{ "generated_at": "2026-03-27T00:37:45.901Z", "total_cases": 285, "cases": [ { "id": "08.97_bruno_s", "docket_number": "C-3760", "company_name": "Bruno's Inc.", "date_issued": "1997-08-15", "year": 1997, "administration": "Clinton", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Violation of FCRA Section 615(a) — Failure to Notify Applicants of Adverse Action Based on Consumer Reports" ], "legal_authority": "Section 615(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681m(a) and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Robert Pitofsky", "Mary L. Azcuenaga", "Janet D. Steiger", "Roscoe B. Starek, III", "Christine A. Varney" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/962-3086-brunos-inc-matter", "source_filename": "08.97, Bruno's.json", "num_provisions": 6, "num_requirements": 8, "order_duration_years": 20, "takeaway_brief": "Bruno's Inc. denied job applicants based on consumer reports without notifying them that such information contributed to the adverse employment decision.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "FCRA": 6 } }, { "id": "09.97_aldi", "docket_number": "C-3764", "company_name": "ALDI INC.", "date_issued": "1997-09-15", "year": 1997, "administration": "Clinton", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Adverse Action Notice Under the Fair Credit Reporting Act" ], "legal_authority": "Section 615(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681m(a), and Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)", "commissioners": [ "Robert Pitofsky", "Mary L. Azcuenaga", "Janet D. Steiger", "Roscoe B. Starek, III" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/962-3064-aldi-inc-matter", "source_filename": "09.97, Aldi.json", "num_provisions": 6, "num_requirements": 7, "order_duration_years": 20, "takeaway_brief": "ALDI denied job applicants based on consumer reports without notifying them that such information factored into the adverse employment decision.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "FCRA": 6 } }, { "id": "08.99_first_american_real_estate_solutions_ll", "docket_number": "DOCKET NO.", "company_name": "First American Real Estate Solutions, LLC", "date_issued": "1999-08-15", "year": 1999, "administration": "Clinton", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "unfair", "complaint_counts": [ "Failure to Reinvestigate and Correct Disputed Information (FCRA § 611)", "Failure to Follow Reasonable Procedures to Ensure Accuracy (FCRA § 607(b))", "Unfair or Deceptive Acts or Practices (FTC Act § 5(a))" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681u", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/952-3267-first-american-real-estate-solutions-ll", "source_filename": "08.99, First American Real Estate Solutions, LL.json", "num_provisions": 6, "num_requirements": 15, "order_duration_years": 20, "takeaway_brief": "First American CREDCO routinely refused to reinvestigate disputed errors in merged credit reports, redirecting consumers to source repositories instead.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "FCRA": 6 } }, { "id": "08.99_liberty_financial_companies", "docket_number": "C-3891", "company_name": "Liberty Financial Companies, Inc.", "date_issued": "1999-08-15", "year": 1999, "administration": "Clinton", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Anonymity Representation", "False E-Mail Newsletter Promise", "False Quarterly Prize Drawing Representation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Robert Pitofsky, Chairman", "Sheila F. Anthony", "Mozelle W. Thompson", "Orson Swindle" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/982-3522-liberty-financial-companies-inc", "source_filename": "08.99, Liberty Financial Companies.json", "num_provisions": 11, "num_requirements": 17, "order_duration_years": 20, "takeaway_brief": "Liberty Financial's children's website collected personal information under a false promise of anonymity and never delivered the promised newsletter or prize drawings.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Data Deletion", "Other", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 11 } }, { "id": "04.01_bigmailbox.com", "docket_number": "01-605-A", "company_name": "Bigmailbox.com, Inc.", "date_issued": "2001-04-15", "year": 2001, "administration": "G.W. Bush", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Sufficient Website Notice (COPPA Rule § 312.4(b))", "Failure to Provide Direct Notice to Parents (COPPA Rule § 312.4(c))", "Failure to Obtain Verifiable Parental Consent (COPPA Rule § 312.5)", "Failure to Provide Parental Review and Deletion Rights (COPPA Rule § 312.6)", "Conditioning Participation on Excess Information Disclosure (COPPA Rule § 312.7)", "Deceptive Privacy Policy Representations (FTC Act § 5(a))" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c), and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/002-3378-bigmailboxcom-inc-et-al", "source_filename": "04.01, Bigmailbox.Com.json", "num_provisions": 16, "num_requirements": 17, "order_duration_years": null, "takeaway_brief": "Bigmailbox.com collected children's personal information through kids' websites without parental notice or consent and then used it for marketing.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Consumer Redress", "Monetary Penalty", "Order Administration", "Data Deletion", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 16 } }, { "id": "04.01_looksmart", "docket_number": "Civil Action No. 01-606-A", "company_name": "LookSmart Ltd.", "date_issued": "2001-04-15", "year": 2001, "administration": "G.W. Bush", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Failure to Provide Sufficient Website Notice (§ 312.4(b))", "Failure to Provide Direct Notice to Parents (§ 312.4(c))", "Failure to Obtain Verifiable Parental Consent (§ 312.5)", "Failure to Provide Parental Review and Deletion Rights (§ 312.6)", "Conditioning Participation on Excess Information Disclosure (§ 312.7)" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c), and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/002-3379-looksmart-ltd", "source_filename": "04.01, Looksmart.json", "num_provisions": 16, "num_requirements": 19, "order_duration_years": 5, "takeaway_brief": "LookSmart collected and publicly posted personal information of children under 13 on its message board service without parental consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Order Administration", "Prohibition", "Consumer Redress", "Monetary Penalty", "Data Deletion", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 16 } }, { "id": "04.01_monarch_services", "docket_number": "AMD 01 CV 1165", "company_name": "Monarch Services, Inc.", "date_issued": "2001-04-15", "year": 2001, "administration": "G.W. Bush", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Sufficient Website Notice", "Failure to Provide Notice to Parents", "Failure to Obtain Verifiable Parental Consent", "Failure to Provide Parental Notice and Opt-Out Under Consent Exception", "Failure to Provide Parental Review and Deletion Rights", "Conditioning Participation on Excess Information Disclosure" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c), and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/002-3375-monarch-services-inc-et-al", "source_filename": "04.01, Monarch Services.json", "num_provisions": 14, "num_requirements": 14, "order_duration_years": 5, "takeaway_brief": "Monarch Services collected personal information from children under 13 on its kids' website without parental notice or consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Retail", "Technology" ], "remedy_types": [ "Prohibition", "Consumer Redress", "Monetary Penalty", "Order Administration", "Data Deletion", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 14 } }, { "id": "10.01_frank_lisa", "docket_number": "Civil Action No. _______________", "company_name": "Lisa Frank, Inc.", "date_issued": "2001-10-15", "year": 2001, "administration": "G.W. Bush", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "COPPA Rule Violations — Failure to Obtain Parental Consent, Provide Direct Notice, and Make Required Disclosures", "Deceptive Representation Regarding Parental Consent in Privacy Policy" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, §§ 6502(c), 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 41-58", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3050-frank-lisa-inc", "source_filename": "10.01, Frank, Lisa.json", "num_provisions": 12, "num_requirements": 18, "order_duration_years": null, "takeaway_brief": "Lisa Frank's children's website collected personal information from children without parental consent and falsely claimed in its privacy policy that parental permission would be required.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Consumer Redress", "Monetary Penalty", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping", "Consumer Notification" ], "provision_counts_by_topic": { "COPPA": 12 } }, { "id": "02.02_american_pop_corn_company", "docket_number": "C02-4008DEO", "company_name": "American Pop Corn Company", "date_issued": "2002-02-15", "year": 2002, "administration": "G.W. Bush", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Violations of the Children's Online Privacy Protection Rule", "False and Misleading Privacy Policy Statements — Violation of FTC Act Section 5(a)" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c), and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3026-american-pop-corn-company", "source_filename": "02.02, American Pop Corn Company.json", "num_provisions": 13, "num_requirements": 16, "order_duration_years": 20, "takeaway_brief": "American Pop Corn Company collected children's personal information through its Kids Club website without parental notice or consent, while falsely claiming it would notify parents.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Consumer Redress", "Monetary Penalty", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 13 } }, { "id": "03.02_garrett_paula_l._dba_discreet_data_systems", "docket_number": "H-01-1255", "company_name": "Paula L. Garrett, d/b/a Discreet Data Systems", "date_issued": "2002-03-15", "year": 2002, "administration": "G.W. Bush", "categories": [ "Gramm-Leach-Bliley" ], "violation_type": "deceptive", "complaint_counts": [ "Violations of the Gramm-Leach-Bliley Act", "Violations of Section 5(a) of the FTC Act — Unfair or Deceptive Acts or Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/012-3067-garrett-paula-l-dba-discreet-data-systems", "source_filename": "03.02, Garrett, Paula L. dba Discreet Data Systems.json", "num_provisions": 15, "num_requirements": 31, "order_duration_years": null, "takeaway_brief": "Paula Garrett ran an information brokerage that used impersonation and false pretenses to trick bank employees into disclosing customers' confidential account information, then sold that data.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Compliance Monitoring", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "GLBA": 15 } }, { "id": "12.02_microsoft_corporation", "docket_number": "C-4069", "company_name": "Microsoft Corporation", "date_issued": "2002-12-15", "year": 2002, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Passport Security Misrepresentation", "Passport Wallet Safety Misrepresentation", "Passport Privacy Policy Data Collection Misrepresentation", "Kids Passport Parental Control Misrepresentation" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq", "commissioners": [ "Timothy J. Muris, Chairman", "Sheila F. Anthony", "Mozelle W. Thompson", "Orson Swindle", "Thomas B. Leary" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v", "source_filename": "12.02, Microsoft Corporation.json", "num_provisions": 8, "num_requirements": 14, "order_duration_years": 20, "takeaway_brief": "Microsoft falsely claimed its Passport service used strong security measures and safe servers while failing to implement basic safeguards against unauthorized access.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security", "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "05.03_educational_research_center_of_america_student_marketing_group_marian_sanjana_and_jan_stumacher", "docket_number": "C-4079", "company_name": "Educational Research Center of America, Inc.", "date_issued": "2003-05-15", "year": 2003, "administration": "G.W. Bush", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Representation of Data Sharing — All Students", "False Representation of Survey Use — Middle and Junior High School Students" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq", "commissioners": [ "Timothy J. Muris, Chairman", "Sheila F. Anthony", "Mozelle W. Thompson", "Orson Swindle", "Thomas B. Leary" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3249-educational-research-center-america-inc-student-marketing-group-inc-marian-sanjana-jan-stumacher", "source_filename": "05.03, Educational Research Center of America; Student Marketing Group; Marian Sanjana; and Jan Stumacher.json", "num_provisions": 10, "num_requirements": 20, "order_duration_years": 20, "takeaway_brief": "ERCA collected personal data from millions of students under the guise of college recruitment surveys but secretly sold it to commercial marketers.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Education" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Data Deletion", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "08.03_guess_and_guess.com", "docket_number": "C-4091", "company_name": "GUESS?, INC.", "date_issued": "2003-08-15", "year": 2003, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Representation: Encrypted Storage of Personal Information", "False Representation: Reasonable and Appropriate Security Measures" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45", "commissioners": [ "Timothy J. Muris, Chairman", "Sheila F. Anthony", "Mozelle W. Thompson", "Orson Swindle", "Thomas B. Leary" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3260-guess-inc-guesscom-inc-matter", "source_filename": "08.03, Guess, and Guess.com.json", "num_provisions": 8, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "GUESS? claimed its website encrypted all personal information while in reality storing data in plain text, vulnerable to well-known SQL injection attacks.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "12.03_30_minute_mortgage_gregory_p._roth_and_peter_w._stolz", "docket_number": "03-6002 1-CIV-LENARD-SIMONTON", "company_name": "30 Minute Mortgage Inc.", "date_issued": "2003-12-15", "year": 2003, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "False Mortgage Rate Advertising", "False Mortgage Lender Representation", "False Data Security Representations (SSL/HTTPS)", "Truth in Lending Act (TILA) / Regulation Z Violations", "GLB Act Privacy Rule Violations — Failure to Provide Privacy and Opt-Out Notices", "GLB Act § 521 — Fraudulent Pretexting to Obtain Customer Financial Information" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 108(c) of the Truth in Lending Act (TILA), 15 U.S.C. § 1607(c); and Sections 505(a)(7) and 522(a) of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. §§ 6805(a)(7) & 6822(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3224-30-minute-mortgage-inc-gregory-p-roth-peter-w-stolz", "source_filename": "12.03, 30 Minute Mortgage, Gregory P. Roth, and Peter W. Stolz.json", "num_provisions": 15, "num_requirements": 38, "order_duration_years": null, "takeaway_brief": "30 Minute Mortgage falsely advertised low fixed-rate mortgages that did not exist, misrepresented itself as a direct lender, and falsely claimed SSL encryption protected consumer data.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Financial Practices", "Data Security", "Privacy" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Consumer Notification", "Prohibition", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "GLBA": 15 } }, { "id": "02.04_umg_recordings_us", "docket_number": "CV-04-1050 JFW (Ex)", "company_name": "UMG Recordings, Inc.", "date_issued": "2004-02-15", "year": 2004, "administration": "G.W. Bush", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ], "violation_type": "deceptive", "complaint_counts": [ "Failure to Provide Sufficient Website Notice to Parents (COPPA Rule § 312.4(b))", "Failure to Provide Direct Notice to Parents (COPPA Rule § 312.4(c))", "Failure to Obtain Verifiable Parental Consent (COPPA Rule § 312.5)", "Failure to Provide Parental Review and Deletion Mechanism (COPPA Rule § 312.6)" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c), and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/umg-recordings-inc-corporation-us", "source_filename": "02.04, UMG Recordings, US.json", "num_provisions": 14, "num_requirements": 16, "order_duration_years": 5, "takeaway_brief": "UMG Recordings collected extensive personal data from tens of thousands of children across its artist websites without adequate parental notice or verifiable parental consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Order Administration", "Consumer Redress", "Monetary Penalty", "Data Deletion", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 14 } }, { "id": "06.04_mts", "docket_number": "C-4110", "company_name": "MTS, Inc.", "date_issued": "2004-06-15", "year": 2004, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Data Security Representations" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq", "commissioners": [ "Timothy J. Muris, Chairman", "Mozelle W. Thompson", "Orson Swindle", "Thomas B. Leary", "Pamela Jones Harbour" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3209-mts-inc-et-al-matter", "source_filename": "06.04, MTS.json", "num_provisions": 8, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "Tower Records exposed consumers' order and personal information online through a broken authentication flaw while falsely claiming its website was secure.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "10.04_bonzi_software", "docket_number": "C-4126", "company_name": "Bonzi Software, Inc.", "date_issued": "2004-10-15", "year": 2004, "administration": "G.W. Bush", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False or Misleading Security Protection Claims" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Deborah Platt Majoras, Chairman", "Orson Swindle", "Thomas B. Leary", "Pamela Jones Harbour", "Jon Leibowitz" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3016-bonzi-software-inc", "source_filename": "10.04, Bonzi Software.json", "num_provisions": 10, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "Bonzi Software falsely claimed its InternetALERT security software would significantly protect computers from hackers when it could only monitor a limited number of ports.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Other" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Recordkeeping", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "12.04_gateway_learning", "docket_number": "C-4120", "company_name": "Gateway Learning Corporation", "date_issued": "2004-12-15", "year": 2004, "administration": "G.W. Bush", "categories": [ "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ], "violation_type": "deceptive", "complaint_counts": [ "False or Misleading Privacy Representations", "Unfair Retroactive Application of Revised Privacy Policy", "False or Misleading Notification Representation" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq", "commissioners": [ "Deborah Platt Majoras, Chairman", "Orson Swindle", "Thomas B. Leary", "Pamela Jones Harbour", "Jon Leibowitz" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3047-gateway-learning-corp-matter", "source_filename": "12.04, Gateway Learning.json", "num_provisions": 9, "num_requirements": 17, "order_duration_years": 20, "takeaway_brief": "Gateway Learning's 'Hooked on Phonics' business rented customers' personal information to third-party marketers in violation of its own promise never to share such data.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Education", "Retail" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "01.05_assail", "docket_number": "Civ. No. WA:03-CV-7", "company_name": "Assail, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "categories": [ "Gramm-Leach-Bliley", "Telemarketing / Do-Not-Call" ], "violation_type": "both", "complaint_counts": [ "Advance-Fee Credit Card Misrepresentations (FTC Act § 5)", "Unauthorized Billing (FTC Act § 5 — Unfair Practices)", "False or Misleading Statements to Induce Payment (TSR § 310.3(a)(4))", "Advance-Fee Credit — Upfront Payment After Guaranteeing Credit (TSR § 310.4(a)(4))", "Misrepresentation of Refund and Cancellation Policies (TSR § 310.3(a)(2)(iv))", "Failure to Disclose Identity of Seller and Purpose of Call (TSR § 310.4(d))", "Gramm-Leach-Bliley Act Pretexting Violations" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 57(b); the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. §§ 6101 et seq.; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3147-assail-inc-et-al", "source_filename": "01.05, Assail.json", "num_provisions": 18, "num_requirements": 54, "order_duration_years": null, "takeaway_brief": "Assail ran a telemarketing scam that swapped promised credit cards for worthless stored-value cards while making unauthorized debits from consumers' bank accounts.", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "TSR": 17, "GLBA": 17 } }, { "id": "01.05_sunbelt_lending_services", "docket_number": "C-4129", "company_name": "Sunbelt Lending Services, Inc.", "date_issued": "2005-01-15", "year": 2005, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Violation of the Safeguards Rule", "Violation of the Privacy Rule" ], "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313", "commissioners": [ "Deborah Platt Majoras, Chairman", "Orson Swindle", "Thomas B. Leary", "Pamela Jones Harbour", "Jon Leibowitz" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3153-sunbelt-lending-services-inc-matter", "source_filename": "01.05, Sunbelt Lending Services.json", "num_provisions": 6, "num_requirements": 14, "order_duration_years": 20, "takeaway_brief": "Sunbelt Lending failed to implement any meaningful security or privacy protections for customers' sensitive financial information, including Social Security numbers and credit histories.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Third-Party Assessment", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "GLBA": 6 } }, { "id": "03.05_petco_animal_supplies_in_th_matter_of", "docket_number": "C-4133", "company_name": "PETCO ANIMAL SUPPLIES, INC.", "date_issued": "2005-03-15", "year": 2005, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Representation of Encryption and Data Security", "False Representation of Reasonable Security Measures" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq", "commissioners": [ "Deborah Platt Majoras, Chairman", "Orson Swindle", "Thomas B. Leary", "Pamela Jones Harbour", "Jon Leibowitz" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3221-petco-animal-supplies-inc-th-matter", "source_filename": "03.05, Petco Animal Supplies, In th Matter of.json", "num_provisions": 8, "num_requirements": 19, "order_duration_years": 20, "takeaway_brief": "PETCO falsely promised customers their credit card data was encrypted and completely secure, while actually storing it in unprotected clear text vulnerable to SQL injection attacks.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "04.05_nationwide_mortgage_group_and_john_d._eubank", "docket_number": "Docket No. 9319", "company_name": "Nationwide Mortgage Group, Inc.", "date_issued": "2005-04-15", "year": 2005, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Violations of the Safeguards Rule", "Violations of the Privacy Rule" ], "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "commissioners": [ "Deborah Platt Majoras, Chairman", "Orson Swindle", "Thomas B. Leary", "Pamela Jones Harbour", "Jon Leibowitz" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3104-nationwide-mortgage-group-inc-john-d-eubank-matter", "source_filename": "04.05, Nationwide Mortgage Group, and John D. Eubank.json", "num_provisions": 7, "num_requirements": 13, "order_duration_years": 20, "takeaway_brief": "Nationwide Mortgage Group failed to implement basic security safeguards for sensitive customer financial data and omitted required privacy notices.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Third-Party Assessment", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "GLBA": 7 } }, { "id": "04.05_vision_i_properties", "docket_number": "C-4135", "company_name": "Vision I Properties, LLC", "date_issued": "2005-04-15", "year": 2005, "administration": "G.W. Bush", "categories": [ "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Collection and Sharing Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Deborah Platt Majoras, Chairman", "Orson Swindle", "Thomas B. Leary", "Pamela Jones Harbour", "Jon Leibowitz" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3068-vision-i-properties-llc-et-al-matter", "source_filename": "04.05, Vision I Properties.json", "num_provisions": 9, "num_requirements": 15, "order_duration_years": 20, "takeaway_brief": "CartManager International secretly collected consumer data through merchants' checkout pages and sold it to third-party marketers without disclosure.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "09.05_bj_s_wholesale_club", "docket_number": "C-4148", "company_name": "BJ's Wholesale Club, Inc.", "date_issued": "2005-09-15", "year": 2005, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Deborah Platt Majoras, Chairman", "Thomas B. Leary", "Pamela Jones Harbour", "Jon Leibowitz" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/042-3160-bjs-wholesale-club-inc-matter", "source_filename": "09.05, BJ's Wholesale Club.json", "num_provisions": 7, "num_requirements": 17, "order_duration_years": 20, "takeaway_brief": "BJ's Wholesale Club stored millions of payment card records in unencrypted form without proper access controls, enabling attackers to steal consumer financial data.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "10.05_sun_spectrum_communications_organization", "docket_number": "03-8110-CIV-COHN/SNOW", "company_name": "Sun Spectrum Communications Organization, Inc.", "date_issued": "2005-10-15", "year": 2005, "administration": "G.W. Bush", "categories": [ "Gramm-Leach-Bliley", "Telemarketing / Do-Not-Call" ], "violation_type": "both", "complaint_counts": [ "False Promise of Unsecured Credit Card (FTC Act Section 5)", "Misrepresentation in Telemarketing — TSR Section 310.3(a)(2)(iii)", "Advance Fee Collection After Guaranteeing Credit — TSR Section 310.4(a)(4)", "Fraudulent Pretexting to Obtain Bank Account Information (GLB Act Section 521)" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 13(b) and 19 of the FTC Act, 15 U.S.C. §§ 53(b) and 57(b); Telemarketing Sales Rule, 16 C.F.R. Part 310; Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/032-3032-sun-spectrum-communications-organization-inc-et-al", "source_filename": "10.05, Sun Spectrum Communications Organization.json", "num_provisions": 18, "num_requirements": 44, "order_duration_years": null, "takeaway_brief": "Telemarketers falsely promised bad-credit consumers they were pre-approved for major credit cards, collected advance fees, and then never delivered the promised cards.", "statutory_topics": [ "TSR", "GLBA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "TSR": 17, "GLBA": 15 } }, { "id": "12.05_superior_mortgage", "docket_number": "C-4153", "company_name": "Superior Mortgage Corporation", "date_issued": "2005-12-15", "year": 2005, "administration": "G.W. Bush", "categories": [ "Data Security", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Violations of the Safeguards Rule", "False or Misleading SSL Encryption Representation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.", "commissioners": [ "Deborah Platt Majoras, Chairman", "Thomas B. Leary", "Pamela Jones Harbour", "Jon Leibowitz" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3136-superior-mortgage-corp-matter", "source_filename": "12.05, Superior Mortgage.json", "num_provisions": 7, "num_requirements": 11, "order_duration_years": 20, "takeaway_brief": "Superior Mortgage falsely claimed it encrypted consumer data submitted through its website using SSL while failing to implement required security under the GLB Safeguards Rule.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Third-Party Assessment", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "GLBA": 7 } }, { "id": "03.06_dsw_inc._in_the_matter_of", "docket_number": "C-4157", "company_name": "DSW Inc.", "date_issued": "2006-03-15", "year": 2006, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Deborah Platt Majoras, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3096-dsw-incin-matter", "source_filename": "03.06, DSW Inc.,In the Matter of.json", "num_provisions": 7, "num_requirements": 14, "order_duration_years": 20, "takeaway_brief": "DSW failed to implement reasonable security for sensitive payment card and bank account data it collected, leaving it vulnerable to a hacker who accessed information through multiple security gaps.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "06.06_nations_title_agency_nations_holding_company_and_christopher_m._likens.", "docket_number": "C-4161", "company_name": "Nations Title Agency, Inc.", "date_issued": "2006-06-15", "year": 2006, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Violations of the Safeguards Rule", "Deceptive Security Representations — Violation of Section 5(a) of the FTC Act", "Violation of the Privacy Rule — Inaccurate Privacy Notice" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "commissioners": [ "Deborah Platt Majoras, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3117-nations-title-agency-inc-nations-holding-company-christopher-m-likens-matter", "source_filename": "06.06, Nations Title Agency, Nations Holding Company, and Christopher M. Likens..json", "num_provisions": 10, "num_requirements": 23, "order_duration_years": 20, "takeaway_brief": "Nations Title Agency failed to implement basic security safeguards for consumers' mortgage-related financial data, enabling a hacker breach and violating privacy notice requirements.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "GLBA": 10 } }, { "id": "09.06_cardsystems_solutions_and_solidus_networks_dba_pay_by_touch_solutions", "docket_number": "C-4168", "company_name": "CardSystems Solutions, Inc.", "date_issued": "2006-09-15", "year": 2006, "administration": "G.W. Bush", "categories": [ "Data Security" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Deborah Platt Majoras, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3148-cardsystems-solutions-inc-solidus-networks-inc-dba-pay-touch-solutions-matter", "source_filename": "09.06, CardSystems Solutions, and Solidus Networks, dba Pay By Touch Solutions.json", "num_provisions": 7, "num_requirements": 23, "order_duration_years": 20, "takeaway_brief": "CardSystems Solutions stored sensitive payment card data in a vulnerable format and failed to implement basic security, enabling a hacker to compromise millions of consumer records.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "09.06_xanga.com_john_hiler_and_marc_ginsburg", "docket_number": "06 Civ.", "company_name": "Xanga.com, Inc.", "date_issued": "2006-09-15", "year": 2006, "administration": "G.W. Bush", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Sufficient Website Notice (COPPA Rule § 312.4(b))", "Failure to Provide Direct Parental Notice (COPPA Rule § 312.4(c))", "Failure to Obtain Verifiable Parental Consent (COPPA Rule § 312.5)", "Failure to Provide Parental Review and Opt-Out Mechanism (COPPA Rule § 312.6)" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c), and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), 16(a), and 19 of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), 56(a), and 57b", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3073-xangacom-inc-john-hiler-marc-ginsburg", "source_filename": "09.06, Xanga.com, John Hiler, and Marc Ginsburg.json", "num_provisions": 12, "num_requirements": 19, "order_duration_years": null, "takeaway_brief": "Xanga knowingly allowed approximately 1.7 million children to create blogs and collected their personal data for targeted advertising without parental consent for five years.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Social Media", "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Other", "Monetary Penalty", "Data Deletion", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 12 } }, { "id": "10.06_integrity_security_investigation_services", "docket_number": "Civil Action No. 2:06-cv-241-RGD-JEB", "company_name": "Integrity Security & Investigation Services, Inc.", "date_issued": "2006-10-15", "year": 2006, "administration": "G.W. Bush", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Practice — Obtaining and Selling Confidential Customer Phone Records and Financial Information Without Authorization" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3101-integrity-security-investigation-services-inc", "source_filename": "10.06, Integrity Security & Investigation Services.json", "num_provisions": 10, "num_requirements": 34, "order_duration_years": null, "takeaway_brief": "ISIS advertised and sold confidential consumer phone records and financial account information obtained by impersonating account holders without their authorization.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Third-Party Assessment", "Order Administration", "Recordkeeping", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "02.07_consumerinfo.com._dba_experian_consumer_direct_qspace_and_iplace", "docket_number": "CV SAC 05-801 MS", "company_name": "Consumerinfo.com, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "Failure to Disclose Membership Fee and Cancellation Requirement", "Unauthorized Charges to Consumer Accounts", "Failure to Disclose Non-Affiliation with FACT Act Free Credit Report Program" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/022-3263-consumerinfocom-inc-dba-experian-consumer-direct-qspace-inc-iplace-inc", "source_filename": "02.07, Consumerinfo.com., dba Experian Consumer Direct, Qspace, and Iplace.json", "num_provisions": 7, "num_requirements": 17, "order_duration_years": null, "takeaway_brief": "Consumerinfo.com advertised 'free' credit reports but secretly enrolled consumers in a paid subscription service charged to the credit card they provided.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Deceptive Design / Dark Patterns", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "02.07_information_search_and_david_j._kacala", "docket_number": "AMD-01-1121", "company_name": "Information Search, Inc.", "date_issued": "2007-02-15", "year": 2007, "administration": "G.W. Bush", "categories": [ "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Violations of the Gramm-Leach-Bliley Act", "Violations of Section 5(a) of the FTC Act" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 521 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6821", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3102-information-search-inc-david-j-kacala-district-maryland-northern-division", "source_filename": "02.07, Information Search, and David J. Kacala.json", "num_provisions": 11, "num_requirements": 35, "order_duration_years": null, "takeaway_brief": "Information Search, Inc. obtained consumers' confidential bank account data by impersonating customers to financial institution employees and then sold that information to clients.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "GLBA": 11 } }, { "id": "04.07_guidance_software", "docket_number": "C-4187", "company_name": "Guidance Software, Inc.", "date_issued": "2007-04-15", "year": 2007, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Data Security Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq", "commissioners": [ "Deborah Platt Majoras, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3057-guidance-software-inc-matter", "source_filename": "04.07, Guidance Software.json", "num_provisions": 8, "num_requirements": 23, "order_duration_years": 20, "takeaway_brief": "Guidance Software falsely claimed strong data security while storing customer credit card data in clear text, enabling a hacker breach.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "12.07_american_united_mortgage_company._united_states_of_america", "docket_number": "", "company_name": "American United", "date_issued": "2007-12-15", "year": 2007, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Failure to Implement Reasonable Disposal Procedures (Disposal Rule / FCRA)", "Failure to Implement Comprehensive Information Security Program (Safeguards Rule)", "Failure to Provide Privacy Notice to Customers (Privacy Rule)" ], "legal_authority": "Sections 5(a)(1) and 13(b) of the Federal Trade Commission Act, Fair Credit Reporting Act (FCRA), and Safeguarding Customer Information Rule", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3103-american-united-mortgage-company-united-states-america-ftc", "source_filename": "12.07, American United Mortgage Company., United States of America.json", "num_provisions": 0, "num_requirements": 0, "order_duration_years": null, "takeaway_brief": "American United discarded consumer documents in an unsecured dumpster, failed to implement a written security program, and failed to provide customers with required privacy notices.", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [], "provision_counts_by_topic": { "FCRA": 0, "GLBA": 0 } }, { "id": "12.07_ceo_group_dba_check_em_out_and_scott_joseph", "docket_number": "06-60602-CIV", "company_name": "CEO GROUP, INC.", "date_issued": "2007-12-15", "year": 2007, "administration": "G.W. Bush", "categories": [ "Telemarketing / Do-Not-Call" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Practice — Obtaining and Selling Confidential Phone Records Without Authorization" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3100-ceo-group-inc-dba-check-em-out-scott-joseph", "source_filename": "12.07, CEO Group dba Check Em Out, and Scott Joseph.json", "num_provisions": 11, "num_requirements": 30, "order_duration_years": null, "takeaway_brief": "CEO Group sold confidential consumer telephone call records obtained through impersonation and false pretenses without account holders' knowledge or authorization.