formatted opt-out notices as required by the FCRA and the Prescreen Rule.", "docket_number": "Civil Action No. 8:09-cv-00936-DOC(RNB)", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/metropolitan-home-mortgage-inc-also-dba-wholesale-home-lenders", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] }, { "case_id": "06.11_chitika", "company_name": "CHITIKA, INC.", "date_issued": "2011-06-15", "year": 2011, "takeaway_brief": "Chitika told consumers that clicking its opt-out button stopped behavioral advertising tracking, but the opt-out cookie expired after only 10 days without any notice.", "docket_number": "C-4324", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "10.11_google", "company_name": "Google Inc.", "date_issued": "2011-10-15", "year": 2011, "takeaway_brief": "Google auto-enrolled Gmail users into its Buzz social network using their contacts, breaking promises that Gmail data would only be used for email.", "docket_number": "C-4336", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "12.11_scanscout", "company_name": "ScanScout, Inc.", "date_issued": "2011-12-15", "year": 2011, "takeaway_brief": "ScanScout falsely told consumers they could opt out of tracking cookies by changing browser settings, when its Flash cookies were immune to browser-level controls.", "docket_number": "C-4344", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3185-scanscout-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "04.13_j.a.g._rents_also_dba_colortyme", "company_name": "J.A.G. Rents, LLC", "date_issued": "2013-04-15", "year": 2013, "takeaway_brief": "J.A.G. Rents secretly monitored rented computer users through hidden software, capturing sensitive personal information and tricking consumers with fake registration pop-ups.", "docket_number": "C-4395", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "09.15_nomi_technologies", "company_name": "Nomi Technologies, Inc.", "date_issued": "2015-09-15", "year": 2015, "takeaway_brief": "Nomi Technologies promised consumers opt-out rights at retail locations while never actually providing any in-store opt-out mechanism.", "docket_number": "C-4538", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3251-nomi-technologies-inc-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "11.17_taxslayer", "company_name": "TaxSlayer, LLC", "date_issued": "2017-11-15", "year": 2017, "takeaway_brief": "TaxSlayer, a tax preparation service handling highly sensitive financial data, lacked a written security program, performed no risk assessments, and buried its privacy notice in a license agreement.", "docket_number": "C-4626", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3063-taxslayer-matter", "statutory_topics": [ "GLBA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ] }, { "case_id": "01.24_epic_games", "company_name": "Epic Games, Inc.", "date_issued": "2024-01-15", "year": 2024, "takeaway_brief": "Epic Games used dark patterns to charge consumers — including children — for Fortnite purchases without informed consent, and denied account access to those who disputed charges.", "docket_number": "C-4790", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security" ] } ] }, { "id": "identity-theft-facilitation", "name": "Identity Theft Facilitation", "description": "Enabling or failing to prevent identity theft, or fraudulently obtaining personal information", "case_count": 10, "year_range": [ 2002, 2020 ], "most_recent_year": 2020, "most_recent_date": "2020-06-15", "enforcement_topics": [ "FCRA", "GLBA", "Section 5 Only", "TSR" ], "cases": [ { "case_id": "03.02_garrett_paula_l._dba_discreet_data_systems", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "takeaway_brief": "Paula Garrett ran an information brokerage that used impersonation and false pretenses to trick bank employees into disclosing customers' confidential account information, then sold that data.", "docket_number": "H-01-1255", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "statutory_topics": [ "GLBA" ], "categories": [ "Gramm-Leach-Bliley" ] }, { "case_id": "10.06_integrity_security_investigation_services", "company_name": "Integrity Security & Investigation Services, Inc.", "date_issued": "2006-10-15", "year": 2006, "takeaway_brief": "ISIS advertised and sold confidential consumer phone records and financial account information obtained by impersonating account holders without their authorization.", "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "02.07_information_search_and_david_j._kacala", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "takeaway_brief": "Information Search, Inc. obtained consumers' confidential bank account data by impersonating customers to financial institution employees and then sold that information to clients.", "docket_number": "AMD-01-1121", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "statutory_topics": [ "GLBA" ], "categories": [ "Gramm-Leach-Bliley" ] }, { "case_id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph", "company_name": "CEO GROUP, INC.", "date_issued": "2007-12-15", "year": 2007, "takeaway_brief": "CEO Group sold confidential consumer telephone call records obtained through impersonation and false pretenses without account holders' knowledge or authorization.", "docket_number": "06-60602-CIV", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Telemarketing / Do-Not-Call" ] }, { "case_id": "05.08_action_research_group", "company_name": "ACTION RESEARCH GROUP, INC.", "date_issued": "2008-05-15", "year": 2008, "takeaway_brief": "Action Research Group impersonated account holders to fraudulently obtain confidential telephone records from carriers and sold them to third-party clients.", "docket_number": "C-6:07-cv-227-Orl-22UAM", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Privacy / Deceptive Privacy Practices" ] }, { "case_id": "06.09_accusearch_dba_abika.com_and_jay_patel", "company_name": "Accusearch, Inc.", "date_issued": "2009-06-15", "year": 2009, "takeaway_brief": "Accusearch obtained consumers' confidential phone records by impersonating account holders and then sold those records to paying clients without consumers' knowledge.", "docket_number": "06-CV-00105-WFD", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3126-accusearch-inc-dba-abikacom-jay-patel", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Other" ] }, { "case_id": "09.10_choicepoint", "company_name": "ChoicePoint Inc.", "date_issued": "2010-09-15", "year": 2010, "takeaway_brief": "ChoicePoint failed to verify the identities of prospective data subscribers, allowing fraudulent actors to access the personal information of approximately 163,000 consumers.", "docket_number": "1:06-cv-00198-JTC", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3069-choicepoint-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ] }, { "case_id": "10.19_lifelock", "company_name": "LifeLock, Inc.", "date_issued": "2019-10-15", "year": 2019, "takeaway_brief": "LifeLock falsely marketed its identity theft protection service as comprehensive and complete when it actually covered only a narrow subset of identity theft scenarios.", "docket_number": "CV-10-00530-PHX-JJT", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation", "statutory_topics": [ "Section 5 Only" ], "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ] }, { "case_id": "05.20_jasjit_gotra", "company_name": "Alliance Security Inc.", "date_issued": "2020-05-15", "year": 2020, "takeaway_brief": "Alliance Security and its CEO made over two million illegal telemarketing calls including to Do Not Call registrants, impersonated ADT, and obtained consumer reports without permissible purpose.", "docket_number": "1:18-cv-10548", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/x140022-jasjit-gotra-alliance-security", "statutory_topics": [ "TSR", "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)", "Telemarketing / Do-Not-Call" ] }, { "case_id": "06.20_kohl_s_department_stores", "company_name": "Kohl's Department Stores, Inc.", "date_issued": "2020-06-15", "year": 2020, "takeaway_brief": "Kohl's denied identity theft victims access to transaction records about fraudulent purchases made in their names.", "docket_number": "Civil Action No. 2:20-cv-859", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3200-kohls-department-stores-inc", "statutory_topics": [ "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)" ] } ] }, { "id": "illegal-telemarketing", "name": "Illegal Telemarketing", "description": "Do Not Call violations, robocalls, TSR violations, and deceptive telemarketing", "case_count": 2, "year_range": [ 2005, 2020 ], "most_recent_year": 2020, "most_recent_date": "2020-05-15", "enforcement_topics": [ "FCRA", "GLBA", "TSR" ], "cases": [ { "case_id": "01.05_assail", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "takeaway_brief": "Assail ran a telemarketing scam that swapped promised credit cards for worthless stored-value cards while making unauthorized debits from consumers' bank accounts.", "docket_number": "Civ. No. WA:03-CV-7", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "statutory_topics": [ "TSR", "GLBA" ], "categories": [ "Gramm-Leach-Bliley", "Telemarketing / Do-Not-Call" ] }, { "case_id": "05.20_jasjit_gotra", "company_name": "Alliance Security Inc.", "date_issued": "2020-05-15", "year": 2020, "takeaway_brief": "Alliance Security and its CEO made over two million illegal telemarketing calls including to Do Not Call registrants, impersonated ADT, and obtained consumer reports without permissible purpose.", "docket_number": "1:18-cv-10548", "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/x140022-jasjit-gotra-alliance-security", "statutory_topics": [ "TSR", "FCRA" ], "categories": [ "Fair Credit Reporting (FCRA)", "Telemarketing / Do-Not-Call" ] } ] } ] }