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Compliance Monitoring", "Third-Party Assessment", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 11 } }, { "id": "02.08_ingenix", "docket_number": "C-4214", "company_name": "Ingenix, Inc.", "date_issued": "2008-02-15", "year": 2008, "administration": "G.W. Bush", "categories": [ "Health Data", "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Required FCRA Notice to Users of Consumer Reports" ], "legal_authority": "Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Deborah Platt Majoras, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3190-ingenix-inc-matter", "source_filename": "02.08, Ingenix.json", "num_provisions": 7, "num_requirements": 15, "order_duration_years": 20, "takeaway_brief": "Ingenix sold individual medical profiles — constituting consumer reports — to insurers without providing the legally required FCRA notice to those users.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Healthcare", "Financial Services" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "FCRA": 7 } }, { "id": "02.08_milliman", "docket_number": "C-4213", "company_name": "Milliman, Inc.", "date_issued": "2008-02-15", "year": 2008, "administration": "G.W. Bush", "categories": [ "Health Data", "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Required Notice to Users of Consumer Reports (FCRA Section 607(d))" ], "legal_authority": "Section 5(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1); Section 607(d) of the Fair Credit Reporting Act, 15 U.S.C. § 1681e(d)", "commissioners": [ "Deborah Platt Majoras, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3189-milliman-inc-matter", "source_filename": "02.08, Milliman.json", "num_provisions": 7, "num_requirements": 11, "order_duration_years": 20, "takeaway_brief": "Milliman sold individual medical profiles to insurers for underwriting without providing the legally required FCRA notice to those insurer users.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Healthcare", "Financial Services" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "FCRA": 7 } }, { "id": "04.08_goal_financial", "docket_number": "C-4216", "company_name": "GOAL FINANCIAL, LLC", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Violations of the Safeguards Rule", "Deceptive Data Security Representations — Violation of FTC Act Section 5", "Violation of the Privacy Rule — Inaccurate Privacy Notice" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45; Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313; Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809", "commissioners": [ "William E. Kovacic, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3013-goal-financial-llc-matter", "source_filename": "04.08, Goal Financial.json", "num_provisions": 9, "num_requirements": 21, "order_duration_years": 20, "takeaway_brief": "Goal Financial failed to secure student loan applicants' sensitive data, allowing employees to steal thousands of consumer files for unauthorized use.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services", "Education" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "GLBA": 9 } }, { "id": "04.08_life_is_good_and_life_is_good_retail", "docket_number": "C-4218", "company_name": "Life is good, Inc.", "date_issued": "2008-04-15", "year": 2008, "administration": "G.W. Bush", "categories": [ "Data Security" ], "violation_type": "deceptive", "complaint_counts": [ "Data Security Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "William E. Kovacic, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3046-life-good-inc-life-good-retail-inc-matter", "source_filename": "04.08, Life is good and Life is good Retail.json", "num_provisions": 8, "num_requirements": 19, "order_duration_years": 20, "takeaway_brief": "Life is Good falsely claimed to store customers' personal information securely while actually storing it in clear, unencrypted text.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "05.08_action_research_group", "docket_number": "C-6:07-cv-227-Orl-22UAM", "company_name": "ACTION RESEARCH GROUP, INC.", "date_issued": "2008-05-15", "year": 2008, "administration": "G.W. Bush", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Misrepresentations to Obtain Phone Records", "Unfair Practice of Obtaining and Selling Phone Records Without Consent" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3021-action-research-group-inc-et-al", "source_filename": "05.08, Action Research Group.json", "num_provisions": 11, "num_requirements": 38, "order_duration_years": null, "takeaway_brief": "Action Research Group impersonated account holders to fraudulently obtain confidential telephone records from carriers and sold them to third-party clients.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Telecom" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Third-Party Assessment", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 11 } }, { "id": "08.08_reed_elsevier_inc._and_seisint", "docket_number": "C-4226", "company_name": "Reed Elsevier Inc. and Seisint, Inc.", "date_issued": "2008-08-15", "year": 2008, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq", "commissioners": [ "William E. Kovacic, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3094-reed-elsevier-inc-seisint-inc-matter", "source_filename": "08.08, Reed Elsevier Inc. and Seisint.json", "num_provisions": 7, "num_requirements": 17, "order_duration_years": 20, "takeaway_brief": "LexisNexis and Seisint failed to secure user credentials for their Accurint data products, allowing attackers to repeatedly access sensitive consumer records.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "08.08_tjx_companies_the", "docket_number": "C-4227", "company_name": "The TJX Companies, Inc.", "date_issued": "2008-08-15", "year": 2008, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a)", "commissioners": [ "William E. Kovacic, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3055-tjx-companies-inc-matter", "source_filename": "08.08, TJX Companies, The.json", "num_provisions": 7, "num_requirements": 22, "order_duration_years": 20, "takeaway_brief": "TJX Companies stored customers' payment card data in clear text and used weak wireless security, enabling intruders to intercept vast amounts of sensitive information.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "09.08_emc_mortgage_co.", "docket_number": "4:08-cv-338", "company_name": "EMC Mortgage Corporation", "date_issued": "2008-09-15", "year": 2008, "administration": "G.W. Bush", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Misrepresentation of Amounts Owed", "Unfair and Deceptive Assessment and Collection of Fees", "Deceptive Reasonable Basis Claims", "Harassment or Abuse (FDCPA § 806)", "False or Misleading Representations (FDCPA § 807)", "Unfair Practices — Unauthorized Collection Amounts (FDCPA § 808)", "Failure to Validate Debts (FDCPA § 809)", "Failure to Report Disputes to Consumer Reporting Agencies (FCRA § 623)", "Failure to Provide Required TILA/Regulation Z Disclosures" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Fair Debt Collection Practices Act (FDCPA), 15 U.S.C. § 1692 et seq.; Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq.; Truth in Lending Act (TILA) Regulation Z, 12 C.F.R. § 226", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/062-3031-emc-mortgage-co", "source_filename": "09.08, EMC Mortgage Co..json", "num_provisions": 18, "num_requirements": 39, "order_duration_years": null, "takeaway_brief": "EMC Mortgage made false representations to borrowers about loan balances and fees, charged unauthorized fees, and harassed borrowers in violation of multiple consumer protection laws.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Monetary Penalty", "Consumer Redress", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "FCRA": 18 } }, { "id": "12.08_premier_capital_lending", "docket_number": "C-4241", "company_name": "Premier Capital Lending, Inc.", "date_issued": "2008-12-15", "year": 2008, "administration": "G.W. Bush", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ], "violation_type": "unfair", "complaint_counts": [ "Violation of the Safeguards Rule", "False or Misleading Security Representation — Violation of FTC Act Section 5", "Inaccurate Privacy Notice — Violation of the Privacy Rule" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809; and the Privacy of Consumer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313, issued pursuant to the Gramm-Leach-Bliley Act", "commissioners": [ "William E. Kovacic, Chairman", "Pamela Jones Harbour", "Jon Leibowitz", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0723004-premier-capital-lending-inc-et-al-matter", "source_filename": "12.08, Premier Capital Lending.json", "num_provisions": 10, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "Premier Capital Lending gave an unsecured third party login credentials to pull consumer credit reports and failed to monitor or audit use of that access.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security", "Privacy" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "GLBA": 10 } }, { "id": "03.09_gencia_corporation_and_compgeeks.com_also_dba_computer_geeks_discount_outlet_and_geeks.com", "docket_number": "C-4252", "company_name": "Genica Corporation", "date_issued": "2009-03-15", "year": 2009, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Data Security Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Jon Leibowitz, Chairman", "Pamela Jones Harbour", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v", "source_filename": "03.09, Gencia Corporation and Compgeeks.com, also dba Computer Geeks Discount Outlet and Geeks.com.json", "num_provisions": 8, "num_requirements": 21, "order_duration_years": 20, "takeaway_brief": "Genica Corporation falsely claimed to use state-of-the-art security for consumer data while actually storing credit card numbers and security codes in plain text, enabling SQL injection attacks.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail", "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "06.09_accusearch_dba_abika.com_and_jay_patel", "docket_number": "06-CV-00105-WFD", "company_name": "Accusearch, Inc.", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "categories": [ "Other" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Practice – Obtaining and Selling Confidential Customer Phone Records Without Consent" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3126-accusearch-inc-dba-abikacom-jay-patel", "source_filename": "06.09, Accusearch dba Abika.com, and Jay Patel.json", "num_provisions": 3, "num_requirements": 3, "order_duration_years": null, "takeaway_brief": "Accusearch obtained consumers' confidential phone records by impersonating account holders and then sold those records to paying clients without consumers' knowledge.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology", "Telecom" ], "remedy_types": [ "Prohibition", "Monetary Penalty" ], "provision_counts_by_topic": { "Section 5 Only": 3 } }, { "id": "06.09_cvs_caremark_corporation", "docket_number": "C-4259", "company_name": "CVS CAREMARK CORPORATION", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "False or Misleading Privacy Representation", "Unfair Data Security Practices" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq", "commissioners": [ "Jon Leibowitz, Chairman", "Pamela Jones Harbour", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3119-cvs-caremark-corporation-matter", "source_filename": "06.09, CVS Caremark Corporation.json", "num_provisions": 8, "num_requirements": 17, "order_duration_years": 20, "takeaway_brief": "CVS Caremark disposed of prescription bottles, pharmacy labels, and other documents containing consumers' personal and health information in unsecured public trash containers.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Healthcare", "Retail" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "06.09_james_b._nutter_company", "docket_number": "C-4258", "company_name": "James B. Nutter & Company", "date_issued": "2009-06-15", "year": 2009, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Violations of the Safeguards Rule", "Violations of the Privacy Rule" ], "legal_authority": "Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLB Act), 15 U.S.C. § 6801-6809, and the Privacy of Customer Financial Information Rule (Privacy Rule), 16 C.F.R. Part 313", "commissioners": [ "Jon Leibowitz, Chairman", "Pamela Jones Harbour", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3108-james-b-nutter-company-corporation-matter", "source_filename": "06.09, James B. Nutter & Company.json", "num_provisions": 8, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "James B. Nutter & Company failed to implement basic information security safeguards and provided inaccurate privacy notices, resulting in its network being hijacked to send spam.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Comprehensive Security Program", "Prohibition", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "GLBA": 8 } }, { "id": "07.09_united_states_of_america_plaintiff_v._talx_corporation_defendant", "docket_number": "Civil Action No.", "company_name": "TALX Corporation", "date_issued": "2009-07-15", "year": 2009, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "unfair", "complaint_counts": [ "Violations of Section 607(d) of the FCRA — Failure to Provide Required Notices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 607(d) of the Fair Credit Reporting Act, 15 U.S.C. § 1681e(d); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3173-united-states-america-federal-trade-commission-plaintiff-v-talx-corporation-defendant", "source_filename": "07.09, United States of America , Plaintiff, v. TALX Corporation, Defendant.json", "num_provisions": 9, "num_requirements": 23, "order_duration_years": null, "takeaway_brief": "TALX Corporation, a nationwide employment data reporting agency, failed for years to provide legally required notices to data furnishers and report users.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Monetary Penalty", "Prohibition", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "FCRA": 9 } }, { "id": "08.09_metropolitan_home_mortgage_also_dba_wholesale_home_lenders", "docket_number": "Civil Action No. 8:09-cv-00936-DOC(RNB)", "company_name": "Metropolitan Home Mortgage, Inc.", "date_issued": "2009-08-15", "year": 2009, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "Violations of Section 615(d)(2) of the FCRA and the Prescreen Rule" ], "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); sections 615 and 621 of the Fair Credit Reporting Act, 15 U.S.C. §§ 1681m and 1681s; and the Prescreen Opt-Out Notice Rule, 16 C.F.R. Part 642", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/metropolitan-home-mortgage-inc-also-dba-wholesale-home-lenders", "source_filename": "08.09, Metropolitan Home Mortgage, also dba Wholesale Home Lenders.json", "num_provisions": 9, "num_requirements": 23, "order_duration_years": 5, "takeaway_brief": "Metropolitan Home Mortgage sent prescreened mortgage solicitations that lacked properly formatted opt-out notices as required by the FCRA and the Prescreen Rule.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Monetary Penalty", "Prohibition", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "FCRA": 9 } }, { "id": "08.09_united_states_of_america_plaintiff_v._quality_terminal_services_a_limited_liability_company_defendants", "docket_number": "09-cv-01853-CMA-BNB", "company_name": "Quality Terminal Services, LLC", "date_issued": "2009-08-15", "year": 2009, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Pre-Adverse Action Notices", "Failure to Provide Post-Adverse Action Notices" ], "legal_authority": "Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3022-united-states-america-federal-trade-commission-plaintiff-v-quality-terminal-services-llc-limited", "source_filename": "08.09, United States of America Plaintiff, v. Quality Terminal Services, a limited liability company, Defendants.json", "num_provisions": 9, "num_requirements": 26, "order_duration_years": null, "takeaway_brief": "Quality Terminal Services denied jobs to applicants based on background check results without providing the legally required pre- and post-adverse action notices.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Monetary Penalty", "Prohibition", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "FCRA": 9 } }, { "id": "09.09_cash_today", "docket_number": "CV-S-08-00590", "company_name": "Cash Today, Ltd.", "date_issued": "2009-09-15", "year": 2009, "administration": "Obama", "categories": [ "Telemarketing / Do-Not-Call" ], "violation_type": "both", "complaint_counts": [ "Deceptive Collection Practices", "Unfair Collection Practices", "Violations of TILA and Regulation Z", "Failure to Disclose Material Facts (Nevada NRS § 598.0923(2))", "Violation of State or Federal Statute Relating to Sale of Services (Nevada NRS § 598.0923(3))", "Operating Without Required Licenses (Nevada NRS § 598.0923(1))" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601-1666j", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3093-cash-today-ltd", "source_filename": "09.09, Cash Today.json", "num_provisions": 13, "num_requirements": 47, "order_duration_years": null, "takeaway_brief": "Overseas payday lenders offered loans without required disclosures and then threatened consumers with arrest and prosecution to coerce repayment, even on potentially unenforceable loans.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Compliance Monitoring", "Monetary Penalty", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 13 } }, { "id": "10.09_iconix_brand_group", "docket_number": "09 Civ. 8864 (MGC)", "company_name": "Iconix Brand Group, Inc.", "date_issued": "2009-10-15", "year": 2009, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Violation of the Children's Online Privacy Protection Rule", "Unfair or Deceptive Acts or Practices — False Privacy Policy Representations" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c) and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), 16(a) and 19 of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), 56(a) and 57(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/iconix-brand-group-inc", "source_filename": "10.09, Iconix Brand Group.json", "num_provisions": 14, "num_requirements": 23, "order_duration_years": null, "takeaway_brief": "Iconix collected personal data from roughly 1,000 children under 13 through fan and sweepstakes features without parental consent, violating COPPA and its own privacy policy.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Consumer Redress", "Monetary Penalty", "Order Administration", "Data Deletion", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 14 } }, { "id": "01.10_collectify_ll", "docket_number": "C-4272", "company_name": "Collectify LLC", "date_issued": "2010-01-15", "year": 2010, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False or Misleading Safe Harbor Participation Representation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Jon Leibowitz, Chairman", "Pamela Jones Harbour", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3142-collectify-ll", "source_filename": "01.10, Collectify LL.json", "num_provisions": 6, "num_requirements": 10, "order_duration_years": 20, "takeaway_brief": "Collectify displayed Safe Harbor compliance claims on its website for nearly five years after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.10_expatedge_partners_ll", "docket_number": "C-4269", "company_name": "ExpatEdge Partners, LLC", "date_issued": "2010-01-15", "year": 2010, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Jon Leibowitz, Chairman", "Pamela Jones Harbour", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923138-expatedge-partners-ll", "source_filename": "01.10, ExpatEdge Partners, LL.json", "num_provisions": 6, "num_requirements": 10, "order_duration_years": 20, "takeaway_brief": "ExpatEdge continued claiming active Safe Harbor certification on its website years after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.10_navone_gregory", "docket_number": "2:08-cv-01842", "company_name": "Gregory Navone", "date_issued": "2010-01-15", "year": 2010, "administration": "Obama", "categories": [ "Data Security", "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Misrepresentation of Data Security Measures", "Misrepresentation of Service Provider Data Safeguard Agreements", "Violation of FCRA Disposal Rule — Failure to Properly Dispose of Consumer Report Information" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 628 of the Fair Credit Reporting Act, 15 U.S.C. § 1681w; and the Disposal Rule, 16 C.F.R. § 682.1 et seq.", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3067-navone-gregory", "source_filename": "01.10, Navone, Gregory.json", "num_provisions": 10, "num_requirements": 37, "order_duration_years": null, "takeaway_brief": "Gregory Navone falsely claimed his mortgage companies had robust data security, while personally storing consumers' sensitive financial documents without safeguards or proper disposal.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Monetary Penalty", "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "FCRA": 10 } }, { "id": "01.10_onyx_graphics", "docket_number": "C-4270", "company_name": "Onyx Graphics, Inc.", "date_issued": "2010-01-15", "year": 2010, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False or Misleading Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Jon Leibowitz, Chairman", "Pamela Jones Harbour", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923139-onyx-graphics-inc", "source_filename": "01.10, Onyx Graphics.json", "num_provisions": 6, "num_requirements": 11, "order_duration_years": 20, "takeaway_brief": "Onyx Graphics claimed to be 'Safe Harbor Certified' on its website after its certification had already lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.10_progressive_gaitways_ll", "docket_number": "C-4271", "company_name": "Progressive Gaitways LLC", "date_issued": "2010-01-15", "year": 2010, "administration": "Obama", "categories": [ "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Claim — theratogs.com", "False Safe Harbor Claim — gaitways.com" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Jon Leibowitz, Chairman", "Pamela Jones Harbour", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923141-progressive-gaitways-ll", "source_filename": "01.10, Progressive Gaitways LL.json", "num_provisions": 6, "num_requirements": 9, "order_duration_years": 20, "takeaway_brief": "Progressive Gaitways falsely claimed Safe Harbor participation on two websites — one after its certification lapsed, and one that was never certified at all.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.10_world_innovators", "docket_number": "C-4282", "company_name": "World Innovators, Inc.", "date_issued": "2010-01-15", "year": 2010, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Membership Representation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Jon Leibowitz, Chairman", "Pamela Jones Harbour", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/0923137-world-innovators-inc-matter", "source_filename": "01.10, World Innovators.json", "num_provisions": 6, "num_requirements": 9, "order_duration_years": 20, "takeaway_brief": "World Innovators continued displaying Safe Harbor membership claims on its website for years after its certification expired.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "02.10_controlscan", "docket_number": "1:10-cv-00532-JEC", "company_name": "ControlScan, Inc.", "date_issued": "2010-02-15", "year": 2010, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentation of Verification of Privacy and Security Protections", "Misrepresentation About PCI Compliance Efforts", "Misrepresentation of Daily Reviews" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3165-controlscan-inc", "source_filename": "02.10, ControlScan.json", "num_provisions": 10, "num_requirements": 20, "order_duration_years": null, "takeaway_brief": "ControlScan sold privacy and security certification seals to websites while conducting little or no actual verification of those companies' data protection practices.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Monetary Penalty", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "03.10_direct_marketing_associates_corp._et_al._usa", "docket_number": "CV 10-0696-PHX-LOA", "company_name": "Direct Marketing Associates, Corp.", "date_issued": "2010-03-15", "year": 2010, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "False Pre-Approval Representations (FTC Act Section 5)", "Impermissible Use of Consumer Reports (FCRA Section 604(f))" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 56(a); and the Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3002-direct-marketing-associates-corp-et-al-usa", "source_filename": "03.10, Direct Marketing Associates, Corp., et al., USA.json", "num_provisions": 1, "num_requirements": 1, "order_duration_years": null, "takeaway_brief": "Direct Marketing Associates mailed fake pre-approved auto financing solicitations using consumer credit data it obtained from credit bureaus under false pretenses.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Order Administration" ], "provision_counts_by_topic": { "FCRA": 1 } }, { "id": "04.10_united_states_of_america_v._central_credit", "docket_number": "2:10-cv-00565", "company_name": "Central Credit, LLC", "date_issued": "2010-04-15", "year": 2010, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Furnisher and User Notices — Section 607(d) FCRA", "Failure to Provide Adequate Summary of Rights — Section 609(c)(2) FCRA", "Failure to Establish Streamlined Process for Free Annual File Disclosures — Sections 612(a)(1)(C) and 612(a)(2) FCRA and Streamlined Process Rule" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) and 16(a) of the FTC Act, 15 U.S.C. §§ 53(b) and 56(a); and Sections 607(d), 609(c), 612(a)(1)(C) and (a)(2), and 621 of the Fair Credit Reporting Act, 15 U.S.C. §§ 1681e, 1681g, and 1681s", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3106-united-states-america-v-central-credit-llc", "source_filename": "04.10, United States of America v. Central Credit.json", "num_provisions": 9, "num_requirements": 27, "order_duration_years": null, "takeaway_brief": "Central Credit, a consumer reporting agency, failed to provide legally required notices to furnishers, users, and consumers and lacked a compliant process for free annual file disclosures.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Monetary Penalty", "Prohibition", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "FCRA": 9 } }, { "id": "06.10_dave_buster_s_in_the_matter_of", "docket_number": "C-4291", "company_name": "Dave & Buster's, Inc.", "date_issued": "2010-06-15", "year": 2010, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Jon Leibowitz, Chairman", "William E. Kovacic", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3153-dave-busters-incin-matter", "source_filename": "06.10, Dave & Buster's,In the Matter of.json", "num_provisions": 7, "num_requirements": 22, "order_duration_years": 20, "takeaway_brief": "Dave & Buster's failed to implement basic network security measures, allowing an intruder to steal customers' payment card information from its restaurant networks.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "09.10_choicepoint", "docket_number": "1:06-cv-00198-JTC", "company_name": "ChoicePoint Inc.", "date_issued": "2010-09-15", "year": 2010, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "Furnishing Consumer Reports Without Permissible Purpose (FCRA § 604)", "Failure to Maintain Reasonable Procedures to Limit Furnishing of Consumer Reports (FCRA § 607(a))", "Failure to Employ Reasonable Data Security Measures (FTC Act § 5(a))", "False or Misleading Privacy and Security Representations (FTC Act § 5(a))" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3069-choicepoint-inc", "source_filename": "09.10, ChoicePoint.json", "num_provisions": 4, "num_requirements": 12, "order_duration_years": null, "takeaway_brief": "ChoicePoint failed to verify the identities of prospective data subscribers, allowing fraudulent actors to access the personal information of approximately 163,000 consumers.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Data Security", "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Third-Party Assessment", "Order Administration" ], "provision_counts_by_topic": { "FCRA": 4 } }, { "id": "11.10_echometrix", "docket_number": "2:10-cv-05516-DRH", "company_name": "EchoMetrix, Inc.", "date_issued": "2010-11-15", "year": 2010, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Omission — Failure to Disclose Data Sharing with Third-Party Marketers" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3006-echometrix-inc", "source_filename": "11.10, EchoMetrix.json", "num_provisions": 8, "num_requirements": 21, "order_duration_years": null, "takeaway_brief": "EchoMetrix sold parental monitoring software while secretly feeding children's online activity data to a third-party market research product sold to advertisers.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "11.10_rite_aid_corporation", "docket_number": "C-4308", "company_name": "Rite Aid Corporation", "date_issued": "2010-11-15", "year": 2010, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Deceptive Privacy and Security Representations", "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Jon Leibowitz, Chairman", "William E. Kovacic", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v", "source_filename": "11.10, Rite Aid Corporation.json", "num_provisions": 18, "num_requirements": 68, "order_duration_years": 20, "takeaway_brief": "Rite Aid publicly claimed to protect patient privacy but failed to implement adequate policies for secure disposal of sensitive health and personal information.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security", "AI / Automated Decision-Making", "Surveillance" ], "industry_sectors": [ "Healthcare", "Retail" ], "remedy_types": [ "Biometric Ban", "Data Deletion", "Comprehensive Security Program", "Prohibition", "Recordkeeping", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Other" ], "provision_counts_by_topic": { "Section 5 Only": 18 } }, { "id": "03.11_twitter", "docket_number": "C-4316", "company_name": "Twitter, Inc.", "date_issued": "2011-03-15", "year": 2011, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentation of Security Measures to Protect Nonpublic User Information", "Misrepresentation of Security Measures to Honor User Privacy Choices" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Jon Leibowitz, Chairman", "William E. Kovacic", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023062-twitter-inc-us-v", "source_filename": "03.11, Twitter.json", "num_provisions": 8, "num_requirements": 28, "order_duration_years": 20, "takeaway_brief": "Twitter falsely claimed to protect user information with robust security measures while allowing nearly all employees broad administrative access with easily-compromised credentials for years.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Social Media" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "03.11_us_search", "docket_number": "C-4317", "company_name": "US Search, Inc.", "date_issued": "2011-03-15", "year": 2011, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False or Misleading PrivacyLock Representation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Jon Leibowitz, Chairman", "William E. Kovacic", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/us-search-inc", "source_filename": "03.11, US Search.json", "num_provisions": 8, "num_requirements": 16, "order_duration_years": 20, "takeaway_brief": "US Search sold a paid 'PrivacyLock' service promising to remove consumers' personal information from its site, while leaving that data accessible through multiple types of searches.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "05.11_playdom", "docket_number": "Case No. CV11-0724 (Central District of California)", "company_name": "Playdom, Inc.", "date_issued": "2011-05-15", "year": 2011, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Violations of the Children's Online Privacy Protection Rule", "Misrepresentation in Violation of Section 5 of the FTC Act" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c) and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023036-playdom-inc", "source_filename": "05.11, Playdom.json", "num_provisions": 17, "num_requirements": 35, "order_duration_years": null, "takeaway_brief": "Playdom allowed children under 13 immediate access to its online games and public profiles before obtaining any parental consent, violating COPPA.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology", "Social Media" ], "remedy_types": [ "Prohibition", "Data Deletion", "Consumer Redress", "Monetary Penalty", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "COPPA": 17 } }, { "id": "06.11_best_priced_brands", "docket_number": "CV 09-5276 DDP", "company_name": "Balls of Kryptonite, LLC", "date_issued": "2011-06-15", "year": 2011, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ], "violation_type": "deceptive", "complaint_counts": [ "False UK Location and Manufacturer Warranty Claims", "False Total Delivered Price Representations", "False UK Distance Selling Regulations Compliance Claims", "Failure to Deliver Products as Promised", "False Safe Harbor Self-Certification Claims", "Violations of the Mail Order Rule" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Commission's Trade Regulation Rule Concerning the Sale of Mail or Telephone Order Merchandise (Mail Order Rule), 16 C.F.R. Part 435", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3081-best-priced-brands-llc-et-al", "source_filename": "06.11, Best Priced Brands.json", "num_provisions": 13, "num_requirements": 46, "order_duration_years": null, "takeaway_brief": "Best Priced Brands deceived UK consumers by falsely presenting its U.S. businesses as UK-based retailers and misrepresenting prices, warranties, and consumer rights.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Other" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Consumer Redress", "Monetary Penalty", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 13 } }, { "id": "06.11_ceridian_corporation", "docket_number": "C-4325", "company_name": "Ceridian Corporation", "date_issued": "2011-06-15", "year": 2011, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Deceptive Data Security Representations", "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Jon Leibowitz, Chairman", "William E. Kovacic", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3160-ceridian-corporation-matter", "source_filename": "06.11, Ceridian Corporation.json", "num_provisions": 8, "num_requirements": 26, "order_duration_years": 20, "takeaway_brief": "Ceridian falsely claimed its payroll processing service met high security standards while storing employee data in unencrypted clear text with no SQL injection defenses.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "06.11_chitika", "docket_number": "C-4324", "company_name": "CHITIKA, INC.", "date_issued": "2011-06-15", "year": 2011, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Opt-Out Representation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Jon Leibowitz, Chairman", "William E. Kovacic", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023087-chitika-inc-matter", "source_filename": "06.11, Chitika.json", "num_provisions": 8, "num_requirements": 19, "order_duration_years": 20, "takeaway_brief": "Chitika told consumers that clicking its opt-out button stopped behavioral advertising tracking, but the opt-out cookie expired after only 10 days without any notice.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Data Deletion", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "06.11_lookout_services", "docket_number": "C-4326", "company_name": "Lookout Services, Inc.", "date_issued": "2011-06-15", "year": 2011, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Data Security Misrepresentation (Deceptive Practice)", "Failure to Provide Reasonable Data Security (Unfair Practice)" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Jon Leibowitz, Chairman", "William E. Kovacic", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3076-lookout-services-inc-matter", "source_filename": "06.11, Lookout Services.json", "num_provisions": 8, "num_requirements": 21, "order_duration_years": 20, "takeaway_brief": "Lookout Services falsely claimed 24/7 network security monitoring for its I-9 compliance product while lacking basic security safeguards like strong passwords and URL authentication controls.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "06.11_teletrack", "docket_number": "1 11-CV-2060", "company_name": "TELETRACK, INC.", "date_issued": "2011-06-15", "year": 2011, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Furnishing Consumer Reports Without Permissible Purpose (FCRA § 604)" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Sections 13(b) and 16(a) of the FTC Act, 15 U.S.C. §§ 53(b) and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3075-teletrack-inc", "source_filename": "06.11, Teletrack.json", "num_provisions": 9, "num_requirements": 22, "order_duration_years": null, "takeaway_brief": "Teletrack sold consumer credit inquiry data to third-party marketers as mailing lists without a permissible purpose under the Fair Credit Reporting Act.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Monetary Penalty", "Prohibition", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "FCRA": 9 } }, { "id": "08.11_acranet", "docket_number": "C-4331", "company_name": "ACRAnet, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "categories": [ "Data Security", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ], "violation_type": "unfair", "complaint_counts": [ "Violations of the Safeguards Rule (GLB Act)", "Violation of FCRA Section 604 — Furnishing Reports Without Permissible Purpose", "Violation of FCRA Section 607(a) — Failure to Maintain Reasonable Procedures", "Violation of FCRA Section 607(a) — Furnishing Reports With Grounds to Believe Impermissible Use", "Unfair and Deceptive Acts via FCRA Violations — FTC Act Section 5(a)", "Unfair Acts or Practices — Failure to Employ Reasonable Security Measures (FTC Act Section 5(a))" ], "legal_authority": "Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)); Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.); and the Standards for Safeguarding Customer Information Rule (16 C.F.R. Part 314), issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809)", "commissioners": [ "Jon Leibowitz, Chairman", "William E. Kovacic", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3088-acranet-inc-matter", "source_filename": "08.11, ACRAnet.json", "num_provisions": 9, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "ACRAnet, a credit reporting agency, failed to implement basic security safeguards for its clients, allowing hackers to access sensitive consumer credit reports through clients' unprotected networks.", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Comprehensive Security Program", "Prohibition", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "FCRA": 8, "GLBA": 8 } }, { "id": "08.11_fajilan_and_associates_also_dba_statewide_credit_services", "docket_number": "C-4332", "company_name": "Fajilan and Associates, Inc.", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "categories": [ "Data Security", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Violations of the Safeguards Rule (GLB Act)", "Furnishing Consumer Reports Without Permissible Purpose (FCRA § 604)", "Failure to Maintain Reasonable Procedures to Limit Furnishing (FCRA § 607(a))", "Furnishing Reports With Reasonable Grounds to Believe No Permissible Purpose (FCRA § 607(a))", "Unfair and Deceptive Acts via FCRA Violations (FTC Act § 5(a))", "Unfair Security Practices (FTC Act § 5(a))" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "commissioners": [ "Jon Leibowitz, Chairman", "William E. Kovacic", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3089-fajilan-associates-inc-also-dba-statewide-credit-services-matter", "source_filename": "08.11, Fajilan and Associates, also dba Statewide Credit Services.json", "num_provisions": 10, "num_requirements": 30, "order_duration_years": 20, "takeaway_brief": "Statewide Credit Services sold sensitive credit reports to clients without verifying their security posture, enabling repeated hacker breaches of client networks.", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Comprehensive Security Program", "Prohibition", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "FCRA": 9, "GLBA": 9 } }, { "id": "08.11_settlementone_credit_corporation", "docket_number": "C-4330", "company_name": "SettlementOne Credit Corporation", "date_issued": "2011-08-15", "year": 2011, "administration": "Obama", "categories": [ "Data Security", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Violation of the Safeguards Rule (GLB Act)", "Violation of FCRA Section 604 — Furnishing Reports Without Permissible Purpose", "Violation of FCRA Section 607(a) — Failure to Maintain Reasonable Procedures", "Violation of FCRA Section 607(a) — Furnishing Reports with Reasonable Grounds to Believe No Permissible Purpose", "Unfair and Deceptive Acts or Practices — FCRA Violations as FTC Act Violations", "Unfair Acts or Practices — Failure to Employ Reasonable Security Measures (FTC Act Section 5)" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.; and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title V, Subtitle A of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809", "commissioners": [ "Jon Leibowitz, Chairman", "William E. Kovacic", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3208-settlementone-credit-corporation", "source_filename": "08.11, SettlementOne Credit Corporation.json", "num_provisions": 9, "num_requirements": 27, "order_duration_years": 20, "takeaway_brief": "SettlementOne Credit allowed client mortgage brokers without verified security to access sensitive consumer credit reports, enabling hackers to breach multiple client networks.", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Comprehensive Security Program", "Prohibition", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "FCRA": 8, "GLBA": 8 } }, { "id": "09.11_w3_innovations_dba_broken_thumb_apps_and_justin_maples_u.s.", "docket_number": "C-11-03958", "company_name": "W3 Innovations, LLC", "date_issued": "2011-09-15", "year": 2011, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Violations of the Children's Online Privacy Protection Rule" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c) and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3251-w3-innovations-llc-dba-broken-thumb-apps-justin-maples-us", "source_filename": "09.11, W3 Innovations dba Broken Thumb Apps and Justin Maples, U.S..json", "num_provisions": 10, "num_requirements": 29, "order_duration_years": null, "takeaway_brief": "Broken Thumbs Apps collected over 30,000 email addresses from children through child-directed mobile apps without any privacy notice or parental consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "COPPA": 10 } }, { "id": "10.11_frostwire_llc_and_angel_leon", "docket_number": "11-23643-CV-GRAHAM", "company_name": "Frostwire LLC", "date_issued": "2011-10-15", "year": 2011, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False Representation About the Sharing of Downloads in FrostWire Desktop", "Failure to Disclose Material Information About the Sharing of Downloads in FrostWire Desktop", "Unfair Design of FrostWire for Android" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3041-frostwire-llc-angel-leon", "source_filename": "10.11, Frostwire LLC and Angel Leon.json", "num_provisions": 10, "num_requirements": 40, "order_duration_years": null, "takeaway_brief": "FrostWire's file-sharing apps deceived users about which files were being publicly shared on peer-to-peer networks.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Deceptive Design / Dark Patterns" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Compliance Monitoring", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "10.11_google", "docket_number": "C-4336", "company_name": "Google Inc.", "date_issued": "2011-10-15", "year": 2011, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Representation: Gmail Data Used Only for Email Service", "False Representation: Consent Before Repurposing User Data", "False Representation: Opting Out of Buzz", "Deceptive Omission: Lack of Adequate Disclosure of Default Public Sharing", "False Representation: Adherence to U.S.-EU Safe Harbor Framework" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Jon Leibowitz, Chairman", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/google-inc", "source_filename": "10.11, Google.json", "num_provisions": 9, "num_requirements": 25, "order_duration_years": 20, "takeaway_brief": "Google auto-enrolled Gmail users into its Buzz social network using their contacts, breaking promises that Gmail data would only be used for email.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "11.11_godwin_jones_o._dba_skidekids.com", "docket_number": "Civil Action No. 1:11-cv-03846-JOF", "company_name": "Jones O. Godwin", "date_issued": "2011-11-15", "year": 2011, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Violations of the Children's Online Privacy Protection Rule (COPPA Rule)", "Violations of the FTC Act — Deceptive Misrepresentation" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c) and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1123033-godwin-jones-o-dba-skidekidscom", "source_filename": "11.11, Godwin, Jones O., dba skidekids.com.json", "num_provisions": 15, "num_requirements": 37, "order_duration_years": null, "takeaway_brief": "Skid-e-kids' operator claimed to collect parental email addresses and notify parents before activating children's accounts, but never actually did so.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Social Media" ], "remedy_types": [ "Prohibition", "Data Deletion", "Consumer Redress", "Monetary Penalty", "Order Administration", "Third-Party Assessment", "Recordkeeping", "Compliance Monitoring" ], "provision_counts_by_topic": { "COPPA": 15 } }, { "id": "12.11_scanscout", "docket_number": "C-4344", "company_name": "ScanScout, Inc.", "date_issued": "2011-12-15", "year": 2011, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Opt-Out Representation Regarding Cookie Data Collection" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Jon Leibowitz, Chairman", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3185-scanscout-inc-matter", "source_filename": "12.11, ScanScout.json", "num_provisions": 7, "num_requirements": 17, "order_duration_years": 20, "takeaway_brief": "ScanScout falsely told consumers they could opt out of tracking cookies by changing browser settings, when its Flash cookies were immune to browser-level controls.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "01.12_asset_acceptance", "docket_number": "8:12-cv-00182-JDW-EAJ", "company_name": "Asset Acceptance, LLC", "date_issued": "2012-01-15", "year": 2012, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Lack of Reasonable Basis – False Representations of Debt Validity", "Failure to Disclose Statute of Limitations Status", "Furnishing Inaccurate Information to Consumer Reporting Agencies – FCRA § 623(a)(1)(A)", "Failure to Provide Required Negative Information Notice – FCRA § 623(a)(7)", "Failure to Conduct Reasonable Investigation of ACDV Disputes – FCRA § 623(b)(1)", "Repeated Communications with Third Parties for Location Information – FDCPA § 804(3)", "Unauthorized Third-Party Communications About Debts – FDCPA § 805(b)", "False, Deceptive, or Misleading Representations in Debt Collection – FDCPA § 807", "Failure to Obtain Debt Verification Before Resuming Collection – FDCPA § 809(b)" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A); the Fair Credit Reporting Act (FCRA), 15 U.S.C. §§ 1681-1681x; and the Fair Debt Collection Practices Act (FDCPA), 15 U.S.C. §§ 1692-1692p", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/052-3133-asset-acceptance-llc", "source_filename": "01.12, Asset Acceptance.json", "num_provisions": 2, "num_requirements": 2, "order_duration_years": null, "takeaway_brief": "Asset Acceptance pursued consumers for debts without adequate verification, failed to disclose statute-of-limitations issues, and furnished inaccurate information to credit bureaus.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Order Administration" ], "provision_counts_by_topic": { "FCRA": 2 } }, { "id": "03.12_rockyou", "docket_number": "CV '12 1487", "company_name": "RockYou, Inc.", "date_issued": "2012-03-15", "year": 2012, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Data Security Misrepresentation", "COPPA Rule Violations", "Misrepresentation About Children's Information Collection" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6501-6506, 6502(c) and 6505(d)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023120-rockyou-inc", "source_filename": "03.12, RockYou.json", "num_provisions": 12, "num_requirements": 36, "order_duration_years": 20, "takeaway_brief": "RockYou failed to secure 32 million email addresses and passwords, and knowingly collected personal data from approximately 179,000 children without parental consent in violation of COPPA.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy", "Data Security" ], "industry_sectors": [ "Technology", "Social Media" ], "remedy_types": [ "Prohibition", "Data Deletion", "Consumer Redress", "Monetary Penalty", "Comprehensive Security Program", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 12 } }, { "id": "06.12_spokeo", "docket_number": "C-12-cv-05001-MMM-SH (Case No. 2:12-cv-05001-MMM-SH)", "company_name": "Spokeo, Inc.", "date_issued": "2012-06-15", "year": 2012, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Failure to Maintain Reasonable Procedures for Permissible Purposes", "Failure to Follow Reasonable Procedures to Assure Maximum Possible Accuracy", "Failure to Provide User Notices", "Furnishing Consumer Reports Without Permissible Purpose", "Fake Endorsements" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023163-spokeo-inc", "source_filename": "06.12, Spokeo.json", "num_provisions": 8, "num_requirements": 28, "order_duration_years": 20, "takeaway_brief": "Spokeo marketed detailed consumer profiles for employment decisions while operating as an unregistered consumer reporting agency without any FCRA compliance procedures.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Monetary Penalty", "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 8 } }, { "id": "08.12_hireright_solutions", "docket_number": "12-1313", "company_name": "HireRight Solutions, Inc.", "date_issued": "2012-08-15", "year": 2012, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Failure to Ensure Maximum Possible Accuracy", "Failure to Disclose Consumer File Information", "Failure to Conduct Proper Reinvestigations", "Failure to Provide Written Notice of Reinvestigation Results", "Failure to Comply with Public Record Information Requirements" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 16(a) of the Federal Trade Commission Act, 15 U.S.C. § 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-313-hireright-solutions-inc", "source_filename": "08.12, HireRight Solutions.json", "num_provisions": 8, "num_requirements": 33, "order_duration_years": null, "takeaway_brief": "HireRight systematically failed to ensure accuracy of background screening reports, denied consumers access to their own files, and refused to properly reinvestigate disputes.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Monetary Penalty", "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 8 } }, { "id": "09.12_myspace", "docket_number": "C-4369", "company_name": "MYSPACE LLC", "date_issued": "2012-09-15", "year": 2012, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Unauthorized Sharing of PII", "False Claims About Ad Customization Privacy", "False Anonymization Claims", "Safe Harbor Compliance Misrepresentation" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Jon Leibowitz, Chairman", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill", "Maureen K. Ohlhausen" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3058-myspace-llc-matter", "source_filename": "09.12, Myspace.json", "num_provisions": 8, "num_requirements": 27, "order_duration_years": 20, "takeaway_brief": "Myspace transmitted users' personal identifiers to third-party advertisers without disclosure, enabling advertisers to link users' real identities to their browsing behavior.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Social Media", "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "10.12_artist_arena_llc_united_states_of_america", "docket_number": "12 Civ. 07386", "company_name": "Artist Arena LLC", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "COPPA Rule Violations", "Deceptive Representations About Parental Consent" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506, 6502(c) and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 41-58, 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3167-artist-arena-llc-united-states-america-federal-trade-commission", "source_filename": "10.12, Artist Arena LLC, United States of America.json", "num_provisions": 9, "num_requirements": 23, "order_duration_years": null, "takeaway_brief": "Artist Arena collected personal data from over 101,000 children under 13 for celebrity fan clubs without proper parental notice or consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Consumer Redress", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 9 } }, { "id": "10.12_direct_lending_source", "docket_number": "3:12-cv-02441-DMS-BLM", "company_name": "Direct Lending Source, Inc.", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Obtaining Consumer Reports Without Permissible Purpose", "Failure to Identify End-User of Consumer Reports", "Failure to Establish Reasonable Procedures for Resale", "Failure to Maintain Required Criteria Documentation", "Unfair Practices - Failure to Control Access to Sensitive Consumer Information" ], "legal_authority": "Section 5(a), Section 5(n), Section 13(b), and Section 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 45(n), 53(b), and 56(a); and sections 604(f), 607(e)(1), 607(e)(2), 615(d)(3), and 621 of the Fair Credit Reporting Act, 15 U.S.C. §§ 1681b(f), 1681e(e)(1), 1681e(e)(2), 1681m(d)(3), and 1681s", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3000-direct-lending-source-inc-et-al", "source_filename": "10.12, Direct Lending Source.json", "num_provisions": 8, "num_requirements": 44, "order_duration_years": 20, "takeaway_brief": "Direct Lending Source purchased and resold prescreened consumer credit lists to entities running fraudulent loan modification schemes without verifying permissible use.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Monetary Penalty", "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 8 } }, { "id": "10.12_epn_also_dba_checknet", "docket_number": "C-4370", "company_name": "EPN, Inc., also d/b/a Checknet, Inc.", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45", "commissioners": [ "Jon Leibowitz, Chairman", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill", "Maureen K. Ohlhausen" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3143-epn-inc-also-dba-checknet-inc-matter", "source_filename": "10.12, EPN, also dba Checknet.json", "num_provisions": 8, "num_requirements": 27, "order_duration_years": 20, "takeaway_brief": "EPN, a debt collector, failed to implement reasonable data security, allowing a peer-to-peer app to expose sensitive consumer information on a public network.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "10.12_franklin_s_budget_car_sales_also_dba_franklin_toyotascion", "docket_number": "C-4371", "company_name": "Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion", "date_issued": "2012-10-15", "year": 2012, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Deceptive Security Claims (FTC Act Violation)", "Safeguards Rule Violations", "Privacy Rule Violations" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314; Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313", "commissioners": [ "Jon Leibowitz, Chairman", "J. Thomas Rosch", "Edith Ramirez", "Julie Brill", "Maureen K. Ohlhausen" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3094-franklins-budget-car-sales-inc-also-dba-franklin-toyotascion-matter", "source_filename": "10.12, Franklin's Budget Car Sales, also dba Franklin ToyotaScion.json", "num_provisions": 9, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "Franklin Toyota claimed to maintain legally compliant security safeguards while allowing a P2P app to expose nearly 95,000 customers' sensitive personal information.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "GLBA": 9 } }, { "id": "11.12_pls_financial_services", "docket_number": "1:12-cv-08334", "company_name": "PLS Financial Services, Inc.", "date_issued": "2012-11-15", "year": 2012, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Disposal Rule Violation", "Safeguards Rule Violation", "Deceptive Security Claims", "Privacy Rule Violation" ], "legal_authority": "Sections 5(a), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 53(b), and 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Disposal Rule, 16 C.F.R. Part 682; Safeguards Rule, 16 C.F.R. Part 314; Privacy Rule, 16 C.F.R. Part 313", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023172-pls-financial-services-inc-et-al", "source_filename": "11.12, PLS Financial Services.json", "num_provisions": 14, "num_requirements": 36, "order_duration_years": 20, "takeaway_brief": "PLS Financial Services represented it maintained legally compliant security safeguards but discarded consumer documents containing sensitive personal information in unsecured dumpsters.", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Data Security", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Monetary Penalty", "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 12, "GLBA": 12 } }, { "id": "02.13_compete", "docket_number": "C-4384", "company_name": "Compete, Inc.", "date_issued": "2013-02-15", "year": 2013, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Failure to Disclose Extent of Data Collection", "False Claims About Data Filtering", "False Security Claims", "Unfair Data Security Practices" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Jon Leibowitz, Chairman", "Edith Ramirez", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3155-compete-inc", "source_filename": "02.13, Compete.json", "num_provisions": 12, "num_requirements": 34, "order_duration_years": 20, "takeaway_brief": "Compete collected consumers' sensitive financial and personal information through tracking software while falsely claiming it only anonymously collected browsing data.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Order Administration", "Comprehensive Security Program", "Third-Party Assessment", "Data Deletion", "Recordkeeping", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 12 } }, { "id": "02.13_path", "docket_number": "C-3:13-cv-00448-RS", "company_name": "Path, Inc.", "date_issued": "2013-02-15", "year": 2013, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive User Interface Representation", "Deceptive Privacy Policy Statement", "COPPA Rule Violations" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501-6506, 6502(c), and 6505(d)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3158-path-inc", "source_filename": "02.13, Path.json", "num_provisions": 10, "num_requirements": 36, "order_duration_years": 20, "takeaway_brief": "Path's mobile app silently collected users' entire phone contact lists without consent and knowingly gathered personal data from thousands of children without parental approval.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Social Media", "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 10 } }, { "id": "03.13_epic_marketplace", "docket_number": "C-4389", "company_name": "Epic Marketplace, Inc.", "date_issued": "2013-03-15", "year": 2013, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentation of Data Collection Scope", "Failure to Disclose History Sniffing" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45", "commissioners": [ "Edith Ramirez, Chairman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3182-epic-marketplace-inc", "source_filename": "03.13, Epic Marketplace.json", "num_provisions": 8, "num_requirements": 16, "order_duration_years": 20, "takeaway_brief": "Epic Marketplace secretly exploited browser history to track consumers' visits to sensitive websites — including medical and financial pages — without disclosing this practice in its privacy policy.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "03.13_equifax_information_services_ll", "docket_number": "C-4387", "company_name": "Equifax Information Services LLC", "date_issued": "2013-03-15", "year": 2013, "administration": "Obama", "categories": [ "Data Security", "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Furnishing Consumer Reports Without Permissible Purpose", "Failure to Maintain Reasonable Procedures", "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq.", "commissioners": [ "Edith Ramirez, Chairman", "Jon Leibowitz", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "source_filename": "03.13, Equifax Information Services LL.json", "num_provisions": 7, "num_requirements": 19, "order_duration_years": 20, "takeaway_brief": "Equifax sold prescreened consumer credit lists to a company that resold them to third parties for general marketing, without maintaining adequate procedures to ensure permissible use.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "FCRA": 7 } }, { "id": "04.13_aspen_way_enterprises", "docket_number": "C-4392", "company_name": "Aspen Way Enterprises, Inc.", "date_issued": "2013-04-15", "year": 2013, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Unfair Gathering of Consumers' Personal Information", "Unfair Collection Practices", "Deceptive Gathering of Consumers' Personal Information" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-aspen-way-enterprises-inc-matter", "source_filename": "04.13, Aspen Way Enterprises.json", "num_provisions": 10, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "Aspen Way Enterprises installed hidden monitoring software on rented computers to secretly capture consumers' sensitive personal information, including via webcam.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Surveillance" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "04.13_b._stamper_enterprises", "docket_number": "C-4393", "company_name": "B. Stamper Enterprises, Inc.", "date_issued": "2013-04-15", "year": 2013, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Unfair Gathering of Consumers' Personal Information", "Unfair Collection Practices", "Deceptive Gathering of Consumers' Personal Information" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-b-stamper-enterprises-inc-matter", "source_filename": "04.13, B. Stamper Enterprises.json", "num_provisions": 10, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "B. Stamper Enterprises secretly monitored rented computer users via hidden software to capture passwords, medical records, and personal images.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Surveillance" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "04.13_c.a.l.m._ventures", "docket_number": "C-4394", "company_name": "C.A.L.M. Ventures, Inc.", "date_issued": "2013-04-15", "year": 2013, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Unfair Gathering of Consumers' Personal Information", "Unfair Collection Practices", "Deceptive Gathering of Consumers' Personal Information" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-calm-ventures-inc-matter", "source_filename": "04.13, C.A.L.M. Ventures.json", "num_provisions": 10, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "C.A.L.M. Ventures used hidden monitoring software on rented computers to secretly spy on consumers in their homes, including activating webcams without consent.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Surveillance" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "04.13_designerware", "docket_number": "C-4390", "company_name": "DesignerWare, LLC", "date_issued": "2013-04-15", "year": 2013, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Gathering and Disclosure of Consumers' Personal Information", "Means and Instrumentalities to Engage in Unfairness", "Deceptive Gathering and Disclosure of Consumers' Personal Information" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-designerware-llc-matter", "source_filename": "04.13, DesignerWare.json", "num_provisions": 9, "num_requirements": 27, "order_duration_years": 20, "takeaway_brief": "DesignerWare developed and licensed stalkerware that secretly activated webcams, logged keystrokes, and tracked consumers' locations on rented computers.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "04.13_j.a.g._rents_also_dba_colortyme", "docket_number": "C-4395", "company_name": "J.A.G. Rents, LLC", "date_issued": "2013-04-15", "year": 2013, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Unfair Gathering of Consumers' Personal Information", "Unfair Collection Practices", "Deceptive Gathering of Consumers' Personal Information" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-jag-rents-llc-also-dba-colortyme-matter", "source_filename": "04.13, J.A.G. Rents, also dba ColorTyme.json", "num_provisions": 10, "num_requirements": 23, "order_duration_years": 20, "takeaway_brief": "J.A.G. Rents secretly monitored rented computer users through hidden software, capturing sensitive personal information and tricking consumers with fake registration pop-ups.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Surveillance" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "04.13_red_zone_investment_group", "docket_number": "C-4396", "company_name": "Red Zone Investment Group, Inc.", "date_issued": "2013-04-15", "year": 2013, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Unfair Gathering of Consumers' Personal Information", "Unfair Collection Practices", "Deceptive Gathering of Consumers' Personal Information" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-red-zone-investment-group-inc-matter", "source_filename": "04.13, Red Zone Investment Group.json", "num_provisions": 10, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "Red Zone Investment Group installed covert monitoring software on rented computers to secretly surveil users and collect personal information without their knowledge.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Surveillance" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "04.13_showplace", "docket_number": "C-4397", "company_name": "Showplace, Inc.", "date_issued": "2013-04-15", "year": 2013, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Unfair Gathering of Consumers' Personal Information", "Unfair Collection Practices", "Deceptive Gathering of Consumers' Personal Information" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-showplace-inc-matter", "source_filename": "04.13, Showplace.json", "num_provisions": 10, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "Showplace secretly installed monitoring software on rented computers to capture consumers' webcam images, keystrokes, and personal data without their knowledge.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Surveillance" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "04.13_watershed_development", "docket_number": "C-4398", "company_name": "Watershed Development Corp.", "date_issued": "2013-04-15", "year": 2013, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Unfair Gathering of Consumers' Personal Information", "Unfair Collection Practices", "Deceptive Gathering of Consumers' Personal Information" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3151-watershed-development-corp-matter", "source_filename": "04.13, Watershed Development.json", "num_provisions": 10, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "Watershed Development secretly monitored rented computer users through hidden keylogging, screenshot, and webcam software without their knowledge or consent.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Surveillance" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "05.13_cbr_systems", "docket_number": "C-4400", "company_name": "CBR Systems, Inc.", "date_issued": "2013-05-15", "year": 2013, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3120-cbr-systems-inc-matter", "source_filename": "05.13, CBR Systems.json", "num_provisions": 8, "num_requirements": 22, "order_duration_years": 20, "takeaway_brief": "CBR Systems falsely claimed to handle consumers' sensitive health and financial data securely while failing to implement basic data protection measures.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "05.13_filiquarian_publishing_choice_level_and_joshua_linsk", "docket_number": "C-4401", "company_name": "Filiquarian Publishing, LLC", "date_issued": "2013-05-15", "year": 2013, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Failure to Maintain Permissible Purpose Procedures (Section 604(a))", "Failure to Limit Furnishing to Permissible Purposes (Section 607(a))", "Failure to Ensure Maximum Possible Accuracy (Section 607(b))", "Failure to Provide Required Notices (Section 607(d))", "Unfair and Deceptive Acts or Practices (Section 5(a) FTC Act)" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3195-filiquarian-publishing-llc-choice-level-llc-joshua-linsk-matter", "source_filename": "05.13, Filiquarian Publishing; Choice Level; and Joshua Linsk.json", "num_provisions": 6, "num_requirements": 16, "order_duration_years": 20, "takeaway_brief": "Filiquarian marketed mobile apps for employment background checks while operating as a consumer reporting agency without implementing any required FCRA procedures.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "FCRA": 6 } }, { "id": "07.13_htc_america", "docket_number": "C-4406", "company_name": "HTC America, Inc.", "date_issued": "2013-07-15", "year": 2013, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ], "violation_type": "both", "complaint_counts": [ "Unfair Security Practices", "Deceptive Android User Manuals", "Deceptive Tell HTC User Interface" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3049-htc-america-inc-matter", "source_filename": "07.13, HTC America.json", "num_provisions": 9, "num_requirements": 28, "order_duration_years": 20, "takeaway_brief": "HTC introduced serious security vulnerabilities into millions of Android and Windows Mobile devices, exposing sensitive user data to third-party apps without permission.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Consumer Notification", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "08.13_certegy_check_services", "docket_number": "C-4701", "company_name": "Certegy Check Services, Inc.", "date_issued": "2013-08-15", "year": 2013, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Accuracy of Consumer Report Information", "Reinvestigations of Disputed Information", "Consumer File Disclosures and Streamlined Process", "Written Policies (Furnishers)" ], "legal_authority": "Sections 5(a), 5(m)(1)(A), 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 45(m)(1)(A), 53(b), 56(a)(1), and 57b; and section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3184-certegy-check-services-inc", "source_filename": "08.13, Certegy Check Services.json", "num_provisions": 8, "num_requirements": 29, "order_duration_years": 10, "takeaway_brief": "Certegy Check Services failed to maintain accurate consumer report information, required consumers to conduct their own reinvestigations, and lacked adequate dispute handling processes.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Monetary Penalty", "Consumer Redress", "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 8 } }, { "id": "12.13_time_warner_cable", "docket_number": "1:13-cv-08998-AJN", "company_name": "Time Warner Cable Inc.", "date_issued": "2013-12-15", "year": 2013, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)", "Telemarketing / Do-Not-Call" ], "violation_type": "unfair", "complaint_counts": [ "Violation of the Risk-Based Pricing Rule" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 615 of the Fair Credit Reporting Act, 15 U.S.C. § 1681m; and the Risk-Based Pricing Rule, 16 C.F.R. § 640.1 et seq.", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3149-time-warner-cable-inc", "source_filename": "12.13, Time Warner Cable.json", "num_provisions": 0, "num_requirements": 0, "order_duration_years": null, "takeaway_brief": "Time Warner Cable required consumers with weaker credit to pay deposits without providing the required risk-based pricing notices before they became contractually obligated.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Telecom" ], "remedy_types": [], "provision_counts_by_topic": { "FCRA": 0 } }, { "id": "01.14_telecheck_services", "docket_number": "14cv00062", "company_name": "TeleCheck Services, Inc.", "date_issued": "2014-01-15", "year": 2014, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Reinvestigations of Disputed Information", "Accuracy of Consumer Report Information", "Requirements of Furnishers: Written Policies" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3183-telecheck-services-inc", "source_filename": "01.14, TeleCheck Services.json", "num_provisions": 9, "num_requirements": 24, "order_duration_years": null, "takeaway_brief": "TeleCheck failed to properly reinvestigate disputed consumer information and did not maintain reasonable accuracy procedures, while its affiliate TRS lacked required written data furnisher policies.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Monetary Penalty", "Consumer Redress", "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 9 } }, { "id": "02.14_accretive_health", "docket_number": "C-4432", "company_name": "Accretive Health, Inc.", "date_issued": "2014-02-15", "year": 2014, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3077-accretive-health-inc-matter", "source_filename": "02.14, Accretive Health.json", "num_provisions": 7, "num_requirements": 23, "order_duration_years": 20, "takeaway_brief": "Accretive Health failed to implement reasonable data security measures to protect sensitive patient information, resulting in a laptop theft that exposed over 23,000 patients' data.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "02.14_trendnet", "docket_number": "C-4426", "company_name": "TRENDnet, Inc.", "date_issued": "2014-02-15", "year": 2014, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "Security Misrepresentation", "Security Settings Misrepresentation", "Unfair Practice - Inadequate Security" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3090-trendnet-inc-matter", "source_filename": "02.14, TRENDnet.json", "num_provisions": 9, "num_requirements": 37, "order_duration_years": 20, "takeaway_brief": "TRENDnet sold 'SecurView' cameras that transmitted login credentials in clear text and left live feeds of private areas exposed to hackers due to software security failures.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Consumer Notification", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "03.14_aaron_s", "docket_number": "C-4442", "company_name": "Aaron's, Inc.", "date_issued": "2014-03-15", "year": 2014, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Acts or Practices" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3256-aarons-inc-matter", "source_filename": "03.14, Aaron’s.json", "num_provisions": 11, "num_requirements": 26, "order_duration_years": 20, "takeaway_brief": "Aaron's provided its franchisees with spyware that secretly logged keystrokes, captured screenshots, and activated webcams on rented computers without consumers' knowledge or consent.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Surveillance" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Data Deletion", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 11 } }, { "id": "04.14_goldenshores_technologies_and_erik_m._geidl", "docket_number": "C-4446", "company_name": "Goldenshores Technologies, LLC", "date_issued": "2014-04-15", "year": 2014, "administration": "Obama", "categories": [ "Location / Geolocation Data" ], "violation_type": "deceptive", "complaint_counts": [ "Failure to Disclose Data Sharing with Third Parties", "False Choice to Refuse Data Collection" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-goldenshores-technologies-llc-erik-m-geidl-matter", "source_filename": "04.14, Goldenshores Technologies, and Erik M. Geidl.json", "num_provisions": 9, "num_requirements": 20, "order_duration_years": 20, "takeaway_brief": "Goldenshores Technologies' Brightest Flashlight Free app secretly transmitted users' precise geolocation and device identifiers to advertising networks without adequate disclosure.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "04.14_infotrack_information_services", "docket_number": "14-cv-2054", "company_name": "InfoTrack Information Services, Inc.", "date_issued": "2014-04-15", "year": 2014, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Failure to Ensure Maximum Possible Accuracy", "Failure to Provide Required Notices", "Failure to Comply with Public Record Reporting Requirements" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Fair Credit Reporting Act sections 607(b), 609(a), 611(a)(1)(A), 611(a)(6), and 613(a)(1), 15 U.S.C. §§ 1681e, 1681g, 1681i, and 1681k", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3092-infotrack-information-services-inc-et-al", "source_filename": "04.14, Infotrack Information Services.json", "num_provisions": 10, "num_requirements": 26, "order_duration_years": 20, "takeaway_brief": "InfoTrack provided inaccurate background check reports with unreliable sex offender data and failed to provide legally required FCRA notices.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Notification", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 10 } }, { "id": "04.14_instant_checkmate", "docket_number": "14CV0675H JMA", "company_name": "Instant Checkmate, Inc.", "date_issued": "2014-04-15", "year": 2014, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Failure to Maintain Reasonable Procedures to Limit Report Furnishing", "Failure to Follow Reasonable Procedures to Assure Maximum Accuracy", "Failure to Provide Notice to Users of Their FCRA Responsibilities", "Furnishing Consumer Reports Without Permissible Purpose" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3221-instant-checkmate-inc", "source_filename": "04.14, Instant Checkmate.json", "num_provisions": 10, "num_requirements": 28, "order_duration_years": 3, "takeaway_brief": "Instant Checkmate marketed background reports for employment screening purposes while failing to comply with any Fair Credit Reporting Act requirements.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 10 } }, { "id": "05.14_foru_international_corporation", "docket_number": "C-4456 and C-4457", "company_name": "GeneLink, Inc.", "date_issued": "2014-05-15", "year": 2014, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Claims About Genetic Disadvantage Mitigation", "Lack of Substantiation for Custom Supplement Efficacy Claims", "Lack of Substantiation for Disease Treatment Claims", "False Claims About Skin Repair Serum Efficacy", "Providing Means and Instrumentalities for Deception", "False Data Security Representations", "Unfair Data Security Practices" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter", "source_filename": "05.14, foru™ International Corporation.json", "num_provisions": 14, "num_requirements": 39, "order_duration_years": 20, "takeaway_brief": "GeneLink and foruTM made unsubstantiated claims that their DNA-based supplements could treat diseases and mitigate genetic disadvantages, while failing to secure consumers' genetic data.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security", "Other" ], "industry_sectors": [ "Healthcare", "Retail" ], "remedy_types": [ "Prohibition", "Order Administration", "Other", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 14 } }, { "id": "05.14_genelink", "docket_number": "C-4456", "company_name": "GeneLink, Inc.", "date_issued": "2014-05-15", "year": 2014, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Claims About Scientific Proof for Genetic Disadvantage Mitigation", "Lack of Substantiation for Custom Supplement Efficacy Claims", "Lack of Substantiation for Disease Treatment Claims", "False Claims About Skin Repair Serum Efficacy", "False Data Security Representations", "Unfair Data Security Practices" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/112-3095-genelink-inc-matter", "source_filename": "05.14, Genelink.json", "num_provisions": 14, "num_requirements": 42, "order_duration_years": 20, "takeaway_brief": "GeneLink made false and unsubstantiated claims that its DNA-based supplements could treat diseases while failing to protect nearly 30,000 consumers' genetic and financial data.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security", "Other" ], "industry_sectors": [ "Healthcare", "Retail" ], "remedy_types": [ "Prohibition", "Order Administration", "Other", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 14 } }, { "id": "06.14_american_apparel", "docket_number": "C-4459", "company_name": "American Apparel, Inc.", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Certification Claims" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3036-american-apparel-inc-matter", "source_filename": "06.14, American Apparel.json", "num_provisions": 6, "num_requirements": 13, "order_duration_years": 20, "takeaway_brief": "American Apparel falsely claimed active Safe Harbor certification for roughly six months after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_apperian", "docket_number": "C-4461", "company_name": "Apperian, Inc.", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claims" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3017-apperian-inc-matter", "source_filename": "06.14, Apperian.json", "num_provisions": 6, "num_requirements": 12, "order_duration_years": 20, "takeaway_brief": "Apperian displayed the Safe Harbor certification mark and claimed compliance for over a year after its certification status had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_atlanta_falcons_football_club", "docket_number": "C-4462", "company_name": "Atlanta Falcons Football Club, LLC", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Certification Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3018-atlanta-falcons-football-club-llc-matter", "source_filename": "06.14, Atlanta Falcons Football Club.json", "num_provisions": 6, "num_requirements": 10, "order_duration_years": 20, "takeaway_brief": "The Atlanta Falcons Football Club falsely claimed active Safe Harbor participation for nearly eight years after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_baker_tilly_virchow_krause_llp", "docket_number": "C-4463", "company_name": "Baker Tilly Virchow Krause, LLP", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claims" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3019-baker-tilly-virchow-krause-llp-matter", "source_filename": "06.14, Baker Tilly Virchow Krause, LLP.json", "num_provisions": 6, "num_requirements": 12, "order_duration_years": 20, "takeaway_brief": "Baker Tilly continued displaying the Safe Harbor certification mark and claiming certification for over two years after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_bittorrent", "docket_number": "C-4464", "company_name": "BitTorrent, Inc.", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3020-bittorrent-inc-matter", "source_filename": "06.14, BitTorrent.json", "num_provisions": 6, "num_requirements": 11, "order_duration_years": 20, "takeaway_brief": "BitTorrent falsely claimed adherence to EU Safe Harbor principles for approximately five years after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_charles_river_laboratories_int_l.", "docket_number": "C-4465", "company_name": "Charles River Laboratories International, Inc.", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3022-charles-river-laboratories-intl-matter", "source_filename": "06.14, Charles River Laboratories, Int’l..json", "num_provisions": 6, "num_requirements": 14, "order_duration_years": 20, "takeaway_brief": "Charles River Laboratories claimed current Safe Harbor compliance for over two years after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_datamotion", "docket_number": "C-4466", "company_name": "DataMotion, Inc.", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "Safe Harbor Framework Participation Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3023-datamotion-inc-corporation-matter", "source_filename": "06.14, DataMotion.json", "num_provisions": 6, "num_requirements": 11, "order_duration_years": 20, "takeaway_brief": "DataMotion displayed the Safe Harbor certification mark and claimed active framework participation after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_ddc_laboratories_also_dba_dna_diagnostics_center", "docket_number": "C-4467", "company_name": "DDC Laboratories, Inc.", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Safe Harbor Framework Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3024-ddc-laboratories-inc-also-dba-dna-diagnostics-center-matter", "source_filename": "06.14, DDC Laboratories, also dba DNA Diagnostics Center.json", "num_provisions": 6, "num_requirements": 12, "order_duration_years": 20, "takeaway_brief": "DDC Laboratories, a DNA testing company, continued claiming Safe Harbor compliance for two years after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_fantage.com", "docket_number": "C-4469", "company_name": "Fantage.com, Inc.", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3026-fantagecom-inc-matter", "source_filename": "06.14, Fantage.com.json", "num_provisions": 6, "num_requirements": 12, "order_duration_years": 20, "takeaway_brief": "Fantage.com falsely claimed active Safe Harbor participation for approximately 19 months after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_level_3_communications", "docket_number": "C-4470", "company_name": "Level 3 Communications, LLC", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3028-level-3-communications-llc-matter", "source_filename": "06.14, Level 3 Communications.json", "num_provisions": 6, "num_requirements": 12, "order_duration_years": 20, "takeaway_brief": "Level 3 Communications falsely claimed active Safe Harbor certification for over a year after its certification lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Telecom" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_pdb_sports_ltd._dba_denver_broncos_football_club", "docket_number": "C-4468", "company_name": "PDB Sports, Ltd.", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claims" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3025-pdb-sports-ltd-dba-denver-broncos-football-club-matter", "source_filename": "06.14, PDB Sports, Ltd., dba Denver Broncos Football Club.json", "num_provisions": 6, "num_requirements": 10, "order_duration_years": 20, "takeaway_brief": "The Denver Broncos falsely claimed compliance with the EU Safe Harbor framework two years after its certification expired.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_receivable_management_services_corporation_the", "docket_number": "C-4472", "company_name": "The Receivable Management Services Corporation", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claims" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3031-receivable-management-services-corporation-matter", "source_filename": "06.14, Receivable Management Services Corporation, The.json", "num_provisions": 6, "num_requirements": 12, "order_duration_years": 20, "takeaway_brief": "A debt collection agency displayed a lapsed Safe Harbor certification mark for nearly four years after its certification expired.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_reynolds_consumer_products", "docket_number": "C-4471", "company_name": "Reynolds Consumer Products Inc.", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Certification Claims" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3030-reynolds-consumer-products-inc-matter", "source_filename": "06.14, Reynolds Consumer Products.json", "num_provisions": 6, "num_requirements": 12, "order_duration_years": 20, "takeaway_brief": "Reynolds Consumer Products continued claiming Safe Harbor compliance for years after its customer and HR data certifications both expired.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "06.14_tennessee_football", "docket_number": "C-4473", "company_name": "Tennessee Football, Inc.", "date_issued": "2014-06-15", "year": 2014, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Compliance Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3032-tennessee-football-inc-matter", "source_filename": "06.14, Tennessee Football.json", "num_provisions": 6, "num_requirements": 11, "order_duration_years": 20, "takeaway_brief": "Tennessee Titans ownership falsely claimed EU Safe Harbor compliance for more than four years after its certification expired.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "08.14_credit_karma", "docket_number": "C-4480", "company_name": "Credit Karma, Inc.", "date_issued": "2014-08-15", "year": 2014, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentation of Security Practices", "Misrepresentation of SSL Connection Security" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3091-credit-karma-inc", "source_filename": "08.14, Credit Karma.json", "num_provisions": 8, "num_requirements": 25, "order_duration_years": 20, "takeaway_brief": "Credit Karma's mobile app failed to validate SSL certificates, exposing users' Social Security numbers and credit data to interception on public Wi-Fi networks.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "08.14_fandango", "docket_number": "C-4481", "company_name": "Fandango, LLC", "date_issued": "2014-08-15", "year": 2014, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Security Representations" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3089-fandango-llc", "source_filename": "08.14, Fandango.json", "num_provisions": 8, "num_requirements": 27, "order_duration_years": 20, "takeaway_brief": "Fandango's iOS app disabled SSL certificate validation for four years, exposing customers' credit card and login credentials to interception despite security promises.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "08.14_gmr_transcription_services", "docket_number": "C-4482", "company_name": "GMR Transcription Services, Inc.", "date_issued": "2014-08-15", "year": 2014, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentation of Security Measures", "Failure to Oversee Service Providers", "Unfair Security Practices" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3095-gmr-transcription-services-inc-matter", "source_filename": "08.14, GMR Transcription Services.json", "num_provisions": 9, "num_requirements": 29, "order_duration_years": 20, "takeaway_brief": "GMR Transcription falsely claimed HIPAA-compliant security while medical transcription files were stored in plain text on a publicly accessible FTP server.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "09.14_tinyco", "docket_number": "3:14-cv-04164", "company_name": "TinyCo, Inc.", "date_issued": "2014-09-15", "year": 2014, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "COPPA Rule Violations - Failure to Provide Notice and Obtain Consent" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6502(c) and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3209-tinyco-inc", "source_filename": "09.14, TinyCo.json", "num_provisions": 8, "num_requirements": 19, "order_duration_years": null, "takeaway_brief": "TinyCo collected tens of thousands of email addresses from children through child-directed gaming apps without notifying parents or obtaining their consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 8 } }, { "id": "09.14_yelp", "docket_number": "3:14-CV-4163", "company_name": "Yelp Inc.", "date_issued": "2014-09-15", "year": 2014, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Failure to Provide Sufficient Notice on Website", "Failure to Provide Direct Notice to Parents", "Failure to Obtain Verifiable Parental Consent" ], "legal_authority": "Sections 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b), 56(a)(1), and 57b; Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c) and 6505(d); and the Commission's Children's Online Privacy Protection Rule, 16 C.F.R. Part 312", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3066-yelp-inc", "source_filename": "09.14, Yelp.json", "num_provisions": 8, "num_requirements": 20, "order_duration_years": 10, "takeaway_brief": "Yelp's app registration feature accepted sign-ups from children under 13 for four years and collected their personal data without parental notice or consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology", "Social Media" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 8 } }, { "id": "12.14_snapchat", "docket_number": "C-4501", "company_name": "Snapchat, Inc.", "date_issued": "2014-12-15", "year": 2014, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ], "violation_type": "deceptive", "complaint_counts": [ "False Claims About Disappearing Messages", "False Screenshot Notification Claims", "False Claims About Location Data Collection", "Deceptive Find Friends User Interface", "Deceptive Privacy Policy Regarding Find Friends", "False Security Claims and Failure to Secure Find Friends" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3078-snapchat-inc-matter", "source_filename": "12.14, Snapchat.json", "num_provisions": 8, "num_requirements": 28, "order_duration_years": 20, "takeaway_brief": "Snapchat falsely claimed messages disappeared permanently, that users received screenshot notifications, and that it did not collect location data, while also failing to secure user information.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Data Security" ], "industry_sectors": [ "Social Media", "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "02.15_paymentsmd", "docket_number": "C-4505", "company_name": "PaymentsMD, LLC", "date_issued": "2015-02-15", "year": 2015, "administration": "Obama", "categories": [ "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Omission - Failure to Disclose Third-Party Health Information Collection", "Deceptive Representation - Misrepresentation of Authorization Purpose" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3088-paymentsmd-llc-matter", "source_filename": "02.15, PaymentsMD.json", "num_provisions": 8, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "PaymentsMD secretly used consumers' registration for a free billing portal to collect comprehensive health information from pharmacies and health plans for a separate fee-based service.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "05.15_american_international_mailing", "docket_number": "C-4526", "company_name": "American International Mailing, Inc.", "date_issued": "2015-05-15", "year": 2015, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3051-american-international-mailing-inc-matter", "source_filename": "05.15, American International Mailing.json", "num_provisions": 6, "num_requirements": 12, "order_duration_years": 20, "takeaway_brief": "American International Mailing continued claiming active EU-U.S. Safe Harbor participation for five years after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "05.15_tes_franchising", "docket_number": "C-4525", "company_name": "TES Franchising, LLC", "date_issued": "2015-05-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claim", "Misrepresentation of Dispute Resolution Mechanism", "False TRUSTe Licensee Claim" ], "legal_authority": "Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Joshua D. Wright", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3015-tes-franchising-llc-matter", "source_filename": "05.15, TES Franchising.json", "num_provisions": 7, "num_requirements": 13, "order_duration_years": 20, "takeaway_brief": "TES Franchising falsely claimed active participation in U.S.-EU and U.S.-Swiss Safe Harbor Frameworks and the TRUSTe Privacy Program when none of those certifications were current.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "09.15_nomi_technologies", "docket_number": "C-4538", "company_name": "Nomi Technologies, Inc.", "date_issued": "2015-09-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Failure to Provide Opt-Out at Retail Locations", "Failure to Provide Notice at Retail Locations" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3251-nomi-technologies-inc-matter", "source_filename": "09.15, Nomi Technologies.json", "num_provisions": 6, "num_requirements": 13, "order_duration_years": 20, "takeaway_brief": "Nomi Technologies promised consumers opt-out rights at retail locations while never actually providing any in-store opt-out mechanism.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology", "Retail" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "09.15_tricolor_auto_acceptance", "docket_number": "3:15-cv-03002-G", "company_name": "Tricolor Auto Acceptance, LLC", "date_issued": "2015-09-15", "year": 2015, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "No Established Written Policies and Procedures", "No Reasonable Investigation of or Response to Direct Disputes" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); Furnisher Rule, 16 C.F.R. § 660, recodified at 12 C.F.R. § 1022, Subpart E", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3073-tricolor-auto-acceptance-llc", "source_filename": "09.15, Tricolor Auto Acceptance.json", "num_provisions": 9, "num_requirements": 21, "order_duration_years": 20, "takeaway_brief": "Tricolor Auto Acceptance furnished credit information to reporting agencies without any written accuracy policies and failed to investigate consumer disputes it received directly.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 9 } }, { "id": "10.15_contract_logix", "docket_number": "C-4541", "company_name": "Contract Logix, LLC", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentation of Safe Harbor Participation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3184-contract-logix-llc-matter", "source_filename": "10.15, Contract Logix.json", "num_provisions": 6, "num_requirements": 10, "order_duration_years": 20, "takeaway_brief": "Contract Logix continued displaying Safe Harbor participation claims on its website for nearly three years after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_dale_jarrett_racing_adventure", "docket_number": "C-4545", "company_name": "Dale Jarrett Racing Adventure, Inc.", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3190-dale-jarrett-racing-adventure-inc-matter", "source_filename": "10.15, Dale Jarrett Racing Adventure.json", "num_provisions": 6, "num_requirements": 11, "order_duration_years": 20, "takeaway_brief": "Dale Jarrett Racing Adventure falsely claimed Safe Harbor participation on its website when it was never a certified participant.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_forensics_consulting_solutions", "docket_number": "C-4551", "company_name": "Forensics Consulting Solutions, LLC", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claims" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3185-forensics-consulting-solutions-llc-matter", "source_filename": "10.15, Forensics Consulting Solutions.json", "num_provisions": 6, "num_requirements": 13, "order_duration_years": 20, "takeaway_brief": "Forensics Consulting Solutions continued claiming Safe Harbor compliance on its website for nearly three years after its certification lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_golf_connect", "docket_number": "C-4540", "company_name": "Golf Connect, LLC", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claims" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3141-golf-connect-llc-matter", "source_filename": "10.15, Golf Connect.json", "num_provisions": 6, "num_requirements": 14, "order_duration_years": 20, "takeaway_brief": "Golf Connect displayed inherited Safe Harbor participation claims on an acquired website after neither the predecessor nor the acquirer held a valid certification.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_inbox_group", "docket_number": "C-4546", "company_name": "Inbox Group, LLC", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Certification" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter", "source_filename": "10.15, Inbox Group.json", "num_provisions": 6, "num_requirements": 14, "order_duration_years": 20, "takeaway_brief": "Inbox Group falsely claimed on its website to be certified under the U.S.-EU Safe Harbor Framework when it had never participated.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_ioactive", "docket_number": "C-4542", "company_name": "IOActive, Inc.", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentations Regarding Safe Harbor Participation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3187-ioactive-inc-matter", "source_filename": "10.15, IOActive.json", "num_provisions": 6, "num_requirements": 11, "order_duration_years": 20, "takeaway_brief": "IOActive displayed Safe Harbor participation claims on its website for approximately three years after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_jhayrmaine_daniels", "docket_number": "C-4543", "company_name": "Jhayrmaine Daniels, d/b/a California Skate-Line", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3198-jhayrmaine-daniels-california-skate-line-matter", "source_filename": "10.15, Jhayrmaine Daniels.json", "num_provisions": 6, "num_requirements": 14, "order_duration_years": 20, "takeaway_brief": "California Skate-Line claimed to adhere to Safe Harbor Privacy Principles despite never having been a Safe Harbor participant.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_jubilant_clinsys", "docket_number": "C-4549", "company_name": "Jubilant Clinsys, Inc.", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claims" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3140-jubilant-clinsys-inc-matter", "source_filename": "10.15, Jubilant Clinsys.json", "num_provisions": 6, "num_requirements": 12, "order_duration_years": 20, "takeaway_brief": "Jubilant Clinsys continued claiming annual Safe Harbor self-certification and compliance on its website for over two years after its certification lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_just_bagels_manufacturing", "docket_number": "C-4547", "company_name": "Just Bagels Manufacturing, Inc.", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Compliance Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3199-just-bagels-manufacturing-inc-matter", "source_filename": "10.15, Just Bagels Manufacturing.json", "num_provisions": 6, "num_requirements": 14, "order_duration_years": 20, "takeaway_brief": "Just Bagels Manufacturing published Safe Harbor compliance claims on its website despite never having been a participant in either the U.S.-EU or U.S.-Swiss Safe Harbor Framework.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_naics_association", "docket_number": "C-4548", "company_name": "NAICS Association, LLC", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Safe Harbor Framework Participation Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3138-naics-association-llc-matter", "source_filename": "10.15, NAICS Association.json", "num_provisions": 6, "num_requirements": 12, "order_duration_years": 20, "takeaway_brief": "NAICS Association continued claiming Safe Harbor compliance on its website for over a year after its certification expired.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_one_industries", "docket_number": "C-4544", "company_name": "One Industries Corp.", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False U.S.-EU Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3201-one-industries-corp-matter", "source_filename": "10.15, One Industries.json", "num_provisions": 6, "num_requirements": 14, "order_duration_years": 20, "takeaway_brief": "One Industries, a motocross gear seller, falsely claimed to adhere to Safe Harbor Privacy Principles when it had never self-certified or participated.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_pinger", "docket_number": "C-4550", "company_name": "Pinger, Inc.", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3137-pinger-inc-matter", "source_filename": "10.15, Pinger.json", "num_provisions": 6, "num_requirements": 11, "order_duration_years": 20, "takeaway_brief": "Pinger continued claiming certified compliance with U.S.-EU and U.S.-Swiss Safe Harbor Frameworks on its website after allowing its annual certification to lapse.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.15_sprint_corporation", "docket_number": "2:15-cv-9340", "company_name": "Sprint Corporation", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "unfair", "complaint_counts": [ "Failure to Provide Required Risk-Based Pricing Notice" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 615 of the Fair Credit Reporting Act, 15 U.S.C. § 1681m; and the Risk-Based Pricing Rule, 12 C.F.R. § 1022.70 et seq.", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3094-sprint-corporation-sprint-asl-program-0", "source_filename": "10.15, Sprint Corporation.json", "num_provisions": 7, "num_requirements": 26, "order_duration_years": null, "takeaway_brief": "Sprint charged consumers higher fees based on their credit reports but failed to provide required risk-based pricing notices before they became contractually obligated.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Telecom" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 7 } }, { "id": "10.15_sterimed_medical_waste_solutions", "docket_number": "C-4552", "company_name": "SteriMed Medical Waste Solutions", "date_issued": "2015-10-15", "year": 2015, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "False U.S.-EU Safe Harbor Participation Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3193-sterimed-medical-waste-solutions-matter", "source_filename": "10.15, SteriMed Medical Waste Solutions.json", "num_provisions": 6, "num_requirements": 13, "order_duration_years": 20, "takeaway_brief": "SteriMed Medical Waste Solutions falsely claimed to be a registered Safe Harbor participant when it had never self-certified.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "12.15_lai_systems", "docket_number": "2:15-cv-9691", "company_name": "LAI Systems, LLC", "date_issued": "2015-12-15", "year": 2015, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Violations of the COPPA Rule — Failure to Provide Notice, Direct Notice to Parents, and Obtain Verifiable Parental Consent" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6502(c) and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3261-lai-systems-llc", "source_filename": "12.15, LAI Systems.json", "num_provisions": 7, "num_requirements": 23, "order_duration_years": null, "takeaway_brief": "LAI Systems allowed third-party ad networks to collect persistent identifiers from children through its kids' apps for targeted advertising without parental notice or consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 7 } }, { "id": "12.15_retro_dreamer", "docket_number": "5:15-cv-2569", "company_name": "Retro Dreamer", "date_issued": "2015-12-15", "year": 2015, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Violations of the COPPA Rule — Failure to Provide Notice, Direct Parental Notice, and Obtain Verifiable Parental Consent" ], "legal_authority": "Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6502(c) and 6505(d), and Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3262-retro-dreamer", "source_filename": "12.15, Retro Dreamer.json", "num_provisions": 7, "num_requirements": 23, "order_duration_years": null, "takeaway_brief": "Retro Dreamer knowingly allowed ad networks to collect children's personal data through its kids' apps for targeted advertising without parental consent, even after being put on notice.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 7 } }, { "id": "12.15_wyndham_worldwide_corporation", "docket_number": "C-13-1887 (also cited as 2:13-CV-01887-ES-JAD)", "company_name": "Wyndham Worldwide Corporation", "date_issued": "2015-12-15", "year": 2015, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Deceptive Data Security Misrepresentation", "Unfair Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), enforced through Section 13(b) of the FTC Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1023142-x120032-wyndham-worldwide-corporation", "source_filename": "12.15, Wyndham Worldwide Corporation.json", "num_provisions": 8, "num_requirements": 23, "order_duration_years": 20, "takeaway_brief": "Wyndham Worldwide's inadequate network security led to three separate data breaches compromising over 619,000 payment card numbers across its hotel properties.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "01.16_craig_brittain", "docket_number": "C-4564", "company_name": "Craig Brittain", "date_issued": "2016-01-15", "year": 2016, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Unfair Practices — Posting Photographs and Personal Information Without Consent", "False Claims — Solicitation of Photographs Under False Pretenses" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3120-craig-brittain-matter", "source_filename": "01.16, Craig Brittain.json", "num_provisions": 8, "num_requirements": 20, "order_duration_years": 20, "takeaway_brief": "Craig Brittain operated a 'revenge porn' site, posting intimate photos of over 1,000 individuals without consent and running a sham removal service that charged victims to take down their own images.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "03.16_oracle_corporation", "docket_number": "C-4571", "company_name": "Oracle Corporation", "date_issued": "2016-03-15", "year": 2016, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Failure to Disclose That Java SE Updates Left Older Insecure Versions Installed" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Julie Brill", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3115-c4571-oracle-corporation-matter", "source_filename": "03.16, Oracle Corporation.json", "num_provisions": 8, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "Oracle told consumers that updating Java SE would give them 'the latest security improvements,' while the update process left older, vulnerable versions of Java installed on their computers.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "03.16_sitesearch_corporation_doing_business_as_leaplab", "docket_number": "CV-14-02750-PHX-NVW", "company_name": "Sitesearch Corporation", "date_issued": "2016-03-15", "year": 2016, "administration": "Obama", "categories": [ "Other" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Sale of Sensitive Consumer Financial Information to Non-Lenders" ], "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b) and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3192-x150060-sitesearch-corporation-doing-business-leaplab", "source_filename": "03.16, Sitesearch Corporation, Doing Business As LeapLab.json", "num_provisions": 10, "num_requirements": 33, "order_duration_years": 20, "takeaway_brief": "LeapLab collected consumers' sensitive payday loan applications and sold them to telemarketers and fraudulent merchants who used the data to make unauthorized bank account debits.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "05.16_credit_protection_association", "docket_number": "3:16-cv-01255-D", "company_name": "Credit Protection Association, LP", "date_issued": "2016-05-15", "year": 2016, "administration": "Obama", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Lack of Reasonable Written Policies and Procedures", "Failure to Report Results of Investigation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a); and the Duties of Furnishers of Information to Consumer Reporting Agencies (Furnisher Rule), 16 C.F.R. § 660 / 12 C.F.R. § 1022, Subpart E", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3142-credit-protection-association", "source_filename": "05.16, Credit Protection Association.json", "num_provisions": 8, "num_requirements": 29, "order_duration_years": 20, "takeaway_brief": "Credit Protection Association furnished consumer data to credit bureaus without the required written accuracy and integrity policies, and failed to complete dispute investigations on time.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 8 } }, { "id": "05.16_henry_schein_practice_solutions", "docket_number": "C-4575", "company_name": "Henry Schein Practice Solutions, Inc.", "date_issued": "2016-05-15", "year": 2016, "administration": "Obama", "categories": [ "Health Data", "AI / Algorithmic / Facial Recognition" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Claims of Encryption – Industry-Standard", "Deceptive Claims of Encryption – Regulatory Obligations" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3161-c4575-henry-schein-practice-solutions-inc-matter", "source_filename": "05.16, Henry Schein Practice Solutions.json", "num_provisions": 10, "num_requirements": 26, "order_duration_years": 20, "takeaway_brief": "Henry Schein falsely marketed its dental software as providing industry-standard encryption for patient data when it actually used a weaker, proprietary algorithm.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Monetary Penalty", "Consumer Redress", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "06.16_inmobi_pte", "docket_number": "3:16-cv-3474", "company_name": "InMobi Pte Ltd.", "date_issued": "2016-06-15", "year": 2016, "administration": "Obama", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Location Tracking Without API Permission", "Location Tracking Without Opt-In Consent", "Collection of Children'sPersonal Information", "COPPA Rule Violations" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c) and 6505(d); Children's Online Privacy Protection Rule, 16 C.F.R. Part 312", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3203-inmobi-pte-ltd", "source_filename": "06.16, InMobi Pte.json", "num_provisions": 14, "num_requirements": 38, "order_duration_years": 20, "takeaway_brief": "InMobi secretly tracked users' locations without permission and collected personal data from children across thousands of apps without parental consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Order Administration", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 14 } }, { "id": "07.16_asustek_computer", "docket_number": "C-4587", "company_name": "ASUSTeK Computer, Inc.", "date_issued": "2016-07-15", "year": 2016, "administration": "Obama", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Router Security Misrepresentations", "AiCloud Security Misrepresentations", "AiDisk Security Misrepresentations", "Firmware Upgrade Tool Misrepresentations", "Unfair Security Practices" ], "legal_authority": "Section 5 of the Federal Trade Commission Act", "commissioners": [ "Edith Ramirez, Chairwoman", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3156-asustek-computer-inc-matter", "source_filename": "07.16, ASUSTeK Computer.json", "num_provisions": 9, "num_requirements": 38, "order_duration_years": 20, "takeaway_brief": "ASUS marketed its routers as secure while leaving them vulnerable to authentication bypass attacks and exposing users' USB storage to public internet access by default.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Consumer Notification", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "08.16_practice_fusion", "docket_number": "C-4591", "company_name": "Practice Fusion, Inc.", "date_issued": "2016-08-15", "year": 2016, "administration": "Obama", "categories": [ "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Failure to Disclose Public Posting of Survey Responses" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45 et seq.", "commissioners": [ "Edith Ramirez, Chairwoman", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3039-practice-fusion-inc-matter", "source_filename": "08.16, Practice Fusion.json", "num_provisions": 8, "num_requirements": 25, "order_duration_years": 20, "takeaway_brief": "Practice Fusion sent patient satisfaction surveys implying responses would go privately to doctors, while actually posting them publicly on a physician rating website.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "08.16_very_incognito_technologies", "docket_number": "C-4580", "company_name": "Very Incognito Technologies, Inc.", "date_issued": "2016-08-15", "year": 2016, "administration": "Obama", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False APEC CBPR Certification Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Edith Ramirez, Chairwoman", "Maureen K. Ohlhausen", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3034-very-incognito-technologies-matter", "source_filename": "08.16, Very Incognito Technologies.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "Vipvape falsely claimed in its privacy policy to participate in the APEC Cross-Border Privacy Rules system without ever obtaining the required certification.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "09.16_labmd", "docket_number": "No. 9357", "company_name": "LabMD, Inc.", "date_issued": "2016-09-15", "year": 2016, "administration": "Obama", "categories": [ "Data Security" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices — Section 5 of the FTC Act" ], "legal_authority": "", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3099-labmd-inc-matter", "source_filename": "09.16, LabMD.json", "num_provisions": 1, "num_requirements": 2, "order_duration_years": null, "takeaway_brief": "LabMD allegedly failed to implement reasonable data security practices, resulting in sensitive patient information becoming accessible on a public peer-to-peer file-sharing network.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 1 } }, { "id": "02.17_vizio_inc._and_vizio_inscape_services", "docket_number": "Case 2:17-cv-00758", "company_name": "VIZIO, Inc.", "date_issued": "2017-02-15", "year": 2017, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ], "violation_type": "both", "complaint_counts": [ "Unfair Tracking Without Consumer Consent", "Deceptive Omission Regarding Smart Interactivity", "Deceptive Representation Regarding Smart Interactivity" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3024-vizio-inc-vizio-inscape-services-llc", "source_filename": "02.17, VIZIO, INC. and VIZIO Inscape Services.json", "num_provisions": 12, "num_requirements": 45, "order_duration_years": 20, "takeaway_brief": "VIZIO covertly collected second-by-second television viewing data from millions of consumers by default and sold it to third parties while describing the feature only as providing 'program offers and suggestions.'", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Third-Party Assessment", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 12 } }, { "id": "03.17_upromise", "docket_number": "C-4351", "company_name": "Upromise, Inc.", "date_issued": "2017-03-15", "year": 2017, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Failure to Clearly and Prominently Disclose Targeting Tool Data Collection and Use", "Failure to Obtain Compliant Third-Party Assessments Covering the RewardU Targeting Tool" ], "legal_authority": "Section 5(l) and Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(l) and 56(a)(1)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/102-3116-c-4351-upromise-inc", "source_filename": "03.17, Upromise.json", "num_provisions": 22, "num_requirements": 58, "order_duration_years": 20, "takeaway_brief": "Upromise violated a prior FTC order by burying required data collection disclosures in tiny gray text and obtaining sham compliance assessments that did not actually evaluate its RewardU toolbar.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology", "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Third-Party Assessment", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping", "Consumer Notification", "Comprehensive Security Program" ], "provision_counts_by_topic": { "Section 5 Only": 22 } }, { "id": "04.17_turn", "docket_number": "C-4612", "company_name": "Turn Inc.", "date_issued": "2017-04-15", "year": 2017, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentations about Deleting Cookies", "Misrepresentations About Effectiveness of Opt-Out Mechanism" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Maureen K. Ohlhausen, Acting Chairman", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3099-turn-inc-matter", "source_filename": "04.17, Turn.json", "num_provisions": 8, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "Turn Inc. falsely told consumers that deleting cookies would stop its tracking, while secretly using unkillable Verizon tracking headers to continue surveillance.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "09.17_ashley_madison", "docket_number": "Case 1:16-cv-02438", "company_name": "Ruby Corp.", "date_issued": "2017-09-15", "year": 2017, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Misrepresentations Regarding Network Security", "Misrepresentations Regarding User Profiles", "Misrepresentations Regarding the Terms and Conditions for Deleting Profiles", "Misrepresentations Regarding Data Security Seal", "Unfair Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3284-ashley-madison", "source_filename": "09.17, Ashley Madison.json", "num_provisions": 11, "num_requirements": 48, "order_duration_years": 20, "takeaway_brief": "Ashley Madison used fake female profiles to lure users into paid memberships, falsely advertised a nonexistent security award, and charged for a deletion service that did not work.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security", "Deceptive Design / Dark Patterns" ], "industry_sectors": [ "Technology", "Social Media" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 11 } }, { "id": "11.17_decusoft", "docket_number": "C-4630", "company_name": "Decusoft, LLC", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Privacy Shield Certification Claim" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Maureen K. Ohlhausen, Acting Chairman", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3173-decusoft-llc-matter", "source_filename": "11.17, Decusoft.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "Decusoft falsely claimed on its website to be certified under both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks when it had never completed the certification process.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "11.17_md7", "docket_number": "C-4629", "company_name": "Md7, LLC", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Claim of EU-U.S. Privacy Shield Participation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Maureen K. Ohlhausen, Acting Chairman", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3172-md7-llc-matter", "source_filename": "11.17, Md7.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "Md7 falsely claimed in its privacy policy to be certified under the EU-U.S. Privacy Shield Framework when it had only begun but never completed the application.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Telecom" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "11.17_taxslayer", "docket_number": "C-4626", "company_name": "TaxSlayer, LLC", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Violations of the Privacy Rule and Reg. P", "Violations of the Safeguards Rule" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule, 16 C.F.R. Part 313; the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "commissioners": [ "Maureen K. Ohlhausen, Acting Chairman", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3063-taxslayer-matter", "source_filename": "11.17, TaxSlayer.json", "num_provisions": 7, "num_requirements": 31, "order_duration_years": 20, "takeaway_brief": "TaxSlayer, a tax preparation service handling highly sensitive financial data, lacked a written security program, performed no risk assessments, and buried its privacy notice in a license agreement.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security", "Privacy" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "GLBA": 7 } }, { "id": "11.17_tru_communication", "docket_number": "C-4628", "company_name": "Tru Communication, Inc.", "date_issued": "2017-11-15", "year": 2017, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "False Representation of EU-U.S. Privacy Shield Participation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Maureen K. Ohlhausen, Acting Chairman", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3171-tru-communication-inc-matter", "source_filename": "11.17, Tru Communication.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "Tru Communication falsely claimed its website would remain compliant with the EU-U.S. Privacy Shield Framework when it had never completed the certification process.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.18_jerk_dba_jerk.com", "docket_number": "9361", "company_name": "Jerk, LLC", "date_issued": "2018-01-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentation of Content Source", "Misrepresentation of Membership Benefits" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Maureen K. Ohlhausen, Acting Chairman", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3141-jerk-llc-dba-jerkcom-matter", "source_filename": "01.18, Jerk, dba Jerk.com.json", "num_provisions": 2, "num_requirements": 4, "order_duration_years": 5, "takeaway_brief": "Jerk.com misrepresented that profile content was created by users and that paid memberships would provide meaningful dispute rights.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Deceptive Design / Dark Patterns" ], "industry_sectors": [ "Social Media" ], "remedy_types": [ "Compliance Monitoring", "Other" ], "provision_counts_by_topic": { "Section 5 Only": 2 } }, { "id": "01.18_lenovo", "docket_number": "C-4636", "company_name": "Lenovo (United States) Inc.", "date_issued": "2018-01-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Failure to Disclose", "Unfair Preinstallation of Man-in-the-Middle Software", "Unfair Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Maureen K. Ohlhausen, Acting Chairman", "Terrell McSweeny" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3134-lenovo-inc", "source_filename": "01.18, Lenovo.json", "num_provisions": 9, "num_requirements": 32, "order_duration_years": 20, "takeaway_brief": "Lenovo preinstalled man-in-the-middle adware on consumer laptops that intercepted encrypted web traffic and created serious security vulnerabilities without adequate disclosure.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security", "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "01.18_vtech_electronics_limited", "docket_number": "1:18-cv-00114", "company_name": "VTech Electronics Limited and VTech Electronics North America, LLC", "date_issued": "2018-01-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "COPPA Rule Violations (Kid Connect)", "False Encryption Representation (FTC Act Section 5)" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act (15 U.S.C. § 45(a)); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act (15 U.S.C. §§ 6502(c) and 6505(d)); Children's Online Privacy Protection Rule (16 C.F.R. Part 312)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3032-vtech-electronics-limited", "source_filename": "01.18, VTech Electronics Limited.json", "num_provisions": 11, "num_requirements": 36, "order_duration_years": 20, "takeaway_brief": "VTech collected children's personal data through its online services without parental consent, maintained inadequate security, and falsely claimed personal information was encrypted during transmission.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy", "Data Security" ], "industry_sectors": [ "Technology", "Education" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Comprehensive Security Program", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 11 } }, { "id": "02.18_prime_sites", "docket_number": "2:18-cv-199", "company_name": "Prime Sites, Inc.", "date_issued": "2018-02-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ], "violation_type": "deceptive", "complaint_counts": [ "COPPA Rule Violations — Failure to Provide Notice, Direct Notice to Parents, and Obtain Verifiable Parental Consent", "False Representation of Not Collecting Children's Personal Information", "False Representations Regarding Casting Opportunities to Sell Pro Memberships" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c) and 6505(d); and the Children's Online Privacy Protection Rule, 16 C.F.R. Part 312", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3218-prime-sites-inc-explore-talent", "source_filename": "02.18, Prime Sites.json", "num_provisions": 8, "num_requirements": 36, "order_duration_years": 20, "takeaway_brief": "Explore Talent collected personal information from over 100,000 children without parental consent and used false promises of casting opportunities to sell paid memberships.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 8 } }, { "id": "02.18_sears_holdings_management_corporation", "docket_number": "C-4264", "company_name": "Sears Holdings Management Corporation", "date_issued": "2018-02-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Failure to Disclose Scope of Tracking Software" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Jon Leibowitz, Chairman", "Pamela Jones Harbour", "William E. Kovacic", "J. Thomas Rosch" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/082-3099-c-4264-sears-holdings-management-corporation-corporation-matter", "source_filename": "02.18, Sears Holdings Management Corporation.json", "num_provisions": 2, "num_requirements": 2, "order_duration_years": null, "takeaway_brief": "Sears secretly installed software on consumers' computers that tracked nearly all internet activity — including financial and health data from secure sessions — while describing it as simple 'online browsing' research.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Surveillance" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 2 } }, { "id": "05.18_paypal", "docket_number": "C-4651", "company_name": "PayPal, Inc.", "date_issued": "2018-05-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Fund Transfer Representations", "Deceptive Default Audience Privacy Setting", "Deceptive Individual Audience Privacy Setting", "False Bank-Grade Security Claim", "Violation of Privacy Rule and Reg. P", "Violation of the Safeguards Rule" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Privacy of Consumer Financial Information Rule (Reg. P), 16 C.F.R. Part 313; and the Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314", "commissioners": [ "Joseph J. Simons, Chairman", "Maureen K. Ohlhausen", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3102-paypal-inc-matter", "source_filename": "05.18, PayPal.json", "num_provisions": 10, "num_requirements": 30, "order_duration_years": 20, "takeaway_brief": "Venmo misled consumers about fund availability, privacy settings that did not work as described, and its bank-grade security claim while also violating Gramm-Leach-Bliley rules.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Privacy", "Data Security", "Financial Practices" ], "industry_sectors": [ "Financial Services", "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "GLBA": 10 } }, { "id": "09.18_apartment_hunters_et_al.", "docket_number": "8:18-CV-01636", "company_name": "Apartment Hunters, Inc.", "date_issued": "2018-09-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "False or Misleading Representations About Listing Accuracy and Availability", "False or Misleading Representations About Speed of Finding Housing", "False or Misleading Representations About Exclusive Listings Not Found on Free Websites" ], "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the FTC Act, 15 U.S.C. § 45(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3007-apartment-hunters-inc-et-al-wetakesection8com", "source_filename": "09.18, Apartment Hunters et al..json", "num_provisions": 8, "num_requirements": 23, "order_duration_years": 20, "takeaway_brief": "Apartment Hunters charged fees for access to rental listings that were mostly inaccurate, unavailable, or identical to what was available for free online.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Other" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "09.18_blu_products_and_samuel_ohev-zion", "docket_number": "C-4657", "company_name": "BLU PRODUCTS, INC.", "date_issued": "2018-09-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ], "violation_type": "both", "complaint_counts": [ "Deceptive Representation Regarding Disclosure of Personal Information", "Deceptive Representation Regarding Data Security Practices" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Maureen K. Ohlhausen", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3025-blu-products-samuel-ohev-zion-matter", "source_filename": "09.18, BLU Products and Samuel Ohev-Zion.json", "num_provisions": 9, "num_requirements": 41, "order_duration_years": 20, "takeaway_brief": "BLU Products sold smartphones with preinstalled software that secretly transmitted users' text messages, location data, and contact lists to servers in China.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "09.18_integrated_flight_solutions", "docket_number": "3:18-cv-1658", "company_name": "Integrated Flight Solutions LLC", "date_issued": "2018-09-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Health Data" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Acts or Practices — Sale of Fake Documents Facilitating Fraud" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3151-integrated-flight-solutions-et-al", "source_filename": "09.18, Integrated Flight Solutions.json", "num_provisions": 9, "num_requirements": 31, "order_duration_years": 20, "takeaway_brief": "NoveltyExcuses.com sold fake financial documents—including pay stubs and insurance cards—designed to look authentic enough to deceive lenders and landlords.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Other" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "09.18_katrina_moore", "docket_number": "5:18-cv-01960", "company_name": "Innovative Paycheck Solutions", "date_issued": "2018-09-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Other" ], "violation_type": "both", "complaint_counts": [ "Unfair Acts or Practices — Sale of Fake Financial Documents" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3111-katrina-moore", "source_filename": "09.18, Katrina Moore.json", "num_provisions": 9, "num_requirements": 28, "order_duration_years": 20, "takeaway_brief": "Innovative Paycheck Solutions sold fake pay stubs and bank statements marketed as authentic-looking documents for use in deceiving lenders and landlords.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Other" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "10.18_idmission", "docket_number": "C-4665", "company_name": "IDmission LLC", "date_issued": "2018-10-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3150-idmission-llc-matter", "source_filename": "10.18, IDmission.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "IDmission publicly claimed Privacy Shield certification on its website despite never completing the required certification steps.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "10.18_realpage", "docket_number": "3:18-cv-02737-N", "company_name": "RealPage, Inc.", "date_issued": "2018-10-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "unfair", "complaint_counts": [ "Failure to Follow Reasonable Procedures to Assure Maximum Possible Accuracy — Violation of FCRA Section 607(b)" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 56(a)(1); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3059-realpage-inc", "source_filename": "10.18, RealPage.json", "num_provisions": 8, "num_requirements": 23, "order_duration_years": null, "takeaway_brief": "RealPage used overly broad, inaccurate criminal record matching in tenant screening reports, causing wrong individuals' records to appear in consumer files.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 8 } }, { "id": "10.18_uber_technologies", "docket_number": "C-4662", "company_name": "Uber Technologies, Inc.", "date_issued": "2018-10-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ], "violation_type": "deceptive", "complaint_counts": [ "False Claim of Ongoing Data Access Monitoring", "False Claim of Reasonable Data Security Practices" ], "legal_authority": "Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3054-c-4662-uber-technologies-inc-matter", "source_filename": "10.18, Uber Technologies.json", "num_provisions": 9, "num_requirements": 38, "order_duration_years": 20, "takeaway_brief": "Uber falsely claimed to rigorously monitor employee access to rider and driver data and to use industry-standard security, when its actual practices fell far short.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security", "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "11.18_mresource", "docket_number": "C-4663", "company_name": "mResource LLC", "date_issued": "2018-11-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Participation Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3143-mresource-llc-loop-works-llc-matter", "source_filename": "11.18, mResource.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "mResource continued claiming current Privacy Shield participation on its website after its certification expired without renewal.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "11.18_readytech_corporation", "docket_number": "C-4659", "company_name": "ReadyTech Corporation", "date_issued": "2018-11-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3100-readytech-corporation-matter", "source_filename": "11.18, ReadyTech Corporation.json", "num_provisions": 6, "num_requirements": 19, "order_duration_years": 20, "takeaway_brief": "ReadyTech falsely claimed on its website to be actively certifying Privacy Shield compliance and committed to related dispute resolution, when it never completed certification.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Education" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "11.18_smartstart_employment_screening", "docket_number": "C-4666", "company_name": "SmartStart Employment Screening, Inc.", "date_issued": "2018-11-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Participation Misrepresentation", "Misrepresentation Regarding Continuing Privacy Shield Obligations" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3154-smartstart-employment-screening-inc-matter", "source_filename": "11.18, SmartStart Employment Screening.json", "num_provisions": 7, "num_requirements": 19, "order_duration_years": 20, "takeaway_brief": "SmartStart claimed current Privacy Shield participation for nearly a year after its certification lapsed and never affirmed it would continue protecting EU personal data after withdrawal.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "11.18_venpath", "docket_number": "C-4664", "company_name": "VenPath, Inc.", "date_issued": "2018-11-15", "year": 2018, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Participation Misrepresentation", "Misrepresentation Regarding Continuing Obligations" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3144-venpath-inc-matter", "source_filename": "11.18, VenPath.json", "num_provisions": 7, "num_requirements": 20, "order_duration_years": 20, "takeaway_brief": "VenPath continued claiming active Privacy Shield participation after its certification expired and failed to affirm it would continue protecting EU consumer data.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "02.19_musical.ly", "docket_number": "2:19-cv-1439", "company_name": "Musical.ly", "date_issued": "2019-02-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Notice of Information Practices", "Failure to Provide Direct Notice to Parents", "Failure to Obtain Verifiable Parental Consent", "Failure to Delete Children's Personal Information Upon Parental Request", "Unlawful Retention of Children's Personal Information" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a), and Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c) and 6505(d)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3004-musically-inc", "source_filename": "02.19, Musical.ly.json", "num_provisions": 10, "num_requirements": 33, "order_duration_years": null, "takeaway_brief": "Musical.ly knowingly collected personal data from millions of children under 13 without parental notice or consent and failed to delete children's data when parents requested it.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Social Media" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Consumer Redress", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 10 } }, { "id": "04.19_unixiz_doing_business_as_i-dressup.com", "docket_number": "5:19-cv-2222", "company_name": "UNIXIZ, Inc.", "date_issued": "2019-04-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "COPPA Rule Violations — Collection, Use, and Disclosure of Children's Personal Information" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c) and 6505(d)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3002-unixiz-inc-doing-business-i-dressupcom", "source_filename": "04.19, Unixiz doing business as i-Dressup.com.json", "num_provisions": 12, "num_requirements": 46, "order_duration_years": null, "takeaway_brief": "UNIXIZ collected personal information from over 245,000 children on its gaming site without verifiable parental consent and with grossly inadequate data security.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy", "Data Security" ], "industry_sectors": [ "Technology", "Social Media" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 12 } }, { "id": "07.19_d-link", "docket_number": "3:17-CV-00039-JD", "company_name": "D-Link Systems, Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "Data Security" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Security Practices", "Security Event Response Policy Misrepresentation", "Router Promotional Misrepresentations", "IP Camera Promotional Misrepresentations", "Router GUI Misrepresentations", "IP Camera GUI Misrepresentations" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3157-x170030-d-link", "source_filename": "07.19, D-Link.json", "num_provisions": 10, "num_requirements": 38, "order_duration_years": 20, "takeaway_brief": "D-Link marketed routers and IP cameras as secure while leaving them vulnerable to hard-coded credentials, command injection flaws, and backdoors.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Prohibition", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "07.19_equifax", "docket_number": "1:19-cv-03297-TWT", "company_name": "Equifax Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley", "AI / Algorithmic / Facial Recognition", "Telemarketing / Do-Not-Call" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Acts or Practices Regarding Data Security", "Deceptive Acts or Practices Regarding Data Security to Consumers", "Deceptive Acts or Practices Regarding Data Security to Small Businesses", "Violations of the GLB Act Safeguards Rule" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Standards for Safeguarding Customer Information Rule (Safeguards Rule), 16 C.F.R. Part 314, issued pursuant to Sections 501-504 of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6804", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc", "source_filename": "07.19, Equifax.json", "num_provisions": 22, "num_requirements": 83, "order_duration_years": 20, "takeaway_brief": "Equifax's failure to patch a known security vulnerability for over four months led to a breach exposing the personal information of approximately 147 million consumers.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Consumer Notification", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "GLBA": 22 } }, { "id": "07.19_facebook", "docket_number": "19-cv-2184", "company_name": "Facebook, Inc.", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Settings Misrepresentation (Dec 2012 - Apr 2014)", "F8 Announcement and Privacy Settings Misrepresentation (Apr 2014 - Apr 2015)", "Whitelisted Developers Access (Apr 2015 - Jun 2018)", "Failure to Implement Reasonable Privacy Program", "Facial Recognition Opt-In Misrepresentation", "Deceptive Use of Phone Numbers for Advertising" ], "legal_authority": "Sections 5(a), 5(l), 13(b), and 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 45(l), 53(b), and 56(a)(1)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/092-3184-182-3109-c-4365-facebook-inc-matter", "source_filename": "07.19, Facebook.json", "num_provisions": 16, "num_requirements": 80, "order_duration_years": 20, "statutory_topics": [], "practice_areas": [], "industry_sectors": [], "remedy_types": [], "provision_counts_by_topic": {} }, { "id": "07.19_james_v._grago_jr._doing_business_as_clixsense.com", "docket_number": "C-4678", "company_name": "James V. Grago, Jr., individually and d/b/a ClixSense.com", "date_issued": "2019-07-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Deception: Misrepresentation about Encryption", "Deception: Misrepresentation about Latest Security Techniques", "Unfairness: Failure to Employ Reasonable Security Practices" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3003-james-v-grago-jr-doing-business-clixsensecom-matter", "source_filename": "07.19, James V. Grago, Jr. doing business as ClixSense.com.json", "num_provisions": 10, "num_requirements": 38, "order_duration_years": 20, "takeaway_brief": "ClixSense.com claimed to use encryption and the latest security techniques while storing 6.6 million users' data entirely in clear text with no encryption.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "08.19_securtest", "docket_number": "C-4685", "company_name": "SecurTest, Inc.", "date_issued": "2019-08-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3152-securtest-inc-matter", "source_filename": "08.19, SecurTest.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "SecurTest falsely claimed Privacy Shield certification on its website after failing to complete the required certification steps.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "09.19_google_llc_and_youtube", "docket_number": "1:19-cv-02642", "company_name": "Google LLC and YouTube, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Violations of the Children's Online Privacy Protection Rule" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)(1), and Sections 1303(c), 1305(a)(1), and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c), 6504(a)(1), and 6505(d)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3083-google-llc-youtube-llc", "source_filename": "09.19, Google LLC and YouTube.json", "num_provisions": 10, "num_requirements": 34, "order_duration_years": null, "takeaway_brief": "Google and YouTube collected persistent identifiers from child viewers of child-directed YouTube channels to serve behavioral advertising without parental notice or consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology", "Social Media" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 10 } }, { "id": "09.19_lightyear_dealer_technologies", "docket_number": "C-4687", "company_name": "LightYear Dealer Technologies, LLC", "date_issued": "2019-09-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices", "Violation of the GLB Safeguards Rule" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1), and the Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3051-lightyear-dealer-technologies-llc-matter", "source_filename": "09.19, LightYear Dealer Technologies.json", "num_provisions": 11, "num_requirements": 39, "order_duration_years": 20, "takeaway_brief": "DealerBuilt stored the personal information of over 14 million consumers and 39,000 employees in clear text without access controls or a written security program.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Prohibition", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "GLBA": 11 } }, { "id": "10.19_lifelock", "docket_number": "CV-10-00530-PHX-JJT", "company_name": "LifeLock, Inc.", "date_issued": "2019-10-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "False Claims of Complete Identity Theft Protection", "False Claims of Address Change Protection", "False Claims of Ongoing Credit Monitoring", "False Claims of Guaranteed Creditor Phone Call Before New Accounts", "False Claims of Reasonable Data Security Practices", "False Claims of Encrypting Customer Data", "False Claims of Need-to-Know Access Controls" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/072-3069-x100023-lifelock-inc-corporation", "source_filename": "10.19, LifeLock.json", "num_provisions": 10, "num_requirements": 35, "order_duration_years": null, "takeaway_brief": "LifeLock falsely marketed its identity theft protection service as comprehensive and complete when it actually covered only a narrow subset of identity theft scenarios.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security", "Privacy" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "12.19_aleksandr_kogan_and_alexander_nix", "docket_number": "C-4693, C-4694", "company_name": "Cambridge Analytica, LLC", "date_issued": "2019-12-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Claim Concerning the Collection of Personally Identifiable Information" ], "legal_authority": "Section 5 of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter", "source_filename": "12.19, Aleksandr Kogan and Alexander Nix.json", "num_provisions": 7, "num_requirements": 24, "order_duration_years": 20, "takeaway_brief": "Aleksandr Kogan and Alexander Nix built a Facebook app that falsely promised not to collect users' identifiable information while harvesting data from millions of users and their friends.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "12.19_cambridge_analytica", "docket_number": "D09383", "company_name": "Cambridge Analytica, LLC", "date_issued": "2019-12-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [], "legal_authority": "", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3107-cambridge-analytica-llc-matter", "source_filename": "12.19, Cambridge Analytica.json", "num_provisions": 7, "num_requirements": 15, "order_duration_years": 20, "takeaway_brief": "Cambridge Analytica misrepresented its data practices and privacy program participation in connection with harvesting personal data from millions of consumers.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Algorithmic Destruction", "Compliance Monitoring", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "12.19_unrollme", "docket_number": "C-4692", "company_name": "Unrollme Inc.", "date_issued": "2019-12-15", "year": 2019, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ], "violation_type": "deceptive", "complaint_counts": [ "False Representation That Personal Emails Would Not Be Touched", "Failure to Disclose E-Receipt Data Collection While Claiming Inbox Access Was Only for Subscription Scanning" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3139-unrollme-inc-matter", "source_filename": "12.19, Unrollme.json", "num_provisions": 8, "num_requirements": 20, "order_duration_years": 20, "takeaway_brief": "Unrollme assured users it would never 'touch' their personal emails while secretly giving its parent company access to those inboxes to harvest and sell e-receipt data.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "01.20_click_labs", "docket_number": "C-4705", "company_name": "Click Labs, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3090-click-labs-inc-matter", "source_filename": "01.20, Click Labs.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "Click Labs falsely claimed Privacy Shield certification on its website after never completing the certification process.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.20_dcr_workforce", "docket_number": "C-4698", "company_name": "DCR Workforce, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3188-dcr-workforce-inc-matter", "source_filename": "01.20, DCR Workforce.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "DCR Workforce continued claiming active Privacy Shield compliance on its website after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.20_global_data_vault", "docket_number": "C-4706", "company_name": "Global Data Vault, LLC", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Participation Misrepresentation", "Misrepresentation Regarding Verification", "Misrepresentation Regarding Continuing Obligations" ], "legal_authority": "Section 5 of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3093-global-data-vault-llc-matter", "source_filename": "01.20, Global Data Vault.json", "num_provisions": 7, "num_requirements": 21, "order_duration_years": 20, "takeaway_brief": "Global Data Vault continued claiming active Privacy Shield participation after its certification expired and also failed to obtain required annual verification while certified.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "01.20_incentive_services", "docket_number": "C-4703", "company_name": "Incentive Services, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3078-incentive-services-inc-matter", "source_filename": "01.20, Incentive Services.json", "num_provisions": 6, "num_requirements": 19, "order_duration_years": 20, "takeaway_brief": "Incentive Services claimed Privacy Shield compliance on its website despite never completing the certification process for either framework.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.20_infotrax_systems_l.c.", "docket_number": "C-4696", "company_name": "InfoTrax Systems, L.C.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Unfairness: Failure to Employ Reasonable Data Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3130-infotrax-systems-lc", "source_filename": "01.20, InfoTrax Systems, L.C..json", "num_provisions": 10, "num_requirements": 43, "order_duration_years": 20, "takeaway_brief": "InfoTrax Systems failed to implement basic data security measures for sensitive consumer financial information, allowing a hacker to access its servers seventeen times undetected over nearly two years.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "01.20_lotadata", "docket_number": "C-4700", "company_name": "LotaData, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3194-lotadata-inc-matter", "source_filename": "01.20, LotaData.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "LotaData falsely claimed Privacy Shield certification on its website despite never completing the required certification steps.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.20_medable", "docket_number": "C-4697", "company_name": "Medable, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3192-medable-inc-matter", "source_filename": "01.20, Medable.json", "num_provisions": 6, "num_requirements": 17, "order_duration_years": 20, "takeaway_brief": "Medable falsely claimed to be EU/US Privacy Shield certified on its website after never completing the certification process.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.20_mortgage_solutions_fcs", "docket_number": "4:20-cv-00110", "company_name": "Mortgage Solutions FCS, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Clear, Conspicuous, and Accurate Privacy Notices", "Impermissible Disclosure of Nonpublic Personal Information", "Impermissible Use of Consumer Reports", "Failure to Develop and Implement an Information Security Program", "Inadequacy of Information Security Program", "Section 5 Deception — False Privacy Representation", "Section 5 Unfairness — Public Disclosure of Sensitive Financial Information" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Privacy of Consumer Financial Information (Regulation P), 12 C.F.R. Part 1016; Standards for Safeguarding Customer Information (Safeguards Rule), 16 C.F.R. Part 314", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3199-mortgage-solutions-fcs-inc", "source_filename": "01.20, Mortgage Solutions FCS.json", "num_provisions": 16, "num_requirements": 46, "order_duration_years": null, "takeaway_brief": "Mortgage Solutions FCS publicly posted customers' sensitive financial and health information — including credit scores and medical conditions — in Yelp responses to negative reviews.", "statutory_topics": [ "FCRA", "GLBA" ], "practice_areas": [ "Privacy", "Data Security", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 11, "GLBA": 15 } }, { "id": "01.20_tdarx", "docket_number": "C-4704", "company_name": "TDARX, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Misrepresentation", "Misrepresentation Regarding Verification", "Misrepresentation Regarding Continuing Obligations" ], "legal_authority": "Section 5 of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3084-tdarx-inc-matter", "source_filename": "01.20, TDARX.json", "num_provisions": 7, "num_requirements": 21, "order_duration_years": 20, "takeaway_brief": "TDARX continued claiming Privacy Shield participation on its website after certification lapsed and also failed to obtain required annual verification while certified.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "01.20_thru", "docket_number": "C-4702", "company_name": "Thru, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3196-thru-inc-matter", "source_filename": "01.20, Thru.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "Thru displayed Privacy Shield compliance claims in its privacy policy after never completing the certification steps for either the EU-U.S. or Swiss-U.S. frameworks.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "01.20_trueface.ai", "docket_number": "C-4699", "company_name": "214 Technologies, Inc.", "date_issued": "2020-01-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Shield Misrepresentation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc", "source_filename": "01.20, Trueface.ai.json", "num_provisions": 6, "num_requirements": 18, "order_duration_years": 20, "takeaway_brief": "Trueface.ai falsely claimed it had self-certified to the EU-U.S. Privacy Shield framework when it had never completed the certification process.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "AI / Automated Decision-Making" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "02.20_office_depot", "docket_number": "9:19-cv-80431", "company_name": "Office Depot, Inc.", "date_issued": "2020-02-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Representations – Office Depot", "Means and Instrumentalities – Support.com" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3023-office-depot-inc", "source_filename": "02.20, Office Depot.json", "num_provisions": 10, "num_requirements": 32, "order_duration_years": null, "takeaway_brief": "Office Depot used a fake diagnostic software tool that automatically reported false malware findings to sell unnecessary repair services to consumers.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Deceptive Design / Dark Patterns" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "03.20_boostmyscore", "docket_number": "1:20-cv-00641", "company_name": "BoostMyScore LLC", "date_issued": "2020-03-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Telemarketing / Do-Not-Call" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentations Regarding Credit Repair Services (FTC Act)", "Misleading Use of Tradelines (CROA)", "Misrepresentations Regarding Credit Repair Services (CROA)", "Course of Business That Results In Fraud or Deception (CROA)", "Violation of Prohibition Against Charging Advance Fees For Credit Repair Services (CROA)", "Misrepresentations Regarding Credit Repair Services (TSR)", "Violation of Prohibition Against Charging Advance Fees For Credit Repair Services (TSR)" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 410(b) of the Credit Repair Organizations Act (CROA), 15 U.S.C. § 1679h(b); Section 6(b) of the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. § 6105(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3059-boostmyscore-llc", "source_filename": "03.20, BoostMyScore.json", "num_provisions": 13, "num_requirements": 48, "order_duration_years": 20, "takeaway_brief": "BoostMyScore sold illegal credit piggybacking services and charged prohibited advance fees while falsely guaranteeing FICO score boosts.", "statutory_topics": [ "TSR" ], "practice_areas": [ "Financial Practices", "Telemarketing" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Data Deletion", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "TSR": 13 } }, { "id": "03.20_retina-x_studios", "docket_number": "C-4711", "company_name": "RETINA-X STUDIOS, LLC", "date_issued": "2020-03-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "COPPA / Children's Privacy", "Data Security", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ], "violation_type": "both", "complaint_counts": [ "Unfair Sale of Surreptitious Monitoring Products", "Deceptive Data Security Representation — MobileSpy", "Deceptive Data Security Representation — PhoneSheriff", "Deceptive Data Security Representation — TeenShield", "COPPA Violation — TeenShield Collection of Children's Data" ], "legal_authority": "Federal Trade Commission Act and the Children's Online Privacy Protection Rule (COPPA Rule)", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3118-retina-x-studios-llc-matter", "source_filename": "03.20, Retina-X Studios.json", "num_provisions": 15, "num_requirements": 50, "order_duration_years": 20, "takeaway_brief": "Retina-X sold covert device monitoring apps enabling stalking while falsely claiming consumers' data was kept private and secure.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Surveillance", "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 15 } }, { "id": "03.20_t_m_protection_resources", "docket_number": "C-4709", "company_name": "T&M Protection Resources, LLC", "date_issued": "2020-03-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Misrepresentation", "Misrepresentation Regarding Verification", "Misrepresentation Regarding Continuing Obligations" ], "legal_authority": "Section 5 of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3092-tm-protection-resources-llc-matter", "source_filename": "03.20, T&M Protection Resources.json", "num_provisions": 7, "num_requirements": 21, "order_duration_years": 20, "takeaway_brief": "T&M Protection Resources falsely claimed active EU-U.S. Privacy Shield participation after its certification had lapsed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "05.20_jasjit_gotra", "docket_number": "1:18-cv-10548", "company_name": "Alliance Security Inc.", "date_issued": "2020-05-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Fair Credit Reporting (FCRA)", "Telemarketing / Do-Not-Call" ], "violation_type": "both", "complaint_counts": [ "Obtaining Consumer Reports Without a Permissible Purpose (FCRA)", "Calls to Persons Registered on the National Do Not Call Registry (TSR)", "Calls Failing to Identify the Seller (TSR)", "Misrepresentations Concerning Seller or Telemarketer's Affiliations (TSR)", "Assisting and Facilitating Abusive or Deceptive Telemarketing Practices (TSR)", "Misrepresentations in Violation of the FTC Act" ], "legal_authority": "Sections 5(a), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a), 45(m)(1)(A), 53(b), and 56(a); Section 6 of the Telemarketing and Consumer Fraud and Abuse Prevention Act, 15 U.S.C. § 6105; and Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/x140022-jasjit-gotra-alliance-security", "source_filename": "05.20, Jasjit Gotra.json", "num_provisions": 11, "num_requirements": 41, "order_duration_years": 20, "takeaway_brief": "Alliance Security and its CEO made over two million illegal telemarketing calls including to Do Not Call registrants, impersonated ADT, and obtained consumer reports without permissible purpose.", "statutory_topics": [ "TSR", "FCRA" ], "practice_areas": [ "Telemarketing", "Financial Practices" ], "industry_sectors": [ "Other" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Notification", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "TSR": 10, "FCRA": 9 } }, { "id": "05.20_tapplock", "docket_number": "C-4718", "company_name": "Tapplock, Inc.", "date_issued": "2020-05-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Representation Regarding Security", "Deceptive Representation Regarding Protection of Personal Information" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3011-tapplock-inc-matter", "source_filename": "05.20, Tapplock.json", "num_provisions": 10, "num_requirements": 46, "order_duration_years": 20, "takeaway_brief": "Tapplock marketed its Internet-connected padlocks as 'unbreakable' and secure while critical physical and electronic vulnerabilities made them trivially easy to compromise.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "06.20_hyperbeard", "docket_number": "3:20-cv-03683", "company_name": "HyperBeard, Inc.", "date_issued": "2020-06-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Violations of the Children's Online Privacy Protection Rule (COPPA)" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), 56(a)(1), and 57(b); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6502(c) and 6505(d); 16 C.F.R. Part 312", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3109-hyperbeard-inc", "source_filename": "06.20, HyperBeard.json", "num_provisions": 9, "num_requirements": 32, "order_duration_years": null, "takeaway_brief": "HyperBeard operated child-directed mobile apps that allowed advertising networks to collect children's personal data for behavioral advertising without parental consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 9 } }, { "id": "06.20_kohl_s_department_stores", "docket_number": "Civil Action No. 2:20-cv-859", "company_name": "Kohl's Department Stores, Inc.", "date_issued": "2020-06-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "unfair", "complaint_counts": [ "Failure to Provide Records", "Failure to Respond Within 30 Days" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 609(e) of the Fair Credit Reporting Act, 15 U.S.C. § 1681g(e)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3200-kohls-department-stores-inc", "source_filename": "06.20, Kohl's Department Stores.json", "num_provisions": 8, "num_requirements": 32, "order_duration_years": null, "takeaway_brief": "Kohl's denied identity theft victims access to transaction records about fraudulent purchases made in their names.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 8 } }, { "id": "07.20_miniclip", "docket_number": "C-4722", "company_name": "Miniclip S.A.", "date_issued": "2020-07-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "COPPA Safe Harbor Misrepresentations" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3129-miniclip-matter", "source_filename": "07.20, Miniclip.json", "num_provisions": 6, "num_requirements": 19, "order_duration_years": 20, "takeaway_brief": "Miniclip falsely claimed for years to be a certified participant in the CARU COPPA safe harbor program after its certified status was terminated.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 6 } }, { "id": "07.20_ortho-clinical_diagnostics", "docket_number": "C-4723", "company_name": "Ortho-Clinical Diagnostics, Inc.", "date_issued": "2020-07-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Misrepresentation", "Misrepresentation Regarding Verification", "Misrepresentation Regarding Continuing Obligations" ], "legal_authority": "Section 5 of the Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3050-ortho-clinical-diagnostics-inc-matter", "source_filename": "07.20, Ortho-Clinical Diagnostics.json", "num_provisions": 7, "num_requirements": 20, "order_duration_years": 20, "takeaway_brief": "Ortho-Clinical Diagnostics kept claiming Privacy Shield compliance on its website after its certification lapsed and even after Commerce warned it to remove those claims.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "09.20_emp_media", "docket_number": "2:18-cv-00035-APG-NJK", "company_name": "EMP Media, Inc.", "date_issued": "2020-09-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Nonconsensual Disclosure of Intimate Images and Personal Information", "Unfair Extortion-Based Removal Fees", "Violation of Nevada's Deceptive Trade Practices — Coercion, Duress, or Intimidation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Chapter 598 of the Nevada Revised Statutes", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3052-emp-media-inc-myexcom", "source_filename": "09.20, Emp Media.json", "num_provisions": 12, "num_requirements": 35, "order_duration_years": 20, "takeaway_brief": "MyEx.com publicly posted intimate images and personal information of individuals without their consent and charged victims thousands of dollars to have the content removed.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Consumer Redress", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 12 } }, { "id": "10.20_ntt_global_data_centers_americas", "docket_number": "D09386", "company_name": "Raging Wire Data Centers, Inc.", "date_issued": "2020-10-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3189-ntt-global-data-centers-americas-inc-matter", "source_filename": "10.20, NTT Global Data Centers Americas.json", "num_provisions": 8, "num_requirements": 21, "order_duration_years": 20, "takeaway_brief": "Raging Wire Data Centers misrepresented its participation in or compliance with a privacy framework, based on provision titles alone as no factual background was available.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "11.20_midwest_recovery_systems", "docket_number": "4:20-cv-01674", "company_name": "Midwest Recovery Systems, LLC", "date_issued": "2020-11-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Health Data", "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "False or Unsubstantiated Claims that Consumers Owe Debts", "False or Misleading Collection Representations (FDCPA § 807)", "Unfair Collection Practices – Debt Parking (FDCPA § 808)", "Failure to Provide Validation Notice (FDCPA § 809(a))", "Furnishing Inaccurate Information to CRAs (FCRA § 623(a)(1)(A))", "Failure to Conduct Reasonable Investigation of Direct Disputes (FCRA § 623(a)(8)(E)(i))", "Failure to Report Investigation Results to Consumers (FCRA § 623(a)(8)(E)(iii))" ], "legal_authority": "Sections 5(a), 5(m)(1)(A), 13(b), and 19 of the FTC Act, 15 U.S.C. §§ 45(a), 45(m)(1)(A), 53(b), and 57b; Section 814 of the Fair Debt Collection Practices Act (FDCPA), 15 U.S.C. §1692l; and Section 621(a) of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923042-midwest-recovery-systems-llc", "source_filename": "11.20, Midwest Recovery Systems.json", "num_provisions": 16, "num_requirements": 49, "order_duration_years": null, "takeaway_brief": "Midwest Recovery Systems collected debts consumers did not owe and 'parked' over $98 million in unsubstantiated debts on credit reports without first notifying consumers.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Consumer Redress", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 16 } }, { "id": "12.20_appfolio", "docket_number": "1:20-cv-03563", "company_name": "AppFolio, Inc.", "date_issued": "2020-12-15", "year": 2020, "administration": "Trump (1st)", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "unfair", "complaint_counts": [ "Reporting Obsolete Eviction and Criminal Records", "Failure to Follow Reasonable Accuracy Procedures" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 56(a)(1); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923016-appfolio-inc", "source_filename": "12.20, AppFolio.json", "num_provisions": 8, "num_requirements": 19, "order_duration_years": null, "takeaway_brief": "AppFolio included obsolete records more than seven years old and inaccurate information from an unvetted vendor in tenant screening reports used to deny housing.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 8 } }, { "id": "02.21_skymed_international", "docket_number": "C-4732", "company_name": "SkyMed International, Inc.", "date_issued": "2021-02-15", "year": 2021, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "HIPAA Seal Misrepresentation", "Security Incident Response Misrepresentation", "Unfair Information Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923140-skymed-international-inc-matter", "source_filename": "02.21, SkyMed International.json", "num_provisions": 12, "num_requirements": 49, "order_duration_years": 20, "takeaway_brief": "SkyMed displayed a self-created 'HIPAA Compliance' seal implying government verification of its practices, and misled consumers about what was exposed in a data security incident.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 12 } }, { "id": "02.21_zoom_video_communications", "docket_number": "C-4731", "company_name": "Zoom Video Communications, Inc.", "date_issued": "2021-02-15", "year": 2021, "administration": "Biden", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Deceptive Representation Regarding End-to-End Encryption", "Deceptive Representation Regarding Level of Encryption", "Deceptive Representation Regarding Secured Cloud Storage for Recorded Meetings", "Unfair Circumvention of Third-Party Privacy and Security Safeguard", "Deceptive Failure to Disclose" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Joseph J. Simons, Chairman", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3167-zoom-video-communications-inc-matter", "source_filename": "02.21, Zoom Video Communications.json", "num_provisions": 11, "num_requirements": 59, "order_duration_years": 20, "takeaway_brief": "Zoom falsely claimed to offer end-to-end encryption for meetings and secretly installed software on Mac computers that bypassed Apple's security controls.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 11 } }, { "id": "06.21_flo_health", "docket_number": "C-4747", "company_name": "Flo Health, Inc.", "date_issued": "2021-06-15", "year": 2021, "administration": "Biden", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "deceptive", "complaint_counts": [ "Privacy Misrepresentation – Disclosures of Health Information", "Privacy Misrepresentation – Disclosures Beyond Identifiers", "Privacy Misrepresentation – Failure to Limit Third-Party Use", "Misrepresentation Regarding Notice", "Misrepresentation Regarding Choice", "Misrepresentation Regarding Accountability for Onward Transfers", "Misrepresentation Regarding Data Integrity and Purpose Limitation" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Lina Khan, Chair", "Noah Joshua Phillips", "Rohit Chopra", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3133-flo-health-inc", "source_filename": "06.21, Flo Health.json", "num_provisions": 13, "num_requirements": 39, "order_duration_years": 20, "takeaway_brief": "Flo Health promised not to share women's reproductive health data with third parties but secretly disclosed it to Facebook, Google, and others.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Consumer Notification", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 13 } }, { "id": "07.21_kuuhuub_et_al._u.s._v.", "docket_number": "21-cv-01758", "company_name": "Kuuhubb Inc.", "date_issued": "2021-07-15", "year": 2021, "administration": "Biden", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "COPPA Rule Violations – Failure to Provide Notice, Direct Notice to Parents, and Obtain Verifiable Parental Consent" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), 56(a)(1), 57b, and Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c), 6505(d)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3184-kuuhuub-inc-et-al-us-v-recolor-oy", "source_filename": "07.21, Kuuhuub, et al., U.S. v..json", "num_provisions": 11, "num_requirements": 37, "order_duration_years": null, "takeaway_brief": "Kuuhubb's Recolor App marketed as an adult coloring book contained a child-directed section through which it collected children's personal data for behavioral advertising without parental consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Data Deletion", "Consumer Redress", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 11 } }, { "id": "12.21_ascension_data_analytics", "docket_number": "C-4758", "company_name": "Ascension Data & Analytics, LLC", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley" ], "violation_type": "unfair", "complaint_counts": [ "Violation of the GLB Safeguards Rule" ], "legal_authority": "Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, issued pursuant to Title I of the Gramm-Leach-Bliley (GLB) Act, 15 U.S.C. § 6801 et seq.; violations enforced through the Federal Trade Commission Act, 15 U.S.C. § 6805(a)(7)", "commissioners": [ "Lina M. Khan, Chair", "Noah Joshua Phillips", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3126-ascension-data-analytics-llc-matter", "source_filename": "12.21, Ascension Data & Analytics.json", "num_provisions": 11, "num_requirements": 50, "order_duration_years": 20, "takeaway_brief": "Ascension Data & Analytics handed mortgage documents containing sensitive consumer data to a vendor without conducting any security vetting, resulting in a cloud storage misconfiguration that exposed the data.", "statutory_topics": [ "GLBA" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services", "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "GLBA": 11 } }, { "id": "12.21_mylife.com", "docket_number": "2:20-cv-6692", "company_name": "MyLife.com, Inc.", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "categories": [ "Fair Credit Reporting (FCRA)", "Telemarketing / Do-Not-Call" ], "violation_type": "both", "complaint_counts": [ "Deceptive Misrepresentation of Criminal/Sex Offender Records (FTC Act Section 5(a))", "Telemarketing Sales Rule Violations", "Restore Online Shoppers' Confidence Act (ROSCA) Violations", "FCRA Violation — Furnishing Consumer Reports Without Permissible Purpose", "FCRA Violation — Failure to Maintain Reasonable Procedures and Provide User Notices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. § 56(a)(1); Telemarketing Sales Rule, 16 C.F.R. Part 310; Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681x; Restore Online Shoppers' Confidence Act, 15 U.S.C. § 8404", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3022-mylifecom-inc", "source_filename": "12.21, MyLife.com.json", "num_provisions": 15, "num_requirements": 60, "order_duration_years": 20, "takeaway_brief": "MyLife.com used deceptive teaser results suggesting searched individuals had criminal or sex offender records to sell subscriptions, and made cancellation deliberately difficult.", "statutory_topics": [ "FCRA", "TSR" ], "practice_areas": [ "Financial Practices", "Deceptive Design / Dark Patterns" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Monetary Penalty", "Consumer Notification", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 14, "TSR": 11 } }, { "id": "12.21_openx_technologies", "docket_number": "2:21-cv-09693", "company_name": "OpenX Technologies, Inc.", "date_issued": "2021-12-15", "year": 2021, "administration": "Biden", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ], "violation_type": "both", "complaint_counts": [ "Deception - Location Data Collection Misrepresentation", "Deception - COPPA Activities Misrepresentation", "COPPA - Collection from Child-Directed Properties Without Consent" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c) and 6505(d)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923019-openx-technologies-inc", "source_filename": "12.21, OpenX Technologies.json", "num_provisions": 16, "num_requirements": 55, "order_duration_years": 20, "takeaway_brief": "OpenX collected precise location data via a backdoor method that bypassed users' location permission denials, and collected children's personal data from child-directed apps without parental consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Data Deletion", "Consumer Notification", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 16 } }, { "id": "01.22_itmedia_solutions", "docket_number": "2:22-cv-00073", "company_name": "ITMEDIA SOLUTIONS LLC", "date_issued": "2022-01-15", "year": 2022, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Deceptive Representations About Information Sharing", "Unfair Distribution of Sensitive Information", "Obtaining and Using Consumer Reports Without Permissible Purpose", "Failure to Establish Procedures to Avoid Impermissible Use of Consumer Report Information", "Reselling Consumer Reports to Unidentified Users" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 604 and 607 of the Fair Credit Reporting Act, 15 U.S.C. §§ 1681b and 1681e; Sections 13(b) and 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b) and 56(a)(1)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1523225-itmedia-solutions-llc", "source_filename": "01.22, ITMedia Solutions.json", "num_provisions": 12, "num_requirements": 48, "order_duration_years": null, "takeaway_brief": "ITMedia collected consumers' sensitive loan application data under the pretext of connecting them to lenders, then sold it to marketers, debt negotiators, and unknown entities.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Privacy", "Financial Practices" ], "industry_sectors": [ "Financial Services", "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration", "Data Deletion", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 12 } }, { "id": "03.22_weight_watchersww", "docket_number": "3:22-cv-00946", "company_name": "Kurbo, Inc.", "date_issued": "2022-03-15", "year": 2022, "administration": "Biden", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Violation of the COPPA Rule" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), 56(a)(1), 57b; Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c) and 6505(d); Commission's Children's Online Privacy Protection Rule, 16 C.F.R. Part 312", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923228-weight-watchersww", "source_filename": "03.22, Weight WatchersWW.json", "num_provisions": 8, "num_requirements": 34, "order_duration_years": null, "takeaway_brief": "Kurbo by WW collected personal data from children under 13 without adequate parental notice or verifiable consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 8 } }, { "id": "04.22_credit_bureau_center", "docket_number": "17-cv-00194", "company_name": "Credit Bureau Center, LLC", "date_issued": "2022-04-15", "year": 2022, "administration": "Biden", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "False Representations About Rental Properties (FTC Act § 5(a))", "Deceptive Omissions Regarding Free Credit Score Offer (FTC Act § 5(a))", "Failure to Disclose All Material Terms Before Obtaining Billing Information (ROSCA § 4(1))", "Failure to Obtain Consumers' Express Informed Consent (ROSCA § 4(2))", "Failure to Display Required Free Credit Report Disclosure (FCRA § 612(g) and Free Reports Rule)" ], "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 5 of the Restore Online Shoppers' Confidence Act (ROSCA), 15 U.S.C. § 8404; Section 621(a)(1) of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681s(a)(1)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/162-3120-x170014-credit-bureau-center-llc-formerly-known-myscore-llc", "source_filename": "04.22, Credit Bureau Center.json", "num_provisions": 3, "num_requirements": 3, "order_duration_years": null, "takeaway_brief": "Credit Bureau Center used fake rental property ads to lure consumers into hidden paid credit monitoring subscriptions falsely advertised as free.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Deceptive Design / Dark Patterns", "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Order Administration" ], "provision_counts_by_topic": { "FCRA": 3 } }, { "id": "05.22_everalbum", "docket_number": "C-4743", "company_name": "Everalbum, Inc.", "date_issued": "2022-05-15", "year": 2022, "administration": "Biden", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentation Regarding Ever Users' Ability to Control the Ever App's Face Recognition Feature", "Misrepresentation Regarding Deletion of Ever Users' Photos Upon Account Deactivation" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Rebecca Kelly Slaughter, Acting Chair", "Noah Joshua Phillips", "Rohit Chopra", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3172-everalbum-inc-matter", "source_filename": "05.22, Everalbum.json", "num_provisions": 8, "num_requirements": 29, "order_duration_years": 20, "takeaway_brief": "Everalbum enabled facial recognition by default without user consent and used consumers' photos to train commercial AI without adequately disclosing this or deleting data when accounts were deactivated.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "AI / Automated Decision-Making" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Data Deletion", "Algorithmic Destruction", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 8 } }, { "id": "01.23_chegg", "docket_number": "C-4782", "company_name": "Chegg, Inc.", "date_issued": "2023-01-15", "year": 2023, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Data Security Practices", "Data Security Misrepresentations" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Noah Joshua Phillips", "Rebecca Kelly Slaughter", "Christine S. Wilson", "Alvaro M. Bedoya" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/chegg", "source_filename": "01.23, Chegg.json", "num_provisions": 14, "num_requirements": 48, "order_duration_years": 20, "takeaway_brief": "Chegg failed to implement basic data security controls for years, resulting in multiple breaches that exposed tens of millions of students' personal information.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Education", "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Consumer Notification", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 14 } }, { "id": "01.23_drizly", "docket_number": "C-4780", "company_name": "DRIZLY, LLC", "date_issued": "2023-01-15", "year": 2023, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Drizly's Unfair Information Security Practices", "Drizly's Deceptive Security Statements" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1)", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Christine S. Wilson", "Alvaro M. Bedoya" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023185-drizly-llc-matter", "source_filename": "01.23, Drizly.json", "num_provisions": 14, "num_requirements": 62, "order_duration_years": 20, "takeaway_brief": "Drizly stored sensitive credentials insecurely in public GitHub repositories and failed to enforce basic account security, allowing a hacker to steal data on 2.5 million consumers.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail", "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Recordkeeping", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 14 } }, { "id": "02.23_goodrx_holdings", "docket_number": "3:23-cv-460", "company_name": "GoodRx Holdings, Inc.", "date_issued": "2023-02-01", "year": 2023, "administration": "Biden", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Privacy Misrepresentation: Disclosure of Health Information to Third Parties", "Privacy Misrepresentation: Disclosure of Personal Information to Third Parties", "Privacy Misrepresentation: Failure to Limit Third-Party Use of Health Information", "Privacy Misrepresentation: Misrepresenting Compliance with the Digital Advertising Alliance Principles", "Privacy Misrepresentation: HIPAA Compliance", "Unfairness: Failure to Implement Measures to Prevent the Unauthorized Disclosure of Health Information", "Unfairness: Failure to Provide Notice and Obtain Consent Before Use and Disclosure of Health Information for Advertising", "Violation of the Health Breach Notification Rule" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), 56(a)(1), 57b; Health Breach Notification Rule, 16 C.F.R. § 318", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023090-goodrx-holdings-inc", "source_filename": "02.23, GoodRx Holdings.json", "num_provisions": 18, "num_requirements": 76, "order_duration_years": 20, "takeaway_brief": "GoodRx repeatedly promised never to share users' health information with advertisers, then secretly transmitted prescription drug names and health conditions to Facebook, Google, and Criteo for targeted advertising.", "statutory_topics": [ "Health Breach Notification" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Recordkeeping" ], "provision_counts_by_topic": { "Health Breach Notification": 14 } }, { "id": "02.23_epic_games", "docket_number": "5:22-CV-00518", "company_name": "Epic Games, Inc.", "date_issued": "2023-02-15", "year": 2023, "administration": "Biden", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "COPPA Rule Violations — Failure to Provide Notice, Obtain Parental Consent, and Honor Parental Rights", "Unfair Default Settings — On-by-Default Voice/Text Chat and Public Display Name Broadcasting" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), 56(a)(1), 57b, and Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c), 6505(d)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter", "source_filename": "02.23, Epic Games.json", "num_provisions": 13, "num_requirements": 58, "order_duration_years": 20, "takeaway_brief": "Epic Games violated COPPA by collecting children's personal data in Fortnite without parental consent, and enabled on-by-default voice and text chat that exposed children to harmful contact.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy", "Deceptive Design / Dark Patterns" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 13 } }, { "id": "05.23_fashion_nova", "docket_number": "C-4759", "company_name": "Fashion Nova, LLC", "date_issued": "2023-05-15", "year": 2023, "administration": "Biden", "categories": [ "Other" ], "violation_type": "deceptive", "complaint_counts": [ "Deceptive Review Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Noah Joshua Phillips", "Rebecca Kelly Slaughter", "Christine S. Wilson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3138-fashion-nova-llc-matter", "source_filename": "05.23, Fashion Nova.json", "num_provisions": 9, "num_requirements": 33, "order_duration_years": 20, "takeaway_brief": "Fashion Nova suppressed hundreds of thousands of negative customer reviews to create a falsely positive impression of its products.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Other" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 9 } }, { "id": "06.23_easy_healthcare_corporation", "docket_number": "1:23-cv-3107", "company_name": "Easy Healthcare Corporation", "date_issued": "2023-06-15", "year": 2023, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data", "Location / Geolocation Data" ], "violation_type": "both", "complaint_counts": [ "Privacy Misrepresentation – Disclosures of Health Information", "Privacy Misrepresentation – Sharing Data with Third Parties", "Deceptive Failure to Disclose – Sharing Geolocation Information with Third Parties", "Privacy Misrepresentation – Third Parties' Use of Shared Data", "Deceptive Failure to Disclose – Third Parties' Use of Shared Data", "Unfair Privacy and Data Security Practices", "Unfair Sharing of Health Information for Advertising Purposes Without Affirmative Express Consent", "Violation of the Health Breach Notification Rule" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Health Breach Notification Rule, 16 C.F.R. § 318", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3186-easy-healthcare-corporation-us-v", "source_filename": "06.23, Easy Healthcare Corporation.json", "num_provisions": 18, "num_requirements": 73, "order_duration_years": 20, "takeaway_brief": "The Premom ovulation app secretly shared women's sensitive health and geolocation data with third parties for advertising despite explicit privacy promises.", "statutory_topics": [ "Health Breach Notification" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Consumer Notification", "Data Deletion", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Recordkeeping" ], "provision_counts_by_topic": { "Health Breach Notification": 18 } }, { "id": "06.23_microsoft_corporation", "docket_number": "2:23-cv-00836-RAJ", "company_name": "Microsoft Corporation", "date_issued": "2023-06-15", "year": 2023, "administration": "Biden", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "COPPA Rule Violation – Failure to Provide Direct Notice, Online Notice, Obtain Verifiable Parental Consent, and Data Retention" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act (FTC Act), 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), 56(a)(1), and 57b, and Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6502(c) and 6505(d)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923258-microsoft-corporation-us-v", "source_filename": "06.23, Microsoft Corporation.json", "num_provisions": 13, "num_requirements": 38, "order_duration_years": null, "takeaway_brief": "Microsoft collected personal information from children on Xbox Live before notifying parents or obtaining required parental consent, and retained incomplete-registration data for years.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Data Deletion", "Recordkeeping", "Monetary Penalty", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "COPPA": 13 } }, { "id": "07.23_amazon.com", "docket_number": "2:23-cv-00811", "company_name": "Amazon.com, Inc.", "date_issued": "2023-07-15", "year": 2023, "administration": "Biden", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ], "violation_type": "both", "complaint_counts": [ "Deception – False Representation That Alexa App Users Could Delete Geolocation Information", "Deception – False Representation That Alexa Users Could Delete Their or Their Child's Voice Recordings", "Unfair Privacy Practices", "COPPA – Failure to Provide Complete Notice, Effective Deletion Opportunity, and Indefinite Retention of Children's Voice Recordings" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a); and Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c) and 6505(d)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3128-amazoncom-alexa-us-v", "source_filename": "07.23, Amazon.com.json", "num_provisions": 13, "num_requirements": 45, "order_duration_years": 20, "takeaway_brief": "Amazon retained children's Alexa voice recordings indefinitely and failed to honor user requests to delete voice and geolocation data despite explicit promises of full deletion control.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Data Deletion", "Prohibition", "Consumer Notification", "Comprehensive Security Program", "Compliance Monitoring", "Monetary Penalty", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 13 } }, { "id": "08.23_edmodo", "docket_number": "23-cv-02495", "company_name": "Edmodo, LLC", "date_issued": "2023-08-15", "year": 2023, "administration": "Biden", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Violations of the COPPA Rule", "Unfair Practices in Violation of Section 5 of the FTC Act" ], "legal_authority": "Sections 5(a)(1), 5(m)(1)(A), 13(b), and 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a)(1); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6502(c) and 6505(d); Children's Online Privacy Protection Rule, 16 C.F.R. Part 312", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3129-edmodo-llc-us-v", "source_filename": "08.23, Edmodo.json", "num_provisions": 11, "num_requirements": 40, "order_duration_years": null, "takeaway_brief": "Edmodo collected personal information from hundreds of thousands of children without parental consent and attempted to shift its COPPA compliance obligations onto schools.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Education", "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 11 } }, { "id": "10.23_transunion_rental_screening_solutions_and_trans_union._ftc_and_cfpb_v.", "docket_number": "1:23-cv-02659", "company_name": "TransUnion Rental Screening Solutions, Inc.", "date_issued": "2023-10-15", "year": 2023, "administration": "Biden", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "Failure to Follow Reasonable Procedures for Maximum Possible Accuracy (FCRA § 607(b))", "Failure to Disclose Sources of Information in Consumer File Disclosures (FCRA § 609(a))" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 621(a)(1) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)(1)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/182-3204-transunion-rental-screening-solutions-inc-trans-union-llc-ftc-cfpb-v", "source_filename": "10.23, TransUnion Rental Screening Solutions and Trans Union., FTC and CFPB v..json", "num_provisions": 13, "num_requirements": 46, "order_duration_years": null, "takeaway_brief": "TransUnion's rental screening subsidiary reported duplicated eviction entries, inaccurate case dispositions, mislabeled debt amounts, and sealed records in tenant background reports.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Monetary Penalty", "Third-Party Assessment", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 13 } }, { "id": "10.23_truthfinder", "docket_number": "23-CV-1674", "company_name": "Instant Checkmate, LLC", "date_issued": "2023-10-15", "year": 2023, "administration": "Biden", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Deceptive Statements Regarding Accuracy", "Deceptive Statements Regarding Criminal and Arrest Records", "Deceptive Removal and Correction Claims", "False Claim of Unbiased Reviews", "Failure to Disclose Material Connections", "FCRA Section 607(a) — Failure to Maintain Permissible-Purpose Procedures", "FCRA Section 604(a) — Furnishing Reports Without Permissible Purpose", "FCRA Section 607(b) — Failure to Assure Maximum Possible Accuracy", "FCRA Section 604(b) — Failure to Follow Employment Screening Requirements", "FCRA Section 607(d) — Failure to Provide User Notice", "FCRA Section 611(a) — Failure to Conduct Reasonable Reinvestigations" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); and Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/122-3221-instant-checkmate-inc", "source_filename": "10.23, TruthFinder.json", "num_provisions": 14, "num_requirements": 48, "order_duration_years": null, "takeaway_brief": "Instant Checkmate and TruthFinder falsely advertised report accuracy, implied searched individuals had criminal records when they often did not, and offered fake data correction tools.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices", "Deceptive Design / Dark Patterns" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Comprehensive Security Program", "Prohibition", "Compliance Monitoring", "Monetary Penalty", "Third-Party Assessment", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 14 } }, { "id": "01.24_cafepress", "docket_number": "C-4768", "company_name": "Residual Pumpkin Entity, LLC", "date_issued": "2024-01-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Data Security Misrepresentations", "Response to Data Security Incident Misrepresentations", "Unfair Data Security Practices", "Data Collection and Use Misrepresentation", "Misrepresentation Relating to Privacy Shield Frameworks", "Misrepresentation Relating to Deletion of Consumer Data", "Unfair Withholding of Payable Commissions After Security Breach" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45", "commissioners": [ "Lina M. Khan, Chair", "Noah Joshua Phillips", "Rebecca Kelly Slaughter", "Christine S. Wilson", "Alvaro M. Bedoya" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923209-cafepress-matter", "source_filename": "01.24, CafePress.json", "num_provisions": 14, "num_requirements": 61, "order_duration_years": 20, "takeaway_brief": "CafePress failed to secure consumer data against well-known attack vectors, suffered a massive breach, misled consumers about the breach's scope, and withheld shopkeeper commissions as retaliation.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security", "Privacy" ], "industry_sectors": [ "Retail", "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 14 } }, { "id": "01.24_epic_games", "docket_number": "C-4790", "company_name": "Epic Games, Inc.", "date_issued": "2024-01-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Billing Without Express Informed Consent", "Unfair Denial of Account Access for Disputing Charges" ], "legal_authority": "Section 5 of the Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Christine S. Wilson", "Alvaro M. Bedoya" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923203-epic-games-matter", "source_filename": "01.24, Epic Games.json", "num_provisions": 10, "num_requirements": 34, "order_duration_years": 20, "takeaway_brief": "Epic Games used dark patterns to charge consumers — including children — for Fortnite purchases without informed consent, and denied account access to those who disputed charges.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Deceptive Design / Dark Patterns" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 10 } }, { "id": "02.24_global_tel_link_corporation", "docket_number": "C-4801", "company_name": "Global Tel*Link Corporation", "date_issued": "2024-02-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Unfair Data Security Practices", "Unfair Failure to Notify Affected Consumers of the Incident", "Misrepresentations Regarding Data Security", "Misrepresentations to Individual Users Regarding the Incident", "Misrepresentations to Individual Users Regarding Notice", "Deceptive Representations to Facilities Regarding the Incident" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation", "source_filename": "02.24, Global Tel Link Corporation.json", "num_provisions": 15, "num_requirements": 62, "order_duration_years": 20, "takeaway_brief": "Global Tel*Link copied 649,500 incarcerated individuals' personal data to an unprotected test environment, exposed it to the internet for days, and then misled consumers and facilities about the breach.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Telecom" ], "remedy_types": [ "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Consumer Redress", "Consumer Notification", "Prohibition", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 15 } }, { "id": "03.24_rite_aid_corporation", "docket_number": "2:23-cv-05023", "company_name": "Rite Aid Corporation", "date_issued": "2024-03-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "AI / Algorithmic / Facial Recognition" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Facial Recognition Technology Practices", "Unfair Failure to Implement or Maintain a Comprehensive Information Security Program in Violation of Section II of the 2010 Order" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023190-rite-aid-corporation-ftc-v", "source_filename": "03.24, Rite Aid Corporation.json", "num_provisions": 18, "num_requirements": 69, "order_duration_years": 20, "takeaway_brief": "Rite Aid deployed inaccurate facial recognition technology without adequate safeguards, causing wrongful surveillance of innocent consumers including disproportionate harms to minority shoppers.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "AI / Automated Decision-Making", "Data Security" ], "industry_sectors": [ "Healthcare", "Retail" ], "remedy_types": [ "Biometric Ban", "Data Deletion", "Comprehensive Security Program", "Consumer Notification", "Recordkeeping", "Prohibition", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Other" ], "provision_counts_by_topic": { "Section 5 Only": 18 } }, { "id": "04.24_ring", "docket_number": "1:23-cv-01549", "company_name": "Ring LLC", "date_issued": "2024-04-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security" ], "violation_type": "both", "complaint_counts": [ "Deceptive Security Representations", "Unfair Access to Customer Videos Without Consent", "Failure to Provide Reasonable Security Against Unauthorized Access" ], "legal_authority": "Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023113-ring-llc", "source_filename": "04.24, Ring.json", "num_provisions": 16, "num_requirements": 57, "order_duration_years": 20, "takeaway_brief": "Ring gave employees and contractors unrestricted access to all customers' private home camera footage and failed to protect accounts from credential-stuffing attacks.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security", "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Consumer Notification", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 16 } }, { "id": "04.24_x-mode_social", "docket_number": "C-4802", "company_name": "X-Mode Social, Inc.", "date_issued": "2024-04-15", "year": 2024, "administration": "Biden", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data", "Location / Geolocation Data" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Sale of Sensitive Location Data", "Unfair Failure to Honor Consumer Privacy Choices", "Unfair Collection and Use of Consumer Location Data Without Informed Consent", "Unfair Collection and Use of Consumer Location Data Without Consent Verification", "Unfair Categorization of Consumers Based on Sensitive Characteristics for Marketing", "Deceptive Failure to Disclose Use of Location Data for Government/National Security Purposes", "Means and Instrumentalities to Engage in Deception" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya", "Melissa Holyoak", "Andrew Ferguson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123038-x-mode-social-inc", "source_filename": "04.24, X-Mode Social.json", "num_provisions": 19, "num_requirements": 71, "order_duration_years": 20, "takeaway_brief": "X-Mode Social collected precise consumer location data through hundreds of apps and sold it—including sensitive locations like medical facilities—to government contractors without adequate disclosure or consumer consent.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Consumer Notification", "Data Deletion", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 19 } }, { "id": "05.24_betterhelp", "docket_number": "C-4796", "company_name": "BetterHelp, Inc.", "date_issued": "2024-05-15", "year": 2024, "administration": "Biden", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Unfairness – Unreasonable Privacy Practices", "Unfairness – Failure to Obtain Affirmative Express Consent", "Failure to Disclose – Disclosure of Health Information for Advertising and Third Parties' Own Uses", "Failure to Disclose – Use of Health Information for Advertising", "Privacy Misrepresentation – Disclosure of Health Information for Advertising and Third Parties' Own Uses", "Privacy Misrepresentation – Use of Health Information for Advertising", "Privacy Misrepresentation – Disclosure of Health Information", "Privacy Misrepresentation – HIPAA Certification" ], "legal_authority": "Section 5 of the Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023169-betterhelp-inc-matter", "source_filename": "05.24, BetterHelp.json", "num_provisions": 18, "num_requirements": 74, "order_duration_years": 20, "takeaway_brief": "BetterHelp secretly shared consumers' sensitive mental health information with Facebook, Snapchat, and other advertising platforms for targeted advertising despite repeatedly promising strict privacy.", "statutory_topics": [ "Health Breach Notification" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Data Deletion", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Health Breach Notification": 18 } }, { "id": "05.24_blackbaud", "docket_number": "C-4804", "company_name": "Blackbaud, Inc.", "date_issued": "2024-05-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Unfair Information Security Practices", "Unfair Data Retention Practices", "Unfair Inaccurate Breach Notification", "Deceptive Security Statements", "Deceptive Initial Breach Notification" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya", "Melissa Holyoak", "Andrew Ferguson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc", "source_filename": "05.24, Blackbaud.json", "num_provisions": 13, "num_requirements": 48, "order_duration_years": 20, "takeaway_brief": "Blackbaud's deficient security practices allowed a cyberattacker to remain undetected for months and exfiltrate millions of consumers' personal data, which the company then misrepresented in its breach notification.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Recordkeeping", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 13 } }, { "id": "05.24_cerebral_and_kyle_robertson", "docket_number": "24-cv-21376-JLK", "company_name": "Cerebral, Inc.", "date_issued": "2024-05-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Deceptive Privacy Practices (Cerebral & Robertson)", "Deceptive Data Security Practices (Cerebral & Robertson)", "Unfair Privacy and Data Security Practices (Cerebral & Robertson)", "Deceptive Cancellation Practices (Cerebral & Robertson)", "Unfair and Deceptive Marketing and Consumer Review Practices (Robertson & Martelli)", "Violations of the Opioid Addiction Recovery Fraud Prevention Act (Cerebral, Robertson & Martelli)", "Violations of ROSCA (Cerebral & Robertson)", "Unfair and Deceptive Practices — Zealthy & Bruno Health (Robertson, Echeverry, Zealthy & Bruno Health)", "Violations of ROSCA — Zealthy & Bruno Health (Robertson, Echeverry, Zealthy & Bruno Health)" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Section 8023 of the Opioid Addiction Recovery Fraud Prevention Act of 2018, 15 U.S.C. § 45d; Section 5 of the Restore Online Shoppers' Confidence Act (ROSCA), 15 U.S.C. § 8404", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3067-cerebral-inc-kyle-robertson-us-v", "source_filename": "05.24, Cerebral and Kyle Robertson.json", "num_provisions": 23, "num_requirements": 74, "order_duration_years": 20, "takeaway_brief": "Cerebral secretly shared millions of patients' sensitive mental health and personal data with over twenty advertising platforms while falsely promising confidential, secure care and making it difficult to cancel subscriptions.", "statutory_topics": [ "Health Breach Notification" ], "practice_areas": [ "Privacy", "Data Security", "Deceptive Design / Dark Patterns" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Consumer Notification", "Data Deletion", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Health Breach Notification": 23 } }, { "id": "05.24_inmarket_media", "docket_number": "C-4803", "company_name": "InMarket Media, LLC", "date_issued": "2024-05-15", "year": 2024, "administration": "Biden", "categories": [ "Health Data", "Location / Geolocation Data" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Collection and Use of Consumer Location Data (Own Apps)", "Unfair Collection and Use of Consumer Location Data from Third-Party Apps", "Unfair Retention of Consumer Location Data", "Deceptive Failure to Disclose InMarket's Use of Consumer Location Data" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya", "Melissa Holyoak", "Andrew Ferguson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023088-inmarket-media-llc", "source_filename": "05.24, InMarket Media.json", "num_provisions": 18, "num_requirements": 62, "order_duration_years": 20, "takeaway_brief": "InMarket Media misled consumers about location data use in its apps and SDK, collecting precise location data for advertising profiling while telling consumers it was only for app functionality.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Consumer Notification", "Data Deletion", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 18 } }, { "id": "06.24_monument", "docket_number": "1:24-cv-01034", "company_name": "Monument, Inc.", "date_issued": "2024-06-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Unfair Privacy Practices", "Unfair Disclosure of Consumers' Health Information Without Affirmative Express Consent", "Privacy Misrepresentation – Disclosures of Health Information to Third Parties", "Misrepresentation – Compliance with HIPAA", "Deceptive Privacy Claim – OARFPA Violation" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 8023 of the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), 15 U.S.C. § 45d", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2323043-monument-inc-us-v", "source_filename": "06.24, Monument.json", "num_provisions": 17, "num_requirements": 58, "order_duration_years": 20, "takeaway_brief": "Monument falsely claimed its alcohol addiction treatment platform was HIPAA compliant and 100% confidential while sharing users' sensitive health data with advertisers.", "statutory_topics": [ "Health Breach Notification" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Prohibition", "Data Deletion", "Consumer Notification", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Health Breach Notification": 17 } }, { "id": "08.24_verkada", "docket_number": "3:24-cv-06153", "company_name": "Verkada Inc.", "date_issued": "2024-08-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Unfair Information Security Practices (Business Customers)", "Unfair Information Security Practices (Consumers)", "Information Security Misrepresentations", "Information Security Misrepresentations — Command Platform", "HIPAA Misrepresentations", "Privacy Shield Compliance Misrepresentations", "False Claim of Impartial Ratings and Reviews", "Deceptive Failure to Disclose Material Connections", "Failure to Honor Opt-Out Requests (CAN-SPAM)", "Failure to Provide Notice of Opt-Out (CAN-SPAM)", "Failure to Provide Valid Physical Postal Address (CAN-SPAM)" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and Section 7(a) of the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), 15 U.S.C. § 7706(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2123068-verkada-inc-us-v", "source_filename": "08.24, Verkada.json", "num_provisions": 14, "num_requirements": 53, "order_duration_years": 20, "takeaway_brief": "Verkada made false security claims for its building surveillance cameras, failed to implement basic security practices, and violated CAN-SPAM requirements in its marketing emails.", "statutory_topics": [ "CAN-SPAM" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "CAN-SPAM": 14 } }, { "id": "09.24_1health.iovitagene", "docket_number": "C-4798", "company_name": "1Health.io Inc.", "date_issued": "2024-09-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Security Misrepresentation – Exceeding Industry Standards", "Security Misrepresentation – Storing DNA Results without Identifying Information", "Privacy Misrepresentation – Data Deletion", "Privacy Misrepresentation – Saliva Sample Destruction", "Unfair Retroactive Privacy Policy Changes – Third-Party Sharing of Sensitive Data" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/1923170-1healthiovitagene-matter", "source_filename": "09.24, 1Health.ioVitagene.json", "num_provisions": 16, "num_requirements": 61, "order_duration_years": 20, "takeaway_brief": "Vitagene falsely claimed industry-leading security for DNA health data while publicly exposing the genetic and health records of over 2,600 consumers through unsecured cloud storage.", "statutory_topics": [ "Health Breach Notification" ], "practice_areas": [ "Privacy", "Data Security" ], "industry_sectors": [ "Healthcare", "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Health Breach Notification": 16 } }, { "id": "10.24_marriott_international_and_starwood_hotels_resorts_worldwide", "docket_number": "C-4807", "company_name": "Marriott International, Inc.", "date_issued": "2024-10-15", "year": 2024, "administration": "Biden", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Deceptive Security Statements", "Unfair Information Security Practices" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya", "Melissa Holyoak", "Andrew Ferguson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3022-marriott-international-inc-starwood-hotels-resorts-worldwide-llc-matter", "source_filename": "10.24, Marriott International and Starwood Hotels & Resorts Worldwide.json", "num_provisions": 13, "num_requirements": 62, "order_duration_years": 20, "takeaway_brief": "Marriott and Starwood Hotels suffered three major data breaches affecting hundreds of millions of consumers due to persistently inadequate security practices.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Retail" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Consumer Redress", "Data Deletion", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 13 } }, { "id": "12.24_gravy_analytics", "docket_number": "C-4810", "company_name": "Gravy Analytics, Inc.", "date_issued": "2024-12-15", "year": 2024, "administration": "Biden", "categories": [ "Health Data", "Location / Geolocation Data" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Sale of Sensitive Location Data", "Unfair Collection and Use of Consumer Location Data Without Consent Verification", "Unfair Sale of Sensitive Inferences Derived from Consumers' Location Data" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya", "Melissa Holyoak", "Andrew Ferguson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/212-3035-gravy-analytics-inc-matter", "source_filename": "12.24, Gravy Analytics.json", "num_provisions": 19, "num_requirements": 66, "order_duration_years": 20, "takeaway_brief": "Gravy Analytics collected and sold precise mobile location data revealing consumers' sensitive characteristics — including health decisions and religious practices — without verifying user consent.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Compliance Monitoring", "Consumer Notification", "Data Deletion", "Recordkeeping", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 19 } }, { "id": "12.24_vivint_smart_home", "docket_number": "2:21-cv-00267-TS", "company_name": "Vivint Smart Home, Inc.", "date_issued": "2024-12-15", "year": 2024, "administration": "Biden", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "No Established Identity Theft Prevention Program", "Obtaining Credit Reports Without a Permissible Purpose", "Unfair Sale of False Debt to Debt Buyers or Collectors" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b); Section 16(a) of the Federal Trade Commission Act, 15 U.S.C. § 56(a); Section 621(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681s(a)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/192-3060-vivint-smart-home-inc", "source_filename": "12.24, Vivint Smart Home.json", "num_provisions": 17, "num_requirements": 59, "order_duration_years": 20, "takeaway_brief": "Vivint's sales force fraudulently pulled third parties' credit reports without consent to qualify unqualified customers for financing, then passed those innocent parties' information to debt collectors.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Other", "Compliance Monitoring", "Third-Party Assessment", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 17 } }, { "id": "01.25_cognosphere", "docket_number": "2:25-cv-447", "company_name": "COGNOSPHERE, LLC", "date_issued": "2025-01-15", "year": 2025, "administration": "Biden", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "COPPA Rule Violations – Failure to Provide Notice and Obtain Parental Consent", "Misrepresentations of Loot Box Odds", "Misrepresentations of Cost of Loot Box Prizes", "Unfair Selling and Offering a Multi-Tier Virtual Currency System to Children and Teenagers", "Unfair Promotion and Sale of Loot Boxes to Children and Teenagers" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6502(c), 6505(d); and the Children's Online Privacy Protection Rule (COPPA Rule), 16 C.F.R. pt. 312", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3152-cognosphere-llc-us-v", "source_filename": "01.25, Cognosphere.json", "num_provisions": 13, "num_requirements": 48, "order_duration_years": null, "takeaway_brief": "HoYoverse collected children's personal data without parental consent and misled players about their true odds of winning loot box prizes, obscuring the actual cost of rare items.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy", "Deceptive Design / Dark Patterns" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Consumer Redress", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 13 } }, { "id": "01.25_intellivision", "docket_number": "C-4809", "company_name": "IntelliVision Technologies Corp.", "date_issued": "2025-01-15", "year": 2025, "administration": "Biden", "categories": [ "AI / Algorithmic / Facial Recognition" ], "violation_type": "deceptive", "complaint_counts": [ "Misrepresentations – Facial Recognition Software Accuracy and Training", "False or Unsubstantiated Claims – Facial Recognition Software Bias", "False or Unsubstantiated Claims – Anti-Spoofing" ], "legal_authority": "Section 5 of the Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya", "Melissa Holyoak", "Andrew Ferguson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/232-3023-intellivision-matter", "source_filename": "01.25, Intellivision.json", "num_provisions": 7, "num_requirements": 26, "order_duration_years": 20, "takeaway_brief": "IntelliVision marketed its facial recognition software as free of racial and gender bias and highly accurate when it had no testing to support those claims.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "AI / Automated Decision-Making" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 7 } }, { "id": "01.25_mobilewalla", "docket_number": "C-4811", "company_name": "Mobilewalla, Inc.", "date_issued": "2025-01-15", "year": 2025, "administration": "Biden", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data", "Location / Geolocation Data" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Sale of Sensitive Location Information", "Unfair Targeting Based on Sensitive Characteristics", "Unfair Collection of Consumer Information from RTB Exchanges", "Unfair Collection and Use of Consumer Location Information Without Consent Verification", "Unfair Retention of Consumer Location Information" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya", "Melissa Holyoak", "Andrew Ferguson" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/202-3196-mobilewalla-inc-matter", "source_filename": "01.25, Mobilewalla.json", "num_provisions": 18, "num_requirements": 72, "order_duration_years": 20, "takeaway_brief": "Mobilewalla collected and sold consumers' sensitive location data — including data revealing visits to medical facilities and places of worship — without meaningful consent and in violation of ad exchange terms.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Third-Party Assessment", "Data Deletion", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 18 } }, { "id": "02.25_aqua_finance", "docket_number": "3:24-cv-00288", "company_name": "Aqua Finance, Inc.", "date_issued": "2025-02-15", "year": 2025, "administration": "Trump (2nd)", "categories": [ "Fair Credit Reporting (FCRA)" ], "violation_type": "both", "complaint_counts": [ "Misrepresentations – Terms of Financing", "Failing to Adequately Disclose UCC Fixture Filing and Its Implications", "Unfairness – Funding Deceptively Marketed Credit Agreements", "Unfairness – Contracts Failing to Disclose Repeat Purchase Restrictions and Credit Terms", "Violations of TILA and Regulation Z", "Lack of Reasonable Written Policies and Procedures (FCRA/Furnisher Rule)", "Failing to Investigate and Report Results of Direct Dispute Investigations", "Failing to Notify CRAs of Disputed Information", "Failing to Cease Furnishing Information After Receipt of Identity Theft Reports", "Knowingly Furnishing Inaccurate Information to CRAs" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); the Truth in Lending Act (TILA), 15 U.S.C. §§ 1601–1666j; section 621(a) of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681s(a); and the Duties of Furnishers of Information to Consumer Reporting Agencies Rule, 12 C.F.R. § 1022, subpart E", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/aqua-finance", "source_filename": "02.25, Aqua Finance.json", "num_provisions": 13, "num_requirements": 61, "order_duration_years": null, "takeaway_brief": "Aqua Finance funded home water treatment financing arrangements whose terms were systematically misrepresented by dealers and structured deceptively as open-end credit in violation of federal lending law.", "statutory_topics": [ "FCRA" ], "practice_areas": [ "Financial Practices" ], "industry_sectors": [ "Financial Services" ], "remedy_types": [ "Prohibition", "Compliance Monitoring", "Consumer Notification", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "FCRA": 13 } }, { "id": "02.25_avast", "docket_number": "2023033", "company_name": "Avast Limited", "date_issued": "2025-02-15", "year": 2025, "administration": "Trump (2nd)", "categories": [ "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Collection, Retention, and Sale of Consumers' Browsing Information", "Deceptive Failure to Disclose Tracking of Consumers", "Misrepresentations Regarding Aggregation and Anonymization" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a)", "commissioners": [ "Lina M. Khan, Chair", "Rebecca Kelly Slaughter", "Alvaro M. Bedoya" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023033-avast", "source_filename": "02.25, Avast.json", "num_provisions": 15, "num_requirements": 63, "order_duration_years": 20, "takeaway_brief": "Avast collected consumers' detailed browsing histories through its privacy-protection software and secretly sold that data to over 100 third parties without adequate disclosure or consent.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Algorithmic Destruction", "Order Administration", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 15 } }, { "id": "05.25_godaddy", "docket_number": "C-202-3133", "company_name": "GoDaddy Inc.", "date_issued": "2025-05-15", "year": 2025, "administration": "Trump (2nd)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Data Security Practices", "Data Security Misrepresentations", "EU-U.S. & Swiss-U.S. Privacy Shield Frameworks" ], "legal_authority": "Section 5 of the Federal Trade Commission Act", "commissioners": [ "Andrew N. Ferguson, Chairman", "Melissa Holyoak", "Mark R. Meador" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2023133-godaddy-inc-et-al-matter", "source_filename": "05.25, GoDaddy.json", "num_provisions": 11, "num_requirements": 58, "order_duration_years": 20, "takeaway_brief": "GoDaddy marketed itself as a secure hosting provider with award-winning security while failing to implement basic controls, resulting in multiple major data compromises.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 11 } }, { "id": "07.25_roca_labs", "docket_number": "8:15-cv-02231-MSS-TBM", "company_name": "Roca Labs, Inc.", "date_issued": "2025-07-15", "year": 2025, "administration": "Trump (2nd)", "categories": [ "Privacy / Deceptive Privacy Practices", "Health Data" ], "violation_type": "both", "complaint_counts": [ "Deceptive Weight-Loss Claims", "False Establishment Claim", "Unfair Use of Non-Disparagement Provisions", "Misrepresentations About GastricBypass.me", "Failure to Disclose Material Connections", "Deceptive Privacy Claim", "Deceptive Discount Claim" ], "legal_authority": "Section 13(b) of the Federal Trade Commission Act (15 U.S.C. § 53(b)), in connection with violations of Sections 5(a) and 12 of the FTC Act (15 U.S.C. §§ 45(a) and 52)", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/142-3255-x150061-roca-labs-inc", "source_filename": "07.25, Roca Labs.json", "num_provisions": 17, "num_requirements": 66, "order_duration_years": 20, "takeaway_brief": "Roca Labs falsely claimed its dietary supplement had a scientifically proven 90% weight-loss success rate and silenced unhappy customers with non-disparagement clauses.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Other" ], "industry_sectors": [ "Healthcare" ], "remedy_types": [ "Prohibition", "Consumer Notification", "Monetary Penalty", "Consumer Redress", "Recordkeeping", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 17 } }, { "id": "09.25_pornhubmindgeekaylo", "docket_number": "2:25-cv-00752", "company_name": "AYLO GROUP LTD.", "date_issued": "2025-09-15", "year": 2025, "administration": "Trump (2nd)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Unfairness – Distribution of CSAM and NCM to Consumers", "Deception – Flagging of Content", "Deception – Banning of CSAM Uploaders", "Deception – Re-Upload of CSAM", "Deception – Verification Paperwork (18 U.S.C. § 2257)", "Deception – Review of Content for CSAM and NCM", "Deception – CSAM and NCM Present on Websites", "Failure to Disclose – Collection of Personal Information", "Security Misrepresentation – Data Security", "Unconscionable Acts and Practices (UCSPA)", "Deceptive Acts and Practices (UCSPA)" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Section 13(b) of the FTC Act, 15 U.S.C. § 53(b); Utah Consumer Sales Practices Act, Utah Code § 13-11-1 et seq.", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/152-3202-inbox-group-llc-matter", "source_filename": "09.25, PornhubMindgeekAylo.json", "num_provisions": 20, "num_requirements": 105, "order_duration_years": null, "takeaway_brief": "Pornhub's operator actively distributed child sexual abuse material and non-consensual content for years while falsely claiming to promptly review and remove flagged material.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Data Security" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Consumer Notification", "Compliance Monitoring", "Monetary Penalty", "Consumer Redress", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 20 } }, { "id": "10.25_apitor", "docket_number": "3:25-cv-07363", "company_name": "Apitor Technology Co., Ltd.", "date_issued": "2025-10-15", "year": 2025, "administration": "Trump (2nd)", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data" ], "violation_type": "both", "complaint_counts": [ "Failure to Provide Notice and Obtain Verifiable Parental Consent" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), and the Children's Online Privacy Protection Rule (COPPA Rule), 16 C.F.R. part 312", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/apitor", "source_filename": "10.25, Apitor.json", "num_provisions": 8, "num_requirements": 34, "order_duration_years": null, "takeaway_brief": "Apitor's robot toy app secretly collected precise geolocation data from child users via a third-party SDK without parental notice or consent.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 8 } }, { "id": "12.25_disney", "docket_number": "2:25-cv-08223", "company_name": "Disney Worldwide Services, Inc. and Disney Entertainment Operations LLC", "date_issued": "2025-12-15", "year": 2025, "administration": "Trump (2nd)", "categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "violation_type": "both", "complaint_counts": [ "Violations of the COPPA Rule" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a); Sections 1303(c) and 1306(d) of the Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §§ 6502(c) and 6505(d); Children's Online Privacy Protection Rule (COPPA Rule), 16 C.F.R. Part 312", "commissioners": [], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/disney", "source_filename": "12.25, Disney.json", "num_provisions": 8, "num_requirements": 31, "order_duration_years": null, "takeaway_brief": "Disney failed to accurately designate child-directed YouTube videos as 'Made for Kids,' allowing targeted advertising and personal data collection on content directed at children.", "statutory_topics": [ "COPPA" ], "practice_areas": [ "Privacy" ], "industry_sectors": [ "Social Media", "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Monetary Penalty", "Order Administration", "Compliance Monitoring", "Recordkeeping" ], "provision_counts_by_topic": { "COPPA": 8 } }, { "id": "12.25_illuminate_education", "docket_number": "222-3105", "company_name": "Illuminate Education, Inc.", "date_issued": "2025-12-15", "year": 2025, "administration": "Trump (2nd)", "categories": [ "Data Security", "Privacy / Deceptive Privacy Practices" ], "violation_type": "unfair", "complaint_counts": [ "Unfair Information Security Practices", "Data Security Misrepresentations", "Misrepresentations to School Districts Regarding Notice" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Andrew N. Ferguson, Chairman", "Mark R. Meador" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/222-3105-illuminate-education-inc-matter", "source_filename": "12.25, Illuminate Education.json", "num_provisions": 13, "num_requirements": 19, "order_duration_years": 10, "takeaway_brief": "Illuminate Education stored millions of students' personal data in plaintext with inadequate access controls, suffered a breach, and had made contractual security promises it did not keep.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Education", "Technology" ], "remedy_types": [ "Prohibition", "Data Deletion", "Recordkeeping", "Comprehensive Security Program", "Third-Party Assessment", "Consumer Notification", "Compliance Monitoring", "Order Administration" ], "provision_counts_by_topic": { "Section 5 Only": 13 } }, { "id": "12.25_illusory_systemsnomad", "docket_number": "C-2323016", "company_name": "Illusory Systems, Inc.", "date_issued": "2025-12-15", "year": 2025, "administration": "Trump (2nd)", "categories": [ "Data Security" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Security Practices", "Security Misrepresentations" ], "legal_authority": "Section 5(a) of the Federal Trade Commission Act", "commissioners": [ "Andrew N. Ferguson, Chairman", "Mark R. Meador" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/illusory-systemsnomad", "source_filename": "12.25, Illusory SystemsNomad.json", "num_provisions": 11, "num_requirements": 49, "order_duration_years": 10, "takeaway_brief": "Nomad marketed its cryptocurrency bridge as 'security-first' while deploying inadequately tested code with no incident response plan, leading to the near-total loss of user assets.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Data Security" ], "industry_sectors": [ "Financial Services", "Technology" ], "remedy_types": [ "Prohibition", "Comprehensive Security Program", "Third-Party Assessment", "Compliance Monitoring", "Monetary Penalty", "Order Administration", "Recordkeeping" ], "provision_counts_by_topic": { "Section 5 Only": 11 } }, { "id": "01.26_general_motors", "docket_number": "C-4828", "company_name": "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC", "date_issued": "2026-01-15", "year": 2026, "administration": "Trump (2nd)", "categories": [ "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data", "Fair Credit Reporting (FCRA)" ], "violation_type": "deceptive", "complaint_counts": [ "Unfair Use and Sale of Sensitive Data Without Affirmative Express Consent", "Deceptive Failure to Disclose Use and Disclosure of Consumer Location and Driver Behavior Data" ], "legal_authority": "Federal Trade Commission Act", "commissioners": [ "Andrew N. Ferguson, Chairman", "Mark R. Meador" ], "ftc_url": "https://www.ftc.gov/legal-library/browse/cases-proceedings/2423052-general-motors-llc-et-al-matter", "source_filename": "01.26, General Motors.json", "num_provisions": 16, "num_requirements": 53, "order_duration_years": 20, "takeaway_brief": "General Motors and OnStar collected detailed driving behavior data every three seconds and sold it to consumer reporting agencies without consumers' meaningful informed consent.", "statutory_topics": [ "Section 5 Only" ], "practice_areas": [ "Privacy", "Surveillance" ], "industry_sectors": [ "Technology", "Other" ], "remedy_types": [ "Prohibition", "Recordkeeping", "Data Deletion", "Other", "Consumer Notification", "Order Administration", "Compliance Monitoring" ], "provision_counts_by_topic": { "Section 5 Only": 16 } } ], "groupings": { "by_year": [ { "key": "1997", "label": "1997", "count": 2, "violation_breakdown": { "deceptive": 0, "unfair": 0, "both": 2 }, "top_categories": [ "Fair Credit Reporting (FCRA)" ], "top_companies": [ "Bruno's Inc.", "ALDI INC." ] }, { "key": "1999", "label": "1999", "count": 2, "violation_breakdown": { "deceptive": 1, "unfair": 1, "both": 0 }, "top_categories": [ "Fair Credit Reporting (FCRA)", "Privacy / Deceptive Privacy Practices" ], "top_companies": [ "First American Real Estate Solutions, LLC", "Liberty Financial Companies, Inc." ] }, { "key": "2001", "label": "2001", "count": 4, "violation_breakdown": { "deceptive": 1, "unfair": 1, "both": 2 }, "top_categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices" ], "top_companies": [ "Bigmailbox.com, Inc.", "LookSmart Ltd.", "Monarch Services, Inc.", "Lisa Frank, Inc." ] }, { "key": "2002", "label": "2002", "count": 3, "violation_breakdown": { "deceptive": 2, "unfair": 0, "both": 1 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "COPPA / Children's Privacy", "Gramm-Leach-Bliley", "Data Security" ], "top_companies": [ "American Pop Corn Company", "Paula L. Garrett, d/b/a Discreet Data Systems", "Microsoft Corporation" ] }, { "key": "2003", "label": "2003", "count": 3, "violation_breakdown": { "deceptive": 2, "unfair": 0, "both": 1 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "Gramm-Leach-Bliley" ], "top_companies": [ "Educational Research Center of America, Inc.", "GUESS?, INC.", "30 Minute Mortgage Inc." ] }, { "key": "2004", "label": "2004", "count": 4, "violation_breakdown": { "deceptive": 4, "unfair": 0, "both": 0 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call", "COPPA / Children's Privacy", "Data Security", "Other" ], "top_companies": [ "UMG Recordings, Inc.", "MTS, Inc.", "Bonzi Software, Inc.", "Gateway Learning Corporation" ] }, { "key": "2005", "label": "2005", "count": 8, "violation_breakdown": { "deceptive": 1, "unfair": 2, "both": 5 }, "top_categories": [ "Gramm-Leach-Bliley", "Data Security", "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ], "top_companies": [ "Assail, Inc.", "Sunbelt Lending Services, Inc.", "PETCO ANIMAL SUPPLIES, INC.", "Nationwide Mortgage Group, Inc.", "Vision I Properties, LLC" ] }, { "key": "2006", "label": "2006", "count": 5, "violation_breakdown": { "deceptive": 1, "unfair": 2, "both": 2 }, "top_categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley", "COPPA / Children's Privacy", "Other" ], "top_companies": [ "DSW Inc.", "Nations Title Agency, Inc.", "CardSystems Solutions, Inc.", "Xanga.com, Inc.", "Integrity Security & Investigation Services, Inc." ] }, { "key": "2007", "label": "2007", "count": 5, "violation_breakdown": { "deceptive": 3, "unfair": 0, "both": 2 }, "top_categories": [ "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley", "Data Security", "Privacy / Deceptive Privacy Practices", "Telemarketing / Do-Not-Call" ], "top_companies": [ "Consumerinfo.com, Inc.", "Information Search, Inc.", "Guidance Software, Inc.", "American United", "CEO GROUP, INC." ] }, { "key": "2008", "label": "2008", "count": 9, "violation_breakdown": { "deceptive": 2, "unfair": 3, "both": 4 }, "top_categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Health Data", "Gramm-Leach-Bliley" ], "top_companies": [ "Ingenix, Inc.", "Milliman, Inc.", "GOAL FINANCIAL, LLC", "Life is good, Inc.", "ACTION RESEARCH GROUP, INC." ] }, { "key": "2009", "label": "2009", "count": 9, "violation_breakdown": { "deceptive": 2, "unfair": 2, "both": 5 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Data Security", "Other", "Health Data" ], "top_companies": [ "Genica Corporation", "Accusearch, Inc.", "CVS CAREMARK CORPORATION", "James B. Nutter & Company", "TALX Corporation" ] }, { "key": "2010", "label": "2010", "count": 13, "violation_breakdown": { "deceptive": 9, "unfair": 1, "both": 3 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "Fair Credit Reporting (FCRA)", "Health Data", "Other" ], "top_companies": [ "Collectify LLC", "ExpatEdge Partners, LLC", "Gregory Navone", "Onyx Graphics, Inc.", "Progressive Gaitways LLC" ] }, { "key": "2011", "label": "2011", "count": 16, "violation_breakdown": { "deceptive": 7, "unfair": 1, "both": 8 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "Fair Credit Reporting (FCRA)", "COPPA / Children's Privacy", "Gramm-Leach-Bliley" ], "top_companies": [ "Twitter, Inc.", "US Search, Inc.", "Playdom, Inc.", "Balls of Kryptonite, LLC", "Ceridian Corporation" ] }, { "key": "2012", "label": "2012", "count": 10, "violation_breakdown": { "deceptive": 2, "unfair": 1, "both": 7 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Data Security", "COPPA / Children's Privacy", "Gramm-Leach-Bliley" ], "top_companies": [ "Asset Acceptance, LLC", "RockYou, Inc.", "Spokeo, Inc.", "HireRight Solutions, Inc.", "MYSPACE LLC" ] }, { "key": "2013", "label": "2013", "count": 17, "violation_breakdown": { "deceptive": 5, "unfair": 1, "both": 11 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Health Data", "Data Security", "Fair Credit Reporting (FCRA)", "COPPA / Children's Privacy" ], "top_companies": [ "Compete, Inc.", "Path, Inc.", "Epic Marketplace, Inc.", "Equifax Information Services LLC", "Aspen Way Enterprises, Inc." ] }, { "key": "2014", "label": "2014", "count": 29, "violation_breakdown": { "deceptive": 25, "unfair": 1, "both": 3 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Other", "Data Security", "Fair Credit Reporting (FCRA)", "Health Data" ], "top_companies": [ "GeneLink, Inc.", "TeleCheck Services, Inc.", "Accretive Health, Inc.", "TRENDnet, Inc.", "Aaron's, Inc." ] }, { "key": "2015", "label": "2015", "count": 22, "violation_breakdown": { "deceptive": 19, "unfair": 1, "both": 2 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Other", "Health Data", "Fair Credit Reporting (FCRA)", "COPPA / Children's Privacy" ], "top_companies": [ "PaymentsMD, LLC", "American International Mailing, Inc.", "TES Franchising, LLC", "Nomi Technologies, Inc.", "Tricolor Auto Acceptance, LLC" ] }, { "key": "2016", "label": "2016", "count": 10, "violation_breakdown": { "deceptive": 6, "unfair": 2, "both": 2 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Health Data", "Data Security", "Other", "Fair Credit Reporting (FCRA)" ], "top_companies": [ "Craig Brittain", "Oracle Corporation", "Sitesearch Corporation", "Credit Protection Association, LP", "Henry Schein Practice Solutions, Inc." ] }, { "key": "2017", "label": "2017", "count": 8, "violation_breakdown": { "deceptive": 5, "unfair": 0, "both": 3 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "AI / Algorithmic / Facial Recognition", "Gramm-Leach-Bliley" ], "top_companies": [ "VIZIO, Inc.", "Upromise, Inc.", "Turn Inc.", "Ruby Corp.", "Decusoft, LLC" ] }, { "key": "2018", "label": "2018", "count": 17, "violation_breakdown": { "deceptive": 12, "unfair": 2, "both": 3 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "Other", "COPPA / Children's Privacy", "Location / Geolocation Data" ], "top_companies": [ "Jerk, LLC", "Lenovo (United States) Inc.", "VTech Electronics Limited and VTech Electronics North America, LLC", "Prime Sites, Inc.", "Sears Holdings Management Corporation" ] }, { "key": "2019", "label": "2019", "count": 13, "violation_breakdown": { "deceptive": 7, "unfair": 2, "both": 4 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "COPPA / Children's Privacy", "AI / Algorithmic / Facial Recognition", "Gramm-Leach-Bliley" ], "top_companies": [ "Cambridge Analytica, LLC", "Musical.ly", "UNIXIZ, Inc.", "D-Link Systems, Inc.", "Equifax Inc." ] }, { "key": "2020", "label": "2020", "count": 25, "violation_breakdown": { "deceptive": 18, "unfair": 4, "both": 3 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Data Security", "COPPA / Children's Privacy", "Location / Geolocation Data" ], "top_companies": [ "Click Labs, Inc.", "DCR Workforce, Inc.", "Global Data Vault, LLC", "Incentive Services, Inc.", "InfoTrax Systems, L.C." ] }, { "key": "2021", "label": "2021", "count": 7, "violation_breakdown": { "deceptive": 2, "unfair": 1, "both": 4 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "Health Data", "COPPA / Children's Privacy", "Gramm-Leach-Bliley" ], "top_companies": [ "SkyMed International, Inc.", "Zoom Video Communications, Inc.", "Flo Health, Inc.", "Kuuhubb Inc.", "Ascension Data & Analytics, LLC" ] }, { "key": "2022", "label": "2022", "count": 4, "violation_breakdown": { "deceptive": 2, "unfair": 0, "both": 2 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Data Security", "COPPA / Children's Privacy" ], "top_companies": [ "ITMEDIA SOLUTIONS LLC", "Kurbo, Inc.", "Credit Bureau Center, LLC", "Everalbum, Inc." ] }, { "key": "2023", "label": "2023", "count": 11, "violation_breakdown": { "deceptive": 2, "unfair": 1, "both": 8 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "COPPA / Children's Privacy", "Data Security", "Health Data", "Location / Geolocation Data" ], "top_companies": [ "Chegg, Inc.", "DRIZLY, LLC", "GoodRx Holdings, Inc.", "Epic Games, Inc.", "Fashion Nova, LLC" ] }, { "key": "2024", "label": "2024", "count": 16, "violation_breakdown": { "deceptive": 6, "unfair": 3, "both": 7 }, "top_categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Health Data", "Location / Geolocation Data", "AI / Algorithmic / Facial Recognition" ], "top_companies": [ "Residual Pumpkin Entity, LLC", "Epic Games, Inc.", "Global Tel*Link Corporation", "Rite Aid Corporation", "Ring LLC" ] }, { "key": "2025", "label": "2025", "count": 12, "violation_breakdown": { "deceptive": 5, "unfair": 1, "both": 6 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "COPPA / Children's Privacy", "Health Data", "Location / Geolocation Data" ], "top_companies": [ "COGNOSPHERE, LLC", "IntelliVision Technologies Corp.", "Mobilewalla, Inc.", "Aqua Finance, Inc.", "Avast Limited" ] }, { "key": "2026", "label": "2026", "count": 1, "violation_breakdown": { "deceptive": 1, "unfair": 0, "both": 0 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Location / Geolocation Data", "Fair Credit Reporting (FCRA)" ], "top_companies": [ "General Motors LLC, General Motors Holdings LLC, and OnStar, LLC" ] } ], "by_administration": [ { "key": "Clinton", "label": "Clinton", "count": 4, "violation_breakdown": { "deceptive": 1, "unfair": 1, "both": 2 }, "top_categories": [ "Fair Credit Reporting (FCRA)", "Privacy / Deceptive Privacy Practices" ], "top_companies": [ "Bruno's Inc.", "ALDI INC.", "First American Real Estate Solutions, LLC", "Liberty Financial Companies, Inc." ] }, { "key": "G.W. Bush", "label": "G.W. Bush", "count": 41, "violation_breakdown": { "deceptive": 16, "unfair": 8, "both": 17 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "Gramm-Leach-Bliley", "COPPA / Children's Privacy", "Telemarketing / Do-Not-Call" ], "top_companies": [ "Bigmailbox.com, Inc.", "LookSmart Ltd.", "Monarch Services, Inc.", "Lisa Frank, Inc.", "American Pop Corn Company" ] }, { "key": "Obama", "label": "Obama", "count": 126, "violation_breakdown": { "deceptive": 75, "unfair": 10, "both": 41 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "Fair Credit Reporting (FCRA)", "Other", "Health Data" ], "top_companies": [ "GeneLink, Inc.", "Genica Corporation", "Accusearch, Inc.", "CVS CAREMARK CORPORATION", "James B. Nutter & Company" ] }, { "key": "Trump (1st)", "label": "Trump (1st)", "count": 63, "violation_breakdown": { "deceptive": 42, "unfair": 8, "both": 13 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "COPPA / Children's Privacy", "Fair Credit Reporting (FCRA)", "Other" ], "top_companies": [ "Cambridge Analytica, LLC", "VIZIO, Inc.", "Upromise, Inc.", "Turn Inc.", "Ruby Corp." ] }, { "key": "Biden", "label": "Biden", "count": 41, "violation_breakdown": { "deceptive": 14, "unfair": 5, "both": 22 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "Health Data", "COPPA / Children's Privacy", "Location / Geolocation Data" ], "top_companies": [ "Epic Games, Inc.", "SkyMed International, Inc.", "Zoom Video Communications, Inc.", "Flo Health, Inc.", "Kuuhubb Inc." ] }, { "key": "Trump (2nd)", "label": "Trump (2nd)", "count": 10, "violation_breakdown": { "deceptive": 4, "unfair": 1, "both": 5 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "Fair Credit Reporting (FCRA)", "COPPA / Children's Privacy", "Location / Geolocation Data" ], "top_companies": [ "Aqua Finance, Inc.", "Avast Limited", "GoDaddy Inc.", "Roca Labs, Inc.", "AYLO GROUP LTD." ] } ], "by_category": [ { "key": "Privacy / Deceptive Privacy Practices", "label": "Privacy / Deceptive Privacy Practices", "count": 193, "violation_breakdown": { "deceptive": 107, "unfair": 19, "both": 67 }, "top_categories": [ "Privacy / Deceptive Privacy Practices", "Data Security", "COPPA / Children's Privacy", "Health Data", "Gramm-Leach-Bliley" ], "top_companies": [ "Microsoft Corporation", "Rite Aid Corporation", "GeneLink, Inc.", "Liberty Financial Companies, Inc.", "Bigmailbox.com, Inc." ] }, { "key": "Data Security", "label": "Data Security", "count": 89, "violation_breakdown": { "deceptive": 30, "unfair": 20, "both": 39 }, "top_categories": [ "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley", "Fair Credit Reporting (FCRA)", "Health Data" ], "top_companies": [ "Rite Aid Corporation", "GeneLink, Inc.", "Microsoft Corporation", "GUESS?, INC.", "30 Minute Mortgage Inc." ] }, { "key": "Fair Credit Reporting (FCRA)", "label": "Fair Credit Reporting (FCRA)", "count": 53, "violation_breakdown": { "deceptive": 11, "unfair": 10, "both": 32 }, "top_categories": [ "Fair Credit Reporting (FCRA)", "Data Security", "Privacy / Deceptive Privacy Practices", "Gramm-Leach-Bliley", "Telemarketing / Do-Not-Call" ], "top_companies": [ "Bruno's Inc.", "ALDI INC.", "First American Real Estate Solutions, LLC", "Consumerinfo.com, Inc.", "American United" ] }, { "key": "COPPA / Children's Privacy", "label": "COPPA / Children's Privacy", "count": 37, "violation_breakdown": { "deceptive": 12, "unfair": 1, "both": 24 }, "top_categories": [ "COPPA / Children's Privacy", "Privacy / Deceptive Privacy Practices", "Data Security", "Location / Geolocation Data", "Telemarketing / Do-Not-Call" ], "top_companies": [ "Bigmailbox.com, Inc.", "LookSmart Ltd.", "Monarch Services, Inc.", "Lisa Frank, Inc.", "American Pop Corn Company" ] }, { "key": "Health Data", "label": "Health Data", "count": 36, "violation_breakdown": { "deceptive": 17, "unfair": 2, "both": 17 }, "top_categories": [ "Health Data", "Privacy / Deceptive Privacy Practices", "Data Security", "Location / Geolocation Data", "Fair Credit Reporting (FCRA)" ], "top_companies": [ "Ingenix, Inc.", "Milliman, Inc.", "CVS CAREMARK CORPORATION", "Progressive Gaitways LLC", "Rite Aid Corporation" ] }, { "key": "Other", "label": "Other", "count": 27, "violation_breakdown": { "deceptive": 24, "unfair": 2, "both": 1 }, "top_categories": [ "Other" ], "top_companies": [ "Cambridge Analytica, LLC", "Bonzi Software, Inc.", "Integrity Security & Investigation Services, Inc.", "Accusearch, Inc.", "EchoMetrix, Inc." ] }, { "key": "Gramm-Leach-Bliley", "label": "Gramm-Leach-Bliley", "count": 24, "violation_breakdown": { "deceptive": 2, "unfair": 5, "both": 17 }, "top_categories": [ "Gramm-Leach-Bliley", "Data Security", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Telemarketing / Do-Not-Call" ], "top_companies": [ "Paula L. Garrett, d/b/a Discreet Data Systems", "30 Minute Mortgage Inc.", "Assail, Inc.", "Sunbelt Lending Services, Inc.", "Nationwide Mortgage Group, Inc." ] }, { "key": "Location / Geolocation Data", "label": "Location / Geolocation Data", "count": 16, "violation_breakdown": { "deceptive": 9, "unfair": 0, "both": 7 }, "top_categories": [ "Location / Geolocation Data", "Privacy / Deceptive Privacy Practices", "Data Security", "Health Data", "COPPA / Children's Privacy" ], "top_companies": [ "HTC America, Inc.", "Goldenshores Technologies, LLC", "Snapchat, Inc.", "BLU PRODUCTS, INC.", "Uber Technologies, Inc." ] }, { "key": "Telemarketing / Do-Not-Call", "label": "Telemarketing / Do-Not-Call", "count": 14, "violation_breakdown": { "deceptive": 6, "unfair": 3, "both": 5 }, "top_categories": [ "Telemarketing / Do-Not-Call", "Privacy / Deceptive Privacy Practices", "Fair Credit Reporting (FCRA)", "Gramm-Leach-Bliley", "COPPA / Children's Privacy" ], "top_companies": [ "UMG Recordings, Inc.", "Gateway Learning Corporation", "Assail, Inc.", "Vision I Properties, LLC", "Sun Spectrum Communications Organization, Inc." ] }, { "key": "AI / Algorithmic / Facial Recognition", "label": "AI / Algorithmic / Facial Recognition", "count": 7, "violation_breakdown": { "deceptive": 4, "unfair": 2, "both": 1 }, "top_categories": [ "AI / Algorithmic / Facial Recognition", "Privacy / Deceptive Privacy Practices", "Data Security", "Health Data", "Fair Credit Reporting (FCRA)" ], "top_companies": [ "Henry Schein Practice Solutions, Inc.", "VIZIO, Inc.", "Equifax Inc.", "Facebook, Inc.", "Unrollme Inc." ] } ] }, "analysis": { "by_year": { "1997": { "title": "1997", "summary": "2 enforcement actions, primarily both violations.", "narrative": "The FTC brought 2 enforcement actions in this group, with the majority involving both practices. Key focus areas included Fair Credit Reporting (FCRA)." }, "1999": { "title": "1999", "summary": "2 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 2 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Fair Credit Reporting (FCRA), Privacy / Deceptive Privacy Practices." }, "2001": { "title": "2001", "summary": "4 enforcement actions, primarily both violations.", "narrative": "The FTC brought 4 enforcement actions in this group, with the majority involving both practices. Key focus areas included COPPA / Children's Privacy, Privacy / Deceptive Privacy Practices." }, "2002": { "title": "2002", "summary": "3 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 3 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, COPPA / Children's Privacy, Gramm-Leach-Bliley." }, "2003": { "title": "2003", "summary": "3 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 3 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, Gramm-Leach-Bliley." }, "2004": { "title": "2004", "summary": "4 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 4 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Telemarketing / Do-Not-Call, COPPA / Children's Privacy." }, "2005": { "title": "2005", "summary": "8 enforcement actions, primarily both violations.", "narrative": "The FTC brought 8 enforcement actions in this group, with the majority involving both practices. Key focus areas included Gramm-Leach-Bliley, Data Security, Privacy / Deceptive Privacy Practices." }, "2006": { "title": "2006", "summary": "5 enforcement actions, primarily unfair violations.", "narrative": "The FTC brought 5 enforcement actions in this group, with the majority involving unfair practices. Key focus areas included Data Security, Privacy / Deceptive Privacy Practices, Gramm-Leach-Bliley." }, "2007": { "title": "2007", "summary": "5 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 5 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Fair Credit Reporting (FCRA), Gramm-Leach-Bliley, Data Security." }, "2008": { "title": "2008", "summary": "9 enforcement actions, primarily both violations.", "narrative": "The FTC brought 9 enforcement actions in this group, with the majority involving both practices. Key focus areas included Data Security, Privacy / Deceptive Privacy Practices, Fair Credit Reporting (FCRA)." }, "2009": { "title": "2009", "summary": "9 enforcement actions, primarily both violations.", "narrative": "The FTC brought 9 enforcement actions in this group, with the majority involving both practices. Key focus areas included Privacy / Deceptive Privacy Practices, Fair Credit Reporting (FCRA), Data Security." }, "2010": { "title": "2010", "summary": "13 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 13 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, Fair Credit Reporting (FCRA)." }, "2011": { "title": "2011", "summary": "16 enforcement actions, primarily both violations.", "narrative": "The FTC brought 16 enforcement actions in this group, with the majority involving both practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, Fair Credit Reporting (FCRA)." }, "2012": { "title": "2012", "summary": "10 enforcement actions, primarily both violations.", "narrative": "The FTC brought 10 enforcement actions in this group, with the majority involving both practices. Key focus areas included Privacy / Deceptive Privacy Practices, Fair Credit Reporting (FCRA), Data Security." }, "2013": { "title": "2013", "summary": "17 enforcement actions, primarily both violations.", "narrative": "The FTC brought 17 enforcement actions in this group, with the majority involving both practices. Key focus areas included Privacy / Deceptive Privacy Practices, Health Data, Data Security." }, "2014": { "title": "2014", "summary": "29 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 29 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Other, Data Security." }, "2015": { "title": "2015", "summary": "22 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 22 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Other, Health Data." }, "2016": { "title": "2016", "summary": "10 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 10 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Health Data, Data Security." }, "2017": { "title": "2017", "summary": "8 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 8 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, AI / Algorithmic / Facial Recognition." }, "2018": { "title": "2018", "summary": "17 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 17 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, Other." }, "2019": { "title": "2019", "summary": "13 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 13 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, COPPA / Children's Privacy." }, "2020": { "title": "2020", "summary": "25 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 25 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Fair Credit Reporting (FCRA), Data Security." }, "2021": { "title": "2021", "summary": "7 enforcement actions, primarily both violations.", "narrative": "The FTC brought 7 enforcement actions in this group, with the majority involving both practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, Health Data." }, "2022": { "title": "2022", "summary": "4 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 4 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Fair Credit Reporting (FCRA), Data Security." }, "2023": { "title": "2023", "summary": "11 enforcement actions, primarily both violations.", "narrative": "The FTC brought 11 enforcement actions in this group, with the majority involving both practices. Key focus areas included Privacy / Deceptive Privacy Practices, COPPA / Children's Privacy, Data Security." }, "2024": { "title": "2024", "summary": "16 enforcement actions, primarily both violations.", "narrative": "The FTC brought 16 enforcement actions in this group, with the majority involving both practices. Key focus areas included Data Security, Privacy / Deceptive Privacy Practices, Health Data." }, "2025": { "title": "2025", "summary": "12 enforcement actions, primarily both violations.", "narrative": "The FTC brought 12 enforcement actions in this group, with the majority involving both practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, COPPA / Children's Privacy." }, "2026": { "title": "2026", "summary": "1 enforcement action, primarily deceptive violations.", "narrative": "The FTC brought 1 enforcement action in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Location / Geolocation Data, Fair Credit Reporting (FCRA)." } }, "by_administration": { "Clinton": { "title": "Clinton", "summary": "4 enforcement actions, primarily both violations.", "narrative": "The FTC brought 4 enforcement actions in this group, with the majority involving both practices. Key focus areas included Fair Credit Reporting (FCRA), Privacy / Deceptive Privacy Practices." }, "G.W. Bush": { "title": "G.W. Bush", "summary": "41 enforcement actions, primarily both violations.", "narrative": "The FTC brought 41 enforcement actions in this group, with the majority involving both practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, Gramm-Leach-Bliley." }, "Obama": { "title": "Obama", "summary": "126 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 126 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, Fair Credit Reporting (FCRA)." }, "Trump (1st)": { "title": "Trump (1st)", "summary": "63 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 63 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, COPPA / Children's Privacy." }, "Biden": { "title": "Biden", "summary": "41 enforcement actions, primarily both violations.", "narrative": "The FTC brought 41 enforcement actions in this group, with the majority involving both practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, Health Data." }, "Trump (2nd)": { "title": "Trump (2nd)", "summary": "10 enforcement actions, primarily both violations.", "narrative": "The FTC brought 10 enforcement actions in this group, with the majority involving both practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, Fair Credit Reporting (FCRA)." } }, "by_category": { "Privacy / Deceptive Privacy Practices": { "title": "Privacy / Deceptive Privacy Practices", "summary": "193 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 193 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Privacy / Deceptive Privacy Practices, Data Security, COPPA / Children's Privacy." }, "Data Security": { "title": "Data Security", "summary": "89 enforcement actions, primarily both violations.", "narrative": "The FTC brought 89 enforcement actions in this group, with the majority involving both practices. Key focus areas included Data Security, Privacy / Deceptive Privacy Practices, Gramm-Leach-Bliley." }, "Fair Credit Reporting (FCRA)": { "title": "Fair Credit Reporting (FCRA)", "summary": "53 enforcement actions, primarily both violations.", "narrative": "The FTC brought 53 enforcement actions in this group, with the majority involving both practices. Key focus areas included Fair Credit Reporting (FCRA), Data Security, Privacy / Deceptive Privacy Practices." }, "COPPA / Children's Privacy": { "title": "COPPA / Children's Privacy", "summary": "37 enforcement actions, primarily both violations.", "narrative": "The FTC brought 37 enforcement actions in this group, with the majority involving both practices. Key focus areas included COPPA / Children's Privacy, Privacy / Deceptive Privacy Practices, Data Security." }, "Health Data": { "title": "Health Data", "summary": "36 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 36 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Health Data, Privacy / Deceptive Privacy Practices, Data Security." }, "Other": { "title": "Other", "summary": "27 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 27 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Other." }, "Gramm-Leach-Bliley": { "title": "Gramm-Leach-Bliley", "summary": "24 enforcement actions, primarily both violations.", "narrative": "The FTC brought 24 enforcement actions in this group, with the majority involving both practices. Key focus areas included Gramm-Leach-Bliley, Data Security, Privacy / Deceptive Privacy Practices." }, "Location / Geolocation Data": { "title": "Location / Geolocation Data", "summary": "16 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 16 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Location / Geolocation Data, Privacy / Deceptive Privacy Practices, Data Security." }, "Telemarketing / Do-Not-Call": { "title": "Telemarketing / Do-Not-Call", "summary": "14 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 14 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included Telemarketing / Do-Not-Call, Privacy / Deceptive Privacy Practices, Fair Credit Reporting (FCRA)." }, "AI / Algorithmic / Facial Recognition": { "title": "AI / Algorithmic / Facial Recognition", "summary": "7 enforcement actions, primarily deceptive violations.", "narrative": "The FTC brought 7 enforcement actions in this group, with the majority involving deceptive practices. Key focus areas included AI / Algorithmic / Facial Recognition, Privacy / Deceptive Privacy Practices, Data Security." } } } }